From 7716fdbe940350f62fa9affd9da657eb79235bd9 Mon Sep 17 00:00:00 2001 
From: SecurityJedi Date: Sun, 17 Jul 2022 21:21:28 -0400 Subject: [PATCH 01/24] [AutoGeneration] SecurityInsights module (1.2.0) (#18790) * Move to new branch * fixes per comments * Fixed docs with build-module and missing examples --- src/SecurityInsights/.gitattributes | 1 + src/SecurityInsights/.gitignore | 16 + src/SecurityInsights/Az.SecurityInsights.psd1 | 24 + src/SecurityInsights/README.md | 27 + .../custom/New-AzSentinelAlertRule.ps1 | 682 + .../custom/New-AzSentinelDataConnector.ps1 | 708 + .../custom/New-AzSentinelEntityQuery.ps1 | 216 + src/SecurityInsights/custom/README.md | 41 + ...zSentinelDataConnectorCheckRequirement.ps1 | 219 + .../custom/Update-AzSentinelAlertRule.ps1 | 814 + .../custom/Update-AzSentinelDataConnector.ps1 | 831 + .../custom/Update-AzSentinelEntityQuery.ps1 | 262 + .../custom/Update-AzSentinelSetting.ps1 | 246 + .../docs/Az.SecurityInsights.md | 199 + .../docs/Get-AzSentinelAlertRule.md | 235 + .../docs/Get-AzSentinelAlertRuleAction.md | 209 + .../docs/Get-AzSentinelAlertRuleTemplate.md | 221 + .../docs/Get-AzSentinelAutomationRule.md | 212 + .../docs/Get-AzSentinelBookmark.md | 210 + .../docs/Get-AzSentinelBookmarkRelation.md | 298 + .../docs/Get-AzSentinelDataConnector.md | 209 + .../docs/Get-AzSentinelEnrichment.md | 228 + .../docs/Get-AzSentinelEntity.md | 234 + .../docs/Get-AzSentinelEntityActivity.md | 146 + .../docs/Get-AzSentinelEntityInsight.md | 246 + .../docs/Get-AzSentinelEntityQuery.md | 254 + .../docs/Get-AzSentinelEntityQueryTemplate.md | 242 + .../docs/Get-AzSentinelEntityRelation.md | 280 + .../docs/Get-AzSentinelEntityTimeline.md | 229 + .../docs/Get-AzSentinelIncident.md | 277 + .../docs/Get-AzSentinelIncidentAlert.md | 167 + .../docs/Get-AzSentinelIncidentBookmark.md | 166 + .../docs/Get-AzSentinelIncidentComment.md | 291 + .../docs/Get-AzSentinelIncidentEntity.md | 161 + .../docs/Get-AzSentinelIncidentRelation.md | 306 + .../docs/Get-AzSentinelMetadata.md | 255 + .../docs/Get-AzSentinelOnboardingState.md | 202 
+ .../docs/Get-AzSentinelSetting.md | 233 + ...t-AzSentinelThreatIntelligenceIndicator.md | 288 + ...ntinelThreatIntelligenceIndicatorMetric.md | 116 + ...entinelThreatIntelligenceIndicatorQuery.md | 355 + .../docs/New-AzSentinelAlertRule.md | 774 + .../docs/New-AzSentinelAlertRuleAction.md | 188 + .../docs/New-AzSentinelAutomationRule.md | 318 + .../docs/New-AzSentinelBookmark.md | 388 + .../docs/New-AzSentinelBookmarkRelation.md | 213 + .../docs/New-AzSentinelDataConnector.md | 965 + .../docs/New-AzSentinelEntityQuery.md | 353 + .../docs/New-AzSentinelIncident.md | 457 + .../docs/New-AzSentinelIncidentComment.md | 216 + .../docs/New-AzSentinelIncidentRelation.md | 220 + .../docs/New-AzSentinelIncidentTeam.md | 263 + .../docs/New-AzSentinelOnboardingState.md | 213 + src/SecurityInsights/docs/README.md | 11 + .../docs/Remove-AzSentinelAlertRule.md | 224 + .../docs/Remove-AzSentinelAlertRuleAction.md | 240 + .../docs/Remove-AzSentinelAutomationRule.md | 224 + .../docs/Remove-AzSentinelBookmark.md | 224 + .../docs/Remove-AzSentinelBookmarkRelation.md | 240 + .../docs/Remove-AzSentinelDataConnector.md | 224 + .../docs/Remove-AzSentinelEntityQuery.md | 232 + .../docs/Remove-AzSentinelIncident.md | 231 + .../docs/Remove-AzSentinelIncidentComment.md | 240 + .../docs/Remove-AzSentinelIncidentRelation.md | 240 + .../docs/Remove-AzSentinelOnboardingState.md | 225 + ...AzSentinelDataConnectorCheckRequirement.md | 243 + .../docs/Update-AzSentinelAlertRule.md | 848 + .../docs/Update-AzSentinelAlertRuleAction.md | 257 + .../docs/Update-AzSentinelAutomationRule.md | 314 + .../docs/Update-AzSentinelBookmark.md | 397 + .../docs/Update-AzSentinelBookmarkRelation.md | 240 + .../docs/Update-AzSentinelDataConnector.md | 1102 + .../docs/Update-AzSentinelEntityQuery.md | 399 + .../docs/Update-AzSentinelIncident.md | 464 + .../docs/Update-AzSentinelIncidentComment.md | 240 + .../docs/Update-AzSentinelIncidentRelation.md | 241 + .../docs/Update-AzSentinelSetting.md | 300 + 
.../examples/Get-AzSentinelAlertRule.md | 54 + .../examples/Get-AzSentinelAlertRuleAction.md | 15 + .../Get-AzSentinelAlertRuleTemplate.md | 41 + .../examples/Get-AzSentinelAutomationRule.md | 32 + .../examples/Get-AzSentinelBookmark.md | 30 + .../Get-AzSentinelBookmarkRelation.md | 36 + .../examples/Get-AzSentinelDataConnector.md | 29 + .../examples/Get-AzSentinelEnrichment.md | 41 + .../examples/Get-AzSentinelEntity.md | 52 + .../examples/Get-AzSentinelEntityActivity.md | 29 + .../examples/Get-AzSentinelEntityInsight.md | 32 + .../examples/Get-AzSentinelEntityQuery.md | 58 + .../Get-AzSentinelEntityQueryTemplate.md | 46 + .../examples/Get-AzSentinelEntityRelation.md | 24 + .../examples/Get-AzSentinelEntityTimeline.md | 18 + .../examples/Get-AzSentinelIncident.md | 31 + .../examples/Get-AzSentinelIncidentAlert.md | 17 + .../Get-AzSentinelIncidentBookmark.md | 16 + .../examples/Get-AzSentinelIncidentComment.md | 30 + .../examples/Get-AzSentinelIncidentEntity.md | 11 + .../Get-AzSentinelIncidentRelation.md | 44 + .../examples/Get-AzSentinelMetadata.md | 11 + .../examples/Get-AzSentinelOnboardingState.md | 21 + .../examples/Get-AzSentinelSetting.md | 51 + ...t-AzSentinelThreatIntelligenceIndicator.md | 41 + ...ntinelThreatIntelligenceIndicatorMetric.md | 12 + ...entinelThreatIntelligenceIndicatorQuery.md | 11 + .../examples/New-AzSentinelAlertRule.md | 58 + .../examples/New-AzSentinelAlertRuleAction.md | 11 + .../examples/New-AzSentinelAutomationRule.md | 30 + .../examples/New-AzSentinelBookmark.md | 16 + .../New-AzSentinelBookmarkRelation.md | 10 + .../examples/New-AzSentinelDataConnector.md | 8 + .../examples/New-AzSentinelEntityQuery.md | 28 + .../examples/New-AzSentinelIncident.md | 16 + .../examples/New-AzSentinelIncidentComment.md | 8 + .../New-AzSentinelIncidentRelation.md | 14 + .../examples/New-AzSentinelIncidentTeam.md | 15 + .../examples/New-AzSentinelOnboardingState.md | 8 + .../examples/Remove-AzSentinelAlertRule.md | 8 + 
.../Remove-AzSentinelAlertRuleAction.md | 8 + .../Remove-AzSentinelAutomationRule.md | 9 + .../examples/Remove-AzSentinelBookmark.md | 10 + .../Remove-AzSentinelBookmarkRelation.md | 9 + .../Remove-AzSentinelDataConnector.md | 9 + .../examples/Remove-AzSentinelEntityQuery.md | 19 + .../examples/Remove-AzSentinelIncident.md | 18 + .../Remove-AzSentinelIncidentComment.md | 10 + .../Remove-AzSentinelIncidentRelation.md | 8 + .../Remove-AzSentinelOnboardingState.md | 8 + ...AzSentinelDataConnectorCheckRequirement.md | 22 + .../examples/Update-AzSentinelAlertRule.md | 9 + .../Update-AzSentinelAlertRuleAction.md | 10 + .../Update-AzSentinelAutomationRule.md | 15 + .../examples/Update-AzSentinelBookmark.md | 12 + .../Update-AzSentinelBookmarkRelation.md | 9 + .../Update-AzSentinelDataConnector.md | 9 + .../examples/Update-AzSentinelEntityQuery.md | 8 + .../examples/Update-AzSentinelIncident.md | 8 + .../Update-AzSentinelIncidentComment.md | 9 + .../Update-AzSentinelIncidentRelation.md | 11 + .../examples/Update-AzSentinelSetting.md | 10 + src/SecurityInsights/how-to.md | 58 + src/SecurityInsights/license.txt | 227 + src/SecurityInsights/readme.md | 347 + src/SecurityInsights/resources/README.md | 11 + .../Get-AzSentinelAlertRule.Recording.json | 166 + .../test/Get-AzSentinelAlertRule.Tests.ps1 | 33 + ...t-AzSentinelAlertRuleAction.Recording.json | 166 + .../Get-AzSentinelAlertRuleAction.Tests.ps1 | 33 + ...AzSentinelAlertRuleTemplate.Recording.json | 166 + .../Get-AzSentinelAlertRuleTemplate.Tests.ps1 | 33 + ...et-AzSentinelAutomationRule.Recording.json | 166 + .../Get-AzSentinelAutomationRule.Tests.ps1 | 33 + .../Get-AzSentinelBookmark.Recording.json | 166 + .../test/Get-AzSentinelBookmark.Tests.ps1 | 33 + ...-AzSentinelBookmarkRelation.Recording.json | 166 + .../Get-AzSentinelBookmarkRelation.Tests.ps1 | 33 + ...Get-AzSentinelDataConnector.Recording.json | 166 + .../Get-AzSentinelDataConnector.Tests.ps1 | 33 + .../Get-AzSentinelEnrichment.Recording.json | 84 + 
.../test/Get-AzSentinelEnrichment.Tests.ps1 | 27 + .../test/Get-AzSentinelEntity.Recording.json | 248 + .../test/Get-AzSentinelEntity.Tests.ps1 | 35 + ...et-AzSentinelEntityActivity.Recording.json | 84 + .../Get-AzSentinelEntityActivity.Tests.ps1 | 23 + ...Get-AzSentinelEntityInsight.Recording.json | 79 + .../Get-AzSentinelEntityInsight.Tests.ps1 | 25 + .../Get-AzSentinelEntityQuery.Recording.json | 166 + .../test/Get-AzSentinelEntityQuery.Tests.ps1 | 33 + ...SentinelEntityQueryTemplate.Recording.json | 125 + ...et-AzSentinelEntityQueryTemplate.Tests.ps1 | 35 + .../Get-AzSentinelEntityRelation.Tests.ps1 | 29 + ...et-AzSentinelEntityTimeline.Recording.json | 79 + .../Get-AzSentinelEntityTimeline.Tests.ps1 | 25 + .../Get-AzSentinelIncident.Recording.json | 166 + .../test/Get-AzSentinelIncident.Tests.ps1 | 33 + ...Get-AzSentinelIncidentAlert.Recording.json | 84 + .../Get-AzSentinelIncidentAlert.Tests.ps1 | 23 + ...-AzSentinelIncidentBookmark.Recording.json | 43 + .../Get-AzSentinelIncidentBookmark.Tests.ps1 | 22 + ...t-AzSentinelIncidentComment.Recording.json | 84 + .../Get-AzSentinelIncidentComment.Tests.ps1 | 33 + ...et-AzSentinelIncidentEntity.Recording.json | 84 + .../Get-AzSentinelIncidentEntity.Tests.ps1 | 23 + ...-AzSentinelIncidentRelation.Recording.json | 166 + .../Get-AzSentinelIncidentRelation.Tests.ps1 | 33 + .../Get-AzSentinelMetadata.Recording.json | 166 + .../test/Get-AzSentinelMetadata.Tests.ps1 | 33 + .../Get-AzSentinelOfficeConsent.Tests.ps1 | 29 + ...t-AzSentinelOnboardingState.Recording.json | 166 + .../Get-AzSentinelOnboardingState.Tests.ps1 | 33 + .../test/Get-AzSentinelSetting.Recording.json | 84 + .../test/Get-AzSentinelSetting.Tests.ps1 | 33 + .../Get-AzSentinelSourceControl.Tests.ps1 | 33 + ...zSentinelSourceControlRepository.Tests.ps1 | 21 + ...ThreatIntelligenceIndicator.Recording.json | 84 + ...tinelThreatIntelligenceIndicator.Tests.ps1 | 33 + ...IntelligenceIndicatorMetric.Recording.json | 43 + 
...hreatIntelligenceIndicatorMetric.Tests.ps1 | 22 + ...nelDataConnectorCheckRequirement.Tests.ps1 | 25 + ...aConnectorsCheckRequirement.Recording.json | 434 + ...elDataConnectorsCheckRequirement.Tests.ps1 | 77 + ...tIntelligenceIndicatorQuery.Recording.json | 38 + ...ThreatIntelligenceIndicatorQuery.Tests.ps1 | 22 + .../New-AzSentinelAlertRule.Recording.json | 38 + .../test/New-AzSentinelAlertRule.Tests.ps1 | 24 + ...w-AzSentinelAlertRuleAction.Recording.json | 74 + .../New-AzSentinelAlertRuleAction.Tests.ps1 | 27 + ...ew-AzSentinelAutomationRule.Recording.json | 38 + .../New-AzSentinelAutomationRule.Tests.ps1 | 29 + .../New-AzSentinelBookmark.Recording.json | 38 + .../test/New-AzSentinelBookmark.Tests.ps1 | 24 + ...-AzSentinelBookmarkRelation.Recording.json | 110 + .../New-AzSentinelBookmarkRelation.Tests.ps1 | 28 + ...New-AzSentinelDataConnector.Recording.json | 38 + .../New-AzSentinelDataConnector.Tests.ps1 | 24 + .../New-AzSentinelEntityQuery.Recording.json | 38 + .../test/New-AzSentinelEntityQuery.Tests.ps1 | 37 + .../New-AzSentinelIncident.Recording.json | 38 + .../test/New-AzSentinelIncident.Tests.ps1 | 23 + ...w-AzSentinelIncidentComment.Recording.json | 74 + .../New-AzSentinelIncidentComment.Tests.ps1 | 25 + ...-AzSentinelIncidentRelation.Recording.json | 110 + .../New-AzSentinelIncidentRelation.Tests.ps1 | 28 + .../New-AzSentinelIncidentTeam.Recording.json | 74 + .../test/New-AzSentinelIncidentTeam.Tests.ps1 | 25 + .../New-AzSentinelOnboardingState.Tests.ps1 | 22 + ...tinelThreatIntelligenceIndicator.Tests.ps1 | 29 + src/SecurityInsights/test/README.md | 17 + .../Remove-AzSentinelAlertRule.Recording.json | 125 + .../test/Remove-AzSentinelAlertRule.Tests.ps1 | 27 + ...e-AzSentinelAlertRuleAction.Recording.json | 123 + ...Remove-AzSentinelAlertRuleAction.Tests.ps1 | 27 + ...ve-AzSentinelAutomationRule.Recording.json | 125 + .../Remove-AzSentinelAutomationRule.Tests.ps1 | 27 + .../Remove-AzSentinelBookmark.Recording.json | 125 + 
.../test/Remove-AzSentinelBookmark.Tests.ps1 | 27 + ...-AzSentinelBookmarkRelation.Recording.json | 125 + ...emove-AzSentinelBookmarkRelation.Tests.ps1 | 27 + ...ove-AzSentinelDataConnector.Recording.json | 156 + .../Remove-AzSentinelDataConnector.Tests.ps1 | 29 + ...emove-AzSentinelEntityQuery.Recording.json | 125 + .../Remove-AzSentinelEntityQuery.Tests.ps1 | 27 + .../Remove-AzSentinelIncident.Recording.json | 125 + .../test/Remove-AzSentinelIncident.Tests.ps1 | 27 + ...e-AzSentinelIncidentComment.Recording.json | 125 + ...Remove-AzSentinelIncidentComment.Tests.ps1 | 27 + ...-AzSentinelIncidentRelation.Recording.json | 123 + ...emove-AzSentinelIncidentRelation.Tests.ps1 | 27 + .../Remove-AzSentinelOfficeConsent.Tests.ps1 | 25 + ...e-AzSentinelOnboardingState.Recording.json | 43 + ...Remove-AzSentinelOnboardingState.Tests.ps1 | 25 + ...nelDataConnectorCheckRequirement.Tests.ps1 | 25 + .../Update-AzSentinelAlertRule.Recording.json | 38 + .../test/Update-AzSentinelAlertRule.Tests.ps1 | 28 + ...e-AzSentinelAlertRuleAction.Recording.json | 115 + ...Update-AzSentinelAlertRuleAction.Tests.ps1 | 30 + ...te-AzSentinelAutomationRule.Recording.json | 156 + .../Update-AzSentinelAutomationRule.Tests.ps1 | 39 + .../Update-AzSentinelBookmark.Recording.json | 156 + .../test/Update-AzSentinelBookmark.Tests.ps1 | 31 + ...-AzSentinelBookmarkRelation.Recording.json | 187 + ...pdate-AzSentinelBookmarkRelation.Tests.ps1 | 34 + ...ate-AzSentinelDataConnector.Recording.json | 115 + .../Update-AzSentinelDataConnector.Tests.ps1 | 30 + ...pdate-AzSentinelEntityQuery.Recording.json | 115 + .../Update-AzSentinelEntityQuery.Tests.ps1 | 29 + .../Update-AzSentinelIncident.Recording.json | 156 + .../test/Update-AzSentinelIncident.Tests.ps1 | 31 + ...e-AzSentinelIncidentComment.Recording.json | 115 + ...Update-AzSentinelIncidentComment.Tests.ps1 | 30 + ...-AzSentinelIncidentRelation.Recording.json | 187 + ...pdate-AzSentinelIncidentRelation.Tests.ps1 | 36 + 
.../Update-AzSentinelSetting.Recording.json | 125 + .../test/Update-AzSentinelSetting.Tests.ps1 | 30 + src/SecurityInsights/test/common.ps1 | 552 + src/SecurityInsights/test/constants.json | 4 + .../alertRule/template.json | 54 + .../alertRule/template.parameters.json | 15 + .../alertRuleAction/template.json | 80 + .../alertRuleAction/template.parameters.json | 24 + .../authorization/template.json | 26 + .../authorization/template.parameters.json | 9 + .../automationRule/template.json | 54 + .../automationRule/template.parameters.json | 18 + .../bookmark/template.json | 44 + .../bookmark/template.parameters.json | 21 + .../bookmarkRelation/template.json | 77 + .../bookmarkRelation/template.parameters.json | 30 + .../customData/alertRules.json | 218 + .../customData/alertRules.parameters.json | 18 + .../dataConnector/template.json | 55 + .../dataConnector/template.parameters.json | 15 + .../entityQuery/template.json | 54 + .../entityQuery/template.parameters.json | 12 + .../incident/template.json | 27 + .../incident/template.parameters.json | 12 + .../incidentComment/template.json | 46 + .../incidentComment/template.parameters.json | 18 + .../incidentRelation/template.json | 80 + .../incidentRelation/template.parameters.json | 30 + .../metadata/template.json | 558 + .../metadata/template.parameters.json | 9 + .../playbooks/template.json | 900 + .../playbooks/template.parameters.json | 18 + .../sourceControl/template.json | 46 + .../sourceControl/template.parameters.json | 18 + .../threatIntelligenceIndicator/template.json | 52 + .../template.parameters.json | 21 + .../workspace/template.json | 139 + .../workspace/template.parameters.json | 15 + src/SecurityInsights/test/env.json | 184 + src/SecurityInsights/test/loadEnv.ps1 | 29 + src/SecurityInsights/test/localEnv.json | 184 + .../test/sampleData/AuditLogs.csv | 6 + .../test/sampleData/AzureAcitivity.csv | 1232 + .../test/sampleData/Cisco_Umbrella_dns.csv | 2 + .../test/sampleData/CommonSecurityLog.csv | 2 + 
.../test/sampleData/OfficeActivity.csv | 583 + .../test/sampleData/SecurityEvent.csv | 76458 ++++++++++++++++ .../test/sampleData/SigninLogs.csv | 1233 + src/SecurityInsights/test/utils.ps1 | 331 + .../utils/Unprotect-SecureString.ps1 | 16 + 321 files changed, 117471 insertions(+) create mode 100644 src/SecurityInsights/.gitattributes create mode 100644 src/SecurityInsights/.gitignore create mode 100644 src/SecurityInsights/Az.SecurityInsights.psd1 create mode 100644 src/SecurityInsights/README.md create mode 100644 src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1 create mode 100644 src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 create mode 100644 src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 create mode 100644 src/SecurityInsights/custom/README.md create mode 100644 src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 create mode 100644 src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 create mode 100644 src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 create mode 100644 src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1 create mode 100644 src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 create mode 100644 src/SecurityInsights/docs/Az.SecurityInsights.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEnrichment.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntity.md create mode 100644 
src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncident.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelMetadata.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelSetting.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md create mode 100644 src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md create mode 100644 src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelEntityQuery.md create mode 100644 
src/SecurityInsights/docs/New-AzSentinelIncident.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md create mode 100644 src/SecurityInsights/docs/New-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/docs/README.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelIncident.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelIncident.md 
create mode 100644 src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/docs/Update-AzSentinelSetting.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEnrichment.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntity.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncident.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelMetadata.md create 
mode 100644 src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelSetting.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md create mode 100644 src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md create mode 100644 src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelIncident.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md create mode 100644 src/SecurityInsights/examples/New-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md create mode 100644 
src/SecurityInsights/examples/Remove-AzSentinelIncident.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md create mode 100644 src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelAlertRule.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelBookmark.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelDataConnector.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelIncident.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md create mode 100644 src/SecurityInsights/examples/Update-AzSentinelSetting.md create mode 100644 src/SecurityInsights/how-to.md create mode 100644 src/SecurityInsights/license.txt create mode 100644 src/SecurityInsights/readme.md create mode 100644 src/SecurityInsights/resources/README.md create mode 100644 src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json create mode 100644 
src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json create mode 100644 
src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json create mode 100644 
src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 create mode 100644 src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json create mode 100644 src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 create mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 create mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json create mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1 create mode 100644 src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json create mode 100644 src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json create mode 100644 
src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelIncident.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json create mode 100644 src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1 create mode 100644 src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1 create mode 100644 src/SecurityInsights/test/README.md create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json create mode 100644 
src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1 create mode 100644 src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json create mode 100644 src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1 create mode 100644 src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json create mode 100644 
src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 create mode 100644 src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json create mode 100644 src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 create mode 100644 src/SecurityInsights/test/common.ps1 create mode 100644 src/SecurityInsights/test/constants.json create mode 100644 src/SecurityInsights/test/deployment-templates/alertRule/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/authorization/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/automationRule/template.json create mode 100644 
src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/bookmark/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/customData/alertRules.json create mode 100644 src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/dataConnector/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/entityQuery/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/incident/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/incident/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/incidentComment/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/incidentRelation/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/metadata/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/playbooks/template.json create mode 100644 
src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/sourceControl/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json create mode 100644 src/SecurityInsights/test/deployment-templates/workspace/template.json create mode 100644 src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json create mode 100644 src/SecurityInsights/test/env.json create mode 100644 src/SecurityInsights/test/loadEnv.ps1 create mode 100644 src/SecurityInsights/test/localEnv.json create mode 100644 src/SecurityInsights/test/sampleData/AuditLogs.csv create mode 100644 src/SecurityInsights/test/sampleData/AzureAcitivity.csv create mode 100644 src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv create mode 100644 src/SecurityInsights/test/sampleData/CommonSecurityLog.csv create mode 100644 src/SecurityInsights/test/sampleData/OfficeActivity.csv create mode 100644 src/SecurityInsights/test/sampleData/SecurityEvent.csv create mode 100644 src/SecurityInsights/test/sampleData/SigninLogs.csv create mode 100644 src/SecurityInsights/test/utils.ps1 create mode 100644 src/SecurityInsights/utils/Unprotect-SecureString.ps1
diff --git a/src/SecurityInsights/.gitattributes b/src/SecurityInsights/.gitattributes
new file mode 100644
index 000000000000..2125666142eb
--- /dev/null
+++ b/src/SecurityInsights/.gitattributes
@@ -0,0 +1 @@
+* text=auto
\ No newline at end of file
diff --git a/src/SecurityInsights/.gitignore b/src/SecurityInsights/.gitignore
new file mode 100644
index 000000000000..3c3d57339c8b
--- /dev/null
+++ b/src/SecurityInsights/.gitignore
@@ -0,0 +1,16 @@
+bin
+obj
+.vs
+generated
+internal
+exports
+tools
+custom/*.psm1
+custom/autogen-model-cmdlets
+test/*-TestResults.xml
+/*.ps1
+/*.ps1xml
+/*.psm1
+/*.snk
+/*.csproj
+/*.nuspec
\ No newline at end of file
diff --git a/src/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/Az.SecurityInsights.psd1
new file mode 100644
index 000000000000..4fbafc706d95
--- /dev/null
+++ b/src/SecurityInsights/Az.SecurityInsights.psd1
@@ -0,0 +1,24 @@
+@{
+ GUID = '3a0e09d6-7b89-4078-a565-5db26e7455b8'
+ RootModule = './Az.SecurityInsights.psm1'
+ ModuleVersion = '1.2.0'
+ CompatiblePSEditions = 'Core', 'Desktop'
+ Author = 'Microsoft Corporation'
+ CompanyName = 'Microsoft Corporation'
+ Copyright = 'Microsoft Corporation. All rights reserved.'
+ Description = 'Microsoft Azure PowerShell: SecurityInsights cmdlets'
+ PowerShellVersion = '5.1'
+ DotNetFrameworkVersion = '4.7.2'
+ RequiredAssemblies = './bin/Az.SecurityInsights.private.dll'
+ FormatsToProcess = './Az.SecurityInsights.format.ps1xml'
+ FunctionsToExport = 'Get-AzSentinelAlertRule', 'Get-AzSentinelAlertRuleAction', 'Get-AzSentinelAlertRuleTemplate', 'Get-AzSentinelAutomationRule', 'Get-AzSentinelBookmark', 'Get-AzSentinelBookmarkRelation', 'Get-AzSentinelDataConnector', 'Get-AzSentinelEnrichment', 'Get-AzSentinelEntity', 'Get-AzSentinelEntityActivity', 'Get-AzSentinelEntityInsight', 'Get-AzSentinelEntityQuery', 'Get-AzSentinelEntityQueryTemplate', 'Get-AzSentinelEntityRelation', 'Get-AzSentinelEntityTimeline', 'Get-AzSentinelIncident', 'Get-AzSentinelIncidentAlert', 'Get-AzSentinelIncidentBookmark', 'Get-AzSentinelIncidentComment', 'Get-AzSentinelIncidentEntity', 'Get-AzSentinelIncidentRelation', 'Get-AzSentinelMetadata', 'Get-AzSentinelOnboardingState', 'Get-AzSentinelSetting', 'Get-AzSentinelThreatIntelligenceIndicator', 'Get-AzSentinelThreatIntelligenceIndicatorMetric', 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery', 'New-AzSentinelAlertRule', 'New-AzSentinelAlertRuleAction', 'New-AzSentinelAutomationRule', 'New-AzSentinelBookmark', 'New-AzSentinelBookmarkRelation', 'New-AzSentinelDataConnector', 'New-AzSentinelEntityQuery', 'New-AzSentinelIncident', 'New-AzSentinelIncidentComment', 'New-AzSentinelIncidentRelation', 'New-AzSentinelIncidentTeam', 'New-AzSentinelOnboardingState', 'Remove-AzSentinelAlertRule', 'Remove-AzSentinelAlertRuleAction', 'Remove-AzSentinelAutomationRule', 'Remove-AzSentinelBookmark',
'Remove-AzSentinelBookmarkRelation', 'Remove-AzSentinelDataConnector', 'Remove-AzSentinelEntityQuery', 'Remove-AzSentinelIncident', 'Remove-AzSentinelIncidentComment', 'Remove-AzSentinelIncidentRelation', 'Remove-AzSentinelOnboardingState', 'Test-AzSentinelDataConnectorCheckRequirement', 'Update-AzSentinelAlertRule', 'Update-AzSentinelAlertRuleAction', 'Update-AzSentinelAutomationRule', 'Update-AzSentinelBookmark', 'Update-AzSentinelBookmarkRelation', 'Update-AzSentinelDataConnector', 'Update-AzSentinelEntityQuery', 'Update-AzSentinelIncident', 'Update-AzSentinelIncidentComment', 'Update-AzSentinelIncidentRelation', 'Update-AzSentinelSetting', '*'
+ AliasesToExport = '*'
+ PrivateData = @{
+ PSData = @{
+ Tags = 'Azure', 'ResourceManager', 'ARM', 'PSModule', 'SecurityInsights'
+ LicenseUri = 'https://aka.ms/azps-license'
+ ProjectUri = 'https://github.com/Azure/azure-powershell'
+ ReleaseNotes = ''
+ }
+ }
+}
diff --git a/src/SecurityInsights/README.md b/src/SecurityInsights/README.md
new file mode 100644
index 000000000000..54385914e651
--- /dev/null
+++ b/src/SecurityInsights/README.md
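Review bot: FunctionsToExport ends with a `'*'` wildcard after the explicit cmdlet list, and AliasesToExport is `'*'`, so every function and alias defined in the root module is exported, including any internal helpers, and PowerShell must load the module to discover its commands instead of reading them from the manifest. If the explicit list is the intended public surface, drop the trailing `'*'` and name the aliases explicitly; if the wildcard is what the generator emits, that is worth confirming rather than leaving the exported surface open-ended.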
@@ -0,0 +1,27 @@
+
+# Az.SecurityInsights
+This directory contains the PowerShell module for the SecurityInsights service.
+
+---
+## Status
+[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/)
+
+## Info
+- Modifiable: yes
+- Generated: all
+- Committed: yes
+- Packaged: yes
+
+---
+## Detail
+This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension.
+
+## Module Requirements
+- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.7.5 or greater
+
+## Authentication
+AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent.
+
+## Development
+For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md).
+
diff --git a/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..eeb248cf1f2e
--- /dev/null
+++ b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
@@ -0,0 +1,682 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the alert rule.
+.Description
+Creates or updates the alert rule.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule
+#>
+function New-AzSentinelAlertRule {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])]
+ [CmdletBinding(DefaultParameterSetName = 'FusionMLTI', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter()]
+ #[Alias('RuleId')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+ [System.String]
+ # The Id of the Rule.
+ ${RuleId},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind]
+ # Kind of the the data connection
+ ${Kind},
+
+ [Parameter(ParameterSetName = 'FusionMLTI', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplate},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplateName},
+
+ [Parameter(ParameterSetName = 'FusionMLTI')]
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesFilter},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+
${DisplayNamesExcludeFilter},
+
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName]
+ ${ProductFilter},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]]
+ #High, Medium, Low, Informational
+ ${SeveritiesFilter},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Query},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayName},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${SuppressionDuration},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${SuppressionEnabled},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity]
+ ${Severity},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
+ [System.String]
+ #InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack
+ ${Tactic},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${CreateIncident},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${GroupingConfigurationEnabled},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${ReOpenClosedIncident},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${LookbackDuration},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')]
+ [ValidateSet('AllEntities', 'AnyAlert', 'Selected')]
+ [System.String]
+ ${MatchingMethod},
+
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+
[ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail]
+ ${GroupByAlertDetail},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [string[]]
+ ${GroupByCustomDetail},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]
+ ${GroupByEntity},
+
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]
+ ${EntityMapping},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDescriptionFormat},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDisplayNameFormat},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertSeverityColumnName},
+
+ [Parameter(ParameterSetName
= 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertTacticsColumnName},
+
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryFrequency},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryPeriod},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator]
+ ${TriggerOperator},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [int]
+ ${TriggerThreshold},
+
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind]
+ ${EventGroupingSettingAggregationKind},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Fusion
+ if ($PSBoundParameters['Kind'] -eq 'Fusion'){
+ $AlertRule =
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.FusionAlertRule]::new()
+
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplate')
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+ }
+ #MSIC
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftSecurityIncidentCreation'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MicrosoftSecurityIncidentCreationAlertRule]::new()
+
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['DisplayNamesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesFilter')
+ }
+
+ If($PSBoundParameters['DisplayNamesExcludeFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
+ }
+
+ $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter']
+ $null = $PSBoundParameters.Remove('ProductFilter')
+
+ If($PSBoundParameters['SeveritiesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['SeveritiesFilter']
+ $null = $PSBoundParameters.Remove('SeveritiesFilter')
+ }
+ }
+ #ML
+ if ($PSBoundParameters['Kind'] -eq 'MLBehaviorAnalytics'){
+ $AlertRule =
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MlBehaviorAnalyticsAlertRule]::new()
+
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplate')
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ #NRT
+ if($PSBoundParameters['Kind'] -eq 'NRT'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.NrtAlertRule]::new()
+
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled']
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+
$AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident']
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled']
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat =
$PSBoundParameters['AlertDescriptionFormat'] + $null = $PSBoundParameters.Remove('AlertDescriptionFormat') + } + + If($PSBoundParameters['AlertDisplayNameFormat']){ + $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat'] + $null = $PSBoundParameters.Remove('AlertDisplayNameFormat') + } + + If($PSBoundParameters['AlertSeverityColumnName']){ + $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName'] + $null = $PSBoundParameters.Remove('AlertSeverityColumnName') + } + + If($PSBoundParameters['AlertTacticsColumnName']){ + $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName'] + $null = $PSBoundParameters.Remove('AlertTacticsColumnName') + } + + } + #Scheduled + if ($PSBoundParameters['Kind'] -eq 'Scheduled'){ + $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ScheduledAlertRule]::new() + + If($PSBoundParameters['AlertRuleTemplateName']){ + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName'] + $null = $PSBoundParameters.Remove('AlertRuleTemplateName') + } + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else{ + $AlertRule.Enabled = $false + } + + If($PSBoundParameters['Description']){ + $AlertRule.Description = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + $AlertRule.Query = $PSBoundParameters['Query'] + $null = $PSBoundParameters.Remove('Query') + + $AlertRule.DisplayName = $PSBoundParameters['DisplayName'] + $null = $PSBoundParameters.Remove('DisplayName') + + $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration'] + $null = $PSBoundParameters.Remove('SuppressionDuration') + + If($PSBoundParameters['SuppressionEnabled']){ + $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled'] + $null = 
$PSBoundParameters.Remove('SuppressionEnabled') + } + else{ + $AlertRule.SuppressionEnabled = $false + } + + $AlertRule.Severity = $PSBoundParameters['Severity'] + $null = $PSBoundParameters.Remove('Severity') + + If($PSBoundParameters['Tactic']){ + $AlertRule.Tactic = $PSBoundParameters['Tactic'] + $null = $PSBoundParameters.Remove('Tactic') + } + + If($PSBoundParameters['CreateIncident']){ + $AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident'] + $null = $PSBoundParameters.Remove('CreateIncident') + } + else{ + $AlertRule.IncidentConfigurationCreateIncident = $false + } + + If($PSBoundParameters['GroupingConfigurationEnabled']){ + $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled'] + $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled') + } + else{ + $AlertRule.GroupingConfigurationEnabled = $false + } + + If($PSBoundParameters['ReOpenClosedIncident']){ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident'] + $null = $PSBoundParameters.Remove('ReOpenClosedIncident') + } + else{ + $AlertRule.GroupingConfigurationReOpenClosedIncident = $false + } + + $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration'] + $null = $PSBoundParameters.Remove('LookbackDuration') + + $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod'] + $null = $PSBoundParameters.Remove('MatchingMethod') + + If($PSBoundParameters['GroupByAlertDetail']){ + $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail'] + $null = $PSBoundParameters.Remove('GroupByAlertDetail') + } + + If($PSBoundParameters['GroupByCustomDetail']){ + $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail'] + $null = $PSBoundParameters.Remove('GroupByCustomDetail') + } + + If($PSBoundParameters['GroupByEntity']){ + $AlertRule.GroupingConfigurationGroupByEntity 
= $PSBoundParameters['GroupByEntity'] + $null = $PSBoundParameters.Remove('GroupByEntity') + } + + If($PSBoundParameters['EntityMapping']){ + $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping'] + $null = $PSBoundParameters.Remove('EntityMapping') + } + + If($PSBoundParameters['AlertDescriptionFormat']){ + $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat'] + $null = $PSBoundParameters.Remove('AlertDescriptionFormat') + } + + If($PSBoundParameters['AlertDisplayNameFormat']){ + $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat'] + $null = $PSBoundParameters.Remove('AlertDisplayNameFormat') + } + + If($PSBoundParameters['AlertSeverityColumnName']){ + $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName'] + $null = $PSBoundParameters.Remove('AlertSeverityColumnName') + } + + If($PSBoundParameters['AlertTacticsColumnName']){ + $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName'] + $null = $PSBoundParameters.Remove('AlertTacticsColumnName') + } + + $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency'] + $null = $PSBoundParameters.Remove('QueryFrequency') + + $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod'] + $null = $PSBoundParameters.Remove('QueryPeriod') + + $AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator'] + $null = $PSBoundParameters.Remove('TriggerOperator') + + $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold'] + $null = $PSBoundParameters.Remove('TriggerThreshold') + + If($PSBoundParameters['EventGroupingSettingAggregationKind']){ + $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind'] + $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind') + } + } + #TI + if ($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ + $AlertRule = 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ThreatIntelligenceAlertRule]::new() + + $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate'] + $null = $PSBoundParameters.Remove('AlertRuleTemplate') + + If($PSBoundParameters['Enabled']){ + $AlertRule.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + else { + $AlertRule.Enabled = $false + } + } + + $null = $PSBoundParameters.Remove('FusionMLTI') + + $AlertRule.Kind = $PSBoundParameters['Kind'] + $null = $PSBoundParameters.Remove('Kind') + + $null = $PSBoundParameters.Add('AlertRule', $AlertRule) + + Az.SecurityInsights.internal\New-AzSentinelAlertRule @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 new file mode 100644 index 000000000000..9880df269994 --- /dev/null +++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 
@@ -0,0 +1,708 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Creates or updates the data connector. +.Description +Creates or updates the data connector. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector +#> +function New-AzSentinelDataConnector { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])] + [CmdletBinding(DefaultParameterSetName = 'AADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Data Connector. + ${DataConnectorId}, + + [Parameter(Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind] + # Kind of the the data connection + ${Kind}, + + [Parameter(ParameterSetName = 'AADAATP')] + [Parameter(ParameterSetName = 'Dynamics365')] + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')] + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [Parameter(ParameterSetName = 'MicrosoftThreatProtection')] + [Parameter(ParameterSetName = 'Office365')] + [Parameter(ParameterSetName = 'OfficeATP')] + [Parameter(ParameterSetName = 'OfficeIRM')] + [Parameter(ParameterSetName = 'ThreatIntelligence')] + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')] + [System.String] + # The TenantId. + ${TenantId}, + + [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + # ASC Subscription Id. 
+ ${ASCSubscriptionId}, + + [Parameter(ParameterSetName = 'AADAATP')] + [Parameter(ParameterSetName = 'AzureSecurityCenter')] + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')] + [Parameter(ParameterSetName = 'OfficeATP')] + [Parameter(ParameterSetName = 'OfficeIRM')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Alerts}, + + [Parameter(ParameterSetName = 'Dynamics365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${CommonDataServiceActivity}, + + [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DiscoveryLogs}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${BingSafetyPhishingURL}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${BingSafetyPhishingUrlLookbackPeriod}, + + [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${MicrosoftEmergingThreatFeed}, + + [Parameter(ParameterSetName = 
'MicrosoftThreatIntelligence')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${MicrosoftEmergingThreatFeedLookbackPeriod}, + + [Parameter(ParameterSetName = 'MicrosoftThreatProtection')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Incidents}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Exchange}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${SharePoint}, + + [Parameter(ParameterSetName = 'Office365')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Teams}, + + [Parameter(ParameterSetName = 'ThreatIntelligence')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Indicators}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${WorkspaceId}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${FriendlyName}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${APIRootURL}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${CollectionId}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UserName}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Password}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')] + [System.String] + ${TaxiiLookbackPeriod}, + + [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency] + ${PollingFrequency}, + + [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${AWSRoleArn}, + + [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail')] + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Logs}, + + [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${SQSURL}, + + [Parameter(ParameterSetName = 
'AmazonWebServicesS3', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${DetinationTable}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigTitle}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigPublisher}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigDescriptionMarkdown}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigCustomImage}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${UiConfigGraphQueriesTableName}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]] + ${UiConfigGraphQuery}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]] + ${UiConfigSampleQuery}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + 
#[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]] + ${UiConfigDataType}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]] + ${UiConfigConnectivityCriterion}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Bool] + ${AvailabilityIsPreview}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)] + [Int] + ${AvailabilityStatus}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]] + ${PermissionResourceProvider}, + + [Parameter(ParameterSetName = 'GenericUI')] + #[Parameter(ParameterSetName = 'APIPolling')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]] + ${PermissionCustom}, + + [Parameter(ParameterSetName = 'GenericUI', Mandatory)] + #[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]] + ${UiConfigInstructionStep}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. + ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server 
to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'Dynamics365'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365DataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['CommonDataServiceActivity']){ + $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity'] + $null = $PSBoundParameters.Remove('CommonDataServiceActivity') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.McasDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = 
$PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + + If($PSBoundParameters['DiscoveryLogs']){ + $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs'] + $null = $PSBoundParameters.Remove('DiscoveryLogs') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MdatpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MstiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['BingSafetyPhishingURL']){ + $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishingURL'] + $null = $PSBoundParameters.Remove('BingSafetyPhishingURL') + } + + If($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']){ + if($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay'){ + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') { + 
$DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') { + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = $PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod') + } + else{ + $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + + If($PSBoundParameters['MicrosoftEmergingThreatFeed']){ + $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed'] + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed') + } + + If($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']){ + if($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay'){ + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString() + } + elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') { + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod') + } + else{ + $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z" + } + } + + if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){ + 
$DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Incidents']){ + $DataConnector.IncidentState = $PSBoundParameters['Incidents'] + $null = $PSBoundParameters.Remove('Incidents') + } + } + if($PSBoundParameters['Kind'] -eq 'Office365'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Exchange']){ + $DataConnector.ExchangeState = $PSBoundParameters['Exchange'] + $null = $PSBoundParameters.Remove('Exchange') + } + + If($PSBoundParameters['SharePoint']){ + $DataConnector.SharePointState = $PSBoundParameters['SharePoint'] + $null = $PSBoundParameters.Remove('SharePoint') + } + + If($PSBoundParameters['Teams']){ + $DataConnector.TeamState = $PSBoundParameters['Teams'] + $null = $PSBoundParameters.Remove('Teams') + } + } + if($PSBoundParameters['Kind'] -eq 'OfficeATP'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeAtpDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = 
$PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + $DataConnector.TipLookbackPeriod = "1970-01-01T00:00:00.000Z" + + If($PSBoundParameters['Indicators']){ + $DataConnector.IndicatorState = $PSBoundParameters['Indicators'] + $null = $PSBoundParameters.Remove('Indicators') + } + } + if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiDataConnector]::new() + + $DataConnector.TenantId = $PSBoundParameters['TenantId'] + $null = $PSBoundParameters.Remove('TenantId') + + $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName'] + $null = $PSBoundParameters.Remove('FriendlyName') + + $DataConnector.TaxiiServer = $PSBoundParameters['APIRootURL'] + $null = $PSBoundParameters.Remove('APIRootURL') + + $DataConnector.CollectionId = $PSBoundParameters['CollectionId'] + $null = $PSBoundParameters.Remove('CollectionId') + + If($PSBoundParameters['UserName']){ + $DataConnector.UserName = $PSBoundParameters['UserName'] + $null = $PSBoundParameters.Remove('UserName') + } + + If($PSBoundParameters['Password']){ + $DataConnector.Password = $PSBoundParameters['Password'] + $null = $PSBoundParameters.Remove('Password') + } + + $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId'] + $null = $PSBoundParameters.Remove('WorkspaceId') + + + if($PSBoundParameters['PollingFrequency'] -eq 'OnceADay'){ + $DataConnector.PollingFrequency = "OnceADay" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') { + $DataConnector.PollingFrequency = "OnceAMinute" + } + elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') { + $DataConnector.PollingFrequency = 
"OnceAnHour" + } + $null = $PSBoundParameters.Remove('PollingFrequency') + + } + + if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AscDataConnector]::new() + + $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId'] + $null = $PSBoundParameters.Remove('ASCSubscriptionId') + + If($PSBoundParameters['Alerts']){ + $DataConnector.AlertState = $PSBoundParameters['Alerts'] + $null = $PSBoundParameters.Remove('Alerts') + } + } + if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + + $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + + If($PSBoundParameters['Logs']){ + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + } + if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new() + + $DataConnector.RoleArn = $PSBoundParameters['AWSRoleArn'] + $null = $PSBoundParameters.Remove('AWSRoleArn') + + If($PSBoundParameters['Logs']){ + $DataConnector.LogState = $PSBoundParameters['Logs'] + $null = $PSBoundParameters.Remove('Logs') + } + + $DataConnector.SqsUrl = $PSBoundParameters['SQSURL'] + $null = $PSBoundParameters.Remove('SQSURL') + + $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable'] + $null = $PSBoundParameters.Remove('DetinationTable') + } + if($PSBoundParameters['Kind'] -eq 'GenericUI'){ + $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CodelessUiDataConnector]::new() + + $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle'] + $null = 
$PSBoundParameters.Remove('UiConfigTitle') + + $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher'] + $null = $PSBoundParameters.Remove('UiConfigPublisher') + + $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown'] + $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown') + + If($PSBoundParameters['Logs']){ + $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage'] + $null = $PSBoundParameters.Remove('UiConfigCustomImage') + } + + $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName'] + $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName') + + $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery'] + $null = $PSBoundParameters.Remove('UiConfigGraphQuery') + + $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery'] + $null = $PSBoundParameters.Remove('UiConfigSampleQuery') + + $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType'] + $null = $PSBoundParameters.Remove('UiConfigDataType') + + $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion'] + $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion') + + $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview'] + $null = $PSBoundParameters.Remove('AvailabilityIsPreview') + + If($PSBoundParameters['AvailabilityStatus']){ + $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus'] + $null = $PSBoundParameters.Remove('AvailabilityStatus') + } + + If($PSBoundParameters['PermissionResourceProvider']){ + $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionResourceProvider'] + $null = $PSBoundParameters.Remove('PermissionResourceProvider') + } + ElseIf($PSBoundParameters['PermissionCustom']){ + $DataConnector.AvailabilityStatus = 
$PSBoundParameters['PermissionCustom'] + $null = $PSBoundParameters.Remove('PermissionCustom') + } + Else { + Write-Host -ForegroundColor Red "You must provide either a Resource Provider Permission or Custom Permissions" + break + } + + $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep'] + $null = $PSBoundParameters.Remove('UiConfigInstructionStep') + + } + + $DataConnector.Kind = $PSBoundParameters['Kind'] + $null = $PSBoundParameters.Remove('Kind') + + $null = $PSBoundParameters.Remove('DataConnector') + $null = $PSBoundParameters.Add('DataConnector', $DataConnector) + + Az.SecurityInsights.internal\New-AzSentinelDataConnector @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 new file mode 100644 index 000000000000..288fea99923f --- /dev/null +++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 
@@ -0,0 +1,216 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the entity query.
+.Description
+Creates or updates the entity query.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery
+#>
+function New-AzSentinelEntityQuery {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])]
+ [CmdletBinding(DefaultParameterSetName = 'Activity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+ [System.String]
+ # The Id of the Entity Query.
+ ${EntityQueryId},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ # Kind of the the Entity Query
+ ${Kind},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Title},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Content},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${QueryDefinitionQuery},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType]
+ ${InputEntityType},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${RequiredInputFieldsSet},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter]
+ ${EntitiesFilter},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${TemplateName},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+
+ if ($PSBoundParameters['Kind'] -eq 'Activity'){
+ $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityCustomEntityQuery]::new()
+
+ $EntityQuery.Title = $PSBoundParameters['Title']
+ $null = $PSBoundParameters.Remove('Title')
+
+ $EntityQuery.Content = $PSBoundParameters['Content']
+ $null = $PSBoundParameters.Remove('Content')
+
+ $EntityQuery.Description = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+
+ $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery']
+ $null = $PSBoundParameters.Remove('QueryDefinitionQuery')
+
+ $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType']
+ $null = $PSBoundParameters.Remove('InputEntityType')
+
+ If($PSBoundParameters['RequiredInputFieldsSet']){
+ $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet']
+ $null = $PSBoundParameters.Remove('RequiredInputFieldsSet')
+ }
+
+ If($PSBoundParameters['EntitiesFilter']){
+ $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter']
+ $null = $PSBoundParameters.Remove('EntitiesFilter')
+ }
+
+ If($PSBoundParameters['TemplateName']){
+ $EntityQuery.TemplateName = $PSBoundParameters['TemplateName']
+ $null = $PSBoundParameters.Remove('TemplateName')
+ }
+ }
+ else {
+ Write-Error "This cmdlet only works with Entity Queries of the Activity kind."
+ break
+ }
+
+ #$EntityQuery.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+ Az.SecurityInsights.internal\New-AzSentinelEntityQuery @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/README.md b/src/SecurityInsights/custom/README.md
new file mode 100644
index 000000000000..403330afa28c
--- /dev/null
+++ b/src/SecurityInsights/custom/README.md
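Review bot: The unsupported-Kind branch at the end of the process block pairs a non-terminating `Write-Error` with a bare `break`; with no enclosing loop, `break` escapes the function and aborts the caller's enclosing loop or pipeline, so the failure is either swallowed or far more disruptive than intended depending on $ErrorActionPreference. A terminating error keeps the failure inside the cmdlet: `throw "This cmdlet only works with Entity Queries of the Activity kind."`. Since the ArgumentCompleter on `${Kind}` already advertises only 'Activity', a `[ValidateSet('Activity')]` attribute on that parameter would reject other values at bind time and make the else branch unreachable. Note also that the `$EntityQuery.Kind = $PSBoundParameters['Kind']` line is commented out, so Kind reaches the internal cmdlet only if the ActivityCustomEntityQuery constructor sets it itself — worth confirming before release.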
@@ -0,0 +1,41 @@ +# Custom +This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified. + +## Info +- Modifiable: yes +- Generated: partial +- Committed: yes +- Packaged: yes + +## Details +For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*. + +For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder. + +For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundamental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build. 
+ +## Purpose +This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder. + +## Usage +The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters: +- Break +- DefaultProfile +- HttpPipelineAppend +- HttpPipelinePrepend +- Proxy +- ProxyCredential +- ProxyUseDefaultCredentials + +These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method. + +### Attributes +For processing the cmdlets, we've created some additional attributes: +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute` + - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propagated to reference documentation via [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute` + - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time. 
These cmdlets will *not be exposed* by `Az.SecurityInsights`. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute` + - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [README.md](../internal/README.md) in the `../internal` folder. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute` + - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules. \ No newline at end of file diff --git a/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 new file mode 100644 index 000000000000..97e1b698a2d2 --- /dev/null +++ b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 
@@ -0,0 +1,219 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Get requirements state for a data connector type.
+.Description
+Get requirements state for a data connector type.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement
+#>
+function Test-AzSentinelDataConnectorCheckRequirement {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements])]
+ [CmdletBinding(DefaultParameterSetName = 'AADTenant', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind]
+ # Kind of the the data connection
+ ${Kind},
+
+
+ [Parameter(ParameterSetName = 'AADTenant')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ #[Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)]
+ #[Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ #[Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+
+ if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'Dynamics365'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365CheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MCASCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MDATPCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MSTICheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ #if($PSBoundParameters['Kind'] -eq 'Office365'){
+ # $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Office365CheckRequirements]::new()
+ # $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ # $null = $PSBoundParameters.Remove('TenantId')
+ #}
+ if($PSBoundParameters['Kind'] -eq 'OfficeATP'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeATPCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TICheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ASCCheckRequirements]::new()
+ $DataConnectorCheckRequirement.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+ }
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){}
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){}
+ #if($PSBoundParameters['Kind'] -eq 'GenericUI'){}
+
+ $DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('DataConnectorCheckRequirement', $DataConnectorCheckRequirement)
+
+ Az.SecurityInsights.internal\Test-AzSentinelDataConnectorCheckRequirement @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..815f4636d80e
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
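Review bot: `$DataConnectorCheckRequirement` is only assigned inside the per-Kind `if` branches, so for a Kind with no branch — Office365, AmazonWebServicesCloudTrail, AmazonWebServicesS3 and GenericUI are all commented out here — the later `$DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']` line dereferences `$null`, and `catch { throw }` rethrows a property-not-found error that says nothing about the unsupported Kind. A guard before that assignment gives the caller an actionable message: `if ($null -eq $DataConnectorCheckRequirement) { throw "Kind '$($PSBoundParameters['Kind'])' is not supported by this cmdlet." }`. The same unguarded null path exists in the New-AzSentinelDataConnector hunk earlier in this patch, whose start is outside this view. The chain of independent `if` statements would also read better as a `switch ($PSBoundParameters['Kind'])` with a `default` arm, which makes the unsupported case explicit and stops re-evaluating the comparison a dozen times per call. The `-eq 'AzureActiveDirectory'` comparisons rely on the DataConnectorKind parameter type comparing equal to its string form; presumably it does, but a `[ValidateSet(...)]` on `${Kind}` listing only the implemented kinds would make the contract explicit at bind time.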
@@ -0,0 +1,814 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the alert rule.
+.Description
+Updates the alert rule.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule
+#>
+function Update-AzSentinelAlertRule {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateScheduled', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ #[Alias('RuleId')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of Operational Insights Resource Provider.
+ ${RuleId},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${FusionMLorTI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftSecurityIncidentCreation},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${NRT},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Scheduled},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplateName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName
= 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesExcludeFilter},
+
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName]
+ ${ProductFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName =
'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]]
+ #High, Medium, Low, Informational
+ ${SeveritiesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Query},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${SuppressionDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${SuppressionEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+
[ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity]
+ ${Severity},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
+ [System.String]
+ ${Tactic},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${CreateIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${GroupingConfigurationEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${ReOpenClosedIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName =
'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${LookbackDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')]
+ [ValidateSet('AllEntities', 'AnyAlert', 'Selected')]
+ [System.String]
+ ${MatchingMethod},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail]
+ ${GroupByAlertDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [string[]]
+ ${GroupByCustomDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]
+ ${GroupByEntity},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]
+ ${EntityMapping},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDescriptionFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDisplayNameFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertSeverityColumnName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName =
'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertTacticsColumnName},
+
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryFrequency},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator]
+ ${TriggerOperator},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [int]
+ ${TriggerThreshold},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind]
+ ${EventGroupingSettingAggregationKind},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ $null = $PSBoundParameters.Remove('FusionMLorTI')
+ $null =
$PSBoundParameters.Remove('MicrosoftSecurityIncidentCreation')
+ $null = $PSBoundParameters.Remove('NRT')
+ $null = $PSBoundParameters.Remove('Scheduled')
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if($PSBoundParameters['InputObject']){
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('RuleId', $PSBoundParameters['RuleId'])
+ }
+ $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule @GetPSBoundParameters
+
+ #Fusion
+ if ($AlertRule.Kind -eq 'Fusion'){
+ If($PSBoundParameters['AlertTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+ #MSIC
+ if($AlertRule.Kind -eq 'MicrosoftSecurityIncidentCreation'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['DisplayNamesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesFilter')
+ }
+
+ If($PSBoundParameters['DisplayNamesExcludeFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter']
+ $null =
$PSBoundParameters.Remove('DisplayNamesExcludeFilter')
+ }
+
+ If($PSBoundParameters['ProductFilter']){
+ $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter']
+ $null = $PSBoundParameters.Remove('ProductFilter')
+ }
+
+ If($PSBoundParameters['SeveritiesFilter']){
+ $Parameter.Enabled = $PSBoundParameters['SeveritiesFilter']
+ $null = $PSBoundParameters.Remove('SeveritiesFilter')
+ }
+ }
+ #ML
+ if ($AlertRule.Kind -eq 'MLBehaviorAnalytics'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ #NRT
+ if($AlertRule.Kind -eq 'NRT'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $PSBoundParameters['Enabled']
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null =
$PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['IncidentConfigurationCreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('IncidentConfigurationCreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $true
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+
$AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ }
+ #Scheduled
+ if ($AlertRule.Kind -eq 'Scheduled'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $PSBoundParameters['Enabled']
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName =
$PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['MatchingMethod']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+
$AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ If($PSBoundParameters['QueryFrequency']){
+ $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency']
+ $null = $PSBoundParameters.Remove('QueryFrequency')
+ }
+
+ If($PSBoundParameters['QueryPeriod']){
+ $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod']
+ $null = $PSBoundParameters.Remove('QueryPeriod')
+ }
+
+ If($PSBoundParameters['TriggerOperator']){
+
$AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator']
+ $null = $PSBoundParameters.Remove('TriggerOperator')
+ }
+
+ If($PSBoundParameters['TriggerThreshold']){
+ $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold']
+ $null = $PSBoundParameters.Remove('TriggerThreshold')
+ }
+
+ If($PSBoundParameters['EventGroupingSettingAggregationKind']){
+ $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind']
+ $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind')
+ }
+ }
+ #TI
+ if ($AlertRule.Kind -eq 'ThreatIntelligence'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ $null = $PSBoundParameters.Add('AlertRule', $AlertRule)
+
+ Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
new file mode 100644
index 000000000000..ac285003f984
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
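Review bot: Every Kind branch ends its `-Enabled` handling with `else { $AlertRule.Enabled = $false }`, so an update that omits the switch (for example one that only passes `-Description`) silently disables the detection rule that was just fetched; the NRT and Scheduled branches do the same to `SuppressionEnabled`, `IncidentConfigurationCreateIncident`, `GroupingConfigurationEnabled` and `GroupingConfigurationReOpenClosedIncident`. Because the rule is read back with `Get-AzSentinelAlertRule` first, the `else` arms should be removed so an unbound switch keeps the stored value, e.g. `If($PSBoundParameters['Enabled']){ $AlertRule.Enabled = $true; $null = $PSBoundParameters.Remove('Enabled') }` with no `else`. Several assignments also target the wrong property: in the MicrosoftSecurityIncidentCreation branch `Description`, `DisplayNamesFilter` and `DisplayNamesExcludeFilter` are all written into `$AlertRule.Enabled` and `SeveritiesFilter` into the never-assigned `$Parameter`, and in the NRT and Scheduled branches `AlertRuleTemplateName` and `Description` are likewise written into `Enabled` (the fence below assumes the model exposes these as `Description`, `DisplayNamesFilter`, `DisplayNamesExcludeFilter` and `SeveritiesFilter`, matching the existing `ProductFilter` line — confirm against the model). The NRT branch additionally tests `IncidentConfigurationCreateIncident` instead of the declared `CreateIncident`, reuses `Enabled` (already removed a few lines earlier) as the guard for `GroupingConfigurationEnabled`, and guards `MatchingMethod` with `LookbackDuration`, so those parameters are never applied and remain in `$PSBoundParameters` when it is splatted to the internal cmdlet; the Fusion branch's `If($PSBoundParameters['AlertTemplateName'])` has the same never-matches problem. The comment on `${RuleId}` (`# The name of Operational Insights Resource Provider.`) also looks copied from another parameter and should read something like `# The ID of the alert rule to update.`.
```powershell
# … unchanged: Fusion branch, except its guard becomes If($PSBoundParameters['AlertRuleTemplateName']) …
#MSIC
if($AlertRule.Kind -eq 'MicrosoftSecurityIncidentCreation'){
    # … unchanged: AlertRuleTemplateName …
    If($PSBoundParameters['Enabled']){
        $AlertRule.Enabled = $true
        $null = $PSBoundParameters.Remove('Enabled')
    }
    If($PSBoundParameters['Description']){
        $AlertRule.Description = $PSBoundParameters['Description']
        $null = $PSBoundParameters.Remove('Description')
    }
    If($PSBoundParameters['DisplayNamesFilter']){
        $AlertRule.DisplayNamesFilter = $PSBoundParameters['DisplayNamesFilter']
        $null = $PSBoundParameters.Remove('DisplayNamesFilter')
    }
    If($PSBoundParameters['DisplayNamesExcludeFilter']){
        $AlertRule.DisplayNamesExcludeFilter = $PSBoundParameters['DisplayNamesExcludeFilter']
        $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
    }
    # … unchanged: ProductFilter …
    If($PSBoundParameters['SeveritiesFilter']){
        $AlertRule.SeveritiesFilter = $PSBoundParameters['SeveritiesFilter']
        $null = $PSBoundParameters.Remove('SeveritiesFilter')
    }
}
#NRT
if($AlertRule.Kind -eq 'NRT'){
    If($PSBoundParameters['AlertRuleTemplateName']){
        $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
        $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
    }
    If($PSBoundParameters['Enabled']){
        $AlertRule.Enabled = $true
        $null = $PSBoundParameters.Remove('Enabled')
    }
    If($PSBoundParameters['Description']){
        $AlertRule.Description = $PSBoundParameters['Description']
        $null = $PSBoundParameters.Remove('Description')
    }
    # … unchanged: Query, DisplayName, SuppressionDuration, Severity, Tactic (drop the else arms on the switches) …
    If($PSBoundParameters['CreateIncident']){
        $AlertRule.IncidentConfigurationCreateIncident = $true
        $null = $PSBoundParameters.Remove('CreateIncident')
    }
    If($PSBoundParameters['GroupingConfigurationEnabled']){
        $AlertRule.GroupingConfigurationEnabled = $true
        $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
    }
    # … unchanged: ReOpenClosedIncident, LookbackDuration …
    If($PSBoundParameters['MatchingMethod']){
        $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
        $null = $PSBoundParameters.Remove('MatchingMethod')
    }
    # … unchanged: GroupBy*, EntityMapping, AlertDetailOverride* …
}
# … unchanged: Scheduled branch, with the same AlertRuleTemplateName/Description/else-arm fixes …
```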
@@ -0,0 +1,831 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the data connector.
+.Description
+Updates the data connector.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector
+#>
+function Update-AzSentinelDataConnector {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateAADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Id of the Data Connector.
+ ${DataConnectorId},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365', Mandatory, ValueFromPipeline)]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Alerts},
+
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CommonDataServiceActivity},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DiscoveryLogs},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${BingSafetyPhishinURL},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${BingSafetyPhishingUrlLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeed},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeedLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Incidents},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Exchange},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${SharePoint},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Teams},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Indicators},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${WorkspaceId},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${FriendlyName},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${APIRootURL},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CollectionId},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UserName},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Password},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${TaxiiLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency]
+ ${PollingFrequency},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AWSRoleArn},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Logs},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${SQSURL},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DetinationTable},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigTitle},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigPublisher},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigDescriptionMarkdown},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigCustomImage},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigGraphQueriesTableName},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]]
+ ${UiConfigGraphQuery},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]]
+ ${UiConfigSampleQuery},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]]
+ ${UiConfigDataType},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]]
+ ${UiConfigConnectivityCriterion},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Bool]
+ ${AvailabilityIsPreview},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)]
+ [Int]
+ ${AvailabilityStatus},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]]
+ ${PermissionResourceProvider},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]]
+ ${PermissionCustom},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]]
+ ${UiConfigInstructionStep},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if ($PSBoundParameters['InputObject']) {
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('DataConnectorId', $PSBoundParameters['DataConnectorId'])
+ }
+ $DataConnector = Az.SecurityInsights\Get-AzSentinelDataConnector @GetPSBoundParameters
+
+
+ if ($DataConnector.Kind -eq 'AzureActiveDirectory') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'AzureAdvancedThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'Dynamics365') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['CommonDataServiceActivity']) {
+ $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity']
+ $null = $PSBoundParameters.Remove('CommonDataServiceActivity')
+ }
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftCloudAppSecurity') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+
+ If ($PSBoundParameters['DiscoveryLogs']) {
+ $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs']
+ $null = $PSBoundParameters.Remove('DiscoveryLogs')
+ }
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftDefenderAdvancedThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftThreatIntelligence') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['BingSafetyPhishinURL']) {
+ $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishinURL']
+ $null = $PSBoundParameters.Remove('BingSafetyPhishinURL')
+ }
+
+ If ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']) {
+ if ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod')
+ }
+
+ If ($PSBoundParameters['MicrosoftEmergingThreatFeed']) {
+ $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed']
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed')
+ }
+
+ If ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']) {
+ if ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod')
+ }
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Incidents']) {
+ $DataConnector.IncidentState = $PSBoundParameters['Incidents']
+ $null = $PSBoundParameters.Remove('Incidents')
+ }
+ }
+ if ($DataConnector.Kind -eq 'Office365') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Exchange']) {
+ $DataConnector.ExchangeState = $PSBoundParameters['Exchange']
+ $null = $PSBoundParameters.Remove('Exchange')
+ }
+
+ If ($PSBoundParameters['SharePoint']) {
+ $DataConnector.SharePointState = $PSBoundParameters['SharePoint']
+ $null = $PSBoundParameters.Remove('SharePoint')
+ }
+
+ If ($PSBoundParameters['Teams']) {
+ $DataConnector.TeamState = $PSBoundParameters['Teams']
+ $null = $PSBoundParameters.Remove('Teams')
+ }
+ }
+ if ($DataConnector.Kind -eq 'OfficeATP') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'OfficeIRM') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'ThreatIntelligence') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Indicators']) {
+ $DataConnector.IndicatorState = $PSBoundParameters['Indicators']
+ $null = $PSBoundParameters.Remove('Indicators')
+ }
+ }
+ if ($DataConnector.Kind -eq 'ThreatIntelligenceTaxii') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['FriendlyName']) {
+ $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName']
+ $null = $PSBoundParameters.Remove('FriendlyName')
+ }
+
+ If ($PSBoundParameters['APIRootURL']) {
+ $DataConnector.TaxiiServer = $PSBoundParameters['APIRootURL']
+ $null = $PSBoundParameters.Remove('APIRootURL')
+ }
+
+ If ($PSBoundParameters['CollectionId']) {
+ $DataConnector.CollectionId = $PSBoundParameters['CollectionId']
+ $null = $PSBoundParameters.Remove('CollectionId')
+ }
+
+ If ($PSBoundParameters['UserName']) {
+ $DataConnector.UserName = $PSBoundParameters['UserName']
+ $null = $PSBoundParameters.Remove('UserName')
+ }
+
+ If ($PSBoundParameters['Password']) {
+ $DataConnector.Password = $PSBoundParameters['Password']
+ $null = $PSBoundParameters.Remove('Password')
+ }
+
+ If ($PSBoundParameters['WorkspaceId']) {
+ $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId']
+ $null = $PSBoundParameters.Remove('WorkspaceId')
+ }
+
+ if ($PSBoundParameters['PollingFrequency']) {
+ if ($PSBoundParameters['PollingFrequency'] -eq 'OnceADay') {
+ $DataConnector.PollingFrequency = "OnceADay"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') {
+ $DataConnector.PollingFrequency = "OnceAMinute"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') {
+ $DataConnector.PollingFrequency = "OnceAnHour"
+ }
+ $null = $PSBoundParameters.Remove('PollingFrequency')
+ }
+ }
+ if ($DataConnector.Kind -eq 'AzureSecurityCenter') {
+ If ($PSBoundParameters['ASCSubscriptionId']) {
+ $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if ($DataConnector.Kind -eq 'AmazonWebServicesCloudTrail') {
+ If ($PSBoundParameters['AWSRoleArn']) {
+ $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+ }
+
+ If ($PSBoundParameters['Logs']) {
+ $DataConnector.LogState = $PSBoundParameters['Logs']
+ $null = $PSBoundParameters.Remove('Logs')
+ }
+ }
+ if ($DataConnector.Kind -eq 'AmazonWebServicesS3') {
+ If ($PSBoundParameters['AWSRoleArn']) {
+ $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+ }
+
+ If ($PSBoundParameters['Logs']) {
+ $DataConnector.LogState = $PSBoundParameters['Logs']
+ $null = $PSBoundParameters.Remove('Logs')
+ }
+
+ If ($PSBoundParameters['SQSURL']) {
+ $DataConnector.SqsUrl = $PSBoundParameters['SQSURL']
+ $null = $PSBoundParameters.Remove('SQSURL')
+ }
+ If ($PSBoundParameters['DetinationTable']) {
+ $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable']
+ $null = $PSBoundParameters.Remove('DetinationTable')
+ }
+ }
+ if ($DataConnector.Kind -eq 'GenericUI') {
+ If ($PSBoundParameters['UiConfigTitle']) {
+ $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle']
+ $null = $PSBoundParameters.Remove('UiConfigTitle')
+ }
+ If ($PSBoundParameters['UiConfigPublisher']) {
+ $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher']
+ $null = $PSBoundParameters.Remove('UiConfigPublisher')
+ }
+ If ($PSBoundParameters['UiConfigDescriptionMarkdown']) {
+ $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown']
+ $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown')
+ }
+ If ($PSBoundParameters['UiConfigCustomImage']) {
+ $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage']
+ $null = $PSBoundParameters.Remove('UiConfigCustomImage')
+ }
+ If ($PSBoundParameters['UiConfigGraphQueriesTableName']) {
+ $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName')
+ }
+ If ($PSBoundParameters['UiConfigGraphQuery']) {
+ $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQuery')
+ }
+ If 
($PSBoundParameters['UiConfigSampleQuery']) { + $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery'] + $null = $PSBoundParameters.Remove('UiConfigSampleQuery') + } + If ($PSBoundParameters['UiConfigDataType']) { + $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType'] + $null = $PSBoundParameters.Remove('UiConfigDataType') + } + If ($PSBoundParameters['UiConfigConnectivityCriterion']) { + $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion'] + $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion') + } + If ($PSBoundParameters['AvailabilityIsPreview']) { + $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview'] + $null = $PSBoundParameters.Remove('AvailabilityIsPreview') + } + If ($PSBoundParameters['AvailabilityStatus']) { + $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus'] + $null = $PSBoundParameters.Remove('AvailabilityStatus') + } + If ($PSBoundParameters['PermissionResourceProvider']) { + $DataConnector.PermissionResourceProvider = $PSBoundParameters['PermissionResourceProvider'] + $null = $PSBoundParameters.Remove('PermissionResourceProvider') + } + If ($PSBoundParameters['PermissionCustom']) { + $DataConnector.DestinationTable = $PSBoundParameters['PermissionCustom'] + $null = $PSBoundParameters.Remove('PermissionCustom') + } + If ($PSBoundParameters['UiConfigInstructionStep']) { + $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep'] + $null = $PSBoundParameters.Remove('UiConfigInstructionStep') + } + } + + $null = $PSBoundParameters.Add('DataConnector', $DataConnector) + Az.SecurityInsights.internal\Update-AzSentinelDataConnector @PSBoundParameters + } + catch { + throw + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
new file mode 100644
index 000000000000..9ba61bf4ccac
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
@@ -0,0 +1,262 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Updates the entity query. +.Description +Updates the entity query. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery +#> +function Update-AzSentinelEntityQuery { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])] + [CmdletBinding(DefaultParameterSetName = 'UpdateActivity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter(ParameterSetName = 'UpdateActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. + ${SubscriptionId}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. 
+ ${ResourceGroupName}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Id of the Entity Query. + ${EntityQueryId}, + + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity', Mandatory, ValueFromPipeline)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity] + # Identity Parameter + # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + ${InputObject}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Title}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Content}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${Description}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${QueryDefinitionQuery}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])] + 
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType] + ${InputEntityType}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [String[]] + ${RequiredInputFieldsSet}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter] + ${EntitiesFilter}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + ${TemplateName}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Enabled}, + + [Parameter(ParameterSetName = 'UpdateActivity')] + [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Disabled}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Handle Get + $GetPSBoundParameters = @{} + if($PSBoundParameters['InputObject']){ + 
$GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject']) + } + else { + $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) + $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) + $GetPSBoundParameters.Add('EntityQueryId', $PSBoundParameters['EntityQueryId']) + } + $EntityQuery = Az.SecurityInsights\Get-AzSentinelEntityQuery @GetPSBoundParameters + + if ($EntityQuery.Kind -eq 'Activity'){ + If($PSBoundParameters['Title']){ + $EntityQuery.Title = $PSBoundParameters['Title'] + $null = $PSBoundParameters.Remove('Title') + } + + If($PSBoundParameters['Content']){ + $EntityQuery.Content = $PSBoundParameters['Content'] + $null = $PSBoundParameters.Remove('Content') + } + + If($PSBoundParameters['Description']){ + $EntityQuery.Description = $PSBoundParameters['Description'] + $null = $PSBoundParameters.Remove('Description') + } + + If($PSBoundParameters['QueryDefinitionQuery']){ + $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery'] + $null = $PSBoundParameters.Remove('QueryDefinitionQuery') + } + + If($PSBoundParameters['InputEntityType']){ + $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType'] + $null = $PSBoundParameters.Remove('InputEntityType') + } + + If($PSBoundParameters['RequiredInputFieldsSet']){ + $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet'] + $null = $PSBoundParameters.Remove('RequiredInputFieldsSet') + } + + If($PSBoundParameters['EntitiesFilter']){ + $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter'] + $null = $PSBoundParameters.Remove('EntitiesFilter') + } + + If($PSBoundParameters['TemplateName']){ + $EntityQuery.TemplateName = $PSBoundParameters['TemplateName'] + $null = $PSBoundParameters.Remove('TemplateName') + } + + If($PSBoundParameters['Enabled']){ + $EntityQuery.Enabled = $true + $null = $PSBoundParameters.Remove('Enabled') + } + + If($PSBoundParameters['Disabled']){ + 
$EntityQuery.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+ }
+ else {
+ Write-Error "This cmdlet only works with Entity Queries of the Activity kind."
+ break
+ }
+
+ $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+ Az.SecurityInsights.internal\Update-AzSentinelEntityQuery @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1
new file mode 100644
index 000000000000..ce94d00a7d27
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1
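Review bot: The pre-update `Get-AzSentinelEntityQuery` call in the non-identity branch forwards only ResourceGroupName, WorkspaceName and EntityQueryId, so an explicit `-SubscriptionId` or `-DefaultProfile` is dropped for the read while it is (presumably) still honoured by the splatted internal update — a caller targeting a second subscription reads the query from the context's default subscription and writes it back to the other one. Forward both when present: `if ($PSBoundParameters['SubscriptionId']) { $GetPSBoundParameters.Add('SubscriptionId', $PSBoundParameters['SubscriptionId']) }` and the same for `DefaultProfile`. Separately, the `break` after `Write-Error` in the non-Activity branch is not inside a loop, so it unwinds the caller's script rather than just this cmdlet; `throw "This cmdlet only works with Entity Queries of the Activity kind."` (or `return`) is the right exit there.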
@@ -0,0 +1,246 @@ + +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- + +<# +.Synopsis +Updates setting. +.Description +Updates setting. + +.Link +https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting +#> +function Update-AzSentinelSetting { + [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings])] + [CmdletBinding(DefaultParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')] + param( + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateExpandedUeba')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')] + [System.String] + # Gets subscription credentials which uniquely identify Microsoft Azure subscription. + # The subscription ID forms part of the URI for every service call. 
+ ${SubscriptionId}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The Resource Group Name. + ${ResourceGroupName}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + #[Alias('DataConnectionName')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [System.String] + # The name of the workspace. + ${WorkspaceName}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.SettingKind])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [System.String] + # The setting Name + ${SettingsName}, + + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory, ValueFromPipeline)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory, ValueFromPipeline)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity] + # Identity Parameter + # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ ${InputObject}, + + #Anomalies + #.EyesOn + #.EntityAnalytics + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Enabled}, + + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Disabled}, + + #.Ueba + [Parameter(ParameterSetName = 'UpdateExpandedUeba')] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba')] + [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources])] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]] + ${DataSource}, + + [Parameter()] + [Alias('AzureRMContext', 'AzureCredential')] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')] + [System.Management.Automation.PSObject] + # The credentials, account, tenant, and subscription used for communication with Azure. 
+ ${DefaultProfile}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command as a job + ${AsJob}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Wait for .NET debugger to attach + ${Break}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be appended to the front of the pipeline + ${HttpPipelineAppend}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]] + # SendAsync Pipeline Steps to be prepended to the front of the pipeline + ${HttpPipelinePrepend}, + + [Parameter()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Run the command asynchronously + ${NoWait}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Uri] + # The URI for the proxy server to use + ${Proxy}, + + [Parameter(DontShow)] + [ValidateNotNull()] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.PSCredential] + # Credentials for a proxy server to use for the remote call + ${ProxyCredential}, + + [Parameter(DontShow)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + # Use the default credentials for the proxy + ${ProxyUseDefaultCredentials} + ) + + process { + try { + #Handle Get + $GetPSBoundParameters = @{} + if($PSBoundParameters['InputObject']){ + 
$GetPSBoundParameters.Add('ResourceGroupName', ($PSBoundParameters['InputObject']).Id.Split('/')[4]) + $GetPSBoundParameters.Add('WorkspaceName', ($PSBoundParameters['InputObject']).Id.Split('/')[8]) + $Name = ($PSBoundParameters['InputObject']).Name + } + else { + $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) + $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) + $Name = $PSBoundParameters['SettingsName'] + } + if($Name -eq 'Ueba'){ + $GetPSBoundParameters.Add('SettingsName', 'Ueba') + $ueba = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters + } + else{ + $Settings = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters + } + + + if ($Name -eq 'Anomalies'){ + If($PSBoundParameters['Enabled']){ + if($Settings.Name -contains 'Anomalies'){ + Write-Host "$Name is already Enabled!" -ForegroundColor Green + } + else{ + Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name + } + } + + If($PSBoundParameters['Disabled']){ + if($Settings.Name -contains 'Anomalies'){ + Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name + } + else{ + Write-Host "$Name is already Disabled!" -ForegroundColor Green + } + } + } + if ($Name -eq 'EyesOn'){ + If($PSBoundParameters['Enabled']){ + if($Settings.Name -contains 'EyesOn'){ + Write-Host "$Name is already Enabled!" 
-ForegroundColor Green
+ }
+ else{
+ Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name
+ }
+ }
+
+ If($PSBoundParameters['Disabled']){
+ if($Settings.Name -contains 'EyesOn'){
+ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name
+ }
+ else{
+ Write-Host "$Name is already Disabled!" -ForegroundColor Green
+ }
+ }
+ }
+ if ($Name -eq 'EntityAnalytics'){
+ If($PSBoundParameters['Enabled']){
+ if($Settings.Name -contains 'EntityAnalytics'){
+ Write-Host "$Name is already Enabled!" -ForegroundColor Green
+ }
+ else{
+ Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name
+ }
+ }
+
+ If($PSBoundParameters['Disabled']){
+ if($Settings.Name -contains 'EntityAnalytics'){
+ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name
+ }
+ else{
+ Write-Host "$Name is already Disabled!" -ForegroundColor Green
+ }
+ }
+ }
+
+ if ($Name -eq 'Ueba'){
+ If($PSBoundParameters['DataSource']){
+ $ueba.DataSource = $PSBoundParameters['DataSource']
+ $null = $PSBoundParameters.Remove('DataSource')
+ }
+ $null = $PSBoundParameters.Add('Setting', $Setting)
+ Az.SecurityInsights.internal\Update-AzSentinelSetting @PSBoundParameters
+ }
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/docs/Az.SecurityInsights.md b/src/SecurityInsights/docs/Az.SecurityInsights.md
new file mode 100644
index 000000000000..136272a12bf0
--- /dev/null
+++ b/src/SecurityInsights/docs/Az.SecurityInsights.md
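Review bot: In the `Ueba` branch the request body is taken from `$Setting`, which is never assigned anywhere in this function — the object fetched by `Get-AzSentinelSetting` is `$ueba` — so the internal update is splatted with a null `-Setting` and the `DataSource` value written to `$ueba` is never sent; it should read `$null = $PSBoundParameters.Add('Setting', $ueba)`. The three `Disabled` paths delete the setting through `Remove-AzSentinelSetting` with explicitly named parameters, so `-SubscriptionId`, `-DefaultProfile`, `-WhatIf` and `-Confirm` given to this cmdlet are not forwarded, and although `SupportsShouldProcess` is declared `$PSCmdlet.ShouldProcess` is never called; guard each delete with `if ($PSCmdlet.ShouldProcess($Name, 'Remove Sentinel setting')) { ... }` and pass the context parameters through. The identity branch likewise discards the subscription segment of `InputObject.Id` (index 2) while taking resource group and workspace from indexes 4 and 8, so a piped object from another subscription is resolved against the current context's subscription. I cannot tell from this hunk whether the nested-module cmdlets inherit `$WhatIfPreference`, which is why the explicit ShouldProcess guard is the safe choice for a destructive call.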
@@ -0,0 +1,199 @@ +--- +Module Name: Az.SecurityInsights +Module Guid: 3a0e09d6-7b89-4078-a565-5db26e7455b8 +Download Help Link: https://docs.microsoft.com/powershell/module/az.securityinsights +Help Version: 1.0.0.0 +Locale: en-US +--- + +# Az.SecurityInsights Module +## Description +Microsoft Azure PowerShell: SecurityInsights cmdlets + +## Az.SecurityInsights Cmdlets +### [Get-AzSentinelAlertRule](Get-AzSentinelAlertRule.md) +Gets the alert rule. + +### [Get-AzSentinelAlertRuleAction](Get-AzSentinelAlertRuleAction.md) +Gets the action of alert rule. + +### [Get-AzSentinelAlertRuleTemplate](Get-AzSentinelAlertRuleTemplate.md) +Gets the alert rule template. + +### [Get-AzSentinelAutomationRule](Get-AzSentinelAutomationRule.md) +Gets the automation rule. + +### [Get-AzSentinelBookmark](Get-AzSentinelBookmark.md) +Gets a bookmark. + +### [Get-AzSentinelBookmarkRelation](Get-AzSentinelBookmarkRelation.md) +Gets a bookmark relation. + +### [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md) +Gets a data connector. + +### [Get-AzSentinelEnrichment](Get-AzSentinelEnrichment.md) +Get geodata for a single IP address + +### [Get-AzSentinelEntity](Get-AzSentinelEntity.md) +Gets an entity. + +### [Get-AzSentinelEntityActivity](Get-AzSentinelEntityActivity.md) +Get Insights and Activities for an entity. + +### [Get-AzSentinelEntityInsight](Get-AzSentinelEntityInsight.md) +Execute Insights for an entity. + +### [Get-AzSentinelEntityQuery](Get-AzSentinelEntityQuery.md) +Gets an entity query. + +### [Get-AzSentinelEntityQueryTemplate](Get-AzSentinelEntityQueryTemplate.md) +Gets an entity query. + +### [Get-AzSentinelEntityRelation](Get-AzSentinelEntityRelation.md) +Gets an entity relation. + +### [Get-AzSentinelEntityTimeline](Get-AzSentinelEntityTimeline.md) +Timeline for an entity. + +### [Get-AzSentinelIncident](Get-AzSentinelIncident.md) +Gets an incident. + +### [Get-AzSentinelIncidentAlert](Get-AzSentinelIncidentAlert.md) +Gets all incident alerts. 
+ +### [Get-AzSentinelIncidentBookmark](Get-AzSentinelIncidentBookmark.md) +Gets all incident bookmarks. + +### [Get-AzSentinelIncidentComment](Get-AzSentinelIncidentComment.md) +Gets an incident comment. + +### [Get-AzSentinelIncidentEntity](Get-AzSentinelIncidentEntity.md) +Gets all incident related entities. + +### [Get-AzSentinelIncidentRelation](Get-AzSentinelIncidentRelation.md) +Gets an incident relation. + +### [Get-AzSentinelMetadata](Get-AzSentinelMetadata.md) +Get a Metadata. + +### [Get-AzSentinelOnboardingState](Get-AzSentinelOnboardingState.md) +Get Sentinel onboarding state + +### [Get-AzSentinelSetting](Get-AzSentinelSetting.md) +Gets a setting. + +### [Get-AzSentinelThreatIntelligenceIndicator](Get-AzSentinelThreatIntelligenceIndicator.md) +View a threat intelligence indicator by name. + +### [Get-AzSentinelThreatIntelligenceIndicatorMetric](Get-AzSentinelThreatIntelligenceIndicatorMetric.md) +Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). + +### [Invoke-AzSentinelThreatIntelligenceIndicatorQuery](Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md) +Query threat intelligence indicators as per filtering criteria. + +### [New-AzSentinelAlertRule](New-AzSentinelAlertRule.md) +Creates or updates the alert rule. + +### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) +Creates or updates the action of alert rule. + +### [New-AzSentinelAutomationRule](New-AzSentinelAutomationRule.md) +Creates or updates the automation rule. + +### [New-AzSentinelBookmark](New-AzSentinelBookmark.md) +Creates or updates the bookmark. + +### [New-AzSentinelBookmarkRelation](New-AzSentinelBookmarkRelation.md) +Creates the bookmark relation. + +### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md) +Creates or updates the data connector. + +### [New-AzSentinelEntityQuery](New-AzSentinelEntityQuery.md) +Creates or updates the entity query. 
+ +### [New-AzSentinelIncident](New-AzSentinelIncident.md) +Creates or updates the incident. + +### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md) +Creates or updates the incident comment. + +### [New-AzSentinelIncidentRelation](New-AzSentinelIncidentRelation.md) +Creates or updates the incident relation. + +### [New-AzSentinelIncidentTeam](New-AzSentinelIncidentTeam.md) +Creates a Microsoft team to investigate the incident by sharing information and insights between participants. + +### [New-AzSentinelOnboardingState](New-AzSentinelOnboardingState.md) +Create Sentinel onboarding state + +### [Remove-AzSentinelAlertRule](Remove-AzSentinelAlertRule.md) +Delete the alert rule. + +### [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md) +Delete the action of alert rule. + +### [Remove-AzSentinelAutomationRule](Remove-AzSentinelAutomationRule.md) +Delete the automation rule. + +### [Remove-AzSentinelBookmark](Remove-AzSentinelBookmark.md) +Delete the bookmark. + +### [Remove-AzSentinelBookmarkRelation](Remove-AzSentinelBookmarkRelation.md) +Delete the bookmark relation. + +### [Remove-AzSentinelDataConnector](Remove-AzSentinelDataConnector.md) +Delete the data connector. + +### [Remove-AzSentinelEntityQuery](Remove-AzSentinelEntityQuery.md) +Delete the entity query. + +### [Remove-AzSentinelIncident](Remove-AzSentinelIncident.md) +Delete the incident. + +### [Remove-AzSentinelIncidentComment](Remove-AzSentinelIncidentComment.md) +Delete the incident comment. + +### [Remove-AzSentinelIncidentRelation](Remove-AzSentinelIncidentRelation.md) +Delete the incident relation. + +### [Remove-AzSentinelOnboardingState](Remove-AzSentinelOnboardingState.md) +Delete Sentinel onboarding state + +### [Test-AzSentinelDataConnectorCheckRequirement](Test-AzSentinelDataConnectorCheckRequirement.md) +Get requirements state for a data connector type. + +### [Update-AzSentinelAlertRule](Update-AzSentinelAlertRule.md) +Updates the alert rule. 
+ +### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md) +Creates or updates the action of alert rule. + +### [Update-AzSentinelAutomationRule](Update-AzSentinelAutomationRule.md) +Creates or updates the automation rule. + +### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md) +Creates or updates the bookmark. + +### [Update-AzSentinelBookmarkRelation](Update-AzSentinelBookmarkRelation.md) +Creates the bookmark relation. + +### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md) +Updates the data connector. + +### [Update-AzSentinelEntityQuery](Update-AzSentinelEntityQuery.md) +Updates the entity query. + +### [Update-AzSentinelIncident](Update-AzSentinelIncident.md) +Creates or updates the incident. + +### [Update-AzSentinelIncidentComment](Update-AzSentinelIncidentComment.md) +Creates or updates the incident comment. + +### [Update-AzSentinelIncidentRelation](Update-AzSentinelIncidentRelation.md) +Creates or updates the incident relation. + +### [Update-AzSentinelSetting](Update-AzSentinelSetting.md) +Updates setting. + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md new file mode 100644 index 000000000000..cfc6b8728c36 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md 
@@ -0,0 +1,235 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertrule +schema: 2.0.0 +--- + +# Get-AzSentinelAlertRule + +## SYNOPSIS +Gets the alert rule. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelAlertRule -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets the alert rule. + +## EXAMPLES + +### Example 1: List all Alert Rules +```powershell + Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alert Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule +```powershell + Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181" +``` + +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule. 
+ +### Example 3: Get an Alert Rule by object Id +```powershell + $rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $rules[0] | Get-AzSentinelAlertRule +``` + +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +Alert rule ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. 
+ - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..f6482fc95095 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md 
@@ -0,0 +1,209 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruleaction +schema: 2.0.0 +--- + +# Get-AzSentinelAlertRuleAction + +## SYNOPSIS +Gets the action of alert rule. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelAlertRuleAction -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets the action of alert rule. + +## EXAMPLES + +### Example 1: List all Actions for a given Alert Rule +```powershell + Get-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "myRuleId" +``` + +```output +LogicAppResourceId : /subscriptions/174b1a81-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/A-Demo-1 +Name : f32239c5-cb9c-48da-a3f6-bd5bd3d924a4 +WorkflowId : 3c73d72560fa4cb6a72a0f10d3a80940 + +LogicAppResourceId : /subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/EmptyPlaybook +Name : cf815c77-bc65-4c02-946f-d81e15e9a100 +WorkflowId : 1ac8ccb8bd134253b4baf0c75fe3ecc6 +``` + +This command lists all Actions for a given Alert Rule. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Action ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: ActionId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +Alert rule ID + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md new file mode 100644 index 000000000000..86b15193b94d --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md 
@@ -0,0 +1,221 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruletemplate +schema: 2.0.0 +--- + +# Get-AzSentinelAlertRuleTemplate + +## SYNOPSIS +Gets the alert rule template. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelAlertRuleTemplate -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelAlertRuleTemplate -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelAlertRuleTemplate -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets the alert rule template. + +## EXAMPLES + +### Example 1: List all Alert Rule Templates +```powershell + Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 + +DisplayName : Accessed files shared by temporary external user +Description : This detection identifies an external user is added to a Team or Teams chat + and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be + an indicator of suspicious activity. +CreatedDateUtc : 8/18/2020 12:00:00 AM +LastUpdatedDateUtc : 1/3/2022 12:00:00 AM +Kind : Scheduled +Severity : Low +Name : bff058b2-500e-4ae5-bb49-a5b1423cbd5b +``` + +This command lists all Alert Rule Templates under a Microsoft Sentinel workspace. 
+ +### Example 2: Get an Alert Rule Template +```powershell + Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myRuaac495a9-feb1-446d-b08e-a1164a539452leTemplateId" +``` + +```output +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 +``` + +This command gets an Alert Rule Template. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Alert rule template ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: AlertRuleTemplateId, TemplateId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRuleTemplate + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. 
+ - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md new file mode 100644 index 000000000000..43921221c76f --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md 
@@ -0,0 +1,212 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelautomationrule +schema: 2.0.0 +--- + +# Get-AzSentinelAutomationRule + +## SYNOPSIS +Gets the automation rule. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelAutomationRule -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets the automation rule. + +## EXAMPLES + +### Example 1: List all Automation Rules +```powershell + Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 + +``` + +This command lists all Automation Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Automation Rule +```powershell + Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "2f32af32-ad13-4fbb-9fbc-e19e0e7ff767" +``` + +```output +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 +``` + +This command gets an Automation Rule. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Automation rule ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: AutomationRuleId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md new file mode 100644 index 000000000000..51e41574b2b4 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md 
@@ -0,0 +1,210 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmark +schema: 2.0.0 +--- + +# Get-AzSentinelBookmark + +## SYNOPSIS +Gets a bookmark. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelBookmark -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets a bookmark. + +## EXAMPLES + +### Example 1: List all Bookmarks +```powershell + Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 + +``` + +This command lists all Bookmarks under a Microsoft Sentinel workspace. + +### Example 2: Get a Bookmark +```powershell + Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "515fc035-2ed8-4fa1-ad7d-28b401e1e0c9" +``` + +```output +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 +``` + +This command gets a Bookmark. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: BookmarkId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. 
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..29e9a3f98e06 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,298 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmarkrelation
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmarkRelation
+
+## SYNOPSIS
+Gets a bookmark relation.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelBookmarkRelation -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a bookmark relation.
+
+## EXAMPLES
+
+### Example 1: List all Bookmark Relations for a given Bookmark
+```powershell
+ Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command lists all Bookmark Relations for a given Bookmark.
+
+### Example 2: Get a Bookmark Relation
+```powershell
+ Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark Relation.
+
+### Example 3: Get a Bookmark Relation by object Id
+```powershell
+ $Bookmarkrelations = Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+ $Bookmarkrelations[0] | Get-AzSentinelBookmarkRelation
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark by object
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name.
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..bdd246d7622c
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
@@ -0,0 +1,209 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentineldataconnector
+schema: 2.0.0
+---
+
+# Get-AzSentinelDataConnector
+
+## SYNOPSIS
+Gets a data connector.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelDataConnector -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a data connector.
+
+## EXAMPLES
+
+### Example 1: List all Data Connectors
+```powershell
+ Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Kind : AzureActiveDirectory
+Name : 8207e1f9-a793-4869-afb1-5ad4540d66d1
+
+Kind : AzureAdvancedThreatProtection
+Name : 1d75aada-a558-4461-986b-c6822182e81d
+
+Kind : Office365
+Name : 6323c716-83ae-4cfd-bf93-58235c8beb23
+
+```
+
+This command lists all DataConnectors under a Microsoft Sentinel workspace.
+
+### Example 2: Get a specific Data Connector
+```powershell
+ Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.kind -eq "Office365"}
+```
+
+```output
+Kind : Office365
+Name : 6323c716-83ae-4cfd-bf93-58235c8beb23
+SharePointState : enabled
+```
+
+This command gets a specific DataConnector based on kind
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Connector ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: DataConnectorId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IDataConnector
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md
new file mode 100644
index 000000000000..7797cbb23c00
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md
@@ -0,0 +1,228 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelenrichment
+schema: 2.0.0
+---
+
+# Get-AzSentinelEnrichment
+
+## SYNOPSIS
+Get geodata for a single IP address
+
+## SYNTAX
+
+### Get (Default)
+```
+Get-AzSentinelEnrichment -ResourceGroupName -IPAddress [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get1
+```
+Get-AzSentinelEnrichment -ResourceGroupName -Domain [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelEnrichment -InputObject -IPAddress
+ [-DefaultProfile ] []
+```
+
+### GetViaIdentity1
+```
+Get-AzSentinelEnrichment -InputObject -Domain
+ [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+Get geodata for a single IP address
+
+## EXAMPLES
+
+### Example 1: Get a Domain Enrichment
+```powershell
+ Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com
+```
+
+```output
+Created : 5/2/1991 12:00:00 AM
+Domain : microsoft.com
+Expire : 5/3/2022 12:00:00 AM
+Server : whois.markmonitor.com
+Updated : 3/12/2021 12:00:00 AM
+```
+
+This command gets an enrichment for a domain.
+
+### Example 2: Get a IP Enrichment
+```powershell
+ Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1"
+```
+
+```output
+Asn : 13335
+Carrier : cloudflare
+City : ringwood
+CityCf : 90
+Continent : oceania
+Country : australia
+CountryCf : 99
+IPAddr : 1.1.1.1
+IPRoutingType : fixed
+Latitude : -37.8143
+Longitude : 145.2274
+Organization : apnic and cloudflare dns resolver project
+OrganizationType : Internet Hosting Services
+Region :
+State : victoria
+StateCf : 95
+StateCode :
+
+```
+
+This command an enrichment for an IP Address.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Domain name to be enriched
+
+```yaml
+Type: System.String
+Parameter Sets: Get1, GetViaIdentity1
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity, GetViaIdentity1
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -IPAddress
+IP address (v4 or v6) to be enriched
+
+```yaml
+Type: System.String
+Parameter Sets: Get, GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, Get1
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, Get1
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable.
For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentDomainWhois
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEnrichmentIPGeodata
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/docs/Get-AzSentinelEntity.md
new file mode 100644
index 000000000000..dd8e8b6380bf
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntity.md 
@@ -0,0 +1,234 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentity
+schema: 2.0.0
+---
+
+# Get-AzSentinelEntity
+
+## SYNOPSIS
+Gets an entity.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelEntity -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelEntity -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelEntity -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets an entity.
+
+## EXAMPLES
+
+### Example 1: List all Entities
+```powershell
+ Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+FriendlyName : WIN2019
+Kind : Host
+Name : 8d036a2d-f37d-e936-6cca-4e172687cb79
+
+FriendlyName : 186.120.101.12
+Kind : Ip
+Name : bb590b07-5ef5-bf85-1c3e-2a04e1e137d2
+```
+
+This command lists all Entities under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Entity
+```powershell
+ Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "8d036a2d-f37d-e936-6cca-4e172687cb79"
+```
+
+```output
+FriendlyName : WIN2019
+Kind : Host
+Name : 8d036a2d-f37d-e936-6cca-4e172687cb79
+```
+
+This command gets an Entity.
+
+### Example 3: Get a Entity by object Id
+```powershell
+ $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+ $Entitys[0] | Get-AzSentinelEntity
+```
+
+```output
+FriendlyName : WIN2019
+Kind : Host
+Name : 8d036a2d-f37d-e936-6cca-4e172687cb79
+```
+
+This command gets an Entity by object
+
+### Example 4: Get a Entity by kind
+```powershell
+ Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Kind -eq "CloudApplication"}
+```
+
+```output
+FriendlyName : Office 365
+Kind : CloudApplication
+Name : 8fceb9c4-abe7-7174-aabf-f1dde96a945e
+```
+
+This command gets an Entity by kind
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+entity ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: EntityId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntity
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md
new file mode 100644
index 000000000000..adbf250a4333
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md
@@ -0,0 +1,146 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityactivity
+schema: 2.0.0
+---
+
+# Get-AzSentinelEntityActivity
+
+## SYNOPSIS
+Get Insights and Activities for an entity.
+
+## SYNTAX
+
+```
+Get-AzSentinelEntityActivity -EntityId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+Get Insights and Activities for an entity.
+
+## EXAMPLES
+
+### Example 1: Get Insights and Activities for an Entity
+```powershell
+ Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId"
+```
+
+```output
+FriendlyName : WIN2019
+Kind : Host
+Name : 8d036a2d-f37d-e936-6cca-4e172687cb79
+
+FriendlyName : HackTool:Win32/Mimikatz.gen!H
+Kind : Malware
+Name : 876fda24-fe06-62b7-7dca-bced167a0ca3
+
+FriendlyName : 52.166.111.66
+Kind : Ip
+Name : 4ebb68f3-a435-fac0-d3b6-94712d246f0a
+```
+
+This command gets insights and activities for an Entity.
+
+### Example 2: Get Insights and Activities for an Entity by Id
+```powershell
+ $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "4ebb68f3-a435-fac0-d3b6-94712d246f0a"
+ $Entity | Get-AzSentinelEntityActivity
+```
+
+This command gets insights and activies for an Entity by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EntityId
+entity ID
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryItem
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md
new file mode 100644
index 000000000000..a11223aa02bf
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md 
@@ -0,0 +1,246 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityinsight +schema: 2.0.0 +--- + +# Get-AzSentinelEntityInsight + +## SYNOPSIS +Execute Insights for an entity. + +## SYNTAX + +``` +Get-AzSentinelEntityInsight -EntityId -ResourceGroupName -WorkspaceName + -EndTime -StartTime [-SubscriptionId ] [-AddDefaultExtendedTimeRange] + [-InsightQueryId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Execute Insights for an entity. + +## EXAMPLES + +### Example 1: Get Insights for an Entity for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime +``` + +```output +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity for a given time range. 
+ +### Example 2: Get Insights for an Entity by entity Id for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" + $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime +``` + +```output +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity by object for a given time range. + +## PARAMETERS + +### -AddDefaultExtendedTimeRange +Indicates if query time range should be extended with default time range of the query. +Default value is false + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The end timeline date, so the results returned are before this date. 
+ +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InsightQueryId +List of Insights Query Id. +If empty, default value is all insights of this entity + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The start timeline date, so the results returned are after this date. + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityGetInsightsResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..beef38e95c2b --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md 
@@ -0,0 +1,254 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityquery +schema: 2.0.0 +--- + +# Get-AzSentinelEntityQuery + +## SYNOPSIS +Gets an entity query. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Kind ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityQuery -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityQuery -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity query. + +## EXAMPLES + +### Example 1: List all Entity Queries +```powershell + Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert + +DisplayName : Related alerts +DataSource : {SecurityAlert} +Name : 055a5692-555f-42bd-ac17-923a5a9994ed +InputEntityType : Host +``` + +This command lists all Entity Queries under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query +```powershell + Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryId" +``` + +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets an Entity Query. 
+ +### Example 3: Get an Entity Query by object Id +```powershell + $EntityQueries = Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $EntityQueries[0] | Get-AzSentinelEntityQuery +``` + +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets a Entity Query by object. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity query ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: EntityQueryId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Kind +The entity query kind we want to fetch + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQuery + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md new file mode 100644 index 000000000000..defea674fb03 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md 
@@ -0,0 +1,242 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityquerytemplate +schema: 2.0.0 +--- + +# Get-AzSentinelEntityQueryTemplate + +## SYNOPSIS +Gets an entity query. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityQueryTemplate -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Kind ] [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityQueryTemplate -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityQueryTemplate -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity query. + +## EXAMPLES + +### Example 1: List all Entity Query Templates +```powershell + Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` + +```output +Title : The user has created an account +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa + +Title : The user has deleted an account +Description : This activity displays account deletion events performed by the user +InputEntityType : Account +Kind : Activity +Name : e0459780-ac9d-4b72-8bd4-fecf6b46a0a1 +``` + +This command lists all Entity Query Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query Template +```powershell + Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "d6d08c94-455f-4ea5-8f76-fc6c0c442cfa" +``` + +```output +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets an Entity Query Template. 
+ +### Example 3: Get an Entity Query Template by object Id +```powershell + $EntityQueryTemplates = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $EntityQueryTemplates[0] | Get-AzSentinelEntityQueryTemplate +``` + +```output +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets a Entity Query Template by object. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +entity query template ID + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: EntityQueryTemplateId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Kind +The entity template query kind we want to fetch + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md new file mode 100644 index 000000000000..47df57a8d066 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md 
@@ -0,0 +1,280 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentityrelation +schema: 2.0.0 +--- + +# Get-AzSentinelEntityRelation + +## SYNOPSIS +Gets an entity relation. + +## SYNTAX + +### List (Default) +``` +Get-AzSentinelEntityRelation -EntityId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] + [-DefaultProfile ] [] +``` + +### Get +``` +Get-AzSentinelEntityRelation -EntityId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [] +``` + +### GetViaIdentity +``` +Get-AzSentinelEntityRelation -InputObject [-DefaultProfile ] + [] +``` + +## DESCRIPTION +Gets an entity relation. + +## EXAMPLES + +### Example 1: List all Entity Relations for a given Entity +```powershell + Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +``` + +This command lists all Entity Relations for a given Entity. + +### Example 2: Get an Entity Relation +```powershell + Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId" +``` + +This command gets an Entity Relation for a given Entity. + +### Example 3: Get an Entity Relation by object Id +```powershell + $EntityRelations = Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" + $EntityRelations[0] | Get-AzSentinelEntityRelation +``` + +This command gets a Entity Relation by object + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +Filters the results, based on a Boolean condition. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: GetViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Orderby +Sorts the results. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: Get +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skiptoken is only used if a previous operation returned a partial result. 
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. +Optional. + +```yaml +Type: System.String +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: Get, List +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Top +Returns only the first n results. +Optional. + +```yaml +Type: System.Int32 +Parameter Sets: List +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Get, List +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md new file mode 100644 index 000000000000..2d1047f32ff0 --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md 
@@ -0,0 +1,229 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelentitytimeline +schema: 2.0.0 +--- + +# Get-AzSentinelEntityTimeline + +## SYNOPSIS +Timeline for an entity. + +## SYNTAX + +``` +Get-AzSentinelEntityTimeline -EntityId -ResourceGroupName -WorkspaceName + -EndTime -StartTime [-SubscriptionId ] [-Kind ] + [-NumberOfBucket ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Timeline for an entity. + +## EXAMPLES + +### Example 1: Get Timeline for an Entity for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime +``` + +```output +DisplayName : Suspicious process executed +Description : Machine logs indicate that a suspicious process often associated with attacker attempts to access credentials was running on the host. +Kind : SecurityAlert +ProductName : Azure Security Center +Severity : High +StartTimeUtc : 12/20/2021 3:04:17 PM +EndTimeUtc : 12/20/2021 3:04:17 PM +TimeGenerated : 12/20/2021 3:05:52 PM +``` + +This command gets the Timeline for an Entity for a given time range. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The end timeline date, so the results returned are before this date. 
+ +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityId +entity ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Array of timeline Item kinds. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityTimelineKind[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NumberOfBucket +The number of bucket for timeline queries aggregation. + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The start timeline date, so the results returned are after this date. + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityTimelineResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/docs/Get-AzSentinelIncident.md new file mode 100644 index 000000000000..d03fb27d831b --- /dev/null +++ b/src/SecurityInsights/docs/Get-AzSentinelIncident.md 
@@ -0,0 +1,277 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincident
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncident
+
+## SYNOPSIS
+Gets an incident.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-Filter ] [-Orderby ] [-SkipToken ] [-Top ] [-DefaultProfile ]
+ []
+```
+
+### Get
+```
+Get-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelIncident -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets an incident.
+
+## EXAMPLES
+
+### Example 1: List all Incidents
+```powershell
+ Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Title : (Preview) TI map IP entity to AzureActivity
+Description : Identifies a match in AzureActivity from any IP IOC from TI
+Severity : Medium
+Number : 754
+Label : {}
+ProviderName : Azure Sentinel
+Name : f5409f55-7dd8-4c73-9981-4627520b2db
+```
+
+This command lists all Incidents under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Incident
+```powershell
+ Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "f5409f55-7dd8-4c73-9981-4627520b2db"
+```
+
+```output
+Title : (Preview) TI map IP entity to AzureActivity
+Description : Identifies a match in AzureActivity from any IP IOC from TI
+Severity : Medium
+Number : 754
+Label : {}
+ProviderName : Azure Sentinel
+Name : f5409f55-7dd8-4c73-9981-4627520b2db
+```
+
+This command gets an Incident.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: IncidentId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md
new file mode 100644
index 000000000000..43b1cb0a1f23
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentAlert.md
@@ -0,0 +1,167 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentalert
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncidentAlert
+
+## SYNOPSIS
+Gets all incident alerts.
+
+## SYNTAX
+
+```
+Get-AzSentinelIncidentAlert -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Gets all incident alerts.
+
+## EXAMPLES
+
+### Example 1: List all Alerts for a given Incident
+```powershell
+ Get-AzSentinelIncidentAlert -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+```
+
+```output
+AlertDisplayName : (Preview) TI map IP entity to SigninLogs
+FriendlyName : (Preview) TI map IP entity to SigninLogs
+Description : Identifies a match in SigninLogs from any IP IOC from TI
+Kind : SecurityAlert
+Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
+ProductName : Azure Sentinel
+Status : New
+ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
+Tactic : {Impact}
+```
+
+This command lists all Alerts for a given Incident.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISecurityAlert
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md
new file mode 100644
index 000000000000..fe510e0d9a16
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentBookmark.md
@@ -0,0 +1,166 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentbookmark +schema: 2.0.0 +--- + +# Get-AzSentinelIncidentBookmark + +## SYNOPSIS +Gets all incident bookmarks. + +## SYNTAX + +``` +Get-AzSentinelIncidentBookmark -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Gets all incident bookmarks. + +## EXAMPLES + +### Example 1: List all Bookmarks for a given Incident +```powershell + Get-AzSentinelIncidentBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7f40bbbc-e205-404b-bc2b-5d71cd1017a8" +``` + +```output +DisplayName : My 2021 Bookmark +FriendlyName : My 2021 Bookmark +Label : {my Tags} +Note : my notes + 2nd line notes +CreatedByEmail : luke@contoso.com +CreatedByName : Luke +Name : 4557d832-41f0-456f-977e-78a2e129b8d0 +``` + +This command lists all Bookmarks for a given Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IHuntingBookmark
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..17617fe272f0
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md
@@ -0,0 +1,291 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentcomment
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncidentComment
+
+## SYNOPSIS
+Gets an incident comment.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelIncidentComment -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets an incident comment.
+
+## EXAMPLES
+
+### Example 1: List all Incident Comments for a given Incident
+```powershell
+ Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1"
+```
+
+```output
+AuthorEmail : john@contoso.com
+AuthorName : John Contoso
+AuthorUserPrincipalName : john@contoso.com
+CreatedTimeUtc : 1/6/2022 2:15:44 PM
+Message : This is my comment
+Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1
+
+```
+
+This command lists all Incident Comments for a given Incident.
+
+### Example 2: Get an Incident Comment
+```powershell
+ Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" -Id "da0957c9-2f1a-44a2-bc83-a2c0696b2bf1"
+```
+
+```output
+AuthorEmail : john@contoso.com
+AuthorName : John Contoso
+AuthorUserPrincipalName : john@contoso.com
+CreatedTimeUtc : 1/6/2022 2:15:44 PM
+Message : This is my comment
+Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1
+```
+
+This command gets an Incident Comment.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Incident comment ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: IncidentCommentId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md
new file mode 100644
index 000000000000..50fa3286e5fa
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentEntity.md
@@ -0,0 +1,161 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidententity
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncidentEntity
+
+## SYNOPSIS
+Gets all incident related entities.
+
+## SYNTAX
+
+```
+Get-AzSentinelIncidentEntity -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Gets all incident related entities.
+
+## EXAMPLES
+
+### Example 1: List all Entities for a given Incident
+```powershell
+ Get-AzSentinelIncidentEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "0ddb580f-efd0-4076-bb77-77e9aef8a187"
+```
+
+```output
+FriendlyName : win2019
+Kind : Host
+Name : cb577adf-0266-8873-84d7-accf4b45417b
+```
+
+This command lists all Entities for a given Incident.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentEntitiesResponse
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..f88685604aa5
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md
@@ -0,0 +1,306 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelincidentrelation
+schema: 2.0.0
+---
+
+# Get-AzSentinelIncidentRelation
+
+## SYNOPSIS
+Gets an incident relation.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelIncidentRelation -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets an incident relation.
+
+## EXAMPLES
+
+### Example 1: List all Incident Relations for a given Incident
+```powershell
+ Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+```
+
+```output
+Name : 8969f5ea-4e92-433a-9b67-2f9233d8113f_457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceName : 457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command lists all Incident Relations for a given Incident.
+
+### Example 2: Get a Incident Relation
+```powershell
+ Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId"
+```
+
+```output
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident Relation.
+
+### Example 3: Get a Incident Relation by object Id
+```powershell
+ $Incidentrelations = Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+ $Incidentrelations[0] | Get-AzSentinelIncidentRelation
+```
+
+```output
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md
new file mode 100644
index 000000000000..58447408cd4a
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md
@@ -0,0 +1,255 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelmetadata
+schema: 2.0.0
+---
+
+# Get-AzSentinelMetadata
+
+## SYNOPSIS
+Get a Metadata.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelMetadata -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-Filter ] [-Orderby ] [-Skip ] [-Top ] [-DefaultProfile ]
+ []
+```
+
+### Get
+```
+Get-AzSentinelMetadata -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelMetadata -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Get a Metadata.
+
+## EXAMPLES
+
+### Example 1: Get Solution metadata from the workspace
+```powershell
+ Get-AzSentinelMetadata -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Etag Name SystemDataCreatedAt SystemDataCreatedBy SystemDataCreatedByType
+---- ---- ------------------- ------------------- -----------
+ azuresentinel.azure-sentinel-solution-slackaudit 3/11/2022 11:20:19 PM user@domain.local User
+```
+
+This command lists all Solution metadata for a workspace.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+The Metadata name.
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: MetadataName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Skip
+Used to skip n elements in the OData query (offset).
+Returns a nextLink to the next page of results if there are any left.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IMetadataModel
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..77cbe4072e81
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md
@@ -0,0 +1,202 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelonboardingstate
+schema: 2.0.0
+---
+
+# Get-AzSentinelOnboardingState
+
+## SYNOPSIS
+Get Sentinel onboarding state
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelOnboardingState -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelOnboardingState -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Get Sentinel onboarding state
+
+## EXAMPLES
+
+### Example 1: List all Onboarding States
+```powershell
+ Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command lists all Onboarding States under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Onboarding State
+```powershell
+ Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "default"
+```
+
+```output
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command gets an Onboarding State.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+The Sentinel onboarding state name.
+Supports - default
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: SentinelOnboardingStateName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/docs/Get-AzSentinelSetting.md
new file mode 100644
index 000000000000..a5c9f05dcc2f
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelSetting.md
@@ -0,0 +1,233 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelsetting
+schema: 2.0.0
+---
+
+# Get-AzSentinelSetting
+
+## SYNOPSIS
+Gets a setting.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelSetting -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelSetting -ResourceGroupName -SettingsName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelSetting -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a setting.
+
+## EXAMPLES
+
+### Example 1: List all Settings
+```powershell
+ Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Kind : EntityAnalytics
+Name : EntityAnalytics
+IsEnabled : True
+
+Kind : EyesOn
+Name : EyesOn
+IsEnabled : True
+
+Kind : IPSyncer
+Name : IPSyncer
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+
+Kind : Ueba
+Name : Ueba
+DataSource : {AuditLogs, AzureActivity, SecurityEvent, SigninLogs}
+```
+
+This command lists all Settings under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Setting
+```powershell
+ Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName "Anomalies"
+```
+
+```output
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting.
+
+### Example 3: Get a Setting by object Id
+```powershell
+ $Settings = Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+ $Settings[0] | Get-AzSentinelSetting
+```
+
+```output
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SettingsName
+The setting name.
+Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISettings
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md
new file mode 100644
index 000000000000..5fcf4043581b
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md
@@ -0,0 +1,288 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelthreatintelligenceindicator
+schema: 2.0.0
+---
+
+# Get-AzSentinelThreatIntelligenceIndicator
+
+## SYNOPSIS
+View a threat intelligence indicator by name.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelThreatIntelligenceIndicator -Name -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelThreatIntelligenceIndicator -InputObject
+ [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+View a threat intelligence indicator by name.
+
+## EXAMPLES
+
+### Example 1: List all Threat Intelligence Indicators
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+```
+
+This command lists all Threat Intelligence Indicators under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Threat Intelligence Indicator
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "514840ce-5582-f7a4-8562-7996e29dc07a"
+```
+
+```output
+Kind : indicator
+Name : 514840ce-5582-f7a4-8562-7996e29dc07a
+```
+
+This command gets a Threat Intelligence Indicator by name (Id)
+
+### Example 3: Get the Threat Intelligence Indicator top 3
+```powershell
+ $tiIndicators = Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Top 3
+```
+
+```output
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+
+Kind : indicator
+Name : 38ac867b-85f9-be4c-afd5-b3cffdcf69f1
+```
+
+This command gets a Threat Intelligence Indicator by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Name
+Threat intelligence indicator name field.
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
new file mode 100644
index 000000000000..0ee2d10f8d86
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
@@ -0,0 +1,116 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelthreatintelligenceindicatormetric
+schema: 2.0.0
+---
+
+# Get-AzSentinelThreatIntelligenceIndicatorMetric
+
+## SYNOPSIS
+Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).
+
+## SYNTAX
+
+```
+Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+## DESCRIPTION
+Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).
+
+## EXAMPLES
+
+### Example 1: Get all metrics for Threat Intelligence Indicators
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+LastUpdatedTimeUtc : 2022-02-07T10:44:45.3919348Z
+PatternTypeMetric : {network-traffic, url, ipv4-addr, file}
+SourceMetric : {Microsoft Emerging Threat Feed, Bing Safety Phishing URL, Azure Sentinel, CyberCrime…}
+ThreatTypeMetric : {botnet, maliciousurl, phishing, malicious-activity…}
+```
+
+This command gets Threat Intelligence Indicator metrics.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceMetrics
+
+## NOTES
+
+ALIASES
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
new file mode 100644
index 000000000000..3bf8cb69b0d5
--- /dev/null
+++ b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
@@ -0,0 +1,355 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/invoke-azsentinelthreatintelligenceindicatorquery +schema: 2.0.0 +--- + +# Invoke-AzSentinelThreatIntelligenceIndicatorQuery + +## SYNOPSIS +Query threat intelligence indicators as per filtering criteria. + +## SYNTAX + +``` +Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Id ] [-IncludeDisabled] [-Keyword ] [-MaxConfidence ] + [-MaxValidUntil ] [-MinConfidence ] [-MinValidUntil ] [-PageSize ] + [-PatternType ] [-SkipToken ] [-SortBy ] + [-Source ] [-ThreatType ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Query threat intelligence indicators as per filtering criteria. + +## EXAMPLES + +### Example 1: Query all Threat Intelligence Indicators +```powershell +Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" +``` + +```output +Etag Kind Name SystemDataCreatedAt SystemDataCreatedBy +---- ---- ---- ------------------- ------- +"b603878e-0000-0100-0000-62d1d0010000" indicator f4dd9aa3-081b-2f0b-a5d7-3805954e8a39 +``` + +This command queries TI indicators. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Ids of threat intelligence indicators + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncludeDisabled +Parameter to include/exclude disabled indicators. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Keyword +Keywords for searching threat intelligence indicators + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MaxConfidence +Maximum confidence. + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MaxValidUntil +End time for ValidUntil filter. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MinConfidence +Minimum confidence. + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MinValidUntil +Start time for ValidUntil filter. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PageSize +Page size + +```yaml +Type: System.Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PatternType +Pattern types + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipToken +Skip token. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SortBy +Columns to sort by and sorting order +To construct, see NOTES section for SORTBY properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceSortingCriteria[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Source +Sources of threat intelligence indicators + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ThreatType +Threat types of threat intelligence indicators + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IThreatIntelligenceInformation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`SORTBY `: Columns to sort by and sorting order + - `[ItemKey ]`: Column name + - `[SortOrder ]`: Sorting order (ascending/descending/unsorted). + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md new file mode 100644 index 000000000000..22d572a9d818 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md 
@@ -0,0 +1,774 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule +schema: 2.0.0 +--- + +# New-AzSentinelAlertRule + +## SYNOPSIS +Creates or updates the alert rule. + +## SYNTAX + +### FusionMLTI (Default) +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -AlertRuleTemplate + -Kind [-RuleId ] [-SubscriptionId ] [-Enabled] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftSecurityIncidentCreation +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -Kind + -ProductFilter [-RuleId ] [-SubscriptionId ] + [-AlertRuleTemplateName ] [-Description ] [-DisplayNamesExcludeFilter ] + [-DisplayNamesFilter ] [-Enabled] [-SeveritiesFilter ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### NRT +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName + -Kind -Query -Severity [-RuleId ] [-SubscriptionId ] + [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] + [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] + [-Description ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Scheduled +``` +New-AzSentinelAlertRule -ResourceGroupName -WorkspaceName -DisplayName + -Kind -Query -QueryFrequency -QueryPeriod + -Severity -TriggerOperator -TriggerThreshold [-RuleId ] + [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] + [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] + [-CreateIncident] [-Description ] [-Enabled] [-EntityMapping ] + [-EventGroupingSettingAggregationKind ] 
[-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-ReOpenClosedIncident] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the alert rule. + +## EXAMPLES + +### Example 1: Create the Fusion Alert rule +```powershell + $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8" + New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName +``` + +This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection" + +### Example 2: Create the ML Behavior Analytics Alert Rule +```powershell + $AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b" + New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName +``` + +This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection" + +### Example 2: Create the Threat Intelligence Alert Rule +```powershell + $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6" + New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName +``` + +This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics" + +### Example 3: Create a Microsoft Security Incident Creation Alert Rule +```powershell + $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72" + New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled 
-AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT" +``` + +This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts. + +### Example 4: Create a Scheduled Alert Rule +```powershell +PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 +``` + +This command creates an Alert Rule of the Scheduled kind. +Please note that that query (parameter -Query) needs to be on a single line as as string. + +### Example 5: Create a Near Realtime Alert Rule +```powershell +PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)" +``` + +This command creates an Alert Rule of the NRT kind. +Please note that that query (parameter -Query) needs to be on a single line as as string. 
+ +## PARAMETERS + +### -AlertDescriptionFormat + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertDisplayNameFormat + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertRuleTemplate + + +```yaml +Type: System.String +Parameter Sets: FusionMLTI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertRuleTemplateName + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation, NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertSeverityColumnName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertTacticsColumnName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreateIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The 
credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation, NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesExcludeFilter + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesFilter + + +```yaml +Type: System.String +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityMapping +'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +To construct, see NOTES section for ENTITYMAPPING properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventGroupingSettingAggregationKind + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind +Parameter Sets: Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByAlertDetail + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByCustomDetail + + +```yaml +Type: System.String[] +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByEntity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupingConfigurationEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LookbackDuration 
+ + +```yaml +Type: System.TimeSpan +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MatchingMethod + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: "AllEntities" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProductFilter + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query + + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryFrequency + + +```yaml +Type: System.TimeSpan +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryPeriod + + +```yaml +Type: System.TimeSpan +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReOpenClosedIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The 
Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +[Alias('RuleId')] + The Id of the Rule. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SeveritiesFilter +High, Medium, Low, Informational + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[] +Parameter Sets: MicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity +Parameter Sets: NRT, Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionDuration + + +```yaml +Type: System.TimeSpan +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tactic +[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] +InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack + +```yaml +Type: System.String +Parameter Sets: NRT, Scheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerOperator + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerThreshold + + +```yaml +Type: System.Int32 +Parameter Sets: Scheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' + - `[EntityType ]`: The V3 type of the mapped entity + - `[FieldMapping ]`: array of field mappings for the given entity mapping + - `[ColumnName ]`: the column name to be mapped to the identifier + - `[Identifier ]`: the V3 identifier of the entity + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..f11300427304 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md 
@@ -0,0 +1,188 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertruleaction +schema: 2.0.0 +--- + +# New-AzSentinelAlertRuleAction + +## SYNOPSIS +Creates or updates the action of alert rule. + +## SYNTAX + +``` +New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the action of alert rule. + +## EXAMPLES + +### Example 1: Add a Logic App Playbook as an action to an existing analytics rule +```powershell + $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName" +$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" +New-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid) +``` + +This command adds an existing Logic App Playbook to an existing analytics rule + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LogicAppResourceId +Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +Alert rule ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerUri +Logic App Callback URL for this specific workflow. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse + +## NOTES + +ALIASES + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md new file mode 100644 index 000000000000..5f43965e4591 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md 
@@ -0,0 +1,318 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelautomationrule +schema: 2.0.0 +--- + +# New-AzSentinelAutomationRule + +## SYNOPSIS +Creates or updates the automation rule. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Action ] [-DisplayName ] [-Order ] + [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ] + [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName + -AutomationRule [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the automation rule. + +## EXAMPLES + +### Example 1: Create an Automation Rule using Run Playbook +```powershell + $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" + $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() + $automationRuleAction.Order = 1 + $automationRuleAction.ActionType = "RunPlaybook" + $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id) + $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id + New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled +``` + +```output +{{ Add output here }} +``` + +This command creates an Automation Rule that has an Action of Run Playbook. 
+ +### Example 2: {{ Add title here }} +```powershell + $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new() + $automationRuleAction.Order = 1 + $automationRuleAction.ActionType = "ModifyProperties" + $automationRuleAction.ActionConfigurationSeverity = "Low" + New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled +``` + +```output +{{ Add output here }} +``` + +This command creates an Automation Rule that has an Action of changing the severity. + +## PARAMETERS + +### -Action +The actions to execute when the automation rule is triggered +To construct, see NOTES section for ACTION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AutomationRule +Represents an automation rule. +To construct, see NOTES section for AUTOMATIONRULE properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the automation rule + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Order +The order of execution of the automation rule + +```yaml +Type: System.Int32 +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicCondition +The conditions to evaluate to determine if the automation rule should be triggered on a given object + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicExpirationTimeUtc +Determines when the automation rule should automatically expire and be disabled. 
+ +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggeringLogicIsEnabled +Determines whether the automation rule is enabled or disabled. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`ACTION `: The actions to execute when the automation rule is triggered + - `ActionType `: The type of the automation rule action + - `Order `: The order of execution of the automation rule action + +`AUTOMATIONRULE `: Represents an automation rule. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Action ]`: The actions to execute when the automation rule is triggered + - `ActionType `: The type of the automation rule action + - `Order `: The order of execution of the automation rule action + - `[CreatedByEmail ]`: The email of the client. + - `[CreatedByName ]`: The name of the client. + - `[CreatedByObjectId ]`: The object id of the client. + - `[CreatedByUserPrincipalName ]`: The user principal name of the client. + - `[DisplayName ]`: The display name of the automation rule + - `[LastModifiedByEmail ]`: The email of the client. + - `[LastModifiedByName ]`: The name of the client. + - `[LastModifiedByObjectId ]`: The object id of the client. + - `[LastModifiedByUserPrincipalName ]`: The user principal name of the client. 
+ - `[Order ]`: The order of execution of the automation rule + - `[TriggeringLogicCondition ]`: The conditions to evaluate to determine if the automation rule should be triggered on a given object + - `[TriggeringLogicExpirationTimeUtc ]`: Determines when the automation rule should automatically expire and be disabled. + - `[TriggeringLogicIsEnabled ]`: Determines whether the automation rule is enabled or disabled. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/docs/New-AzSentinelBookmark.md new file mode 100644 index 000000000000..cbf04db4e2d0 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelBookmark.md 
@@ -0,0 +1,388 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelbookmark +schema: 2.0.0 +--- + +# New-AzSentinelBookmark + +## SYNOPSIS +Creates or updates the bookmark. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] + [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] + [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] + [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -Bookmark + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the bookmark. + +## EXAMPLES + +### Example 1: Create a Bookmark +```powershell + $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime +``` + +```output +DisplayName : Incident Evidence +CreatedByName : John Contoso +CreatedByEmail : john@contoso.com +Name : 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 +Note : my notes +``` + +This command creates a Bookmark. + +## PARAMETERS + +### -Bookmark +Represents a bookmark in Azure Security Insights. +To construct, see NOTES section for BOOKMARK properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +The display name of the bookmark + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventTime +The bookmark event time + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoIncidentId +Incident Id + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoRelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoSeverity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentInfoTitle +The title of the 
incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this bookmark + +```yaml +Type: System.String[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Note +The notes of the bookmark + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query +The query of the bookmark. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryEndTime +The end time for the query + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryResult +The query result of the bookmark. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryStartTime +The start time for the query + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`BOOKMARK `: Represents a bookmark in Azure Security Insights. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Created ]`: The time the bookmark was created + - `[CreatedByObjectId ]`: The object id of the user. + - `[DisplayName ]`: The display name of the bookmark + - `[EventTime ]`: The bookmark event time + - `[IncidentInfoIncidentId ]`: Incident Id + - `[IncidentInfoRelationName ]`: Relation Name + - `[IncidentInfoSeverity ]`: The severity of the incident + - `[IncidentInfoTitle ]`: The title of the incident + - `[Label ]`: List of labels relevant to this bookmark + - `[Note ]`: The notes of the bookmark + - `[Query ]`: The query of the bookmark. + - `[QueryEndTime ]`: The end time for the query + - `[QueryResult ]`: The query result of the bookmark. + - `[QueryStartTime ]`: The start time for the query + - `[Updated ]`: The last time the bookmark was updated + - `[UpdatedByObjectId ]`: The object id of the user. + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..5345df5e9da5 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,213 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelbookmarkrelation +schema: 2.0.0 +--- + +# New-AzSentinelBookmarkRelation + +## SYNOPSIS +Creates the bookmark relation. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### Create +``` +New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName + -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Creates the bookmark relation. + +## EXAMPLES + +### Example 1: Create a Bookmark Relation +```powershell + $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId" + $bookmarkRelation = New-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($incident.Id) +``` + +This command creates a Bookmark Relation connecting the Incident to the Bookmark. + +## PARAMETERS + +### -BookmarkId +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Relation +Represents a relation between two resources +To construct, see NOTES section for RELATION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`RELATION `: Represents a relation between two resources + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[RelatedResourceId ]`: The resource ID of the related resource + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md new file mode 100644 index 000000000000..44192f13a347 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md 
@@ -0,0 +1,965 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector +schema: 2.0.0 +--- + +# New-AzSentinelDataConnector + +## SYNOPSIS +Creates or updates the data connector. + +## SYNTAX + +### AADAATP (Default) +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AmazonWebServicesCloudTrail +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn + -Kind [-DataConnectorId ] [-SubscriptionId ] [-Logs ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AmazonWebServicesS3 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn + -DetinationTable -Kind -Logs -SQSURL + [-DataConnectorId ] [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### AzureSecurityCenter +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -ASCSubscriptionId + -Kind [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Dynamics365 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-CommonDataServiceActivity ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### GenericUI +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName + -AvailabilityIsPreview -Kind + -UiConfigConnectivityCriterion -UiConfigDataType + -UiConfigDescriptionMarkdown -UiConfigGraphQueriesTableName + -UiConfigGraphQuery -UiConfigInstructionStep + -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle + [-DataConnectorId ] [-SubscriptionId ] [-AvailabilityStatus ] + [-PermissionCustom ] + [-PermissionResourceProvider ] 
[-UiConfigCustomImage ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftCloudAppSecurity +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### MicrosoftDefenderAdvancedThreatProtection +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftThreatIntelligence +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-BingSafetyPhishingURL ] + [-BingSafetyPhishingUrlLookbackPeriod ] [-MicrosoftEmergingThreatFeed ] + [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### MicrosoftThreatProtection +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Incidents ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### Office365 +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Exchange ] [-SharePoint ] + [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### OfficeATP +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### OfficeIRM +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### ThreatIntelligence +``` +New-AzSentinelDataConnector 
-ResourceGroupName -WorkspaceName -Kind + [-DataConnectorId ] [-SubscriptionId ] [-Indicators ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### ThreatIntelligenceTaxii +``` +New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -APIRootURL + -CollectionId -FriendlyName -Kind -PollingFrequency + -WorkspaceId [-DataConnectorId ] [-SubscriptionId ] [-Password ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the data connector. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All +``` + +This command enables the Threat Intelligence data connector + +## PARAMETERS + +### -Alerts + + +```yaml +Type: System.String +Parameter Sets: AADAATP, AzureSecurityCenter, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, OfficeATP, OfficeIRM +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -APIRootURL + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ASCSubscriptionId +ASC Subscription Id. 
+ +```yaml +Type: System.String +Parameter Sets: AzureSecurityCenter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityIsPreview +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.Boolean +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityStatus +[Parameter(ParameterSetName = 'APIPolling')] + +```yaml +Type: System.Int32 +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: 1 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AWSRoleArn + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesCloudTrail, AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishingURL + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishingUrlLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CollectionId + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: 
False +``` + +### -CommonDataServiceActivity + + +```yaml +Type: System.String +Parameter Sets: Dynamics365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataConnectorId +The Id of the Data Connector. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DetinationTable + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryLogs + + +```yaml +Type: System.String +Parameter Sets: MicrosoftCloudAppSecurity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Exchange + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FriendlyName + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Incidents + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatProtection +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: 
False +``` + +### -Indicators + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Logs + + +```yaml +Type: System.String +Parameter Sets: AmazonWebServicesCloudTrail, AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeed + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeedLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: MicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionCustom +[Parameter(ParameterSetName = 'APIPolling')] +To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[] +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionResourceProvider +[Parameter(ParameterSetName = 'APIPolling')] +To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[] +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PollingFrequency + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePoint + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SQSURL + + +```yaml +Type: System.String[] +Parameter Sets: AmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TaxiiLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Teams + + +```yaml +Type: System.String +Parameter Sets: Office365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantId +The TenantId. + +```yaml +Type: System.String +Parameter Sets: AADAATP, Dynamics365, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, MicrosoftThreatIntelligence, MicrosoftThreatProtection, Office365, OfficeATP, OfficeIRM, ThreatIntelligence, ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Tenant.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigConnectivityCriterion +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigCustomImage +[Parameter(ParameterSetName = 'APIPolling')] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDataType +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDescriptionMarkdown +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQueriesTableName +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQuery +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigInstructionStep +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigPublisher +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigSampleQuery +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] +To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[] +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigTitle +[Parameter(ParameterSetName = 'APIPolling', Mandatory)] + +```yaml +Type: System.String +Parameter Sets: GenericUI +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserName + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceId + + +```yaml +Type: System.String +Parameter Sets: ThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`PERMISSIONCUSTOM `: [Parameter(ParameterSetName = 'APIPolling')] + - `[Description ]`: Customs permissions description + - `[Name ]`: Customs permissions name + +`PERMISSIONRESOURCEPROVIDER `: [Parameter(ParameterSetName = 'APIPolling')] + - `[PermissionsDisplayText ]`: Permission description text + - `[Provider ]`: Provider name + - `[ProviderDisplayName ]`: Permission provider display name + - `[RequiredPermissionAction ]`: action permission + - `[RequiredPermissionDelete ]`: delete permission + - `[RequiredPermissionRead ]`: read permission + - `[RequiredPermissionWrite ]`: write permission + - `[Scope ]`: Permission provider scope + +`UICONFIGCONNECTIVITYCRITERION `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Type ]`: type of connectivity + - `[Value ]`: Queries for checking connectivity + +`UICONFIGDATATYPE `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[LastDataReceivedQuery ]`: Query for indicate last data received + - `[Name ]`: Name of the data type to show in the graph. 
can be use with {{graphQueriesTableName}} placeholder + +`UICONFIGGRAPHQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[BaseQuery ]`: The base query for the graph + - `[Legend ]`: The legend for the graph + - `[MetricName ]`: the metric that the query is checking + +`UICONFIGINSTRUCTIONSTEP `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Description ]`: Instruction step description + - `[Instruction ]`: Instruction step details + - `Type `: The kind of the setting + - `[Parameter ]`: The parameters for the setting + - `[Title ]`: Instruction step title + +`UICONFIGSAMPLEQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] + - `[Description ]`: The sample query description + - `[Query ]`: the sample query + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..d1d5cf8cede3 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -0,0 +1,353 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery +schema: 2.0.0 +--- + +# New-AzSentinelEntityQuery + +## SYNOPSIS +Creates or updates the entity query. + +## SYNTAX + +``` +New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content + -Description -InputEntityType -Kind -QueryDefinitionQuery + -Title [-EntityQueryId ] [-SubscriptionId ] + [-EntitiesFilter ] [-RequiredInputFieldsSet ] + [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Creates or updates the entity query. + +## EXAMPLES + +### Example 1: Create Entity Query +```powershell + $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId" + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name) +``` + +```output +Title : The user has created an account +Name : 6d37a904-d199-43ff-892b-53653b784122 +Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s) +Description : This activity displays account creation events performed by the user +Enabled : True +Kind : Activity +CreatedTimeUtc : 12/22/2021 11:44:34 AM +LastModifiedTimeUtc : 12/22/2021 11:47:13 AM + +``` + +This command creates an Entity Query by using a Template. 
+ +### Example 2: Create Entity Query +```powershell + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', 
''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} +``` + +This command creates an Entity Query. + +## PARAMETERS + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Content + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntitiesFilter +To construct, see NOTES section for ENTITIESFILTER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityQueryId +The Id of the Entity Query. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputEntityType + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the Entity Query + +```yaml +Type: System.Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryDefinitionQuery + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RequiredInputFieldsSet + + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TemplateName + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`ENTITIESFILTER `: + - `[(Any) ]`: This indicates any property can be added to this object. + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelIncident.md b/src/SecurityInsights/docs/New-AzSentinelIncident.md new file mode 100644 index 000000000000..78e72edbf464 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelIncident.md 
@@ -0,0 +1,457 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincident +schema: 2.0.0 +--- + +# New-AzSentinelIncident + +## SYNOPSIS +Creates or updates the incident. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Classification ] [-ClassificationComment ] + [-ClassificationReason ] [-Description ] + [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] + [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] + [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] + [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelIncident -ResourceGroupName -WorkspaceName -Incident + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident. + +## EXAMPLES + +### Example 1: Create an Incident +```powershell + New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Title "NewIncident" -Description "My Description" -Severity Low -Status New +``` + +```output +Title : NewIncident +Description : My Description +Severity : Low +Status : New +Number : 779 +CreatedTimeUtc : 2/3/2022 7:47:03 PM +Name : c831b5a7-5644-403f-9dc3-96d651e04c6d +Url : https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/cyber-soc/providers/Microsoft.OperationalInsights/workspaces/myworkspace/providers/Microsoft.SecurityInsights/Incidents/c831b5a7-5644-403f-9dc3-96d651e04c6d +``` + +This command creates an Incident. 
+ +## PARAMETERS + +### -Classification +The reason the incident was closed + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationComment +Describes the reason the incident was closed + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationReason +The classification reason the incident was closed with + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +The description of the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FirstActivityTimeUtc +The time of the first activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Incident +Represents an incident in Azure Security Insights. 
+To construct, see NOTES section for INCIDENT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this incident +To construct, see NOTES section for LABEL properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastActivityTimeUtc +The time of the last activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerAssignedTo +The name of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerEmail +The email of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerObjectId +The object id of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerUserPrincipalName +The user principal name of the user the incident is assigned to. 
+ +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderIncidentId +The incident ID assigned by the incident provider + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderName +The name of the source provider that generated the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Status +The status of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title +The title of the incident + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+ +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INCIDENT `: Represents an incident in Azure Security Insights. + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[Classification ]`: The reason the incident was closed + - `[ClassificationComment ]`: Describes the reason the incident was closed + - `[ClassificationReason ]`: The classification reason the incident was closed with + - `[Description ]`: The description of the incident + - `[FirstActivityTimeUtc ]`: The time of the first activity in the incident + - `[Label ]`: List of labels relevant to this incident + - `LabelName `: The name of the label + - `[LastActivityTimeUtc ]`: The time of the last activity in the incident + - `[OwnerAssignedTo ]`: The name of the user the incident is assigned to. + - `[OwnerEmail ]`: The email of the user the incident is assigned to. + - `[OwnerObjectId ]`: The object id of the user the incident is assigned to. + - `[OwnerUserPrincipalName ]`: The user principal name of the user the incident is assigned to. 
+ - `[ProviderIncidentId ]`: The incident ID assigned by the incident provider
+ - `[ProviderName ]`: The name of the source provider that generated the incident
+ - `[Severity ]`: The severity of the incident
+ - `[Status ]`: The status of the incident
+ - `[Title ]`: The title of the incident
+
+`LABEL `: List of labels relevant to this incident
+ - `LabelName `: The name of the label
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..72f9233554dd
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md
@@ -0,0 +1,216 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentcomment +schema: 2.0.0 +--- + +# New-AzSentinelIncidentComment + +## SYNOPSIS +Creates or updates the incident comment. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### Create +``` +New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName + -IncidentComment [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident comment. + +## EXAMPLES + +### Example 1: Create an Incident Comment +```powershell + New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere" +``` + +This command creates an Incident Comment. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentComment +Represents an incident comment +To construct, see NOTES section for INCIDENTCOMMENT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Message +The comment message + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INCIDENTCOMMENT `: Represents an incident comment + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[AuthorEmail ]`: The email of the client. + - `[AuthorName ]`: The name of the client. + - `[AuthorObjectId ]`: The object id of the client. + - `[AuthorUserPrincipalName ]`: The user principal name of the client. + - `[Message ]`: The comment message + +## RELATED LINKS + 
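Review bot: Example 1 in this file does not exercise the cmdlet it documents: the snippet invokes `New-AzSentinelIncident` and passes `-Id`, while the page is for `New-AzSentinelIncidentComment`, whose SYNTAX lists only -IncidentId, -ResourceGroupName, -WorkspaceName, -SubscriptionId, -Message, -IncidentComment and the common switches, with no `-Id`. A reader copying the example would therefore be running the incident cmdlet (or hitting an unknown parameter), not adding a comment. The example line should read `New-AzSentinelIncidentComment -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere"`. Since the docs README in this same patch states that files under `docs/` are overwritten on regeneration and examples come from `../examples`, the correction presumably needs to land in the examples folder as well, or it will be lost on the next build.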
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..65832c7b4d5b
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md
@@ -0,0 +1,220 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentrelation +schema: 2.0.0 +--- + +# New-AzSentinelIncidentRelation + +## SYNOPSIS +Creates or updates the incident relation. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### Create +``` +New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName + -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Creates or updates the incident relation. + +## EXAMPLES + +### Example 1: Create a Incident Relation +```powershell + $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId" + New-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id) +``` + +```output +Name : 4b112bd9-a6b5-44f6-b89d-8bcbf021fbdf +RelatedResourceName : a636a51c-471a-468d-89ed-d7f4b2a7a569 +RelatedResourceKind : +RelatedResourceType : Microsoft.SecurityInsights/Bookmarks +``` + +This command creates a Incident Relation connecting the Bookmark to the Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Relation +Represents a relation between two resources +To construct, see NOTES section for RELATION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`RELATION `: Represents a relation between two resources + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. 
+ - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC)
+ - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource.
+ - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource.
+ - `[RelatedResourceId ]`: The resource ID of the related resource
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md
new file mode 100644
index 000000000000..69355576dcce
--- /dev/null
+++ b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md
@@ -0,0 +1,263 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelincidentteam +schema: 2.0.0 +--- + +# New-AzSentinelIncidentTeam + +## SYNOPSIS +Creates a Microsoft team to investigate the incident by sharing information and insights between participants. + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName + -TeamName [-SubscriptionId ] [-GroupId ] [-MemberId ] + [-TeamDescription ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +### Create +``` +New-AzSentinelIncidentTeam -IncidentId -ResourceGroupName -WorkspaceName + -TeamProperty [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +## DESCRIPTION +Creates a Microsoft team to investigate the incident by sharing information and insights between participants. + +## EXAMPLES + +### Example 1: Create an Incident Teams Room +```powershell + $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId" + New-AzSentinelIncidentTeam -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId ($incident.Name) -TeamName ("Incident "+$incident.incidentNumber+": "+$incident.title) +``` + +```output +Description : +Name : Incident : NewIncident3 +PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6 + 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d +TeamCreationTimeUtc : 2/4/2022 3:02:03 PM +TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395 +``` + +This command creates a Teams group for the Incident. + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupId +List of group IDs to add their members to the team + +```yaml +Type: System.String[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MemberId +List of member IDs to add to the team + +```yaml +Type: System.String[] +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TeamDescription +The description of the team + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TeamName +The name of the team + +```yaml +Type: System.String +Parameter Sets: CreateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TeamProperty +Describes team properties +To construct, see NOTES section for TEAMPROPERTY properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamProperties + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ITeamInformation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`TEAMPROPERTY `: Describes team properties + - `TeamName `: The name of the team + - `[GroupId ]`: List of group IDs to add their members to the team + - `[MemberId ]`: List of member IDs to add to the team + - `[TeamDescription ]`: The description of the team + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md new file mode 100644 index 000000000000..f88917a5c857 --- /dev/null +++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md 
@@ -0,0 +1,213 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelonboardingstate +schema: 2.0.0 +--- + +# New-AzSentinelOnboardingState + +## SYNOPSIS +Create Sentinel onboarding state + +## SYNTAX + +### CreateExpanded (Default) +``` +New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-CustomerManagedKey] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] +``` + +### Create +``` +New-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + -SentinelOnboardingStateParameter [-SubscriptionId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Create Sentinel onboarding state + +## EXAMPLES + +### Example 1: Add Sentinel onboarding state +```powershell +AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default" +``` + +This command configures the onboarding state of Sentinel + +## PARAMETERS + +### -CustomerManagedKey +Flag that indicates the status of the CMK setting + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: CreateExpanded +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +The Sentinel onboarding state name. 
+Supports - default + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: SentinelOnboardingStateName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SentinelOnboardingStateParameter +Sentinel onboarding state +To construct, see NOTES section for SENTINELONBOARDINGSTATEPARAMETER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState +Parameter Sets: Create +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ISentinelOnboardingState + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`SENTINELONBOARDINGSTATEPARAMETER `: Sentinel onboarding state + - `[Etag ]`: Etag of the azure resource + - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). + - `[SystemDataCreatedBy ]`: The identity that created the resource. + - `[SystemDataCreatedByType ]`: The type of identity that created the resource. + - `[SystemDataLastModifiedAt ]`: The timestamp of resource last modification (UTC) + - `[SystemDataLastModifiedBy ]`: The identity that last modified the resource. + - `[SystemDataLastModifiedByType ]`: The type of identity that last modified the resource. + - `[CustomerManagedKey ]`: Flag that indicates the status of the CMK setting + +## RELATED LINKS + diff --git a/src/SecurityInsights/docs/README.md b/src/SecurityInsights/docs/README.md new file mode 100644 index 000000000000..ea77161005f3 --- /dev/null +++ b/src/SecurityInsights/docs/README.md 
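Review bot: Example 1 in New-AzSentinelOnboardingState.md calls `AzSentinelOnboardingState -ResourceGroupName ...`, which is missing the `New-` verb prefix and so names no cmdlet exported by this module; copied as written it fails before touching the workspace. The line should be `New-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"`, matching the SYNTAX block above it. It would also help readers to show the `-CustomerManagedKey` switch in a second example, since onboarding is the point where that setting is chosen, but the page gives no more detail on the flag than "indicates the status of the CMK setting", so I would not assert more than that in the docs. Per the docs README added in this same patch, the fix presumably belongs in `../examples` so it survives regeneration.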
@@ -0,0 +1,11 @@
+# Docs
+This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overridden on regeneration*. To update documentation examples, please use the `../examples` folder.
+
+## Info
+- Modifiable: no
+- Generated: all
+- Committed: yes
+- Packaged: yes
+
+## Details
+The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder.
\ No newline at end of file
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..ce4fd9a86de7
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md
@@ -0,0 +1,224 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelalertrule
+schema: 2.0.0
+---
+
+# Remove-AzSentinelAlertRule
+
+## SYNOPSIS
+Delete the alert rule.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelAlertRule -InputObject [-DefaultProfile ] [-PassThru]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the alert rule.
+
+## EXAMPLES
+
+### Example 1: Remove an alert rule
+```powershell
+Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 4a21e485-75ae-48b3-a7b9-e6a92bcfe434
+```
+
+The command removes a Sentinel alert rule
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..8e07886c9c66
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
@@ -0,0 +1,240 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Remove-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Delete the action of alert rule.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm]
+ [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelAlertRuleAction -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86
+```
+
+This command removes an alert rule action.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..5e025cf0d6d0
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md
@@ -0,0 +1,224 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelautomationrule
+schema: 2.0.0
+---
+
+# Remove-AzSentinelAutomationRule
+
+## SYNOPSIS
+Delete the automation rule.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelAutomationRule -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the automation rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+```
+
+This command removes a Sentinel automation rule
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Automation rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: AutomationRuleId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md
new file mode 100644
index 000000000000..17bd7e967358
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md
@@ -0,0 +1,224 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelbookmark
+schema: 2.0.0
+---
+
+# Remove-AzSentinelBookmark
+
+## SYNOPSIS
+Delete the bookmark.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelBookmark -InputObject [-DefaultProfile ] [-PassThru]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the bookmark.
+
+## EXAMPLES
+
+### Example 1: Remove a Sentinel Bookmark
+```powershell
+Remove-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+```
+
+This command removes a bookmark
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: BookmarkId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..3deb9a5537d2
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md
@@ -0,0 +1,240 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelbookmarkrelation
+schema: 2.0.0
+---
+
+# Remove-AzSentinelBookmarkRelation
+
+## SYNOPSIS
+Delete the bookmark relation.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm]
+ [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelBookmarkRelation -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the bookmark relation.
+
+## EXAMPLES
+
+### Example 1: Remove a bookmark relation
+```powershell
+ Remove-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 83846045-d8dc-4d6b-abbe-7588219c474e -RelationName 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+```
+
+This command removes a bookmarkrelation
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..95bbec95565b
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md
@@ -0,0 +1,224 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentineldataconnector
+schema: 2.0.0
+---
+
+# Remove-AzSentinelDataConnector
+
+## SYNOPSIS
+Delete the data connector.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelDataConnector -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the data connector.
+
+## EXAMPLES
+
+### Example 1: Removes Sentinel Data Connector
+```powershell
+Remove-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 661b961f-53d8-4bd1-be97-24e808fd04f5
+```
+
+This command removes a data connector.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Connector ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: DataConnectorId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..89ce6c20501a
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md
@@ -0,0 +1,232 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelentityquery
+schema: 2.0.0
+---
+
+# Remove-AzSentinelEntityQuery
+
+## SYNOPSIS
+Delete the entity query.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelEntityQuery -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelEntityQuery -InputObject [-DefaultProfile ] [-PassThru]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the entity query.
+
+## EXAMPLES
+
+### Example 1: Remove Entity Query
+```powershell
+ Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+```
+
+This command removes a specific entity query based on the entity query Id
+
+### Example 2: Remove an Entity Query based on the title
+```powershell
+ $queryTemplateId = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Title -eq "The user has created an account"}
+Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id $queryTemplateId.Name
+```
+
+This command removes a specific entity query based on the title
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+entity query ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: EntityQueryId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md
new file mode 100644
index 000000000000..07ae5c6e957d
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md
@@ -0,0 +1,231 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincident
+schema: 2.0.0
+---
+
+# Remove-AzSentinelIncident
+
+## SYNOPSIS
+Delete the incident.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelIncident -InputObject [-DefaultProfile ] [-PassThru]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the incident.
+
+## EXAMPLES
+
+### Example 1: Removes an incident based on the incident Id
+```powershell
+Remove-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+```
+
+This command removes an incident based on the incident id.
+
+### Example 2: Removes an incident based on the incident number
+```powershell
+$myIncident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id | Where-Object {$_.Number -eq "780"}
+```
+
+The command removes an incident based on an incident number.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: IncidentId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..256bcc7b2f20
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md
@@ -0,0 +1,240 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincidentcomment
+schema: 2.0.0
+---
+
+# Remove-AzSentinelIncidentComment
+
+## SYNOPSIS
+Delete the incident comment.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm]
+ [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelIncidentComment -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the incident comment.
+
+## EXAMPLES
+
+### Example 1: Remove an incident comment
+```powershell
+Remove-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 7a4c27ea-d61a-496b-b5c3-246770c857c1
+```
+
+This command removes an incident comment
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Incident comment ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases: IncidentCommentId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..afa37201e050
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md
@@ -0,0 +1,240 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelincidentrelation
+schema: 2.0.0
+---
+
+# Remove-AzSentinelIncidentRelation
+
+## SYNOPSIS
+Delete the incident relation.
+
+## SYNTAX
+
+### Delete (Default)
+```
+Remove-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm]
+ [-WhatIf] []
+```
+
+### DeleteViaIdentity
+```
+Remove-AzSentinelIncidentRelation -InputObject [-DefaultProfile ]
+ [-PassThru] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Delete the incident relation.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1
+```
+
+This command removes the incident relation
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentId
+Incident ID
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: DeleteViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -PassThru
+Returns true when the command succeeds
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Delete
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..ef99ec749e63
--- /dev/null
+++ b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md
@@ -0,0 +1,225 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/remove-azsentinelonboardingstate +schema: 2.0.0 +--- + +# Remove-AzSentinelOnboardingState + +## SYNOPSIS +Delete Sentinel onboarding state + +## SYNTAX + +### Delete (Default) +``` +Remove-AzSentinelOnboardingState -Name -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-DefaultProfile ] [-PassThru] [-Confirm] [-WhatIf] [] +``` + +### DeleteViaIdentity +``` +Remove-AzSentinelOnboardingState -InputObject [-DefaultProfile ] + [-PassThru] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Delete Sentinel onboarding state + +## EXAMPLES + +### Example 1: Remove the Sentinel onboarding state +```powershell +Remove-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default" +``` + +This commands removes the Sentinel onboarding state + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: DeleteViaIdentity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Name +The Sentinel onboarding state name. 
+Supports - default + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: SentinelOnboardingStateName + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PassThru +Returns true when the command succeeds + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: Delete +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### System.Boolean + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. 
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md
new file mode 100644
index 000000000000..ba8341f1cf06
--- /dev/null
+++ b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md
@@ -0,0 +1,243 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement +schema: 2.0.0 +--- + +# Test-AzSentinelDataConnectorCheckRequirement + +## SYNOPSIS +Get requirements state for a data connector type. + +## SYNTAX + +### AADTenant (Default) +``` +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName + -Kind [-SubscriptionId ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### AzureSecurityCenter +``` +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName -WorkspaceName + -ASCSubscriptionId -Kind [-SubscriptionId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Get requirements state for a data connector type. + +## EXAMPLES + +### Example 1: {{ Add title here }} +```powershell +{{ Add code here }} +``` + +```output +{{ Add output here }} +``` + +{{ Add description here }} + +### Example 2: {{ Add title here }} +```powershell +{{ Add code here }} +``` + +```output +{{ Add output here }} +``` + +{{ Add description here }} + +## PARAMETERS + +### -ASCSubscriptionId +ASC Subscription Id. 
+ +```yaml +Type: System.String +Parameter Sets: AzureSecurityCenter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +[Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)] +[Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)] +[Parameter(ParameterSetName = 'GenericUI', Mandatory)] + The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Kind +Kind of the the data connection + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. 
+The subscription ID forms part of the URI for every service call. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantId +The TenantId. + +```yaml +Type: System.String +Parameter Sets: AADTenant +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Tenant.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements + +## NOTES + +ALIASES + +## RELATED LINKS + 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..7aab56d6a8fe
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md
@@ -0,0 +1,848 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule +schema: 2.0.0 +--- + +# Update-AzSentinelAlertRule + +## SYNOPSIS +Updates the alert rule. + +## SYNTAX + +### UpdateScheduled (Default) +``` +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] + [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] + [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] + [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] + [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] + [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] [] +``` + +### UpdateFusionMLTI +``` +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob] + [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftSecurityIncidentCreation +``` +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-AlertRuleTemplateName ] [-Description ] + [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] + [-ProductFilter ] [-SeveritiesFilter ] + [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateNRT +``` +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName + [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] + [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] + 
[-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] + [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] + [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] + [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] + [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-NRT] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityFusionMLTI +``` +Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ] + [-Enabled] [-DefaultProfile ] [-AsJob] [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityMicrosoftSecurityIncidentCreation +``` +Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ] + [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] + [-ProductFilter ] [-SeveritiesFilter ] + [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityNRT +``` +Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ] + [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] + [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] + [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] + [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-NRT] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityUpdateScheduled +``` +Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ] + [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] + [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] + [-Enabled] [-EntityMapping ] + [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] + [-GroupByCustomDetail ] [-GroupByEntity 
] [-GroupingConfigurationEnabled] + [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] + [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] + [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Updates the alert rule. + +## EXAMPLES + +### Example 1: Update an scheduled alert rule +```powershell +Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -ruleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2" +``` + +This command updates a scheduled alert rule + +## PARAMETERS + +### -AlertDescriptionFormat + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertDisplayNameFormat + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertRuleTemplateName + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertSeverityColumnName + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AlertTacticsColumnName + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, 
UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreateIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled, UpdateViaIdentityMicrosoftSecurityIncidentCreation, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesExcludeFilter + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation +Aliases: + +Required: False 
+Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayNamesFilter + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityMapping +'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +To construct, see NOTES section for ENTITYMAPPING properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EventGroupingSettingAggregationKind + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FusionMLorTI + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateFusionMLTI, UpdateViaIdentityFusionMLTI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### 
-GroupByAlertDetail + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByCustomDetail + + +```yaml +Type: System.String[] +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupByEntity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupingConfigurationEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityFusionMLTI, UpdateViaIdentityMicrosoftSecurityIncidentCreation, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -LookbackDuration + + +```yaml +Type: System.TimeSpan +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MatchingMethod + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: "AllEntities" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftSecurityIncidentCreation + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NRT + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateNRT, UpdateViaIdentityNRT +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProductFilter + + +```yaml +Type: 
Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Query + + +```yaml +Type: System.String +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryFrequency + + +```yaml +Type: System.TimeSpan +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryPeriod + + +```yaml +Type: System.TimeSpan +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReOpenClosedIncident + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RuleId +[Alias('RuleId')] + The name of Operational Insights Resource Provider. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Scheduled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SeveritiesFilter +High, Medium, Low, Informational + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[] +Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionDuration + + +```yaml +Type: System.TimeSpan +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: New-TimeSpan -Hours 5 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressionEnabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tactic + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic +Parameter Sets: UpdateNRT, UpdateScheduled, UpdateViaIdentityNRT, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerOperator + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TriggerThreshold + + +```yaml +Type: System.Int32 +Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateFusionMLTI, UpdateMicrosoftSecurityIncidentCreation, UpdateNRT, UpdateScheduled +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+
+
+`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ - `[EntityType ]`: The V3 type of the mapped entity
+ - `[FieldMapping ]`: array of field mappings for the given entity mapping
+ - `[ColumnName ]`: the column name to be mapped to the identifier
+ - `[Identifier ]`: the V3 identifier of the entity
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..00e38512a8e7
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md
@@ -0,0 +1,257 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Update-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Creates or updates the action of alert rule.
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelAlertRuleAction -InputObject [-LogicAppResourceId ]
+ [-TriggerUri ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+```
+
+This command updates an alert rule action
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -LogicAppResourceId
+Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggerUri
+Logic App Callback URL for this specific workflow.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..1e375fdbdd57
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md
@@ -0,0 +1,314 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelautomationrule
+schema: 2.0.0
+---
+
+# Update-AzSentinelAutomationRule
+
+## SYNOPSIS
+Creates or updates the automation rule.
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Action ] [-DisplayName ] [-Order ]
+ [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ]
+ [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelAutomationRule -InputObject [-Action ]
+ [-DisplayName ] [-Order ] [-TriggeringLogicCondition ]
+ [-TriggeringLogicExpirationTimeUtc ] [-TriggeringLogicIsEnabled] [-DefaultProfile ]
+ [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the automation rule.
+
+## EXAMPLES
+
+### Example 1: {{ Add title here }}
+```powershell
+ $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
+ $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id
+ Update-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled
+```
+
+This command updates an automation rule
+
+## PARAMETERS
+
+### -Action
+The actions to execute when the automation rule is triggered
+To construct, see NOTES section for ACTION properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleAction[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+The display name of the automation rule
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Automation rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases: AutomationRuleId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Order
+The order of execution of the automation rule
+
+```yaml
+Type: System.Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggeringLogicCondition
+The conditions to evaluate to determine if the automation rule should be triggered on a given object
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRuleCondition[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggeringLogicExpirationTimeUtc
+Determines when the automation rule should automatically expire and be disabled.
+
+```yaml
+Type: System.DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TriggeringLogicIsEnabled
+Determines whether the automation rule is enabled or disabled.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`ACTION `: The actions to execute when the automation rule is triggered
+ - `ActionType `: The type of the automation rule action
+ - `Order `: The order of execution of the automation rule action
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md
new file mode 100644
index 000000000000..88b71157ced8
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md
@@ -0,0 +1,397 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelbookmark
+schema: 2.0.0
+---
+
+# Update-AzSentinelBookmark
+
+## SYNOPSIS
+Creates or updates the bookmark.
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ]
+ [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ]
+ [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ]
+ [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelBookmark -InputObject [-DisplayName ]
+ [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ]
+ [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ]
+ [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates or updates the bookmark.
+
+## EXAMPLES
+
+### Example 1: Update Sentinel Bookmark
+```powershell
+ $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
+```
+
+This command updates a bookmark
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+The display name of the bookmark
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EventTime
+The bookmark event time
+
+```yaml
+Type: System.DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases: BookmarkId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentInfoIncidentId
+Incident Id
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentInfoRelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentInfoSeverity
+The severity of the incident
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -IncidentInfoTitle
+The title of the incident
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Label
+List of labels relevant to this bookmark
+
+```yaml
+Type: System.String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Note
+The notes of the bookmark
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Query
+The query of the bookmark.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryEndTime
+The end time for the query
+
+```yaml
+Type: System.DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryResult
+The query result of the bookmark.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -QueryStartTime
+The start time for the query
+
+```yaml
+Type: System.DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..e9a3b4f57a98
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md
@@ -0,0 +1,240 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelbookmarkrelation
+schema: 2.0.0
+---
+
+# Update-AzSentinelBookmarkRelation
+
+## SYNOPSIS
+Creates the bookmark relation.
+
+## SYNTAX
+
+### UpdateExpanded (Default)
+```
+Update-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ]
+ [-Confirm] [-WhatIf] []
+```
+
+### UpdateViaIdentityExpanded
+```
+Update-AzSentinelBookmarkRelation -InputObject [-RelatedResourceId ]
+ [-DefaultProfile ] [-Confirm] [-WhatIf] []
+```
+
+## DESCRIPTION
+Creates the bookmark relation.
+
+## EXAMPLES
+
+### Example 1: Update a Bookmark relation
+```powershell
+Update-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 -RelationName f185b6f8-1a0d-43eb-97de-67720839ac67 -RelatedResourceId f185b6f8-1a0d-43eb-97de-67720839ac67
+```
+
+This command updates a bookmark relation
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: UpdateViaIdentityExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -RelatedResourceId
+The resource ID of the related resource
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: UpdateExpanded
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..b2bf4238392b
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md
@@ -0,0 +1,1102 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector
+schema: 2.0.0
+---
+
+# Update-AzSentinelDataConnector
+
+## SYNOPSIS
+Updates the data connector.
+
+## SYNTAX
+
+### UpdateAADAATP (Default)
+```
+Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob]
+ [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateAmazonWebServicesCloudTrail
+```
+Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] [-DefaultProfile ] [-AsJob]
+ [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateAmazonWebServicesS3
+```
+Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ]
+ [-SQSURL ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf]
+ []
+```
+
+### UpdateAzureSecurityCenter
+```
+Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Alerts ] [-ASCSubscriptionId ] [-DefaultProfile ]
+ [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateDynamics365
+```
+Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ]
+ [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] []
+```
+
+### UpdateGenericUI
+```
+Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-AvailabilityStatus ]
+ [-PermissionCustom ]
+ [-PermissionResourceProvider ]
+ [-UiConfigConnectivityCriterion ] [-UiConfigCustomImage ]
+ [-UiConfigDataType ] [-UiConfigDescriptionMarkdown ]
+ [-UiConfigGraphQueriesTableName ] [-UiConfigGraphQuery ]
+ [-UiConfigInstructionStep ] [-UiConfigPublisher ]
+ [-UiConfigSampleQuery ] [-UiConfigTitle ] [-DefaultProfile ]
[-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftCloudAppSecurity +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftDefenderAdvancedThreatProtection +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateMicrosoftThreatIntelligence +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateMicrosoftThreatProtection +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Incidents ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOffice365 +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOfficeATP +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateOfficeIRM +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateThreatIntelligence +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName 
-WorkspaceName + [-SubscriptionId ] [-Indicators ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateThreatIntelligenceTaxii +``` +Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName + -APIRootURL [-SubscriptionId ] [-CollectionId ] [-FriendlyName ] + [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] + [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityAADAATP +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityAmazonWebServicesCloudTrail +``` +Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] + [-Logs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityAmazonWebServicesS3 +``` +Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] + [-DetinationTable ] [-Logs ] [-SQSURL ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityAzureSecurityCenter +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-ASCSubscriptionId ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateViaIdentityDynamics365 +``` +Update-AzSentinelDataConnector -InputObject [-CommonDataServiceActivity ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityGenericUI +``` +Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-AvailabilityStatus ] + [-PermissionCustom ] + [-PermissionResourceProvider ] + [-UiConfigConnectivityCriterion ] [-UiConfigCustomImage ] + [-UiConfigDataType ] [-UiConfigDescriptionMarkdown ] + [-UiConfigGraphQueriesTableName ] [-UiConfigGraphQuery ] + [-UiConfigInstructionStep ] [-UiConfigPublisher ] + [-UiConfigSampleQuery ] [-UiConfigTitle ] [-DefaultProfile ] 
[-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityMicrosoftCloudAppSecurity +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-DiscoveryLogs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityMicrosoftThreatIntelligence +``` +Update-AzSentinelDataConnector -InputObject + [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityMicrosoftThreatProtection +``` +Update-AzSentinelDataConnector -InputObject [-Incidents ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityOffice365 +``` +Update-AzSentinelDataConnector -InputObject [-Exchange ] + [-SharePoint ] [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityOfficeATP +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityOfficeIRM +``` +Update-AzSentinelDataConnector -InputObject [-Alerts ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityThreatIntelligence +``` +Update-AzSentinelDataConnector -InputObject [-Indicators ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] +``` + +### UpdateViaIdentityThreatIntelligenceTaxii +``` +Update-AzSentinelDataConnector -InputObject [-CollectionId ] + [-FriendlyName ] [-Password ] [-PollingFrequency ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] + 
[-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Updates the data connector. + +## EXAMPLES + +### Example 1: Update a Sentinel data connector +```powershell +Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" +``` + +This command updates a Sentinel data connector + +## PARAMETERS + +### -Alerts + + +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAzureSecurityCenter, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateOfficeATP, UpdateOfficeIRM, UpdateViaIdentityAADAATP, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -APIRootURL + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ASCSubscriptionId +ASC Subscription Id. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateAzureSecurityCenter, UpdateViaIdentityAzureSecurityCenter +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityIsPreview + + +```yaml +Type: System.Boolean +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AvailabilityStatus + + +```yaml +Type: System.Int32 +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: 1 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AWSRoleArn + + +```yaml +Type: System.String +Parameter Sets: UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishingUrlLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BingSafetyPhishinURL + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### 
-CollectionId + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CommonDataServiceActivity + + +```yaml +Type: System.String +Parameter Sets: UpdateDynamics365, UpdateViaIdentityDynamics365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataConnectorId +[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] + The Id of the Data Connector. + +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DetinationTable + + +```yaml +Type: System.String +Parameter Sets: UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesS3 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryLogs + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftCloudAppSecurity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Exchange + + +```yaml +Type: System.String +Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FriendlyName + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Incidents + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftThreatProtection, UpdateViaIdentityMicrosoftThreatProtection +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Indicators + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligence, UpdateViaIdentityThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, 
ValueFromPipeline)] + Identity Parameter + +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityAADAATP, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityDynamics365, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatProtection, UpdateViaIdentityOffice365, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM, UpdateViaIdentityThreatIntelligence, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Logs + + +```yaml +Type: System.String +Parameter Sets: UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeed + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftEmergingThreatFeedLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: 
System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionCustom +To construct, see NOTES section for PERMISSIONCUSTOM properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionResourceProvider +To construct, see NOTES section for PERMISSIONRESOURCEPROVIDER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PollingFrequency + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] + The Resource Group Name. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePoint + + +```yaml +Type: System.String +Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SQSURL + + +```yaml +Type: System.String[] +Parameter Sets: UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesS3 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +[Parameter(ParameterSetName = 'UpdateGenericUI')] + Gets subscription credentials which uniquely identify Microsoft Azure subscription. + The subscription ID forms part of the URI for every service call. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TaxiiLookbackPeriod + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Teams + + +```yaml +Type: System.String +Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365 +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantId +[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')] + The TenantId. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii, UpdateViaIdentityAADAATP, UpdateViaIdentityAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesS3, UpdateViaIdentityAzureSecurityCenter, UpdateViaIdentityDynamics365, UpdateViaIdentityMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatProtection, UpdateViaIdentityOffice365, UpdateViaIdentityOfficeATP, UpdateViaIdentityOfficeIRM, UpdateViaIdentityThreatIntelligence, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Tenant.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigConnectivityCriterion +To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigCustomImage + + +```yaml +Type: System.String +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDataType +To construct, see NOTES section for UICONFIGDATATYPE properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigDescriptionMarkdown + + +```yaml +Type: System.String +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQueriesTableName + + +```yaml +Type: System.String +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigGraphQuery +To construct, see NOTES section for UICONFIGGRAPHQUERY properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigInstructionStep +To construct, see NOTES section for UICONFIGINSTRUCTIONSTEP properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigPublisher + + +```yaml +Type: System.String +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigSampleQuery +To construct, see NOTES section for UICONFIGSAMPLEQUERY properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[] +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UiConfigTitle + + +```yaml +Type: System.String +Parameter Sets: UpdateGenericUI, UpdateViaIdentityGenericUI +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserName + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceId + + +```yaml +Type: System.String +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] + The name of the workspace. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+ + +`INPUTOBJECT `: [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. 
+
+`PERMISSIONCUSTOM `:
+ - `[Description ]`: Customs permissions description
+ - `[Name ]`: Customs permissions name
+
+`PERMISSIONRESOURCEPROVIDER `:
+ - `[PermissionsDisplayText ]`: Permission description text
+ - `[Provider ]`: Provider name
+ - `[ProviderDisplayName ]`: Permission provider display name
+ - `[RequiredPermissionAction ]`: action permission
+ - `[RequiredPermissionDelete ]`: delete permission
+ - `[RequiredPermissionRead ]`: read permission
+ - `[RequiredPermissionWrite ]`: write permission
+ - `[Scope ]`: Permission provider scope
+
+`UICONFIGCONNECTIVITYCRITERION `:
+ - `[Type ]`: type of connectivity
+ - `[Value ]`: Queries for checking connectivity
+
+`UICONFIGDATATYPE `:
+ - `[LastDataReceivedQuery ]`: Query for indicate last data received
+ - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder
+
+`UICONFIGGRAPHQUERY `:
+ - `[BaseQuery ]`: The base query for the graph
+ - `[Legend ]`: The legend for the graph
+ - `[MetricName ]`: the metric that the query is checking
+
+`UICONFIGINSTRUCTIONSTEP `:
+ - `[Description ]`: Instruction step description
+ - `[Instruction ]`: Instruction step details
+ - `Type `: The kind of the setting
+ - `[Parameter ]`: The parameters for the setting
+ - `[Title ]`: Instruction step title
+
+`UICONFIGSAMPLEQUERY `:
+ - `[Description ]`: The sample query description
+ - `[Query ]`: the sample query
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..6a008930da44
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md
@@ -0,0 +1,399 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery +schema: 2.0.0 +--- + +# Update-AzSentinelEntityQuery + +## SYNOPSIS +Updates the entity query. + +## SYNTAX + +### UpdateActivity (Default) +``` +Update-AzSentinelEntityQuery -EntityQueryId -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Content ] [-Description ] [-Disabled] [-Enabled] + [-EntitiesFilter ] [-InputEntityType ] + [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ] + [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityActivity +``` +Update-AzSentinelEntityQuery -InputObject [-Content ] + [-Description ] [-Disabled] [-Enabled] + [-EntitiesFilter ] [-InputEntityType ] + [-QueryDefinitionQuery ] [-RequiredInputFieldsSet ] [-TemplateName ] + [-Title ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Updates the entity query. + +## EXAMPLES + +### Example 1: Update an Entity Query +```powershell +Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -EntityQueryId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Title "myEntityQuery Title" +``` + +This command updates an entity query. + +## PARAMETERS + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Content + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Disabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntitiesFilter +To construct, see NOTES section for ENTITIESFILTER properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EntityQueryId +The Id of the Entity Query. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateActivity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputEntityType + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityActivity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -QueryDefinitionQuery + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RequiredInputFieldsSet + + +```yaml +Type: System.String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. + +```yaml +Type: System.String +Parameter Sets: UpdateActivity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. 
+The subscription ID forms part of the URI for every service call. + +```yaml +Type: System.String +Parameter Sets: UpdateActivity +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TemplateName + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title + + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateActivity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`ENTITIESFILTER `:
+ - `[(Any) ]`: This indicates any property can be added to this object.
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
new file mode 100644
index 000000000000..14025d559f22
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
@@ -0,0 +1,464 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincident +schema: 2.0.0 +--- + +# Update-AzSentinelIncident + +## SYNOPSIS +Creates or updates the incident. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncident -Id -ResourceGroupName -WorkspaceName + [-SubscriptionId ] [-Classification ] [-ClassificationComment ] + [-ClassificationReason ] [-Description ] + [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] + [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] + [-OwnerUserPrincipalName ] [-ProviderIncidentId ] [-ProviderName ] + [-Severity ] [-Status ] [-Title ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncident -InputObject [-Classification ] + [-ClassificationComment ] [-ClassificationReason ] + [-Description ] [-FirstActivityTimeUtc ] [-Label ] + [-LastActivityTimeUtc ] [-OwnerAssignedTo ] [-OwnerEmail ] + [-OwnerObjectId ] [-OwnerUserPrincipalName ] [-ProviderIncidentId ] + [-ProviderName ] [-Severity ] [-Status ] [-Title ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident. + +## EXAMPLES + +### Example 1: Update an Incident +```powershell +Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local" +``` + +This command updates an incident by assigning an owner. 
+ +## PARAMETERS + +### -Classification +The reason the incident was closed + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassification +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationComment +Describes the reason the incident was closed + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ClassificationReason +The classification reason the incident was closed with + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentClassificationReason +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +The description of the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FirstActivityTimeUtc +The time of the first activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: IncidentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Label +List of labels relevant to this incident +To construct, see NOTES section for LABEL properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentLabel[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastActivityTimeUtc +The time of the last activity in the incident + +```yaml +Type: System.DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerAssignedTo +The name of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerEmail +The email of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerObjectId +The object id of the user the incident is assigned to. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OwnerUserPrincipalName +The user principal name of the user the incident is assigned to. 
+ +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderIncidentId +The incident ID assigned by the incident provider + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProviderName +The name of the source provider that generated the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Severity +The severity of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentSeverity +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Status +The status of the incident + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.IncidentStatus +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Title +The title of the incident + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). 
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+`LABEL `: List of labels relevant to this incident
+ - `LabelName `: The name of the label
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..114fa7c871cb
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md
@@ -0,0 +1,240 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincidentcomment +schema: 2.0.0 +--- + +# Update-AzSentinelIncidentComment + +## SYNOPSIS +Creates or updates the incident comment. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncidentComment -Id -IncidentId -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-Message ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncidentComment -InputObject [-Message ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident comment. + +## EXAMPLES + +### Example 1: Update incident comment +```powershell +Update-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 8bb5c1eb-a3a9-4575-9451-cd2834be0e0a -Message "my comment" +``` + +This command updates an incident comment + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Id +Incident comment ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: IncidentCommentId + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Message +The comment message + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncidentComment + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. 
+
+
+`INPUTOBJECT `: Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..8c3476bb9360
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md
@@ -0,0 +1,241 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelincidentrelation +schema: 2.0.0 +--- + +# Update-AzSentinelIncidentRelation + +## SYNOPSIS +Creates or updates the incident relation. + +## SYNTAX + +### UpdateExpanded (Default) +``` +Update-AzSentinelIncidentRelation -IncidentId -RelationName -ResourceGroupName + -WorkspaceName [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpanded +``` +Update-AzSentinelIncidentRelation -InputObject [-RelatedResourceId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Creates or updates the incident relation. + +## EXAMPLES + +### Example 1: Update an incident relation +```powershell + $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId" + Update-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id) +``` + +This command updates an incident relation + +## PARAMETERS + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. + +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -IncidentId +Incident ID + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. 
+ +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -RelatedResourceId +The resource ID of the related resource + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The name of the resource group. +The name is case insensitive. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +The ID of the target subscription. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpanded +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md
new file mode 100644
index 000000000000..562b297749b5
--- /dev/null
+++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md
@@ -0,0 +1,300 @@ +--- +external help file: +Module Name: Az.SecurityInsights +online version: https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting +schema: 2.0.0 +--- + +# Update-AzSentinelSetting + +## SYNOPSIS +Updates setting. + +## SYNTAX + +### UpdateExpandedAnomaliesEyesOnEntityAnalytics (Default) +``` +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName + [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] +``` + +### UpdateExpandedUeba +``` +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName + [-SubscriptionId ] [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +``` +Update-AzSentinelSetting -InputObject [-Disabled] [-Enabled] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +### UpdateViaIdentityExpandedUeba +``` +Update-AzSentinelSetting -InputObject [-DataSource ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +``` + +## DESCRIPTION +Updates setting. 
+ +## EXAMPLES + +### Example 1: Update the Anomalies setting +```powershell + Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled +``` + +This command updates the Anomalies setting, other settings are: +EyesOn, EntityAnalytics and Ueba + +## PARAMETERS + +### -AsJob +Run the command as a job + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataSource + + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[] +Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DefaultProfile +The credentials, account, tenant, and subscription used for communication with Azure. 
+ +```yaml +Type: System.Management.Automation.PSObject +Parameter Sets: (All) +Aliases: AzureRMContext, AzureCredential + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Disabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Enabled +Anomalies + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InputObject +Identity Parameter +To construct, see NOTES section for INPUTOBJECT properties and create a hash table. + +```yaml +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity +Parameter Sets: UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -NoWait +Run the command asynchronously + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResourceGroupName +The Resource Group Name. 
+ +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SettingsName +The setting Name + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SubscriptionId +Gets subscription credentials which uniquely identify Microsoft Azure subscription. +The subscription ID forms part of the URI for every service call. + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: False +Position: Named +Default value: (Get-AzContext).Subscription.Id +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +[Alias('DataConnectionName')] + The name of the workspace. + +```yaml +Type: System.String +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity + +## OUTPUTS + +### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings + +## NOTES + +ALIASES + +COMPLEX PARAMETER PROPERTIES + +To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. + + +`INPUTOBJECT `: Identity Parameter + - `[ActionId ]`: Action ID + - `[AlertRuleTemplateId ]`: Alert rule template ID + - `[AutomationRuleId ]`: Automation rule ID + - `[BookmarkId ]`: Bookmark ID + - `[ConsentId ]`: consent ID + - `[DataConnectorId ]`: Connector ID + - `[EntityId ]`: entity ID + - `[EntityQueryId ]`: entity query ID + - `[EntityQueryTemplateId ]`: entity query template ID + - `[Id ]`: Resource identity path + - `[IncidentCommentId ]`: Incident comment ID + - `[IncidentId ]`: Incident ID + - `[MetadataName ]`: The Metadata name. + - `[Name ]`: Threat intelligence indicator name field. + - `[RelationName ]`: Relation Name + - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive. + - `[RuleId ]`: Alert rule ID + - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default + - `[SettingsName ]`: The setting name. 
Supports - Anomalies, EyesOn, EntityAnalytics, Ueba + - `[SourceControlId ]`: Source control Id + - `[SubscriptionId ]`: The ID of the target subscription. + - `[WorkspaceName ]`: The name of the workspace. + +## RELATED LINKS + diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md new file mode 100644 index 000000000000..7cc3a8904245 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRule.md 
@@ -0,0 +1,54 @@ +### Example 1: List all Alert Rules +```powershell + Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command lists all Alert Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule +```powershell + Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181" +``` +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule. + +### Example 3: Get an Alert Rule by object Id +```powershell + $rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $rules[0] | Get-AzSentinelAlertRule +``` +```output +AlertDisplayName : (Preview) TI map IP entity to SigninLogs +FriendlyName : (Preview) TI map IP entity to SigninLogs +Description : Identifies a match in SigninLogs from any IP IOC from TI +Kind : SecurityAlert +Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244 +ProductName : Azure Sentinel +Status : New +ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181 +Tactic : {Impact} +``` + +This command gets an Alert Rule by object \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md new file mode 100644 index 000000000000..6b9d40914647 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleAction.md @@ -0,0 +1,15 @@ +### Example 1: List all Actions for a given Alert Rule +```powershell + Get-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "myRuleId" +``` +```output +LogicAppResourceId : /subscriptions/174b1a81-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/A-Demo-1 +Name : f32239c5-cb9c-48da-a3f6-bd5bd3d924a4 +WorkflowId : 3c73d72560fa4cb6a72a0f10d3a80940 + +LogicAppResourceId : /subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/EmptyPlaybook +Name : cf815c77-bc65-4c02-946f-d81e15e9a100 +WorkflowId : 1ac8ccb8bd134253b4baf0c75fe3ecc6 +``` + +This command lists all Actions for a given Alert Rule. diff --git a/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md new file mode 100644 index 000000000000..1bd0ed5e1a9c --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAlertRuleTemplate.md 
@@ -0,0 +1,41 @@ +### Example 1: List all Alert Rule Templates +```powershell + Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 + +DisplayName : Accessed files shared by temporary external user +Description : This detection identifies an external user is added to a Team or Teams chat + and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be + an indicator of suspicious activity. +CreatedDateUtc : 8/18/2020 12:00:00 AM +LastUpdatedDateUtc : 1/3/2022 12:00:00 AM +Kind : Scheduled +Severity : Low +Name : bff058b2-500e-4ae5-bb49-a5b1423cbd5b +``` + +This command lists all Alert Rule Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Alert Rule Template +```powershell + Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myRuaac495a9-feb1-446d-b08e-a1164a539452leTemplateId" +``` +```output +DisplayName : TI map IP entity to GitHub_CL +Description : Identifies a match in GitHub_CL table from any IP IOC from TI +CreatedDateUtc : 8/27/2019 12:00:00 AM +LastUpdatedDateUtc : 10/19/2021 12:00:00 AM +Kind : Scheduled +Severity : Medium +Name : aac495a9-feb1-446d-b08e-a1164a539452 +``` + +This command gets an Alert Rule Template. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md new file mode 100644 index 000000000000..e6126c81a5d7 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelAutomationRule.md 
@@ -0,0 +1,32 @@ +### Example 1: List all Automation Rules +```powershell + Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 + +``` + +This command lists all Automation Rules under a Microsoft Sentinel workspace. + +### Example 2: Get an Automation Rule +```powershell + Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "2f32af32-ad13-4fbb-9fbc-e19e0e7ff767" +``` +```output +DisplayName : VIP automation rule +CreatedByEmail : luke@contoso.com +CreatedByUserPrincipalName : luke@contoso.com +TriggeringLogicIsEnabled : True +TriggeringLogicTriggersOn : Incidents +TriggeringLogicTriggersWhen : Created +Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 +``` + +This command gets an Automation Rule. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelBookmark.md b/src/SecurityInsights/examples/Get-AzSentinelBookmark.md new file mode 100644 index 000000000000..9309645971e8 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelBookmark.md 
@@ -0,0 +1,30 @@ +### Example 1: List all Bookmarks +```powershell + Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 + +``` + +This command lists all Bookmarks under a Microsoft Sentinel workspace. + +### Example 2: Get a Bookmark +```powershell + Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "515fc035-2ed8-4fa1-ad7d-28b401e1e0c9" +``` +```output +DisplayName : SecurityAlert - 28b401e1e0c9 +CreatedByEmail : john@contoso.com +CreatedByName : John Contoso +Label : {} +Note : This needs further investigation +Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9 +``` + +This command gets a Bookmark. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md new file mode 100644 index 000000000000..9bc4fe1db714 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelBookmarkRelation.md 
@@ -0,0 +1,36 @@ +### Example 1: List all Bookmark Relations for a given Bookmark +```powershell + Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" +``` +```output +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command lists all Bookmark Relations for a given Bookmark. + +### Example 2: Get a Bookmark Relation +```powershell + Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" +``` +```output +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command gets a Bookmark Relation. + +### Example 3: Get a Bookmark Relation by object Id +```powershell + $Bookmarkrelations = Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" + $Bookmarkrelations[0] | Get-AzSentinelBookmarkRelation +``` +```output +Name : 83846045-d8dc-4d6b-abbe-7588219c474e +RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 +RelatedResourceType : Microsoft.SecurityInsights/Incidents +``` + +This command gets a Bookmark by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md new file mode 100644 index 000000000000..d6b42b82b48b --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelDataConnector.md 
@@ -0,0 +1,29 @@ +### Example 1: List all Data Connectors +```powershell + Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +Kind : AzureActiveDirectory +Name : 8207e1f9-a793-4869-afb1-5ad4540d66d1 + +Kind : AzureAdvancedThreatProtection +Name : 1d75aada-a558-4461-986b-c6822182e81d + +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 + +``` + +This command lists all DataConnectors under a Microsoft Sentinel workspace. + +### Example 2: Get a specific Data Connector +```powershell + Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.kind -eq "Office365"} +``` +```output +Kind : Office365 +Name : 6323c716-83ae-4cfd-bf93-58235c8beb23 +SharePointState : enabled +``` + +This command gets a specific DataConnector based on kind \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md new file mode 100644 index 000000000000..06a31e9f90ed --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md 
@@ -0,0 +1,41 @@ +### Example 1: Get a Domain Enrichment +```powershell + Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com +``` +```output +Created : 5/2/1991 12:00:00 AM +Domain : microsoft.com +Expire : 5/3/2022 12:00:00 AM +Server : whois.markmonitor.com +Updated : 3/12/2021 12:00:00 AM +``` + +This command gets an enrichment for a domain. + +### Example 2: Get a IP Enrichment +```powershell + Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1" +``` +```output +Asn : 13335 +Carrier : cloudflare +City : ringwood +CityCf : 90 +Continent : oceania +Country : australia +CountryCf : 99 +IPAddr : 1.1.1.1 +IPRoutingType : fixed +Latitude : -37.8143 +Longitude : 145.2274 +Organization : apnic and cloudflare dns resolver project +OrganizationType : Internet Hosting Services +Region : +State : victoria +StateCf : 95 +StateCode : + +``` + +This command an enrichment for an IP Address. + diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntity.md b/src/SecurityInsights/examples/Get-AzSentinelEntity.md new file mode 100644 index 000000000000..2a46261b0721 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntity.md 
@@ -0,0 +1,52 @@ +### Example 1: List all Entities +```powershell + Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : 186.120.101.12 +Kind : Ip +Name : bb590b07-5ef5-bf85-1c3e-2a04e1e137d2 +``` + +This command lists all Entities under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity +```powershell + Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "8d036a2d-f37d-e936-6cca-4e172687cb79" +``` +```output +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity. + +### Example 3: Get a Entity by object Id +```powershell + $Entitys = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $Entitys[0] | Get-AzSentinelEntity +``` +```output +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 +``` + +This command gets an Entity by object + +### Example 4: Get a Entity by kind +```powershell + Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Kind -eq "CloudApplication"} +``` +```output +FriendlyName : Office 365 +Kind : CloudApplication +Name : 8fceb9c4-abe7-7174-aabf-f1dde96a945e +``` + +This command gets an Entity by kind \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md new file mode 100644 index 000000000000..9797e2697567 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md 
@@ -0,0 +1,29 @@ +### Example 1: Get Insights and Activities for an Entity +```powershell + Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +``` +```output +FriendlyName : WIN2019 +Kind : Host +Name : 8d036a2d-f37d-e936-6cca-4e172687cb79 + +FriendlyName : HackTool:Win32/Mimikatz.gen!H +Kind : Malware +Name : 876fda24-fe06-62b7-7dca-bced167a0ca3 + +FriendlyName : 52.166.111.66 +Kind : Ip +Name : 4ebb68f3-a435-fac0-d3b6-94712d246f0a +``` + +This command gets insights and activities for an Entity. + +### Example 2: Get Insights and Activities for an Entity by Id +```powershell + $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "4ebb68f3-a435-fac0-d3b6-94712d246f0a" + $Entity | Get-AzSentinelEntityActivity +``` +```output +``` + +This command gets insights and activies for an Entity by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md new file mode 100644 index 000000000000..e24deacf3f08 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md 
@@ -0,0 +1,32 @@ +### Example 1: Get Insights for an Entity for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime +``` +```output +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity for a given time range. + +### Example 2: Get Insights for an Entity by entity Id for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" + $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime +``` +```output +QueryId : 4191a4d7-e72b-4564-b2fb-25580630384b +QueryTimeIntervalEndTime : 12/21/2021 10:00:00 AM +QueryTimeIntervalStartTime : 12/14/2021 10:00:00 AM +TableQueryResultColumn : {Activity, expectedCount, actualCount, anomalyScore…} +TableQueryResultRow : {4663 - An attempt was made to access an object. 0 3901 713.91 1 0} +``` + +This command gets insights for an Entity by object for a given time range. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md new file mode 100644 index 000000000000..28721d6c89e7 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityQuery.md 
@@ -0,0 +1,58 @@ +### Example 1: List all Entity Queries +```powershell + Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert + +DisplayName : Related alerts +DataSource : {SecurityAlert} +Name : 055a5692-555f-42bd-ac17-923a5a9994ed +InputEntityType : Host +``` + +This command lists all Entity Queries under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query +```powershell + Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryId" +``` +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets an Entity Query. + +### Example 3: Get an Entity Query by object Id +```powershell + $EntityQueries = Get-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $EntityQueries[0] | Get-AzSentinelEntityQuery +``` +```output +DisplayName : Related entities +DataSource : {SecurityAlert} +Name : 98b974fd-cc64-48b8-9bd0-3a209f5b944b +InputEntityType : SecurityAlert +QueryTemplate : let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){ + SecurityAlert + | where SystemAlertId == v_SecurityAlert_SystemAlertId + | project entities = todynamic(Entities) + | mv-expand entities + | project-rename entity=entities}; + GetAlertRelatedEntities('') +``` + +This command gets a Entity Query by object. \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md new file mode 100644 index 000000000000..fc945ec5fc78 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityQueryTemplate.md 
@@ -0,0 +1,46 @@ +### Example 1: List all Entity Query Templates +```powershell + Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" +``` +```output +Title : The user has created an account +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa + +Title : The user has deleted an account +Description : This activity displays account deletion events performed by the user +InputEntityType : Account +Kind : Activity +Name : e0459780-ac9d-4b72-8bd4-fecf6b46a0a1 +``` + +This command lists all Entity Query Templates under a Microsoft Sentinel workspace. + +### Example 2: Get an Entity Query Template +```powershell + Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "d6d08c94-455f-4ea5-8f76-fc6c0c442cfa" +``` +```output +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets an Entity Query Template. + +### Example 3: Get an Entity Query Template by object Id +```powershell + $EntityQueryTemplates = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" + $EntityQueryTemplates[0] | Get-AzSentinelEntityQueryTemplate +``` +```output +Description : This activity displays account creation events performed by the user +InputEntityType : Account +Kind : Activity +Name : d6d08c94-455f-4ea5-8f76-fc6c0c442cfa +``` + +This command gets a Entity Query Template by object. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md new file mode 100644 index 000000000000..55cebb5e75dd --- /dev/null 
+++ b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md @@ -0,0 +1,24 @@ +### Example 1: List all Entity Relations for a given Entity +```powershell + Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" +``` +```output +``` +This command lists all Entity Relations for a given Entity. + +### Example 2: Get an Entity Relation +```powershell + Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId" +``` + +This command gets an Entity Relation for a given Entity. + +### Example 3: Get an Entity Relation by object Id +```powershell + $EntityRelations = Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" + $EntityRelations[0] | Get-AzSentinelEntityRelation +``` +```output +``` + +This command gets a Entity Relation by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md new file mode 100644 index 000000000000..2b9cee700bb0 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md 
@@ -0,0 +1,18 @@ +### Example 1: Get Timeline for an Entity for a given time range +```powershell + $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime +``` +```output +DisplayName : Suspicious process executed +Description : Machine logs indicate that a suspicious process often associated with attacker attempts to access credentials was running on the host. +Kind : SecurityAlert +ProductName : Azure Security Center +Severity : High +StartTimeUtc : 12/20/2021 3:04:17 PM +EndTimeUtc : 12/20/2021 3:04:17 PM +TimeGenerated : 12/20/2021 3:05:52 PM +``` + +This command gets the Timeline for an Entity for a given time range. diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncident.md b/src/SecurityInsights/examples/Get-AzSentinelIncident.md new file mode 100644 index 000000000000..14bb7a754405 --- /dev/null +++ b/src/SecurityInsights/examples/Get-AzSentinelIncident.md 
@@ -0,0 +1,31 @@
+### Example 1: List all Incidents
+```powershell
+ Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+Title : (Preview) TI map IP entity to AzureActivity
+Description : Identifies a match in AzureActivity from any IP IOC from TI
+Severity : Medium
+Number : 754
+Label : {}
+ProviderName : Azure Sentinel
+Name : f5409f55-7dd8-4c73-9981-4627520b2db
+```
+
+This command lists all Incidents under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Incident
+```powershell
+ Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "f5409f55-7dd8-4c73-9981-4627520b2db"
+```
+```output
+Title : (Preview) TI map IP entity to AzureActivity
+Description : Identifies a match in AzureActivity from any IP IOC from TI
+Severity : Medium
+Number : 754
+Label : {}
+ProviderName : Azure Sentinel
+Name : f5409f55-7dd8-4c73-9981-4627520b2db
+```
+
+This command gets an Incident.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md
new file mode 100644
index 000000000000..2cdbdbed0b71
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentAlert.md
@@ -0,0 +1,17 @@
+### Example 1: List all Alerts for a given Incident
+```powershell
+ Get-AzSentinelIncidentAlert -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+```
+```output
+AlertDisplayName : (Preview) TI map IP entity to SigninLogs
+FriendlyName : (Preview) TI map IP entity to SigninLogs
+Description : Identifies a match in SigninLogs from any IP IOC from TI
+Kind : SecurityAlert
+Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
+ProductName : Azure Sentinel
+Status : New
+ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
+Tactic : {Impact}
+```
+
+This command lists all Alerts for a given Incident.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md
new file mode 100644
index 000000000000..3feb6c259e88
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentBookmark.md
@@ -0,0 +1,16 @@
+### Example 1: List all Bookmarks for a given Incident
+```powershell
+ Get-AzSentinelIncidentBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7f40bbbc-e205-404b-bc2b-5d71cd1017a8"
+```
+```output
+DisplayName : My 2021 Bookmark
+FriendlyName : My 2021 Bookmark
+Label : {my Tags}
+Note : my notes
+ 2nd line notes
+CreatedByEmail : luke@contoso.com
+CreatedByName : Luke
+Name : 4557d832-41f0-456f-977e-78a2e129b8d0
+```
+
+This command lists all Bookmarks for a given Incident.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..9ed46e5a7be9
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentComment.md
@@ -0,0 +1,30 @@
+### Example 1: List all Incident Comments for a given Incident
+```powershell
+ Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1"
+```
+```output
+AuthorEmail : john@contoso.com
+AuthorName : John Contoso
+AuthorUserPrincipalName : john@contoso.com
+CreatedTimeUtc : 1/6/2022 2:15:44 PM
+Message : This is my comment
+Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1
+
+```
+
+This command lists all Incident Comments for a given Incident.
+
+### Example 2: Get an Incident Comment
+```powershell
+ Get-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7a4c27ea-d61a-496b-b5c3-246770c857c1" -Id "da0957c9-2f1a-44a2-bc83-a2c0696b2bf1"
+```
+```output
+AuthorEmail : john@contoso.com
+AuthorName : John Contoso
+AuthorUserPrincipalName : john@contoso.com
+CreatedTimeUtc : 1/6/2022 2:15:44 PM
+Message : This is my comment
+Name : da0957c9-2f1a-44a2-bc83-a2c0696b2bf1
+```
+
+This command gets an Incident Comment.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md
new file mode 100644
index 000000000000..3b130a5a03bf
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentEntity.md
@@ -0,0 +1,11 @@
+### Example 1: List all Entities for a given Incident
+```powershell
+ Get-AzSentinelIncidentEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "0ddb580f-efd0-4076-bb77-77e9aef8a187"
+```
+```output
+FriendlyName : win2019
+Kind : Host
+Name : cb577adf-0266-8873-84d7-accf4b45417b
+```
+
+This command lists all Entities for a given Incident.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..1b6008296e02
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md
@@ -0,0 +1,44 @@
+### Example 1: List all Incident Relations for a given Incident
+```powershell
+ Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+```
+```output
+Name : 8969f5ea-4e92-433a-9b67-2f9233d8113f_457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceName : 457a48b2-9dfc-7054-64a5-e8a9d17489d7
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command lists all Incident Relations for a given Incident.
+
+### Example 2: Get a Incident Relation
+```powershell
+ Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId"
+```
+```output
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident Relation.
+
+### Example 3: Get a Incident Relation by object Id
+```powershell
+ $Incidentrelations = Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId"
+ $Incidentrelations[0] | Get-AzSentinelIncidentRelation
+```
+```output
+Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceName : df9493a7-4f2e-84da-1f41-4914e8c029ba
+RelatedResourceKind : SecurityAlert
+RelatedResourceType : Microsoft.SecurityInsights/entities
+```
+
+This command gets a Incident by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelMetadata.md b/src/SecurityInsights/examples/Get-AzSentinelMetadata.md
new file mode 100644
index 000000000000..6bdd9618940f
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelMetadata.md
@@ -0,0 +1,11 @@
+### Example 1: Get Solution metadata from the workspace
+```powershell
+ Get-AzSentinelMetadata -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+Etag Name SystemDataCreatedAt SystemDataCreatedBy SystemDataCreatedByType
+---- ---- ------------------- ------------------- -----------
+ azuresentinel.azure-sentinel-solution-slackaudit 3/11/2022 11:20:19 PM user@domain.local User
+```
+
+This command lists all Solution metadata for a workspace.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..28a25543a8f0
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelOnboardingState.md
@@ -0,0 +1,21 @@
+### Example 1: List all Onboarding States
+```powershell
+ Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command lists all Onboarding States under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Onboarding State
+```powershell
+ Get-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "default"
+```
+```output
+Id : /subscriptions/314b1a41-c53c-4092-8d4a-2810f6a44a0c/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/cybersecurity/providers/Microsoft.SecurityInsights/onboardingStates/default
+Name : default
+```
+
+This command gets an Onboarding State.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelSetting.md b/src/SecurityInsights/examples/Get-AzSentinelSetting.md
new file mode 100644
index 000000000000..7f6f296e92df
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelSetting.md
@@ -0,0 +1,51 @@
+### Example 1: List all Settings
+```powershell
+ Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+Kind : EntityAnalytics
+Name : EntityAnalytics
+IsEnabled : True
+
+Kind : EyesOn
+Name : EyesOn
+IsEnabled : True
+
+Kind : IPSyncer
+Name : IPSyncer
+
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+
+Kind : Ueba
+Name : Ueba
+DataSource : {AuditLogs, AzureActivity, SecurityEvent, SigninLogs}
+```
+
+This command lists all Settings under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Setting
+```powershell
+ Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName "Anomalies"
+```
+```output
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting.
+
+### Example 3: Get a Setting by object Id
+```powershell
+ $Settings = Get-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+ $Settings[0] | Get-AzSentinelSetting
+```
+```output
+Kind : Anomalies
+Name : Anomalies
+IsEnabled : True
+```
+
+This command gets a Setting by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md
new file mode 100644
index 000000000000..c5636b1a7310
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicator.md
@@ -0,0 +1,41 @@
+### Example 1: List all Threat Intelligence Indicators
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+```
+
+This command lists all Threat Intelligence Indicators under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Threat Intelligence Indicator
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Name "514840ce-5582-f7a4-8562-7996e29dc07a"
+```
+```output
+Kind : indicator
+Name : 514840ce-5582-f7a4-8562-7996e29dc07a
+```
+
+This command gets a Threat Intelligence Indicator by name (Id)
+
+### Example 3: Get the Threat Intelligence Indicator top 3
+```powershell
+ $tiIndicators = Get-AzSentinelThreatIntelligenceIndicator -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Top 3
+```
+```output
+Kind : indicator
+Name : 8ff8f736-8f9b-a180-49a2-9a395cf088ca
+
+Kind : indicator
+Name : 8afa82a1-6c4a-dca2-595f-28239965882d
+
+Kind : indicator
+Name : 38ac867b-85f9-be4c-afd5-b3cffdcf69f1
+```
+
+This command gets a Threat Intelligence Indicator by object
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
new file mode 100644
index 000000000000..a9c01783a81d
--- /dev/null
+++ b/src/SecurityInsights/examples/Get-AzSentinelThreatIntelligenceIndicatorMetric.md
@@ -0,0 +1,12 @@
+### Example 1: Get all metrics for Threat Intelligence Indicators
+```powershell
+ Get-AzSentinelThreatIntelligenceIndicatorMetric -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+```output
+LastUpdatedTimeUtc : 2022-02-07T10:44:45.3919348Z
+PatternTypeMetric : {network-traffic, url, ipv4-addr, file}
+SourceMetric : {Microsoft Emerging Threat Feed, Bing Safety Phishing URL, Azure Sentinel, CyberCrime…}
+ThreatTypeMetric : {botnet, maliciousurl, phishing, malicious-activity…}
+```
+
+This command gets Threat Intelligence Indicator metrics.
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
new file mode 100644
index 000000000000..fcd917c46fb9
--- /dev/null
+++ b/src/SecurityInsights/examples/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md
@@ -0,0 +1,11 @@
+### Example 1: Query all Threat Intelligence Indicators
+```powershell
+Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName"
+```
+```output
+Etag Kind Name SystemDataCreatedAt SystemDataCreatedBy
+---- ---- ---- ------------------- -------
+"b603878e-0000-0100-0000-62d1d0010000" indicator f4dd9aa3-081b-2f0b-a5d7-3805954e8a39
+```
+
+This command queries TI indicators.
diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..8cb01d9a6dbe
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
@@ -0,0 +1,58 @@
+### Example 1: Create the Fusion Alert rule
+```powershell
+ $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+```
+```output
+```
+
+This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection"
+
+### Example 2: Create the ML Behavior Analytics Alert Rule
+```powershell
+ $AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+```
+```output
+```
+
+This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection"
+
+### Example 2: Create the Threat Intelligence Alert Rule
+```powershell
+ $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
+```
+```output
+```
+
+This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics"
+
+### Example 3: Create a Microsoft Security Incident Creation Alert Rule
+```powershell
+ $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT"
+```
+```output
+
+```
+
+This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts.
+
+### Example 4: Create a Scheduled Alert Rule
+```powershell
+PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+```
+```output
+```
+
+This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
+
+### Example 5: Create a Near Realtime Alert Rule
+```powershell
+PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
+```
+```output
+```
+
+This command creates an Alert Rule of the NRT kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..36fd820aa512
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md
@@ -0,0 +1,11 @@
+### Example 1: Add a Logic App Playbook as an action to an existing analytics rule
+```powershell
+ $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+New-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+```
+```output
+```
+
+This command adds an existing Logic App Playbook to an existing analytics rule
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..2005f7502ce8
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md
@@ -0,0 +1,30 @@
+### Example 1: Create an Automation Rule using Run Playbook
+```powershell
+ $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
+ $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id
+ New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled
+```
+```output
+{{ Add output here }}
+```
+
+This command creates an Automation Rule that has an Action of Run Playbook.
+
+### Example 2: {{ Add title here }}
+```powershell
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "ModifyProperties"
+ $automationRuleAction.ActionConfigurationSeverity = "Low"
+ New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled
+```
+```output
+{{ Add output here }}
+```
+
+This command creates an Automation Rule that has an Action of changing the severity.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmark.md b/src/SecurityInsights/examples/New-AzSentinelBookmark.md
new file mode 100644
index 000000000000..af53a80e922d
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelBookmark.md
@@ -0,0 +1,16 @@
+### Example 1: Create a Bookmark
+```powershell
+ $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
+```
+```output
+DisplayName : Incident Evidence
+CreatedByName : John Contoso
+CreatedByEmail : john@contoso.com
+Name : 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59
+Note : my notes
+```
+
+This command creates a Bookmark.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..a65ff7e72026
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md
@@ -0,0 +1,10 @@
+### Example 1: Create a Bookmark Relation
+```powershell
+ $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId"
+ $bookmarkRelation = New-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($incident.Id)
+```
+```output
+```
+
+This command creates a Bookmark Relation connecting the Incident to the Bookmark.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..d3d4fa13dc02
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
@@ -0,0 +1,8 @@
+### Example 1: {{ Add title here }}
+```powershell
+New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+```
+```output
+```
+
+This command enables the Threat Intelligence data connector
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..6dc5ad631afa
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
@@ -0,0 +1,28 @@
+### Example 1: Create Entity Query
+```powershell
+ $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+ New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name)
+```
+```output
+Title : The user has created an account
+Name : 6d37a904-d199-43ff-892b-53653b784122
+Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)
+Description : This activity displays account creation events performed by the user
+Enabled : True
+Kind : Activity
+CreatedTimeUtc : 12/22/2021 11:44:34 AM
+LastModifiedTimeUtc : 12/22/2021 11:47:13 AM
+
+```
+
+This command creates an Entity Query by using a Template.
+
+### Example 2: Create Entity Query
+```powershell
+ New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")}
+```
+```output
+```
+
+This command creates an Entity Query.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncident.md b/src/SecurityInsights/examples/New-AzSentinelIncident.md
new file mode 100644
index 000000000000..a5263e919c87
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncident.md
@@ -0,0 +1,16 @@
+### Example 1: Create an Incident
+```powershell
+ New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Title "NewIncident" -Description "My Description" -Severity Low -Status New
+```
+```output
+Title : NewIncident
+Description : My Description
+Severity : Low
+Status : New
+Number : 779
+CreatedTimeUtc : 2/3/2022 7:47:03 PM
+Name : c831b5a7-5644-403f-9dc3-96d651e04c6d
+Url : https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/cyber-soc/providers/Microsoft.OperationalInsights/workspaces/myworkspace/providers/Microsoft.SecurityInsights/Incidents/c831b5a7-5644-403f-9dc3-96d651e04c6d
+```
+
+This command creates an Incident.
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..57cb99edde12
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md
@@ -0,0 +1,8 @@
+### Example 1: Create an Incident Comment
+```powershell
+ New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere"
+```
+```output
+```
+
+This command creates an Incident Comment.
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..6ab55a170fe1
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentRelation.md
@@ -0,0 +1,14 @@
+### Example 1: Create a Incident Relation
+```powershell
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId"
+ New-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id)
+```
+```output
+Name : 4b112bd9-a6b5-44f6-b89d-8bcbf021fbdf
+RelatedResourceName : a636a51c-471a-468d-89ed-d7f4b2a7a569
+RelatedResourceKind :
+RelatedResourceType : Microsoft.SecurityInsights/Bookmarks
+```
+
+This command creates a Incident Relation connecting the Bookmark to the Incident.
+
diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md
new file mode 100644
index 000000000000..7086cc39ac5d
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelIncidentTeam.md
@@ -0,0 +1,15 @@
+### Example 1: Create an Incident Teams Room
+```powershell
+ $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId"
+ New-AzSentinelIncidentTeam -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId ($incident.Name) -TeamName ("Incident "+$incident.incidentNumber+": "+$incident.title)
+```
+```output
+Description :
+Name : Incident : NewIncident3
+PrimaryChannelUrl : https://teams.microsoft.com/l/team/19:vYoGjeGlZmTEDmu0gTbrk9T_eDS4pKIkEU7UuM1IyZk1%40thread.tacv2/conversations?groupId=3c637cc5-caf1-46c7-93ac-069c6
+ 4b05395&tenantId=8f21ced5-2eff-4f8d-aff1-4dbb4cee8e3d
+TeamCreationTimeUtc : 2/4/2022 3:02:03 PM
+TeamId : 3c637cc5-caf1-46c7-93ac-069c64b05395
+```
+
+This command creates a Teams group for the Incident.
diff --git a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..aab625a4fa78
--- /dev/null
+++ b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md
@@ -0,0 +1,8 @@
+### Example 1: Add Sentinel onboarding state
+```powershell
+AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+```
+```output
+```
+
+This command configures the onboarding state of Sentinel
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..967f7193c13e
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md
@@ -0,0 +1,8 @@
+### Example 1: Remove an alert rule
+```powershell
+Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 4a21e485-75ae-48b3-a7b9-e6a92bcfe434
+```
+```output
+```
+
+The command removes a Sentinel alert rule
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..dfea77edbf0d
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
@@ -0,0 +1,8 @@
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86
+```
+```output
+```
+
+This command removes an alert rule action.
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..e064ccfe03ca
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md
@@ -0,0 +1,9 @@
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+```
+```output
+```
+
+This command removes a Sentinel automation rule
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md
new file mode 100644
index 000000000000..21f86032d0e0
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md
@@ -0,0 +1,10 @@
+### Example 1: Remove a Sentinel Bookmark
+```powershell
+Remove-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+```
+```output
+```
+
+This command removes a bookmark
+
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..d5121288e804
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md
@@ -0,0 +1,9 @@
+### Example 1: Remove a bookmark relation
+```powershell
+ Remove-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 83846045-d8dc-4d6b-abbe-7588219c474e -RelationName 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+```
+```output
+```
+
+This command removes a bookmarkrelation
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..6c0bc4200efe
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md
@@ -0,0 +1,9 @@
+### Example 1: Removes Sentinel Data Connector
+```powershell
+Remove-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 661b961f-53d8-4bd1-be97-24e808fd04f5
+```
+```output
+```
+
+This command removes a data connector.
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..00b3e18d85b9
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md
@@ -0,0 +1,19 @@
+### Example 1: Remove Entity Query
+```powershell
+ Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
+```
+```output
+```
+
+This command removes a specific entity query based on the entity query Id
+
+### Example 2: Remove an Entity Query based on the title
+```powershell
+ $queryTemplateId = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Title -eq "The user has created an account"}
+Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id $queryTemplateId.Name
+```
+```output
+```
+
+This command removes a specific entity query based on the title
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncident.md b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md
new file mode 100644
index 000000000000..a94fc3cf7832
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md
@@ -0,0 +1,18 @@
+### Example 1: Removes an incident based on the incident Id
+```powershell
+Remove-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id
+```
+```output
+```
+
+This command removes an incident based on the incident id.
+
+### Example 2: Removes an incident based on the incident number
+```powershell
+$myIncident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id | Where-Object {$_.Number -eq "780"}
+```
+```output
+```
+
+The command removes an incident based on an incident number.
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..b574344fdcb8
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md
@@ -0,0 +1,10 @@
+### Example 1: Remove an incident comment
+```powershell
+Remove-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 7a4c27ea-d61a-496b-b5c3-246770c857c1
+```
+```output
+```
+This command removes an incident comment
+
+
+
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..5332454bc7cb
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
@@ -0,0 +1,8 @@
+### Example 1: {{ Add title here }}
+```powershell
+Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1
+```
+```output
+```
+
+This command removes the incident relation
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md
new file mode 100644
index 000000000000..484c8d529ff2
--- /dev/null
+++ b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md
@@ -0,0 +1,8 @@
+### Example 1: Remove the Sentinel onboarding state
+```powershell
+Remove-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+```
+```output
+```
+
+This commands removes the Sentinel onboarding state
diff --git a/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md
new file mode 100644
index 000000000000..6ee1a83db970
--- /dev/null
+++ b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md
@@ -0,0 +1,22 @@
+### Example 1: {{ Add title here }}
+```powershell
+{{ Add code here }}
+```
+
+```output
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
+### Example 2: {{ Add title here }}
+```powershell
+{{ Add code here }}
+```
+
+```output
+{{ Add output here }}
+```
+
+{{ Add description here }}
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..389248d8a314
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md
@@ -0,0 +1,9 @@
+### Example 1: Update an scheduled alert rule
+```powershell
+Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -ruleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2"
+```
+```output
+```
+
+This command updates a scheduled alert rule
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..d96a650adbb2
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md
@@ -0,0 +1,10 @@
+### Example 1: {{ Add title here }}
+```powershell
+$LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName"
+$LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered"
+Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid)
+```
+```output
+```
+
+This command updates an alert rule action
diff --git a/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..7b0b3f63a6d7
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md
@@ -0,0 +1,15 @@
+### Example 1: {{ Add title here }}
+```powershell
+ $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword"
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = ($LogicAppResourceId.Id)
+ $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id
+ Update-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled
+```
+```output
+
+```
+This command updates an automation rule
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
new file mode 100644
index 000000000000..2250c14764ca
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
@@ -0,0 +1,12 @@
+### Example 1: Update Sentinel Bookmark
+```powershell
+ $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
+```
+```output
+```
+This command updates a bookmark
+
+
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..3341b9831628
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md
@@ -0,0 +1,9 @@
+### Example 1: Update a Bookmark relation
+```powershell
+Update-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 -RelationName f185b6f8-1a0d-43eb-97de-67720839ac67 -RelatedResourceId f185b6f8-1a0d-43eb-97de-67720839ac67
+```
+```output
+```
+
+This command updates a bookmark relation
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..6e522cbb12fd
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md
@@ -0,0 +1,9 @@
+### Example 1: Update a Sentinel data connector
+```powershell
+Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled"
+```
+```output
+```
+
+This command updates a Sentinel data connector
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md
new file mode 100644
index 000000000000..14b95fa43b2e
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md
@@ -0,0 +1,8 @@
+### Example 1: Update an Entity Query
+```powershell
+Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -EntityQueryId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Title "myEntityQuery Title"
+```
+```output
+```
+
+This command updates an entity query.
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncident.md b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
new file mode 100644
index 000000000000..dead01cb4d92
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
@@ -0,0 +1,8 @@
+### Example 1: Update an Incident
+```powershell
+Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local"
+```
+```output
+```
+
+This command updates an incident by assigning an owner.
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md
new file mode 100644
index 000000000000..4d7aeeb393b3
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md
@@ -0,0 +1,9 @@
+### Example 1: Update incident comment
+```powershell
+Update-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 8bb5c1eb-a3a9-4575-9451-cd2834be0e0a -Message "my comment"
+```
+```output
+```
+
+This command updates an incident comment
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
new file mode 100644
index 000000000000..9bd488db520c
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
@@ -0,0 +1,11 @@
+### Example 1: Update an incident relation
+```powershell
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId"
+ Update-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id)
+```
+```output
+```
+
+This command updates an incident relation
+
+
diff --git a/src/SecurityInsights/examples/Update-AzSentinelSetting.md b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
new file mode 100644
index 000000000000..00130cdb4ff6
--- /dev/null
+++ b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
@@ -0,0 +1,10 @@
+### Example 1: Update the Anomalies setting
+```powershell
+ Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled
+```
+```output
+```
+
+This command updates the Anomalies setting, other settings are:
+EyesOn, EntityAnalytics and Ueba
+
diff --git a/src/SecurityInsights/how-to.md b/src/SecurityInsights/how-to.md
new file mode 100644
index 000000000000..8feee0fe3fad
--- /dev/null
+++ b/src/SecurityInsights/how-to.md
@@ -0,0 +1,58 @@
+# How-To
+This document describes how to develop for `Az.SecurityInsights`.
+
+## Building `Az.SecurityInsights`
+To build, run the `build-module.ps1` at the root of the module directory. This will generate the proxy script cmdlets that are the cmdlets being exported by this module. After the build completes, the proxy script cmdlets will be output to the `exports` folder. To read more about the proxy script cmdlets, look at the [README.md](exports/README.md) in the `exports` folder.
+
+## Creating custom cmdlets
+To add cmdlets that were not generated by the REST specification, use the `custom` folder. This folder allows you to add handwritten `.ps1` and `.cs` files. Currently, we support using `.ps1` scripts as new cmdlets or as additional low-level variants (via `ParameterSet`), and `.cs` files as low-level (variants) cmdlets that the exported script cmdlets call. We do not support exporting any `.cs` (dll) cmdlets directly. To read more about custom cmdlets, look at the [README.md](custom/README.md) in the `custom` folder.
+
+## Generating documentation
+To generate documentation, the process is now integrated into the `build-module.ps1` script. If you don't want to run this process as part of `build-module.ps1`, you can provide the `-NoDocs` switch. If you want to run documentation generation after the build process, you may still run the `generate-help.ps1` script. Overall, the process will look at the documentation comments in the generated and custom cmdlets and types, and create `.md` files into the `docs` folder. Additionally, this pulls in any examples from the `examples` folder and adds them to the generated help markdown documents. To read more about examples, look at the [README.md](examples/README.md) in the `examples` folder. To read more about documentation, look at the [README.md](docs/README.md) in the `docs` folder.
+
+## Testing `Az.SecurityInsights`
+To test the cmdlets, we use [Pester](https://github.com/pester/Pester).
Tests scripts (`.ps1`) should be added to the `test` folder. To execute the Pester tests, run the `test-module.ps1` script. This will run all tests in `playback` mode within the `test` folder. To read more about testing cmdlets, look at the [README.md](examples/README.md) in the `examples` folder.
+
+## Packing `Az.SecurityInsights`
+To pack `Az.SecurityInsights` for distribution, run the `pack-module.ps1` script. This will take the contents of multiple directories and certain root-folder files to create a `.nupkg`. The structure of the `.nupkg` is created so it can be loaded part of a [PSRepository](https://docs.microsoft.com/powershell/module/powershellget/register-psrepository). Additionally, this package is in a format for distribution to the [PSGallery](https://www.powershellgallery.com/). For signing an Azure module, please contact the [Azure PowerShell](https://github.com/Azure/azure-powershell) team.
+
+## Module Script Details
+There are multiple scripts created for performing different actions for developing `Az.SecurityInsights`.
+- `build-module.ps1`
+ - Builds the module DLL (`./bin/Az.SecurityInsights.private.dll`), creates the exported cmdlets and documentation, generates custom cmdlet test stubs and exported cmdlet example stubs, and updates `./Az.SecurityInsights.psd1` with Azure profile information.
+ - **Parameters**: [`Switch` parameters]
+ - `-Run`: After building, creates an isolated PowerShell session and loads `Az.SecurityInsights`.
+ - `-Test`: After building, runs the `Pester` tests defined in the `test` folder.
+ - `-Docs`: After building, generates the Markdown documents for the modules into the `docs` folder.
+ - `-Pack`: After building, packages the module into a `.nupkg`.
+ - `-Code`: After building, opens a VSCode window with the module's directory and runs (see `-Run`) the module.
+ - `-Release`: Builds the module in `Release` configuration (as opposed to `Debug` configuration).
+ - `-NoDocs`: Supresses writing the documentation markdown files as part of the cmdlet exporting process.
+ - `-Debugger`: Used when attaching the debugger in Visual Studio to the PowerShell session, and running the build process without recompiling the DLL. This suppresses running the script as an isolated process.
+- `run-module.ps1`
+ - Creates an isolated PowerShell session and loads `Az.SecurityInsights` into the session.
+ - Same as `-Run` in `build-module.ps1`.
+ - **Parameters**: [`Switch` parameters]
+ - `-Code`: Opens a VSCode window with the module's directory.
+ - Same as `-Code` in `build-module.ps1`.
+- `generate-help.ps1`
+ - Generates the Markdown documents for the modules into the `docs` folder.
+ - Same as `-Docs` in `build-module.ps1`.
+- `test-module.ps1`
+ - Runs the `Pester` tests defined in the `test` folder.
+ - Same as `-Test` in `build-module.ps1`.
+- `pack-module.ps1`
+ - Packages the module into a `.nupkg` for distribution.
+ - Same as `-Pack` in `build-module.ps1`.
+- `generate-help.ps1`
+ - Generates the Markdown documents for the modules into the `docs` folder.
+ - Same as `-Docs` in `build-module.ps1`.
+ - This process is now integrated into `build-module.ps1` automatically. To disable, use `-NoDocs` when running `build-module.ps1`.
+- `export-surface.ps1`
+ - Generates Markdown documents for both the cmdlet surface and the model (class) surface of the module.
+ - These files are placed into the `resources` folder.
+ - Used for investigating the surface of your module. These are *not* documentation for distribution.
+- `check-dependencies.ps1`
+ - Used in `run-module.ps1` and `test-module.ps1` to verify dependent modules are available to run those tasks.
+ - It will download local (within the module's directory structure) versions of those modules as needed.
+ - This script *does not* need to be ran by-hand.
\ No newline at end of file
diff --git a/src/SecurityInsights/license.txt b/src/SecurityInsights/license.txt
new file mode 100644
index 000000000000..b9f3180fb9af
--- /dev/null
+++ b/src/SecurityInsights/license.txt
@@ -0,0 +1,227 @@
+MICROSOFT SOFTWARE LICENSE TERMS
+
+MICROSOFT AZURE POWERSHELL
+
+These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any.
+
+BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE.
+
+
+-----------------START OF LICENSE--------------------------
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution.
You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability.
In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+-------------------END OF LICENSE------------------------------------------
+
+
+----------------START OF THIRD PARTY NOTICE--------------------------------
+
+
+The software includes the AutoMapper library ("AutoMapper"). The MIT License set out below is provided for informational purposes only. It is not the license that governs any part of the software.
+
+Provided for Informational Purposes Only
+
+AutoMapper
+
+The MIT License (MIT)
+Copyright (c) 2010 Jimmy Bogard
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+
+
+
+
+***************
+
+The software includes Newtonsoft.Json. The MIT License set out below is provided for informational purposes only. It is not the license that governs any part of the software.
+
+Newtonsoft.Json
+
+The MIT License (MIT)
+Copyright (c) 2007 James Newton-King
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+-------------END OF THIRD PARTY NOTICE----------------------------------------
+
diff --git a/src/SecurityInsights/readme.md b/src/SecurityInsights/readme.md
new file mode 100644
index 000000000000..956cf1b3ce24
--- /dev/null
+++ b/src/SecurityInsights/readme.md
@@ -0,0 +1,347 @@ + +# Az.SecurityInsights +This directory contains the PowerShell module for the SecurityInsights service. + +--- +## Status +[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/) + +## Info +- Modifiable: yes +- Generated: all +- Committed: yes +- Packaged: yes + +--- +## Detail +This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension. + +## Module Requirements +- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.7.5 or greater + +## Authentication +AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent. + +## Development +For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md). + + +--- +## Generation Requirements +Use of the beta version of `autorest.powershell` generator requires the following: +- [NodeJS LTS](https://nodejs.org) (10.15.x LTS preferred) + - **Note**: It *will not work* with Node < 10.x. Using 11.x builds may cause issues as they may introduce instability or breaking changes. +> If you want an easy way to install and update Node, [NVS - Node Version Switcher](../nodejs/installing-via-nvs.md) or [NVM - Node Version Manager](../nodejs/installing-via-nvm.md) is recommended. +- [AutoRest](https://aka.ms/autorest) v3 beta
`npm install -g autorest@autorest`
  +- PowerShell 6.0 or greater + - If you don't have it installed, you can use the cross-platform npm package
`npm install -g pwsh`
  +- .NET Core SDK 2.0 or greater + - If you don't have it installed, you can use the cross-platform npm package
`npm install -g dotnet-sdk-2.2`
  + +## Run Generation +In this directory, run AutoRest: +> `autorest` + +--- +### AutoRest Configuration +> see https://aka.ms/autorest + +``` yaml +require: + - $(this-folder)/../readme.azure.noprofile.md +# lock the commit +branch: 59eb5a7f1d09d0be2b80b8497785ffa2d784b5b6 + +input-file: + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AutomationRules.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Bookmarks.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Enrichment.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Entities.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueries.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueryTemplates.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Incidents.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Metadata.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OfficeConsents.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OnboardingStates.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Settings.json + - 
$(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/SourceControls.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/ThreatIntelligence.json + #- $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Watchlists.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json + - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/operations.json + +module-version: 1.2.0 +title: SecurityInsights +subject-prefix: Sentinel + +inlining-threshold: 50 + +directive: + # Fixes/overrides to swaggers + # Fix to x-ms-enum when integer (https://github.com/Azure/autorest.powershell/issues/856) + - from: dataConnectors.json + where: $.definitions.Availability.properties.status + transform: >- + return { + "description": "The connector Availability Status", + "format": "int32", + "type": "integer", + "enum": [ + 1 + ] + } + # Customize + # Hide Operation API + - where: + subject: Operation + hide: true + # Hide OfficeConsent API + - where: + subject: OfficeConsent + hide: true + # Fix Action to be AlertRuleAction + - where: + subject: Action + set: + subject: AlertRuleAction + # Change Sets to Updates to match current module + - where: + verb: Set + set: + verb: Update + # fix subject name to encrichment + - where: + subject: DomainWhois + set: + subject: Enrichment + - where: + subject: IPGeodata + set: + subject: Enrichment + # Shorten to just Setting + - where: + subject: ProductSetting + set: + subject: Setting + # Fix subject Names + - where: + subject: EntitiesGetTimeline + set: + subject: EntityTimeline + - where: + subject: EntitiesRelation + set: + subject: EntityRelation + - where: + subject: QueryThreatIntelligenceIndicator + set: + subject: 
ThreatIntelligenceIndicatorQuery + # Change invoke as this is more a Get operation + - where: + verb: Invoke + subject: QueryEntity + set: + verb: Get + subject: EntityActivity + # Fix Update ThreatIntelligenceIndicator + - select: command + where: + verb: New + subject: ThreatIntelligenceIndicator + variant: CreateExpanded1 + set: + verb: Update + variant: UpdateExpanded + - select: command + where: + verb: New + subject: ThreatIntelligenceIndicator + variant: CreateViaIdentity1 + set: + verb: Update + variant: UpdateViaIdentity + - select: command + where: + verb: New + subject: ThreatIntelligenceIndicator + variant: CreateViaIdentityExpanded1 + set: + verb: Update + variant: UpdateViaIdentityExpanded + - where: + subject: ThreatIntelligenceIndicatorQuery + variant: QueryViaIdentityExpanded + remove: true + # Fix Entity Insights + - where: + subject: EntityInsight + variant: ^Get$|^GetViaIdentity$ + remove: true + # Fix Entity TimeLime + - where: + subject: EntityTimeline + variant: List + remove: true + # Rename Id for user expierence + - where: + subject: AlertRuleAction + parameter-name: Id + set: + alias: ActionId + - where: + subject: AlertRuleTemplate + parameter-name: Id + set: + alias: TemplateId + - where: + subject: AutomationRule + parameter-name: Id + set: + alias: AutomationRuleId + - where: + subject: Bookmark + parameter-name: Id + set: + alias: BookmarkId + - where: + subject: DataConnector + parameter-name: Id + set: + alias: DataConnectorId + - where: + subject: Entity + parameter-name: Id + set: + alias: EntityId + - where: + subject: Incident + parameter-name: Id + set: + alias: IncidentId + - where: + subject: IncidentComment + parameter-name: Id + set: + alias: IncidentCommentId + #Remove Enrichment + - where: + subject: ^Enrichment$ + variant: ^GetViaIdenity$|^GetViaIdenity1$ + remove: true + # Remove source control (requires OAUTH tokens) + - where: + subject: SourceControl + remove: true + #Custom Built Commands + - where: + verb: Invoke 
+ subject: DataConnectorsCheckRequirement + hide: true + - where: + subject: ^AlertRule$|^DataConnector$|^EntityQuery$ + variant: ^Create$|^CreateExpanded$|^Update$|^UpdateExpanded$|^UpdateViaIdentity$|^UpdateViaIdentityExpanded$ + hide: true + - where: + verb: ^Update$|^Remove$ + subject: Setting + hide: true + # Hide Etag as it isnt used + - where: + parameter-name: Etag + hide: true + # TI API not useful until API changes + - where: + verb: ^Add$|^New$|^Update$|^Remove$ + subject: ThreatIntelligenceIndicator + hide: true + - where: + verb: ^Add$|^New$|^Update$|^Remove$ + subject: ThreatIntelligenceIndicatorTag + hide: true + # CCP + - where: + verb: ^Connect$|^Disconnect$ + subject: DataConnector + hide: true + # cmdlet review feedback + - where: + subject: Bookmark + parameter-name: Created|^CreatedByObjectId&|^Updated$|^UpdatedByObjectId$ + hide: true + - where: + subject: DataConnector + parameter-name: SQSURLs + set: + parameter-name: SQSURL + - where: + subject: DataConnector + parameter-name: CommonDataServiceActivities + set: + parameter-name: CommonDataServiceActivity + - where: + verb: Invoke + subject: DataConnectorsCheckRequirement + set: + verb: Test + - where: + verb: Invoke + subject: DataConnectorsCheckRequirement + set: + subject: DataConnectorCheckRequirement + - where: + verb: Invoke + subject: DataConnectorsCheckRequirement + parameter-name: DataConnectorsCheckRequirement + set: + parameter-name: DataConnectorCheckRequirement + - where: + verb: New + subject: AlertRuleAction + variant: Create + hide: true + - where: + verb: New + subject: ^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$| + parameter-name: Id + hide: true + set: + default: + script: '(New-Guid).Guid' + - where: + verb: New + subject: ^BookmarkRelation$|^IncidentRelation$ + parameter-name: RelationName + hide: true + set: + default: + script: '(New-Guid).Guid' + # Hide Expand + - where: + verb: Expand + subject: ^Bookmark$|^Entity$ + hide: true + - 
where: + verb: ^New$|^Update$|^Remove$ + subject: Metadata + hide: true + # Hide Source Control + - where: + verb: Get + subject: SourceControlRepository + hide: true + # Hide UpdateViaId and Update + - where: + variant: ^Update$|^UpdateViaIdentity$ + hide: true + # Remove the unexpanded parameter set + - where: + variant: ^Append$|^AppendViaIdentity$|^Connect$|^ConnectViaIdentity$|^CreateViaIdentity$|^CreateViaIdentityExpanded$|^Expand$|^ExpandViaIdentity$|^ExpandViaIdentityExpanded$|^GetViaIdentityExpanded$|^PostViaIdentity$|^Query$|^QueryViaIdentity$|^QueriesViaIdentity$|^Replace$|^ReplaceViaIdentity$ + remove: true + # fix Equals that conflicts with inhertied property + - where: + enum-name: AutomationRulePropertyConditionSupportedOperator + enum-value-name: Equals + set: + enum-value-name: Equal +``` diff --git a/src/SecurityInsights/resources/README.md b/src/SecurityInsights/resources/README.md new file mode 100644 index 000000000000..736492341e3d --- /dev/null +++ b/src/SecurityInsights/resources/README.md @@ -0,0 +1,11 @@ +# Resources +This directory can contain any additional resources for module that are not required at runtime. This directory **does not** get packaged with the module. If you have assets for custom implementation, place them into the `../custom` folder. + +## Info +- Modifiable: yes +- Generated: no +- Committed: yes +- Packaged: no + +## Purpose +Use this folder to put anything you want to keep around as part of the repository for the module, but is not something that is required for the module. For example, development files, packaged builds, or additional information. This is only intended to be used in repositories where the module's output directory is cleaned, but tangential resources for the module want to remain intact. \ No newline at end of file 
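Review bot: The `subject:` pattern in the `verb: New` / `parameter-name: Id` directive, `^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$|`, ends with a stray `|`; if the where clause is evaluated as a regular expression, as the anchors elsewhere in this block suggest, the empty final alternative matches every subject, so the `Id` parameter of every `New-*` cmdlet would be hidden and defaulted to `(New-Guid).Guid` rather than only the five listed. Dropping the trailing `|` restores the intended scope. The Bookmark `parameter-name` pattern contains `^CreatedByObjectId&`, where `&` looks like a typo for `$`; the unanchored `Created` alternative happens to cover that name, but the pattern should read `Created|^CreatedByObjectId$|^Updated$|^UpdatedByObjectId$` so the intent is explicit. The Enrichment removal matches `^GetViaIdenity$|^GetViaIdenity1$`, apparently a misspelling of `GetViaIdentity`, so that directive presumably never fires and those variants remain in the generated module; worth confirming against the generated cmdlet list before merging.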
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..34f71061a2f9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "159" ], + "x-ms-client-request-id": [ "c050c818-9f97-4df8-bc11-94c349ef9d53" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], + "x-ms-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], + "x-ms-correlation-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:51617cd1-21bb-4178-81ff-968264f8fe83" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "131519" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"9100268d-0000-0100-0000-61b54cad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:17.5992035Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"etag\":\"\\\"9100888d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.6683082Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"etag\":\"\\\"91008e8d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. 
\\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less than the chosen 
value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7261046Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"etag\":\"\\\"9100908d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7217187Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"etag\":\"\\\"9100938d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7605576Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"etag\":\"\\\"9100958d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9281318Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"etag\":\"\\\"9100968d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"displayName\":\"(Preview) 
Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. It indicates anomalous high volume of successful logins in the last day.\",\"anomalyVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9489601Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"etag\":\"\\\"9100978d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9145159Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"etag\":\"\\\"9100a08d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly will be generated.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0864049Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"etag\":\"\\\"9100a18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0949212Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"etag\":\"\\\"9100a28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0380076Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"etag\":\"\\\"9100a48d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.1472644Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"etag\":\"\\\"9100a68d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto VPN.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.2701652Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"etag\":\"\\\"9100af8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data 
within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3780064Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"etag\":\"\\\"9100b18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude 
field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3413051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"etag\":\"\\\"9100b78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3502544Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"etag\":\"\\\"9100b88d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"displayName\":\"(Preview) Attempted user account bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. 
It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.4401824Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"etag\":\"\\\"9100c28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to 
execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different platforms.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1059\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Execution\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5726126Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"etag\":\"\\\"9100c38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck 
encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5819245Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"etag\":\"\\\"9100c78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"edc946ae-cba8-419f-8e90-309966895956\",\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last day.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for 
URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6281053Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"etag\":\"\\\"9100ca8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6801578Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"etag\":\"\\\"9100cf8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7739836Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"etag\":\"\\\"9100d18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the IP address is compromised.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7773051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"etag\":\"\\\"9100d38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8501491Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"etag\":\"\\\"9100d58d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"anomalyVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8726705Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"etag\":\"\\\"9100d88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen 
value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9421482Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"etag\":\"\\\"9100d98d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. \\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9788898Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"etag\":\"\\\"9100e38d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0605927Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"etag\":\"\\\"9100e48d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0796649Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"etag\":\"\\\"9100e68d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. 
The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1203371Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"etag\":\"\\\"9100e88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1708984Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"etag\":\"\\\"9100ef8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account 
logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2702628Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"etag\":\"\\\"9100f18d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe 
algorithm applies to the DNS records that resolve to IPv4 and IPv6 addresses.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.3165847Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"etag\":\"\\\"9100f28d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by 
the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2947893Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"etag\":\"\\\"9100f88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4044454Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"etag\":\"\\\"9100fa8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4553897Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"etag\":\"\\\"9100018e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"displayName\":\"(Preview) 
Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. \\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.549869Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"etag\":\"\\\"91000a8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the 
reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6349232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"etag\":\"\\\"91000f8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. 
Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. 
This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6459974Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"etag\":\"\\\"9100158e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"anomalyVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.7701239Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"etag\":\"\\\"91001c8e-0000-0100-0000-61b54cb30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.9059365Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"name\":\"02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"etag\":\"\\\"910061fe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user 
{{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, 
RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:23:36.39834Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\",\"name\":\"10a698ca-8310-4b90-a86e-2f43fe285e56\",\"etag\":\"\\\"91006cfe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.1386167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af03fc0e-d33f-447a-8397-d60726aa92c5\",\"name\":\"af03fc0e-d33f-447a-8397-d60726aa92c5\",\"etag\":\"\\\"9100d4fe-0000-0100-0000-61b54f1b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.2680673Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 
aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"name\":\"fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"etag\":\"\\\"92006710-0000-0100-0000-61b54f790000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRulesuagz6\",\"enabled\":true,\"description\":\"RemoveAlertRulesuagz6 
fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:11.212957Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 
952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 
98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:13.0837645Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"name\":\"6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"etag\":\"\\\"9200dd20-0000-0100-0000-61b54fd40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuledgk4wi\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuledgk4wi 
6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:44.114196Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"name\":\"453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"etag\":\"\\\"9200a026-0000-0100-0000-61b54ff30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName1539nb\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName1539nb 
453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:15.28338Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6\",\"name\":\"3e459759-acb2-48cd-b091-f325a2618fb6\",\"etag\":\"\\\"9200562c-0000-0100-0000-61b550120000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamerey7av\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamerey7av 
3e459759-acb2-48cd-b091-f325a2618fb6\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:46.3915852Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"name\":\"a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"etag\":\"\\\"9200fc31-0000-0100-0000-61b550320000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNamea13fz8\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNamea13fz8 
a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:18.3040106Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead\",\"name\":\"09b5716f-9b0b-4663-8302-e17b94a12ead\",\"etag\":\"\\\"9200e237-0000-0100-0000-61b550520000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleName1lirvu\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleName1lirvu 
09b5716f-9b0b-4663-8302-e17b94a12ead\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:49.5419602Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7\",\"name\":\"a555c523-e318-4501-bfe8-b9c6da354af7\",\"etag\":\"\\\"92008e3d-0000-0100-0000-61b550710000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameymswnj\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameymswnj 
a555c523-e318-4501-bfe8-b9c6da354af7\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:29:20.6202232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"name\":\"34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"etag\":\"\\\"93003d2e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.8940733Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dd7306f3-4a9a-4270-a174-816dd3747be0\",\"name\":\"dd7306f3-4a9a-4270-a174-816dd3747be0\",\"etag\":\"\\\"9300442e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = 
externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.9239147Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"name\":\"dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"etag\":\"\\\"9300492e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0054042Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b888a369-216c-4de2-a4c8-972018977325\",\"name\":\"b888a369-216c-4de2-a4c8-972018977325\",\"etag\":\"\\\"93004a2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0215473Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/17bb920a-238b-4d2c-b208-83addc14efbe\",\"name\":\"17bb920a-238b-4d2c-b208-83addc14efbe\",\"etag\":\"\\\"93004b2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n 
Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.021751Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"name\":\"3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"etag\":\"\\\"93004c2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0175408Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a074a675-209d-48d5-bae8-b6c958152873\",\"name\":\"a074a675-209d-48d5-bae8-b6c958152873\",\"etag\":\"\\\"93004d2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0388622Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"name\":\"c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"etag\":\"\\\"93004e2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0351918Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/946778f9-52a0-414d-9453-fc3645ceca6f\",\"name\":\"946778f9-52a0-414d-9453-fc3645ceca6f\",\"etag\":\"\\\"9300502e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0496088Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"name\":\"07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"etag\":\"\\\"9300512e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0345167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"name\":\"a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"etag\":\"\\\"9300522e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| 
project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.017663Z\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "160" ], + "x-ms-client-request-id": [ "ad064d7e-64b9-48c0-825d-cf1d4327108a" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ 
"AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], + "x-ms-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "x-ms-correlation-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "161" ], + "x-ms-client-request-id": [ "81026a09-75bd-4bfa-a6a8-6df0d416ebee" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], + "x-ms-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "x-ms-correlation-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "162" ], + "x-ms-client-request-id": [ "d982dd2f-d791-462c-adb1-8d0efc44d1c0" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], + "x-ms-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "x-ms-correlation-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1164" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..3831550ce167 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRule' {
+ It 'List' {
+ $alertRules = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $alertRules.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleId
+ $alertRule.Name | Should -Be $env.GetAlertRuleId
+ }
+
+ It 'GetViaIdentity' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleId
+ $alertRuleViaId = Get-AzSentinelAlertRule -InputObject $alertRule
+ $alertRuleViaId.Name | Should -Be $env.GetAlertRuleId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..92fe31f567cf
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json
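Review bot: The `while(-not $mockingPath)` loop in the setup block has no termination guard: if no `HttpPipelineMocking.ps1` exists anywhere up the directory tree, `Split-Path -Parent` eventually yields an empty path and the loop never reaches a clean exit (it most likely keeps erroring on `Get-ChildItem -Path ''`), and when more than one copy exists the recursive search dot-sources whichever file is found first without checking where it came from. Bounding the walk and failing loudly is safer, e.g. `if (-not $currentPath) { throw 'HttpPipelineMocking.ps1 not found' }` as the first statement inside the loop, so a missing or unexpected helper stops the run instead of spinning or executing an arbitrary same-named script. The identical scaffold appears in the Get-AzSentinelAlertRuleAction.Tests.ps1 hunk below and needs the same guard.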
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "163" ], + "x-ms-client-request-id": [ "f916e3cf-4111-4055-a8e2-bdad5cc49a84" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], + "x-ms-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "x-ms-correlation-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "727" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_453b8e9c-424a-4b50-8c6d-58de856d5abf_1ce91c05-b6a4-4476-9e83-4df36d224e97/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "164" ], + "x-ms-client-request-id": [ "8e4fe198-4eff-4579-af07-a882932d6da7" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ 
"[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], + "x-ms-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], + "x-ms-correlation-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:a9da4e26-15f4-4849-ad47-901cc441d680" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "165" ], + "x-ms-client-request-id": [ "601a3c6b-e4b8-4b3b-861d-46725b40243f" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], + "x-ms-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], + "x-ms-correlation-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:3cef07d3-4665-4f94-82aa-102d543b3681" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "166" ], + "x-ms-client-request-id": [ "781a0ed8-5f29-4a45-a193-08596b71230a" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + 
"Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], + "x-ms-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "x-ms-correlation-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..b10d5ae00306 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRuleAction' {
+ It 'List' {
+ $alertRuleActions = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId
+ $alertRuleActions.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId -Id $env.GetAlertRuleActionId
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+
+ It 'GetViaIdentity' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.GetAlertRuleActionRuleId -Id $env.GetAlertRuleActionId
+ $alertRuleActionviaId = Get-AzSentinelAlertRuleAction -InputObject $alertRuleAction
+ $alertRuleActionviaId.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json
new file mode 100644
index 000000000000..104f76ac1356
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json
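Review bot: The 'Get' and 'GetViaIdentity' assertions compare only `LogicAppResourceId` with `$env.Playbook1LogicAppResourceId`, so the identity of the returned action is never checked against the `-Id` that was requested; a recording or service response returning a different action bound to the same playbook would still pass. Pinning the lookup the way the Get-AzSentinelAlertRule tests pin `Name` closes that gap: `$alertRuleAction.Name | Should -Be $env.GetAlertRuleActionId` in 'Get' and `$alertRuleActionviaId.Name | Should -Be $env.GetAlertRuleActionId` in 'GetViaIdentity', alongside the existing playbook assertion.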
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "167" ], + "x-ms-client-request-id": [ "57316fa6-441c-4908-9e85-2ec6a3a32d84" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ], + "x-ms-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "x-ms-correlation-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015403Z:f493e6a5-6947-4531-9414-66f7ea1c7408" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "168" ], + "x-ms-client-request-id": [ "24437480-02f4-48bb-8768-777fee15218a" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11990" ], + "x-ms-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], + "x-ms-correlation-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015408Z:29320738-9dd0-4d68-9991-91f8e8512634" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:07 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + 
"RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "169" ], + "x-ms-client-request-id": [ "3915ef58-6993-40fa-8056-4fe7e285a636" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11989" ], + "x-ms-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "x-ms-correlation-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015413Z:5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1139662" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = 
FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, 
SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. 
Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 
50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = 
actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures 
released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. 
\\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced 
Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { + 
"Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "170" ], + "x-ms-client-request-id": [ "b8c53d8e-cc22-4686-86be-c4722bd12ca0" ], + "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11988" ], + "x-ms-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "x-ms-correlation-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015418Z:a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2430" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 new file mode 100644 index 000000000000..d32bae512cd4 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAlertRuleTemplate'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAlertRuleTemplate.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAlertRuleTemplate' {
+ It 'List' {
+ $alertRuleTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $alertRuleTemplates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $alertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Kind -eq "Fusion"}
+ $alertRuleTemplate.Kind | Should -Be "Fusion"
+ }
+
+ It 'GetViaIdentity' {
+ $alertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | where {$_.Kind -eq "Fusion"}
+ $alertRuleTemplateViaIdentity = Get-AzSentinelAlertRuleTemplate -InputObject $alertRuleTemplate
+ $alertRuleTemplateViaIdentity.Kind | Should -Be "Fusion"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..30cbc5d44324
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json
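Review bot: The `It 'Get'` block never exercises the cmdlet's by-id parameter set — it issues the same List call as `It 'List'` and filters client-side with `Where {$_.Kind -eq "Fusion"}`, so a regression in the `alertRuleTemplates/<id>` GET path (which the recording just above already holds, but only under a GetViaIdentity key) would go unnoticed. Both filtered blocks also assume exactly one Fusion-kind template exists; with several, `$alertRuleTemplate` becomes a collection and `-InputObject` in 'GetViaIdentity' receives an array rather than a single identity. Assuming the cmdlet exposes `-Id` as Get-AzSentinelAutomationRule does in its sibling test, resolve the id once and then call by id: `$fusion = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where-Object {$_.Kind -eq "Fusion"} | Select-Object -First 1` followed by `$alertRuleTemplate = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $fusion.Name`; the recording would presumably need a matching Get entry re-recorded. The mixed `Where`/`where` casing between the two blocks is a minor style nit.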
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "171" ], + "x-ms-client-request-id": [ "89eee22f-9145-4286-b477-5e07ac0c3d51" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "x-ms-correlation-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015439Z:d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "6768" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"name\":\"a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"etag\":\"\\\"79001a91-0000-0100-0000-61b5512a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRule0cjsva\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:26Z\",\"createdTimeUtc\":\"2021-12-12T01:32:26Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/61701d90-8353-4d61-b435-f9905a31142d\",\"name\":\"61701d90-8353-4d61-b435-f9905a31142d\",\"etag\":\"\\\"79002696-0000-0100-0000-61b551880000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulezi05h4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:34:00Z\",\"createdTimeUtc\":\"2021-12-12T01:34:00Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "172" ], + "x-ms-client-request-id": [ "0e920e48-4286-4f8b-8c5b-6fce44d2b068" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "x-ms-correlation-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "173" ], + "x-ms-client-request-id": [ "2ffef0f0-16f6-4651-b9fb-dab342d27d78" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "x-ms-correlation-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "174" ], + "x-ms-client-request-id": [ "83ac92cd-0958-49e1-8e9f-389a5e155aab" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "x-ms-correlation-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..f196a48520c3 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelAutomationRule' {
+ It 'List' {
+ $automationRules = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $automationRules.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetAutomationRuleId
+ $automationRule.Name | Should -Be $env.GetAutomationRuleId
+ }
+
+ It 'GetViaIdentity' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetAutomationRuleId
+ $automationRuleViaIdentity = Get-AzSentinelAutomationRule -InputObject $automationRule
+ $automationRuleViaIdentity.Name | Should -Be $env.GetAutomationRuleId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..f7ed885ded11
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json
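Review bot: The recording this file replays (`Get-AzSentinelAutomationRule.Recording.json`, named on the `$TestRecordingFile` line and added in the hunk just above) carries the identity of the account that created the fixtures — e-mail, display name and AAD objectId under `createdBy`/`lastModifiedBy`, plus the `tenantId` inside each `actionConfiguration` — while only the `Authorization` header is `[Filtered]`. None of the assertions in this file read those fields (they check `Count` and `Name`), so those values could be replaced with placeholder strings in the recording before it is committed without changing what the tests verify. The Bookmark recording whose header ends this hunk appears to embed the same `createdBy` identity data, so the scrub would apply there too. Otherwise the three `It` blocks follow the module's generated scaffolding and the `Get` case here does exercise the `-Id` path, unlike the AlertRuleTemplate test.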
@@ -0,0 +1,166 @@
+{
+ "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "175" ],
+ "x-ms-client-request-id": [ "913eb8f4-b416-43b1-b3fc-75e5faabe775" ],
+ "CommandName": [ "Get-AzSentinelbookmark" ],
+ "FullCommandName": [ "Get-AzSentinelBookmark_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11987" ],
+ "x-ms-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ],
+ "x-ms-correlation-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:435df7cf-2c49-4ca6-826f-3431e381252f" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "44318" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/9ff7b322-3212-4574-bfad-4408206875f8\",\"name\":\"9ff7b322-3212-4574-bfad-4408206875f8\",\"etag\":\"\\\"6b02bf99-0000-0100-0000-61b551c50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmarkorux9k\",\"created\":\"2021-12-12T01:35:01.4256876+00:00\",\"updated\":\"2021-12-12T01:35:01.4256876+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"name\":\"e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"etag\":\"\\\"6b02e6a2-0000-0100-0000-61b552250000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmark63g7uz\",\"created\":\"2021-12-12T01:36:37.0345164+00:00\",\"updated\":\"2021-12-12T01:36:37.0345164+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"name\":\"b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"etag\":\"\\\"6b02e1a5-0000-0100-0000-61b552440000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkq42uhy\",\"created\":\"2021-12-12T01:37:08.7269486+00:00\",\"updated\":\"2021-12-12T01:37:08.7269486+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b\",\"name\":\"5df694bf-7774-49cf-a84b-282fd43a926b\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNamezks1qr\",\"created\":\"2021-12-12T01:37:40.5117261+00:00\",\"updated\":\"2021-12-12T01:37:40.5117261+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"relationName\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888\",\"name\":\"20d8a730-18a5-4a76-9420-a32e46ce5888\",\"etag\":\"\\\"6b020aad-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamepvhuk4\",\"created\":\"2021-12-12T01:38:11.2924904+00:00\",\"updated\":\"2021-12-12T01:38:11.2924904+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"relationName\":\"adad6e56-9f94-4fba-ba3b-96f4616cdf68\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"name\":\"675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNamexlrb8u\",\"created\":\"2021-12-12T01:38:41.8962323+00:00\",\"updated\":\"2021-12-12T01:38:41.8962323+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"relationName\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"name\":\"6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"etag\":\"\\\"6b0226b3-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamecawzes\",\"created\":\"2021-12-12T01:39:13.5533963+00:00\",\"updated\":\"2021-12-12T01:39:13.5533963+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"relationName\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"name\":\"463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkName5modef\",\"created\":\"2021-12-12T01:39:43.9875375+00:00\",\"updated\":\"2021-12-12T01:39:43.9875375+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"relationName\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"etag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"title\":\"GetincidentRelationIncidentNamerea364\",\"relationName\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"name\":\"ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"etag\":\"\\\"6b02abc7-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkName72z1my\",\"created\":\"2021-12-12T01:49:07.7080162+00:00\",\"updated\":\"2021-12-12T01:49:07.7080162+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"relationName\":\"969e8896-2438-40e6-9455-f5fd9b30d396\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"name\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"etag\":\"\\\"6b025fc8-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNamebtlx8k\",\"created\":\"2021-12-12T01:49:38.6183798+00:00\",\"updated\":\"2021-12-12T01:49:38.6183798+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"relationName\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/201247f4-bb20-4a3b-8e89-3609968c888f\",\"name\":\"201247f4-bb20-4a3b-8e89-3609968c888f\",\"etag\":\"\\\"6b02fac8-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkNamewqmnkf\",\"created\":\"2021-12-12T01:50:09.9581751+00:00\",\"updated\":\"2021-12-12T01:50:09.9581751+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"relationName\":\"defc1116-f142-4647-a377-6869110f6e77\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"name\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"etag\":\"\\\"6b028ec9-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkNamehd50fa\",\"created\":\"2021-12-12T01:50:40.6751074+00:00\",\"updated\":\"2021-12-12T01:50:40.6751074+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"relationName\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"severity\":\"Informational\"}}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "176" ], + "x-ms-client-request-id": [ "1573c77a-d964-4b7c-87fb-64bbad1506b7" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11986" ], + "x-ms-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "x-ms-correlation-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "177" ], + "x-ms-client-request-id": [ "47087007-a3e4-469e-bb34-f20498017770" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ 
"AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11985" ], + "x-ms-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "x-ms-correlation-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "178" ], + "x-ms-client-request-id": [ "f3557608-69db-46dc-8c5b-6943a35806c3" ], + "CommandName": [ "Get-AzSentinelbookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + 
"User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11984" ], + "x-ms-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "x-ms-correlation-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5318" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..9868eddb659f --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelBookmark' {
+ It 'List' {
+ $bookmarks = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $bookmarks.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $bookmark = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetbookmarkId
+ $bookmark.Name | Should -Be $env.GetbookmarkId
+ }
+
+ It 'GetViaIdentity' {
+ $bookmark = Get-AzSentinelbookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetbookmarkId
+ $bookmarkViaIdentity = Get-AzSentinelbookmark -InputObject $bookmark
+ $bookmarkViaIdentity.Name | Should -Be $env.GetbookmarkId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..a12690eee6e3
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json
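Review bot: The cmdlet is invoked as `Get-AzSentinelbookmark` in all three `It` blocks while the `Describe` string, the file name and the exported command are `Get-AzSentinelBookmark`; PowerShell resolves the name case-insensitively so the tests still pass, but the lowercase spelling is what gets captured in the recording's `CommandName` header and makes the tests harder to grep, so the calls should read `Get-AzSentinelBookmark -ResourceGroupName ...`. The mock-discovery loop `while(-not $mockingPath) {` has no stop condition: if `HttpPipelineMocking.ps1` is not found anywhere above `$PSScriptRoot`, `Split-Path -Parent` eventually yields an empty path and the loop presumably keeps iterating rather than failing with a clear message; guarding it as `while(-not $mockingPath -and $currentPath) {` and throwing afterwards when `$mockingPath` is still empty would bound it. The same two points apply to the `Get-AzSentinelBookmarkRelation.Tests.ps1` hunk below (`Get-AzSentinelbookmarkRelation`).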
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "179" ], + "x-ms-client-request-id": [ "ec3b8cab-30fa-4cc8-ab80-a8e87156cf78" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11983" ], + "x-ms-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "x-ms-correlation-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "840" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "180" ], + "x-ms-client-request-id": [ "797ffe9f-42a7-4f8e-85b6-b6139680dbc7" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + 
"ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11982" ], + "x-ms-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "x-ms-correlation-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "181" ], + "x-ms-client-request-id": [ "44689ac9-3345-4e7e-afda-2ffe63d7fb90" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11981" ], + "x-ms-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "x-ms-correlation-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] 
+ }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "182" ], + "x-ms-client-request-id": [ "578d2294-6c45-4278-b066-4cc314dc7c98" ], + "CommandName": [ "Get-AzSentinelbookmarkRelation" ], + "FullCommandName": [ 
"Get-AzSentinelBookmarkRelation_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11980" ], + "x-ms-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "x-ms-correlation-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1
new file mode 100644
index 000000000000..617296650474
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelBookmarkRelation' {
+ It 'List' {
+ $bookmarkRelations = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId
+ $bookmarkRelations.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $bookmarkRelation = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId -RelationName $env.GetbookmarkRelationId
+ $bookmarkRelation.Name | Should -Be $env.GetbookmarkRelationId
+ }
+
+ It 'GetViaIdentity' {
+ $bookmarkRelation = Get-AzSentinelbookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.GetbookmarkRelationBookmarkId -RelationName $env.GetbookmarkRelationId
+ $bookmarkRelationViaIdentity = Get-AzSentinelbookmarkRelation -InputObject $bookmarkRelation
+ $bookmarkRelationViaIdentity.Name | Should -Be $env.GetbookmarkRelationId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..595c82678ef5
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "183" ], + "x-ms-client-request-id": [ "9ca37a10-31ec-41f6-adf8-4f12db2f49a6" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], + "x-ms-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "x-ms-correlation-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1122" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"b233bb7e-98ea-415f-895d-e389655250ac\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + 
"Headers": { + "x-ms-unique-id": [ "184" ], + "x-ms-client-request-id": [ "3f28bef1-d283-4989-83dc-560e93ad206f" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], + "x-ms-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "x-ms-correlation-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "185" ], + "x-ms-client-request-id": [ "f0b9c309-c273-44b3-81df-88c1e8add32c" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], + "x-ms-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "x-ms-correlation-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + }, + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "186" ], + "x-ms-client-request-id": [ "9cf28c4c-0667-4cd3-92b8-1a38a856b836" ], + "CommandName": [ "Get-AzSentineldataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], + 
"x-ms-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], + "x-ms-correlation-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:22ba730e-db64-430e-bf46-e675d9070622" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "530" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..5d623a9bf492 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelDataConnector' {
+ It 'List' {
+ $dataConnectors = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $dataConnectors.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $dataConnector = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.dataConnectorId
+ $dataConnector.Name | Should -Be $env.dataConnectorId
+ }
+
+ It 'GetViaIdentity' {
+ $dataConnector = Get-AzSentineldataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.dataConnectorId
+ $dataConnectorViaIdentity = Get-AzSentineldataConnector -InputObject $dataConnector
+ $dataConnectorViaIdentity.Name | Should -Be $env.dataConnectorId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json
new file mode 100644
index 000000000000..d8b483fa1586
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "187" ], + "x-ms-client-request-id": [ "12efe3e7-d714-40b6-84d0-5750915d645f" ], + "CommandName": [ "Get-AzSentinelEnrichment" ], + "FullCommandName": [ "Get-AzSentinelEnrichment_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], + "x-ms-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "x-ms-correlation-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015608Z:4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "375" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"asn\":\"15169\",\"carrier\":\"google llc\",\"city\":\"mountain view\",\"cityCf\":80,\"continent\":\"north america\",\"country\":\"united 
states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"37.38802\",\"longitude\":\"-122.07431\",\"organization\":\"google\",\"organizationType\":\"Internet Service Provider\",\"region\":\"southwest\",\"state\":\"california\",\"stateCf\":95,\"stateCode\":\"ca\"}", + "isContentBase64": false + } + }, + "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "188" ], + "x-ms-client-request-id": [ "faec6059-9760-4bf5-b8f8-830c947b9b44" ], + "CommandName": [ "Get-AzSentinelEnrichment" ], + "FullCommandName": [ "Get-AzSentinelEnrichment_Get1" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], + "x-ms-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "x-ms-correlation-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015609Z:8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "1408" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00\",\"updated\":\"2019-09-09T00:00:00\",\"expires\":\"2028-09-14T00:00:00\",\"parsed_whois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuse_contact_phone\":\"12083895770\",\"abuse_contact_email\":\"abusecomplaints@markmonitor.com\",\"iana_id\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whois_server\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"name_servers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1
new file mode 100644
index 000000000000..5b6cd8654e23
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Tests.ps1
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEnrichment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEnrichment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEnrichment' {
+ It 'Get_IP' {
+ $IPEnrichment = Get-AzSentinelEnrichment -ResourceGroupName $env.resourceGroupName -IPAddress 8.8.8.8
+ $IPEnrichment.ipAddr | Should -Be '8.8.8.8'
+ }
+
+ It 'Get_Domain' {
+ $DomainEnrichment = Get-AzSentinelEnrichment -ResourceGroupName $env.resourceGroupName -Domain "google.com"
+ $DomainEnrichment.domain | Should -Be 'google.com'
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json
new file mode 100644
index 000000000000..2617a84eb81d
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json
@@ -0,0 +1,248 @@ +{ + "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "189" ], + "x-ms-client-request-id": [ "af05e47d-2a7c-454b-b7c7-bf35c1b686c5" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], + "x-ms-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "x-ms-correlation-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015630Z:b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "190" ], + "x-ms-client-request-id": [ "40fc19d6-790d-4129-b422-33cbfb745571" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], + "x-ms-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "x-ms-correlation-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015631Z:2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "191" ], + "x-ms-client-request-id": [ "d2959a56-b498-437a-b324-ad0289b52252" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ 
"[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], + "x-ms-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "x-ms-correlation-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015631Z:cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ 
"192" ], + "x-ms-client-request-id": [ "fb1bb058-e36c-4d32-9db8-ff5f656d1037" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], + "x-ms-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "x-ms-correlation-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "193" ], + "x-ms-client-request-id": [ "6e1955bd-faad-4f20-a643-5956f9ac47ff" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ], + "x-ms-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], + "x-ms-correlation-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:687044df-ca03-4391-879a-195164267c13" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "194" ], + "x-ms-client-request-id": [ "4df17961-e010-4663-a97c-305403a5b564" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ], + "x-ms-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "x-ms-correlation-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015633Z:0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "413" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 new file mode 100644 index 000000000000..803dc2377f30 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Tests.ps1 
@@ -0,0 +1,35 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntity'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntity.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntity' {
+ It 'List' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entities.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entity = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entities[0].Name
+ $entity.Name | Should -Be $entities[0].Name
+ }
+
+ It 'GetViaIdentity' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entity = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entities[0].Name
+ $entityViaId = Get-AzSentinelentity -InputObject $entity
+ $entityViaId.Name | Should -Be $entities[0].Name
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json
new file mode 100644
index 000000000000..1dd40543e6d3
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json
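Review bot: The 'Get' and 'GetViaIdentity' tests only assert that `Name` round-trips, so a cmdlet that returned the wrong entity kind or dropped its properties would still pass; the replayed recording returns an `Ip` entity with an `address`, which is worth pinning, e.g. `$entity.Kind | Should -Be $entities[0].Kind` next to the existing Name assertion (the exact output property names are inferred from the JSON and should be confirmed). Each test also indexes `$entities[0]` without first checking that the list call returned anything, so a recording mismatch surfaces as an indexing error instead of a clear failure; `$entities | Should -Not -BeNullOrEmpty` before the index would make that explicit. The bootstrap block dot-sources the first `HttpPipelineMocking.ps1` that a recursive `Get-ChildItem -Recurse` finds while walking up from `$PSScriptRoot`, which as far as I can tell will execute any file of that name that happens to sit under an ancestor directory before the intended one; pinning the helper to a known relative path, or at least limiting the search with `-Depth`, would keep the test from running code it did not ask for. Minor: the cmdlet is typed `Get-AzSentinelentity` while the Describe block and the fixture's FullCommandName use `Get-AzSentinelEntity`; resolution is case-insensitive, but the lower-case spelling is what ends up in the recorded CommandName header.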
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "195" ], + "x-ms-client-request-id": [ "3a8d1b1a-15d4-4a1d-9bc7-cbae66fc4666" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11967" ], + "x-ms-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "x-ms-correlation-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015654Z:519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:54 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "196" ], + "x-ms-client-request-id": [ "9ace68b3-6c28-4e38-8315-983d38166b5d" ], + "CommandName": [ "Get-AzSentinelEntityActivity" ], + "FullCommandName": [ "Get-AzSentinelEntityActivity_Queries" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], + "x-ms-request-id": [ 
"81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "x-ms-correlation-request-id": [ "81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015658Z:81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:56:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "20801" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 new file mode 100644 index 000000000000..aad19cfd008a --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Tests.ps1 
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityActivity'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityActivity.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityActivity' {
+ It 'Queries' {
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $queries = Get-AzSentinelEntityActivity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name
+ $queries.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
new file mode 100644
index 000000000000..1b91850f78ac
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
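Review bot: The discovery loop `while(-not $mockingPath)` has no exit condition other than finding HttpPipelineMocking.ps1, so if the file is absent the walk reaches the filesystem root, where `Split-Path -Parent` yields an empty path and, as far as I can tell, the following `Get-ChildItem -Path ''` and `Split-Path` calls raise only non-terminating errors on every iteration; the test then spins instead of failing. Bounding the walk with `while(-not $mockingPath -and $currentPath) {` and adding `if (-not $mockingPath) { throw 'HttpPipelineMocking.ps1 not found' }` before the dot-source turns that into an immediate, explicit failure. The same boilerplate appears in the sibling Get-AzSentinelEntity.Tests.ps1 hunk, so the fix belongs in the generator template rather than being hand-patched in one file. Separately, the single 'Queries' test asserts only a count and takes the entity id from `$entities[0]` without checking that the list call returned anything; the recording shows the call returning `Insight` queries, so asserting on that kind would make the test catch a regression in what is returned, not just that something is.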
@@ -0,0 +1,79 @@ +{ + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "197" ], + "x-ms-client-request-id": [ "c99f59a5-31cc-4138-b561-8fe621ad89c5" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], + "x-ms-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "x-ms-correlation-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015719Z:4af5eb56-43e2-4815-86bb-80a1da31432f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:19 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], + "x-ms-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + "x-ms-correlation-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015723Z:0f5df074-c8e7-464b-8a83-3d63d3cdce91" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1719" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional 
Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 new file mode 100644 index 000000000000..02698a98536d --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityInsight'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityInsight.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityInsight' {
+ It 'GetExpanded' {
+ $startTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityInsight = Get-AzSentinelEntityInsight -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name -StartTime $startTime -EndTime $endTime
+ $entityInsight.MetaDataTotalCount | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..9e86177cadfe
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json
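Review bot: The `-Format "yyyy-MM-ddThh:00:00.000Z"` strings on the `$startTime` and `$endTime` lines use `hh`, the 12-hour clock, with no AM/PM designator, so any run after 12:00 UTC sends a window that is 12 hours off (13:00 is emitted as `01:00`) while the literal `Z` still labels it as UTC. Use the 24-hour specifier in both lines: `Get-Date -Format "yyyy-MM-ddTHH:00:00.000Z"`. The recording was captured at 01:57 UTC and carries `startTime` `2021-12-11T01:00:00`, a value where `hh` and `HH` happen to coincide, which is presumably why the defect did not show up when the recording was made.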
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "199" ], + "x-ms-client-request-id": [ "f9562eb3-7e8c-4c59-9683-f8d910ad9bb0" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], + "x-ms-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "x-ms-correlation-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015745Z:76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:44 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "163861" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\n SecurityAlert\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\n | project entities = todynamic(Entities)\\n | mv-expand entities\\n | project-rename entity=entities};\\n GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\n SecurityAlert\\n | 
summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\n | project-away entity};\\n GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\n | project-away entity};\\n 
GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\n | project-away entity};\\n 
GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\n | project-away entity};\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where 
entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\n | project-away entity};\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\n | project-away entity};\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename 
entity=entities\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\n | project-away entity};\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\n | project-away entity};\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related 
bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\n | project-away entity};\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] =~ v_Process_ProcessId\\n | project-away 
entity};\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\n | project-away entity};\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\n | project-away entity};\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\n | project-away entity};\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetURLRelatedAlerts = (v_URL_Url:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\n | project-away entity};\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\n | project-away entity};\\n 
GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\n 
GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\n | project-away entity};\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\n | project-away entity};\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\n | project-away entity};\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\n | project-away entity};\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet MostFailedLogins = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)\\r\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_FailedLoginsCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = 
strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away Computer, Account, _ResourceId, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostFailedLogins(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\r\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\r\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\r\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| 
top 10 by percentOfActivity asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, 
FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn\\r\\n\\t\\t\\t\\t\\t\\t\\t or\\r\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by 
Host_UnstructuredName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), 
Process_Account_NTDomain = tostring(split(UserName, \u0027\\\\\\\\\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name,\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, 
\u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let GetAllIPbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPbyAccount 
(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, 
tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, 
\u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\r\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, 
Rank\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\r\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Type) ==\\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Name) has_any (PeerNames) or tostring(parsejson(Entities).AadUserId) has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count()\\r\\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parsejson(Entities).Name))\\r\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parsejson(Entities).UPNSuffix));\\r\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\r\\n\\t\\t\\t\\t\\t\\t\\t Peers\\r\\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics 
SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, 
StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, 
\u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, 
Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), 
ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"name\":\"ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IoTDevice = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == 
\\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IoTDevice(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating 
the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", 
EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = 
floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or 
p_Host_DnsDomain=~Host_DnsDomain)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == SuccessfulLoginEventId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, 
\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes 
running on Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains 
\u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = 
tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, 
StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, 
Description:string, FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, 
Account_Sid\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = 
todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), 
Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3d110544-328c-4c02-ad49-eabc2b69f26d\",\"name\":\"3d110544-328c-4c02-ad49-eabc2b69f26d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IoTDevice = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress 
== v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IoTDevice(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = 
todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = 
tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, 
Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , 
Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = 
(v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away 
rn\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts 
with this IP\",\"queryTemplate\":\"let GetAllAccountByIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize 
IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), 
UserPrincipalName, AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\r\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, 
AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project 
File_Name=FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, 
RemoteIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027,\\r\\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string )\\r\\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse 
PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", 
SvcPreviousRunlevels),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == 
\\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc 
desc};\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, 
Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = 
tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), 
LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"name\":\"233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = 
todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", 
EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = 
tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, v_IoTDevice_IoTHub:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "200" ], + "x-ms-client-request-id": [ "02e528c7-7971-4a86-9a7f-03105bcc360f" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + 
"StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], + "x-ms-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "x-ms-correlation-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, 
\u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "201" ], + "x-ms-client-request-id": [ "ea04149a-ed83-4baf-acf8-736472c4560b" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], + "x-ms-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "x-ms-correlation-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this 
host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 
\"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "202" ], + "x-ms-client-request-id": [ "b6d33220-31bf-433b-a328-453bf3ad00ee" ], + "CommandName": [ "Get-AzSentinelentityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], + "x-ms-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "x-ms-correlation-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T015746Z:0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:57:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..06c4f58f24fa --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityQuery' {
+ It 'List' {
+ $entityQueryies = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryies.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entityQuery = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetentityQueryActivityId
+ $entityQuery.Name | Should -Be $env.GetentityQueryActivityId
+ }
+
+ It 'GetViaIdentity' {
+ $entityQuery = Get-AzSentinelentityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetentityQueryActivityId
+ $entityQueryViaId = Get-AzSentinelentityQuery -InputObject $entityQuery
+ $entityQueryViaId.Name | Should -Be $env.GetentityQueryActivityId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
new file mode 100644
index 000000000000..81d8de3dcd35
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
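Review bot: The bootstrap loop `while(-not $mockingPath) {` in the new Get-AzSentinelEntityQuery.Tests.ps1 has no stop condition for the case where HttpPipelineMocking.ps1 is never found: once `$currentPath` reaches the drive root, `Split-Path -Path $currentPath -Parent` yields an empty string and the following `Get-ChildItem -Path $currentPath` errors out instead of reporting the missing helper. A guard such as `while(-not $mockingPath -and $currentPath) {` followed by `if (-not $mockingPath) { throw "HttpPipelineMocking.ps1 not found above $PSScriptRoot" }` makes that failure explicit. As a point of style, the It blocks call `Get-AzSentinelentityQuery` while the Describe names `Get-AzSentinelEntityQuery`, and `$entityQueryies` is misspelled; PowerShell resolves both spellings, but `Get-AzSentinelEntityQuery` and `$entityQueries` would read consistently with the rest of the file. `$TestRecordingFile` is assigned here but not referenced in this file; presumably the sourced mocking script reads it, so a short comment saying so would help the next reader.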
@@ -0,0 +1,125 @@ +{ + "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "203" ], + "x-ms-client-request-id": [ "e0396517-e4b0-43b4-acfc-bd6083c1ae8f" ], + "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], + "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], + "x-ms-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ], + "x-ms-correlation-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015809Z:a6207471-5adf-4afe-991e-fbad1946447e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "187304" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 
TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}",
+ "isContentBase64": false
+ }
+ },
+ "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "204" ],
+ "x-ms-client-request-id": [ "c806251a-84a5-4cda-96a3-9481c0232d15" ],
+ "CommandName": [ "Get-AzSentinelentityQueryTemplate" ],
+ "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ],
+ "x-ms-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ],
+ "x-ms-correlation-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T015812Z:1a72f600-be84-4ce9-a11e-eca776b3444e" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 01:58:11 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "187304" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "205" ], + "x-ms-client-request-id": [ "383f2cec-54da-4e58-9428-626dea7ce23d" ], + "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], + "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], + "x-ms-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "x-ms-correlation-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015815Z:6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "3224" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | 
extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1
new file mode 100644
index 000000000000..3b69ea166719
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Tests.ps1
@@ -0,0 +1,35 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityQueryTemplate'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityQueryTemplate.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityQueryTemplate' {
+ It 'List' {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplate = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entityQueryTemplates[0].Name
+ $entityQueryTemplate.Name | Should -Be $entityQueryTemplates[0].Name
+ }
+
+ It 'GetViaIdentity' -skip {
+ $entityQueryTemplates = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityQueryTemplate = Get-AzSentinelentityQueryTemplate -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $entityQueryTemplates[0].Name
+ $entityQueryTemplateViaId = Get-AzSentinelentityQuery -InputObject $entityQueryTemplate
+ $entityQueryTemplateViaId.Name | Should -Be $entityQueryTemplates[0].Name
+ }
+}
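Review bot: The skipped `GetViaIdentity` case calls the wrong cmdlet: `Get-AzSentinelentityQuery -InputObject $entityQueryTemplate` resolves an entity query, not an entity query template, so the case would exercise the wrong resource as soon as `-skip` is removed. The line should read `$entityQueryTemplateViaId = Get-AzSentinelEntityQueryTemplate -InputObject $entityQueryTemplate`. Separately, the `while(-not $mockingPath)` loop in the preamble has no stop condition: if `HttpPipelineMocking.ps1` is never found, `Split-Path -Parent` eventually yields an empty path and the loop appears to spin instead of failing; adding `-and $currentPath` to the condition would surface the missing file as an error at the dot-source line. The same preamble is repeated in the Get-AzSentinelEntityRelation and Get-AzSentinelEntityTimeline test files in this diff.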
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1
new file mode 100644
index 000000000000..174637af2859
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityRelation.Tests.ps1
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityRelation' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Get' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'GetViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json
new file mode 100644
index 000000000000..4aa4103e97ae
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json
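Review bot: All three `It` blocks in `Describe 'Get-AzSentinelEntityRelation'` are `-skip` placeholders whose body `{ throw [System.NotImplementedException] } | Should -Not -Throw` fails by construction, so this cmdlet ships with no executed coverage and the green test run hides that. The diff is in file-name order and no `Get-AzSentinelEntityRelation.Recording.json` appears between the EntityQueryTemplate and EntityTimeline files, so the scenarios presumably cannot run in playback mode either. Either record at least the `List` case against the `$TestRecordingFile` the preamble already computes, or put a `# TODO: scenarios not yet implemented; no recording exists for this cmdlet` comment on the `Describe` block so the skips are not mistaken for passing tests.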
@@ -0,0 +1,79 @@ +{ + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "206" ], + "x-ms-client-request-id": [ "81504883-85f8-4e9f-a467-387ece9a56a4" ], + "CommandName": [ "Get-AzSentinelentity" ], + "FullCommandName": [ "Get-AzSentinelEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], + "x-ms-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "x-ms-correlation-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015857Z:c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "461" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], + "x-ms-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + "x-ms-correlation-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015900Z:c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:58:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "152" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[],\"metaData\":{\"aggregations\":[{\"kind\":\"Activity\",\"count\":0},{\"kind\":\"Bookmark\",\"count\":0},{\"kind\":\"SecurityAlert\",\"count\":0}],\"totalCount\":0}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 new file mode 100644 index 000000000000..485cf7c87485 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelEntityTimeline'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelEntityTimeline.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelEntityTimeline' {
+ It 'ListExpanded' {
+ $startTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $entities = Get-AzSentinelentity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $entityTimeline = Get-AzSentinelEntityTimeline -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -EntityId $entities[0].Name -startTime $startTime -EndTime $endTime
+ $entityTimeline | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..71b9ebd0487e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json
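Review bot: The format string used for `$startTime` and `$endTime`, `"yyyy-MM-ddThh:00:00.000Z"`, uses `hh`, the 12-hour clock, so any run after 12:00 UTC emits a `Z`-suffixed timestamp whose hour is off by twelve (15:00 UTC becomes `03:00:00.000Z`) and the window passed to `-startTime`/`-EndTime` no longer covers the intended last day. Both lines should use the 24-hour specifier: `Get-Date -Format "yyyy-MM-ddTHH:00:00.000Z"`. The accompanying recording was captured at 01:58 UTC with a `2021-12-11T01:00:00` start, which is why the defect does not show there. The assertion `$entityTimeline | Should -Not -Be $null` only proves something was returned; the recorded response carries `metaData.totalCount` and per-kind `aggregations`, so asserting on the corresponding property of the returned object would make the case meaningful.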
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "208" ], + "x-ms-client-request-id": [ "1618b3e6-b413-4db4-917b-bff18620916a" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], + "x-ms-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], + "x-ms-correlation-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:c541cfb6-9955-445d-adf0-05353e2da147" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "26515" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "209" ], + "x-ms-client-request-id": [ "09469cc9-e322-451c-bbc4-7fbc230b7978" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ], + "x-ms-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "x-ms-correlation-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "210" ], + "x-ms-client-request-id": [ "ef690bf8-1fe4-4e13-8a0d-d3020df2bab3" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], + "x-ms-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "x-ms-correlation-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "211" ], + "x-ms-client-request-id": [ "cf47aa68-5549-4bbb-bed9-a700a6887532" ], + "CommandName": [ "Get-AzSentinelincident" ], + "FullCommandName": [ "Get-AzSentinelIncident_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], + "x-ms-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], + "x-ms-correlation-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:48feafa1-bdb4-4686-897f-b966354d8091" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..424dd5256310 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncident' {
+ It 'List' {
+ $incidents = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $incidents.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incident = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetincidentId
+ $incident.Name | Should -Be $env.GetincidentId
+ }
+
+ It 'GetViaIdentity' {
+ $incident = Get-AzSentinelincident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetincidentId
+ $incidentviaId = Get-AzSentinelincident -InputObject $incident
+ $incidentviaId.Name | Should -Be $env.GetincidentId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json
new file mode 100644
index 000000000000..d6ebd51b53ba
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json
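Review bot: The HttpPipelineMocking.ps1 discovery loop in the new Get-AzSentinelIncident.Tests.ps1 has no termination guard: `while(-not $mockingPath)` keeps calling `Split-Path -Parent`, and once `$currentPath` reaches the root the parent is presumably an empty string, so if the mocking script is missing (e.g. when the test directory is copied out of the repository) the loop never exits instead of failing with a clear message. Bounding it on the path is a one-line change, `while (-not $mockingPath -and $currentPath) {`, followed by something like `if (-not $mockingPath) { throw 'HttpPipelineMocking.ps1 not found' }` before the dot-source. `$mockingPath` is also read before it is ever assigned, which only works because Set-StrictMode is not enabled in this file. Separately, all three It blocks invoke the cmdlet as `Get-AzSentinelincident` while the Describe name and the module docs use `Get-AzSentinelIncident`; PowerShell resolves it case-insensitively, but the odd casing also ends up in the recording's `CommandName` header, so matching the exported name would keep the tests and recordings consistent.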
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "212" ], + "x-ms-client-request-id": [ "d30beebf-7b72-4cd3-abad-11f13e973a35" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], + "x-ms-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "x-ms-correlation-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "26515" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "213" ], + "x-ms-client-request-id": [ "6e6c449f-5e47-4b23-90c3-ee86ae7891a3" ], + "CommandName": [ "Get-AzSentinelIncidentAlert" ], + "FullCommandName": [ "Get-AzSentinelIncidentAlert_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "x-ms-correlation-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "10322" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"name\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:23:43.455803Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:18:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:23:43.4558068Z\",\"providerAlertId\":\"62114603-97d6-4e81-aa88-9c046bdb6ffb\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:23:43.597Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"name\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:28:40.8799388Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:23:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:53:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:28:40.8799421Z\",\"providerAlertId\":\"8abf1a2b-486b-441e-9358-50d973e0e3c2\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:28:41.081Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/936b5422-dc31-6382-a81f-1daebd2c950d\",\"name\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:33:40.9195282Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:28:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:58:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:33:40.9195312Z\",\"providerAlertId\":\"3979b3b4-491f-4d88-bf9e-9d4c87d19ed3\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:33:41.089Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/89785dc9-8d86-e3b6-5467-cebafeab044d\",\"name\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:38:41.118344Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:33:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:03:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:38:41.1183474Z\",\"providerAlertId\":\"201f798f-b46b-4c26-9c21-e24082f5cf85\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:38:41.28Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/637c5319-a9f1-b241-662f-f9b19323150a\",\"name\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:43:46.6351857Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:38:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:08:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:43:46.6351897Z\",\"providerAlertId\":\"c8375355-483a-4815-b9ad-ef06115266f0\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:43:46.778Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled 
accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"name\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:48:43.7008681Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:13:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:48:43.7008712Z\",\"providerAlertId\":\"1af2d93d-fdc2-4c5b-9232-d5f601f6ac2a\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:48:43.904Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1
new file mode 100644
index 000000000000..597f3df05ae4
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Tests.ps1
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentAlert'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentAlert.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentAlert' {
+ It 'List' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Title -eq "Sign-ins from IPs that attempt sign-ins to disabled accounts"}
+ $incidentAlerts = Get-AzSentinelIncidentAlert -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $incident[0].Name
+ $incidentAlerts.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json
new file mode 100644
index 000000000000..c98f9b7315c2
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json
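Review bot: In the `It 'List'` block, `$incident[0].Name` is dereferenced without first checking that the `Where` filter matched anything; when no incident carries that exact title in the recording or the live workspace, `$incident` is `$null`, `-IncidentId` binds to `$null`, and the test fails with a parameter-binding error instead of a meaningful assertion. Add `$incident | Should -Not -BeNullOrEmpty` before the `Get-AzSentinelIncidentAlert` call so the precondition is reported explicitly. The title match is a plain `-eq` string comparison that can legitimately match several incidents, so taking `[0]` is acceptable but deserves a short comment, e.g. `# several incidents may share this title; the first is sufficient for the alert listing`. Prefer the full `Where-Object` cmdlet name over the `Where` alias in committed test scripts.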
@@ -0,0 +1,43 @@
+{
+ "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "POST",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "214" ],
+ "x-ms-client-request-id": [ "49eeb730-e1fd-4563-865c-2e2e149f81ca" ],
+ "CommandName": [ "Get-AzSentinelIncidentBookmark" ],
+ "FullCommandName": [ "Get-AzSentinelIncidentBookmark_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "x-ms-correlation-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020003Z:20823661-e1ef-489f-86f5-d4a18d3fc683" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:02 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "1148" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"EntityId\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\"},\"friendlyName\":\"GetincidentRelationBookmarkNameib8ohc\"}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1 new file mode 100644 index 000000000000..ec7805e91098 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Tests.ps1 
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentBookmark' {
+ It 'List' {
+ $incidentBookmarks = Get-AzSentinelIncidentBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId
+ $incidentBookmarks.Count | Should -BeGreaterorEqual 1
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..7e19c23f469b
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json
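Review bot: The `It 'List'` block takes its incident id from `$env.GetincidentRelationIncidentId`, a key named for the relation tests, so this test's fixture is coupled to another cmdlet's setup and breaks silently if that key is renamed there; a dedicated key such as `$env.GetincidentBookmarkIncidentId` (populated in the env setup script, which is outside this hunk) would make the dependency explicit. The only assertion is `$incidentBookmarks.Count | Should -BeGreaterorEqual 1`, which passes for any non-empty result; if the output object exposes the recorded `kind` field, also asserting it equals `Bookmark` on the first element would confirm the cmdlet returns bookmarks rather than arbitrary entities.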
@@ -0,0 +1,84 @@
+{
+ "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "215" ],
+ "x-ms-client-request-id": [ "e78c0393-ce99-4aa0-853a-84fe18c3b571" ],
+ "CommandName": [ "Get-AzSentinelincidentComment" ],
+ "FullCommandName": [ "Get-AzSentinelIncidentComment_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ],
+ "x-ms-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "x-ms-correlation-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:4f874d63-7966-47c9-bdd2-bafaa659e669" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "801" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "216" ], + "x-ms-client-request-id": [ "6302306a-1456-4455-8ef3-3fc6284ddd0c" ], + "CommandName": [ "Get-AzSentinelincidentComment" ], + "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], + "ParameterSetName": [ 
"__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], + "x-ms-correlation-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "789" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1
new file mode 100644
index 000000000000..df8b2644ab85
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentComment' {
+ It 'List' {
+ $incidentComments = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId
+ $incidentComments.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incidentComment = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId -Id $env.GetincidentCommentId
+ $incidentComment.Name | Should -Be $env.GetincidentCommentId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $incidentComment = Get-AzSentinelincidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentCommentIncidentId -Id $env.GetincidentCommentId
+ $incidentCommentViaId = Get-AzSentinelincident -InputObject $incidentComment
+ $incidentCommentViaId.Name | Should -Be $env.GetincidentCommentId
+ }
+}
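Review bot: The `GetViaIdentity` case calls `Get-AzSentinelincident -InputObject $incidentComment`, the incident cmdlet rather than the comment cmdlet, so if the `-skip` is ever removed the assertion `$incidentCommentViaId.Name | Should -Be $env.GetincidentCommentId` would compare an incident name against a comment id and the identity path of the cmdlet under test would still be unexercised; change the line to `$incidentCommentViaId = Get-AzSentinelIncidentComment -InputObject $incidentComment`. Since the case is skipped with no reason given, a short comment on the `It 'GetViaIdentity' -skip {` line stating why (for example that the identity parameter set has no recording yet) would keep it from being mistaken for a passing test. The cmdlet is spelled `Get-AzSentinelincidentComment` throughout the file; PowerShell resolves names case-insensitively, but the recording keys use the canonical `Get-AzSentinelIncidentComment`, so matching that casing keeps the test and its fixture consistent.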
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
new file mode 100644
index 000000000000..caabcbc362a4
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
@@ -0,0 +1,84 @@
+{
+ "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": {
+ "Request": {
+ "Method": "GET",
+ "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview",
+ "Content": null,
+ "isContentBase64": false,
+ "Headers": {
+ "x-ms-unique-id": [ "217" ],
+ "x-ms-client-request-id": [ "b70ee8b3-92d6-4fca-a293-3eafc9df299b" ],
+ "CommandName": [ "Get-AzSentinelIncident" ],
+ "FullCommandName": [ "Get-AzSentinelIncident_List" ],
+ "ParameterSetName": [ "__AllParameterSets" ],
+ "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "Authorization": [ "[Filtered]" ]
+ },
+ "ContentHeaders": {
+ }
+ },
+ "Response": {
+ "StatusCode": 200,
+ "Headers": {
+ "Cache-Control": [ "no-cache" ],
+ "Pragma": [ "no-cache" ],
+ "Server": [ "Kestrel" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ],
+ "x-ms-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "x-ms-correlation-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "x-ms-routing-request-id": [ "WESTUS2:20211212T020046Z:e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ],
+ "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
+ "X-Content-Type-Options": [ "nosniff" ],
+ "Date": [ "Sun, 12 Dec 2021 02:00:45 GMT" ]
+ },
+ "ContentHeaders": {
+ "Content-Length": [ "26515" ],
+ "Content-Type": [ "application/json; charset=utf-8" ],
+ "Expires": [ "-1" ]
+ },
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "218" ], + "x-ms-client-request-id": [ "ba327d30-bb62-4d6d-8a53-18c62d38ac74" ], + "CommandName": [ "Get-AzSentinelIncidentEntity" ], + "FullCommandName": [ "Get-AzSentinelIncidentEntity_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "x-ms-correlation-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020047Z:6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:00:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "471" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"entities\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1 new file mode 100644 index 000000000000..a33c83a57d01 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Tests.ps1 @@ -0,0 +1,23 @@ +if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentEntity')) +{ + $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1' + if (-Not (Test-Path -Path $loadEnvPath)) { + $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1' + } + . ($loadEnvPath) + $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentEntity.Recording.json' + $currentPath = $PSScriptRoot + while(-not $mockingPath) { + $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File + $currentPath = Split-Path -Path $currentPath -Parent + } + . ($mockingPath | Select-Object -First 1).FullName +} + +Describe 'Get-AzSentinelIncidentEntity' { + It 'List' { + $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName | Where {$_.Title -eq "Sign-ins from IPs that attempt sign-ins to disabled accounts"} + $incidentEntity = Get-AzSentinelIncidentEntity -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $incident.Name + $incidentEntity | Should -Not -Be $null + } +} 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..4427cd11cf34
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "219" ], + "x-ms-client-request-id": [ "543939f3-469d-45b7-94e2-442b3b121f93" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "x-ms-correlation-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "840" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "220" ], + "x-ms-client-request-id": [ "d1b7e789-6b33-473d-865e-c57bbba761b7" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + 
"ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "x-ms-correlation-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "221" ], + "x-ms-client-request-id": [ "2dc9a5c1-f9ed-4c1d-9f26-d97477d427e7" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "x-ms-correlation-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": 
[ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "222" ], + "x-ms-client-request-id": [ "5130bf8f-1387-4aa0-9792-07f416857f49" ], + "CommandName": [ "Get-AzSentinelincidentRelation" ], + "FullCommandName": [ 
"Get-AzSentinelIncidentRelation_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "x-ms-correlation-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1
new file mode 100644
index 000000000000..e24c90c95f9c
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelIncidentRelation' {
+ It 'List' {
+ $incidentRelations = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId
+ $incidentRelations.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $incidentRelation = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId -RelationName $env.GetincidentRelationId
+ $incidentRelation.Name | Should -Be $env.GetincidentRelationId
+ }
+
+ It 'GetViaIdentity' {
+ $incidentRelation = Get-AzSentinelincidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.GetincidentRelationIncidentId -RelationName $env.GetincidentRelationId
+ $incidentRelationViaIdentity = Get-AzSentinelincidentRelation -InputObject $incidentRelation
+ $incidentRelationViaIdentity.Name | Should -Be $env.GetincidentRelationId
+ }
+}
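Review bot: All four cmdlet invocations in the It blocks are written as `Get-AzSentinelincidentRelation`, while the Describe block, the file name and the recording's FullCommandName use `Get-AzSentinelIncidentRelation`. PowerShell resolves the name case-insensitively so the tests run, but the lowercase form is copied verbatim into the recorded CommandName header, which makes the fixture inconsistent with the other recordings and harder to search. I would use the canonical casing `Get-AzSentinelIncidentRelation` in the three It blocks, and `Should -BeGreaterOrEqual` in 'List' for the same reason.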
diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json
new file mode 100644
index 000000000000..29cf397dd2d9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "223" ], + "x-ms-client-request-id": [ "7dd14f19-3c79-40e6-a9e1-2efdc697dc80" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], + "x-ms-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ], + "x-ms-correlation-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:f6e0872f-3306-4826-a2e1-384ec749455e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2675" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "224" ], + "x-ms-client-request-id": [ "12cf9fc0-accc-40b9-917d-fc64e2a26fe8" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], + "x-ms-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "x-ms-correlation-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:a8a30997-baec-41f5-bd47-d2b2535f0e21" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "225" ], + "x-ms-client-request-id": [ "36630d0d-af71-425a-8b20-fa0e83c2c13d" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], + "x-ms-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "x-ms-correlation-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:24ade85f-3414-43e9-8634-292b32ca4f5d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + }, + 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "226" ], + "x-ms-client-request-id": [ "498626d9-5833-4d56-8ac9-8d31747f7b08" ], + "CommandName": [ "Get-AzSentinelMetadata" ], + "FullCommandName": [ "Get-AzSentinelMetadata_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], + "x-ms-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "x-ms-correlation-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:48113ccf-2d4e-4d65-8083-daa784e033b2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2663" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1
new file mode 100644
index 000000000000..b167c4c20ad9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Tests.ps1
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelMetadata'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelMetadata.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelMetadata' {
+ It 'List' {
+ $metadatas = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $metadatas.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $metadata = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.metadataName
+ $metadata.Name | Should -Be $env.metadataName
+ }
+
+ It 'GetViaIdentity' {
+ $metadata = Get-AzSentinelMetadata -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -name $env.metadataName
+ $metadataViaIdentity = Get-AzSentinelMetadata -InputObject $metadata
+ $metadataViaIdentity.Name | Should -Be $env.metadataName
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1
new file mode 100644
index 000000000000..ddac0d153d4a
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelOfficeConsent.Tests.ps1
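Review bot: The recording this file wires in through `$TestRecordingFile` (Get-AzSentinelMetadata.Recording.json, the hunk above) redacts only the Authorization header; the captured response bodies still carry the recording tenant's user principal name in `systemData.createdBy` and `lastModifiedBy`, alongside the subscription and workspace identifiers, and that data is now committed to the repository. The sanitizer step that produces the recording should also scrub principal identifiers in response content, or the test account should be a purpose-made identity with nothing to leak. On the test body itself, the `GetViaIdentity` case passes `-name` where the `Get` case passes `-Name`; the binder accepts both, but matching the parameter's declared casing keeps the three cases uniform.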
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelOfficeConsent'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelOfficeConsent.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelOfficeConsent' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Get' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'GetViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
new file mode 100644
index 000000000000..ba421bec4e80
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
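Review bot: All three cases for Get-AzSentinelOfficeConsent are `-skip` placeholders whose body is `{ throw [System.NotImplementedException] } | Should -Not -Throw`, so this cmdlet ships with no coverage and no recording, and the file references a `Get-AzSentinelOfficeConsent.Recording.json` that this commit does not add. Removing `-skip` without rewriting the body would fail immediately, which makes the placeholder easy to overlook; a comment such as `# TODO: no test environment for Office consent yet; see tracking item <placeholder-issue-id>` on the Describe line would record why it is skipped. The same bootstrap loop issue noted on Get-AzSentinelIncidentRelation.Tests.ps1 applies here as well.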
@@ -0,0 +1,166 @@ +{ + "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "227" ], + "x-ms-client-request-id": [ "f8b5c201-6908-4a89-9cdb-38b731b3ed50" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "11" ], + "x-ms-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "x-ms-correlation-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020214Z:21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "331" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "228" ], + "x-ms-client-request-id": [ "c3004244-1407-42db-99d3-d644bf0b6cbd" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "10" ], + "x-ms-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "x-ms-correlation-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "Strict-Transport-Security": [ "max-age=31536000; 
includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "229" ], + "x-ms-client-request-id": [ "b3c157ba-e1de-428d-b56a-fa42997984bf" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "9" ], + "x-ms-request-id": [ 
"8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "x-ms-correlation-request-id": [ "8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + }, + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "230" ], + "x-ms-client-request-id": [ "8cb0dc3e-413d-45fc-9e44-61e1c76c245a" ], + "CommandName": [ "Get-AzSentinelonboardingState" ], + "FullCommandName": [ "Get-AzSentinelOnboardingState_GetViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" 
] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "8" ], + "x-ms-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "x-ms-correlation-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:15 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "319" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 new file mode 100644 index 000000000000..2eafee9039ce --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelOnboardingState' {
+ It 'List' {
+ $onboardingStates = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $onboardingStates.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $onboardingState = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name "default"
+ $onboardingState.Name | Should -Be "default"
+ }
+
+ It 'GetViaIdentity' {
+ $onboardingState = Get-AzSentinelonboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name "default"
+ $onboardingStateViaId = Get-AzSentinelonboardingState -InputObject $onboardingState
+ $onboardingStateViaId.Name | Should -Be "default"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json
new file mode 100644
index 000000000000..6e0f0902468e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json
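Review bot: The cmdlet is invoked as `Get-AzSentinelonboardingState` in all three It blocks while the Describe and the module export spell it `Get-AzSentinelOnboardingState`; PowerShell resolves command names case-insensitively, so this runs, but the miscased name is what the recorder captured in the `CommandName` header of the recording above. Using the exported casing, e.g. `$onboardingStates = Get-AzSentinelOnboardingState -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName`, keeps the tests and recordings consistent with the documented cmdlet name. The same lower-cased noun appears in Get-AzSentinelSourceControl.Tests.ps1 (`Get-AzSentinelsourceControl`), Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 and Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 further down this patch.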
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "231" ], + "x-ms-client-request-id": [ "19eb3922-a3ee-46a7-8ef5-4ece366d0ea2" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], + "x-ms-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], + "x-ms-correlation-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:79611318-1db6-4131-869d-d09447af501c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1178" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": 
{ + "x-ms-unique-id": [ "232" ], + "x-ms-client-request-id": [ "9691a5fd-cc67-4d7e-b1f7-caaeeae13eb0" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], + "x-ms-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "x-ms-correlation-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "392" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 new file mode 100644 index 000000000000..82088d92754a --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSetting'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSetting.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSetting' {
+ It 'List' {
+ $settings = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $settings.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName "Anomalies"
+ $setting.Name | Should -Be "Anomalies"
+ }
+
+ It 'GetViaIdentity' -skip {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName "Anomalies"
+ $settingViaId = Get-AzSentinelonboardingState -InputObject $setting
+ $settingViaId.Name | Should -Be "Anomalies"
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1
new file mode 100644
index 000000000000..6acde93eee67
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSourceControl.Tests.ps1
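Review bot: The `GetViaIdentity` case calls the wrong cmdlet: it passes a setting object to `Get-AzSentinelonboardingState -InputObject $setting` and then expects `Name` to be "Anomalies", which can only hold if the identity is re-read through the cmdlet under test, i.e. `$settingViaId = Get-AzSentinelSetting -InputObject $setting`. Because the block is marked `-skip` the copy-paste slip is invisible today, and the recording above has no `GetViaIdentity` entry, so un-skipping it will fail on the first run rather than exercise the identity parameter set. Get-AzSentinelSourceControl.Tests.ps1 in this patch has the same slip in its `GetViaIdentity` block (`$sourceControl | Get-AzSentinelonboardingState` should be `$sourceControl | Get-AzSentinelSourceControl`).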
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSourceControl'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSourceControl.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSourceControl' {
+ It 'List' -skip {
+ $sourceControls = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sourceControls.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' -skip {
+ $sourceControl = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetsourceControlId
+ $sourceControl.Name | Should -Be $env.GetsourceControlId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $sourceControl = Get-AzSentinelsourceControl -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.GetsourceControlId
+ $sourceControlViaId = $sourceControl | Get-AzSentinelonboardingState
+ $sourceControlViaId.Name | Should -Be $env.GetsourceControlId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1
new file mode 100644
index 000000000000..855ce433ef3a
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelSourceControlRepository.Tests.ps1
@@ -0,0 +1,21 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelSourceControlRepository'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelSourceControlRepository.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelSourceControlRepository' {
+ It 'List' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json
new file mode 100644
index 000000000000..264f33201f42
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json
@@ -0,0 +1,84 @@ +{ + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "233" ], + "x-ms-client-request-id": [ "b28d579b-2e72-4762-ac11-e87bf2eef599" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], + "x-ms-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "x-ms-correlation-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "4753" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value 
= \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "isContentBase64": false + } + }, + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "234" ], + "x-ms-client-request-id": [ "1ac48501-1464-4138-ab5f-1d5687f396d5" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], + "x-ms-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "x-ms-correlation-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "943" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 new file mode 100644 index 000000000000..386a11e058d1 --- /dev/null +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Tests.ps1 
@@ -0,0 +1,33 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelThreatIntelligenceIndicator'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelThreatIntelligenceIndicator.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelThreatIntelligenceIndicator' {
+ It 'List' {
+ $threatIntelligenceIndicators = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $threatIntelligenceIndicators.Count | Should -BeGreaterorEqual 1
+ }
+
+ It 'Get' {
+ $threatIntelligenceIndicator = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.GetthreatIntelligenceIndicatorId
+ $threatIntelligenceIndicator.Name | Should -Be $env.GetthreatIntelligenceIndicatorId
+ }
+
+ It 'GetViaIdentity' -skip {
+ $threatIntelligenceIndicator = Get-AzSentinelthreatIntelligenceIndicator -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Name $env.GetthreatIntelligenceIndicatorId
+ $threatIntelligenceIndicatorViaId = Get-AzSentinelthreatIntelligenceIndicator -InputObject $threatIntelligenceIndicator
+ $threatIntelligenceIndicatorViaId.Name | Should -Be $env.GetthreatIntelligenceIndicatorId
+ }
+}
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json
new file mode 100644
index 000000000000..36cdc113d0c9
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json 
@@ -0,0 +1,43 @@ +{ + "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "235" ], + "x-ms-client-request-id": [ "13903039-a3c7-45c0-87bf-f121e21932a0" ], + "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicatorMetric" ], + "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicatorMetric_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], + "x-ms-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "x-ms-correlation-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020401Z:ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:01 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "275" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2021-12-12T02:04:01.6827262Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Azure Sentinel\",\"metricValue\":5}]}}]}",
+ "isContentBase64": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1 b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1
new file mode 100644
index 000000000000..b325b344ee1e
--- /dev/null
+++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Tests.ps1
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzSentinelThreatIntelligenceIndicatorMetric'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Get-AzSentinelThreatIntelligenceIndicatorMetric' {
+ It 'List' {
+ $threatIntelligenceIndicatorMetrics = Get-AzSentinelthreatIntelligenceIndicatorMetric -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $threatIntelligenceIndicatorMetrics | Should -Not -BeNullOrEmpty
+ }
+}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..33cc9de276a4
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelDataConnectorCheckRequirement' {
+ It 'AADTenant' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'AzureSecurityCenter' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
new file mode 100644
index 000000000000..ac4d88f5b1c8
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
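Review bot: `$TestRecordingFile` points at `Invoke-AzSentinelDataConnectorCheckRequirement.Recording.json`, but the recording this patch adds immediately below is named `Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json` (extra "s"), so playback for this test file will not find the recorded responses. The recording's keys also start with `Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureSecurityCenter`, whereas every other recording on this page keys on the Describe and It names (e.g. `Get-AzSentinelSetting+[NoContext]+Get`), which suggests those entries were captured under a different test name and would not be matched by the `AADTenant`/`AzureSecurityCenter` cases once they stop being `-skip` stubs. Either rename the recording file and its keys to match this test, or point `$TestRecordingFile` at the existing file and name the It blocks after the recorded keys.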
@@ -0,0 +1,434 @@ +{ + "Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureSecurityCenter+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureSecurityCenter\",\n \"properties\": {\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], + "x-ms-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "x-ms-correlation-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureActiveDirectory+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureActiveDirectory\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "114" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], + "x-ms-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "x-ms-correlation-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:31d44d8e-f917-453c-94f7-8084bf96b0b9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"AzureAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "123" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], + "x-ms-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], + "x-ms-correlation-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:a0ffb256-0622-4b9d-851d-104c022195d7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_Dynamics365+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Dynamics365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "105" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], + "x-ms-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "x-ms-correlation-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftCloudAppSecurity+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], + "x-ms-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], + "x-ms-correlation-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d259aace-10bd-4183-a041-cce090f09496" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftDefenderAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftDefenderAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "135" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], + "x-ms-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], + "x-ms-correlation-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d0278114-9296-43b6-a2bc-8342394a3f83" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "121" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], + "x-ms-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "x-ms-correlation-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:635f1a34-5786-42ff-81a9-678b7a1637d0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], + "x-ms-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "x-ms-correlation-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020427Z:29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeATP+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"OfficeATP\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "103" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], + "x-ms-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "x-ms-correlation-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:46f168bf-2db7-4ec3-b817-7e6ff0011250" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeIRM+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"OfficeIRM\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "103" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], + "x-ms-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], + "x-ms-correlation-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:f98dc21c-eb87-4827-834b-ec49e690671b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"ThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "112" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], + "x-ms-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "x-ms-correlation-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + }, + 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligenceTaxii+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"ThreatIntelligenceTaxii\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "117" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], + "x-ms-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], + "x-ms-correlation-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020429Z:1f027955-e01b-400d-8018-f815fc1e5710" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "53" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..b44ad970e8b9
--- /dev/null
+++ b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
@@ -0,0 +1,77 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorsCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelDataConnectorsCheckRequirement' {
+ It 'Custom_AzureSecurityCenter' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureSecurityCenter -ASCSubscriptionId $env.SubscriptionId
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_AzureActiveDirectory' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureActiveDirectory -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_AzureAdvancedThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureAdvancedThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_Dynamics365' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind Dynamics365 -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftCloudAppSecurity' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftCloudAppSecurity -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftDefenderAdvancedThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftDefenderAdvancedThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftThreatIntelligence' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatIntelligence -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_MicrosoftThreatProtection' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatProtection -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_OfficeATP' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeATP -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_OfficeIRM' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeIRM -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_ThreatIntelligence' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligence -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+
+ It 'Custom_ThreatIntelligenceTaxii' {
+ $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligenceTaxii -TenantId $env.Tenant
+ $result | Should -Not -Be $null
+ }
+}
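Review bot: Every one of the twelve cases ends with `$result | Should -Not -Be $null`, which never looks at what the check returned; the recording for this file shows each call answering `{"authorizationState":"Valid","licenseState":"Valid"}`, so a response of `Invalid` in either field, or an error object surfaced as output, would still pass. Assert on the payload instead, e.g. `$result.AuthorizationState | Should -Be 'Valid'` and `$result.LicenseState | Should -Be 'Valid'` (property names as exposed by the cmdlet's output type — confirm against the generated model). The `-TenantId $env.Tenant` and `-ASCSubscriptionId $env.SubscriptionId` values flow verbatim into the request bodies captured in the accompanying recording, which is committed to a public tree; confirm these are disposable test-tenant identifiers and not a production tenant. Minor: `$env.ResourceGroupName` and `$env.workspaceName` use different casing for the same env object, which works because property lookup is case-insensitive but reads as two different keys.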
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json new file mode 100644 index 000000000000..bc429ea06f43 --- /dev/null +++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json 
@@ -0,0 +1,38 @@ +{ + "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "POST", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", + "Content": "{\n \"pageSize\": 10,\n \"includeDisabled\": true\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "47" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11939" ], + "x-ms-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "x-ms-correlation-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020450Z:6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:04:50 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "4753" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value 
= \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 new file mode 100644 index 000000000000..40de278493a0 --- /dev/null +++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Tests.ps1 
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery' {
+ It 'QueryExpanded' {
+ $threatIntelligenceIndicators = Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.WorkspaceName -IncludeDisabled -PageSize 10
+ $threatIntelligenceIndicators | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..721e709eb8ad
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json
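Review bot: The only assertion, `$threatIntelligenceIndicators | Should -Not -Be $null`, does not check what the call asks for; with `-PageSize 10` the test should at least pin the page bound, e.g. `@($threatIntelligenceIndicators).Count | Should -BeLessOrEqual 10`, so a regression in paging or in `-IncludeDisabled` handling is visible. The `while(-not $mockingPath)` loader has no stop condition when `HttpPipelineMocking.ps1` is not found: `Split-Path -Parent` yields an empty string once the filesystem root is reached, so the loop errors or spins rather than failing with a clear message. That loader is repeated verbatim in the five other `.Tests.ps1` hunks on this page, presumably from a generator template, so the fix belongs in the template rather than in each file.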
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "621" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], + "x-ms-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], + "x-ms-correlation-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020513Z:83a95078-452b-4182-bc87-232dfeea8d3f" ], + "Strict-Transport-Security": [ 
"max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1047" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633\",\"name\":\"5147f709-f401-4e34-865c-e348fcfdf633\",\"etag\":\"\\\"930033c9-0000-0100-0000-61b558d80000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:12.5081355Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..e2ad07c21c56 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAlertRule' {
+ It 'CreateExpanded' {
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Kind Scheduled -Disabled -Query 'SecurityEvent | take 1' -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
+ $alertRule.DisplayName | Should -Be "NewAlertRulePSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..63d58aca0652
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
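Review bot: The test passes `-Disabled`, yet the request body captured for this run in the New-AzSentinelAlertRule.Recording.json hunk above carries `"enabled": true`, and because the only assertion is on DisplayName the test cannot see that the switch was not honoured. Whether the recording predates the `-Disabled` switch or the custom cmdlet does not map it, add `$alertRule.Enabled | Should -Be $false` next to the DisplayName check so the request mapping is actually covered; the New-AzSentinelAlertRuleAction.Tests.ps1 hunk below has the same `-Disabled` call with the same `enabled: true` in its recording. The created rule is also never removed, so repeated live runs accumulate rules in the workspace.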
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "621" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], + "x-ms-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "x-ms-correlation-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020534Z:d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "Strict-Transport-Security": [ 
"max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1047" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69\",\"name\":\"973adaf2-4d97-4f62-af62-b19edbf22e69\",\"etag\":\"\\\"9300f3cc-0000-0100-0000-61b558ee0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:33.9989938Z\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": \"https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "551" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "x-ms-correlation-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020535Z:8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:34 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "610" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"name\":\"e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..d44be2f4904b --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAlertRuleAction' {
+ It 'CreateExpanded' {
+ $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Kind Scheduled -Disabled -Query "SecurityEvent | take 1" -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
+ $alertRuleAction = New-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) -ResourceGroupName $env.ResourceGroupName `
+ -RuleId ($alertRule.Name) -WorkspaceName $env.workspaceName -LogicAppResourceId $env.Playbook1LogicAppResourceId `
+ -TriggerUri $env.Playbook1TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..b52dd85f383d
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
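Review bot: The `-TriggerUri $env.Playbook1TriggerUrl` value is written verbatim into the companion New-AzSentinelAlertRuleAction.Recording.json hunk above, where it appears as a Logic App callback URL complete with its `sig=` query parameter; that signature is what authorizes invoking the playbook, so committing the recording publishes it, and the trigger's shared access key should be rotated. The recorder should scrub the `sig` value (or the test environment should supply a URL whose signature is a placeholder) before the fixture is checked in, and a reviewer checklist item for recordings of cmdlets that accept URLs or keys would catch this class of leak. Like the alert-rule test above, the rule and the action created here are never removed.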
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRulePSTest\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "585" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "x-ms-correlation-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020558Z:b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + 
"X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:05:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1346" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"name\":\"9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"etag\":\"\\\"79004be5-0000-0100-0000-61b559060000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulePSTest\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:05:58Z\",\"createdTimeUtc\":\"2021-12-12T02:05:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..b5be0e04d2a6 --- /dev/null 
+++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelAutomationRule' {
+ It 'CreateExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook2LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $automationRule = New-AzSentinelAutomationRule -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -Action $automationRuleAction -DisplayName "NewAutomationRulePSTest" -Order 2 `
+ -TriggeringLogicIsEnabled
+ $automationRule.DisplayName | Should -Be "NewAutomationRulePSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..3e6bf985d937
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
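Review bot: The action model is instantiated through the hard-coded generated namespace `[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()`, which ties this test to the `2021-09-01-preview` surface; a regeneration against a newer api-version renames that namespace and breaks the test even though the cmdlet interface it exercises is unchanged. The other tests on this page stay on cmdlet parameters only, and resolving the type name at run time (or building the `-Action` value without naming the versioned namespace, if the generated parameter accepts that) would keep this one regeneration-safe. The recorded response in the New-AzSentinelAutomationRule.Recording.json hunk above also carries the recording user's objectId, display name and UPN under `createdBy`/`lastModifiedBy`; those fields should be scrubbed before the fixture is committed.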
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkPSTest\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2021-12-12T02:06:29.0674151Z\",\n \"queryStartTime\": \"2021-12-11T02:06:29.0660871Z\",\n \"queryEndTime\": \"2021-12-12T02:06:29.0666390Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "258" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], + "x-ms-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], + "x-ms-correlation-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020620Z:607f3836-8646-408b-aa27-0348a676b88e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1074" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"name\":\"aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"etag\":\"\\\"6b02b4e0-0000-0100-0000-61b5591c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkPSTest\",\"created\":\"2021-12-12T02:06:20.7338899+00:00\",\"updated\":\"2021-12-12T02:06:20+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:29.0674151+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2021-12-11T02:06:29.0660871+00:00\",\"queryEndTime\":\"2021-12-12T02:06:29.066639+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..0f6230c9300e --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelBookmark' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkPSTest" -Query "SecurityEvent | take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $bookmark.DisplayName | Should -Be "NewBookmarkPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..c193128326b0
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json
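Review bot: `-QueryStartTime`, `-QueryEndTime` and `-EventTime` each call `get-date` separately, so the three values are taken at different instants (the recording above shows `queryEndTime` and `eventTime` differing by a few hundred microseconds) and the event time is not actually the end of the window being bookmarked. Capture the instant once, `$now = (Get-Date).ToUniversalTime()`, and pass `$now.AddDays(-1)`, `$now` and `$now`; the New-AzSentinelBookmarkRelation.Tests.ps1 hunk below has the same pattern. Separately, the resource id comes from `(New-Guid).Guid` on every run, so if the playback matcher keys on the full request URI, as the recording's key strings suggest, a replay cannot locate the recorded entry; an id generated once by the environment setup would be stable across runs.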
@@ -0,0 +1,110 @@ +{ + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:06:50.3515249Z\",\n \"queryStartTime\": \"2021-12-11T02:06:50.3509781Z\",\n \"queryEndTime\": \"2021-12-12T02:06:50.3513391Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "268" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], + "x-ms-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], + "x-ms-correlation-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020641Z:54f92a27-3ce0-451c-a6a7-57c490614229" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1085" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"name\":\"c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"etag\":\"\\\"6b0269e1-0000-0100-0000-61b559310000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkRelationPSTest\",\"created\":\"2021-12-12T02:06:41.8714854+00:00\",\"updated\":\"2021-12-12T02:06:41+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:50.3515249+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-11T02:06:50.3509781+00:00\",\"queryEndTime\":\"2021-12-12T02:06:50.3513391+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n 
\"status\": \"New\",\n \"title\": \"NewBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "120" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], + "x-ms-correlation-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020642Z:4f33c507-2951-4059-a27f-37ed38709947" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1219" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"name\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"etag\":\"\\\"3c009578-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"createdTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Inciden
t/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], + "x-ms-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], + "x-ms-correlation-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T020642Z:e4184674-c345-4f93-a706-44473e0ef70e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"name\":\"c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"etag\":\"\\\"6b0273e1-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceName\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..a25434a3f3c8 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelBookmarkRelation' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewBookmarkRelationPSTest"
+ $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name -RelationName ((New-Guid).Guid) `
+ -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RelatedResourceId $incident.Id
+ $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..26e0adb53f53
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
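Review bot: `-Query "SecurityEvent\n| take 1"` does not contain a newline, because PowerShell double-quoted strings do not interpret `\n`; the bookmark is created with a literal backslash-n in its KQL, and the IncidentRelation recording later in this patch shows exactly that (`SecurityEvent\\\\n| take 1` in the request body), so the committed fixture pins an invalid query that the service happens to accept on create. Use the PowerShell escape, ``-Query "SecurityEvent`n| take 1"``, or a here-string, so the stored query is what a user would actually write. The `RelatedResourceId` assertion itself is sound, but the bookmark and incident created here are never removed; if the module ships Remove- counterparts, an `AfterAll` cleanup would stop the shared test workspace accumulating artifacts on every re-record.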
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "398" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], + "x-ms-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "x-ms-correlation-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020704Z:64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "675" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"name\":\"a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"etag\":\"340c63e1-c0f5-4771-89ed-8d5652f9c15d\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..f9c0e921740a --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,24 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelDataConnector' {
+ It 'CreateExpanded' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All `
+ -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+ $dataConnector | Should -Not -Be $null
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..7a2b32327b20
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json
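Review bot: `$dataConnector | Should -Not -Be $null` only proves the cmdlet returned an object; it would still pass if the custom `New-AzSentinelDataConnector` silently dropped the data-type or lookback settings, which is the mapping this test exists to cover. Assert the round-tripped values instead, e.g. `$dataConnector.Kind | Should -Be 'MicrosoftThreatIntelligence'` plus a check that both data types come back enabled (the recording's response carries `state` and `lookbackPeriod` for each; the exact output property names follow the generated model). Note also that every run creates a new, enabled Microsoft Threat Intelligence connector with an unbounded (`All`) lookback in the shared test workspace and never removes it; a Remove- call in `AfterAll`, if the module provides one, would keep these from accumulating.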
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\n },\n \"title\": 
\"The user consented to OAuth application\",\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\n \"inputEntityType\": \"Account\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "1571" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], + "x-ms-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "x-ms-correlation-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020726Z:8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2034" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"name\":\"56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"etag\":\"\\\"5101f127-0000-0100-0000-61b5595e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = 
(Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"inputEntityType\":\"Account\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..563857267e84 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,37 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelEntityQuery' {
+ It 'CreateExpanded' {
+ $query = 'let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){
+ let account_upn = iff(Account_Name != "" and Account_UPNSuffix != "", strcat(Account_Name,"@",Account_UPNSuffix),"" );
+ AuditLogs
+ | where OperationName == "Consent to application"
+ | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) ["user"]["userPrincipalName"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) ["user"]["id"])
+ | where (account_upn != "" and account_upn =~ Source_Account_UPNSuffix)
+ or (Account_AadUserId != "" and Account_AadUserId =~ Source_Account_AadUserId)
+ | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0]["displayName"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0]["id"])
+ };
+ UserConsentToApplication(''{{Account_Name}}'', ''{{Account_UPNSuffix}}'', ''{{Account_AadUserId}}'')
+ | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated'
+ $entityQuery = New-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title "The user consented to OAuth application" `
+ -InputEntityType "Account" -Content "The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)" `
+ -Description "This activity lists user's consents to an OAuth applications." `
+ -QueryDefinitionQuery $query
+ $entityQuery.InputEntityType | Should -Be "Account"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..75dc6cbdf0e4
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
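Review bot: `$entityQuery.InputEntityType | Should -Be "Account"` only echoes an input parameter back, so a regression that mangles the multi-line KQL body or the `{{Account_Name}}`-style placeholders on the way through `New-AzSentinelEntityQuery` would still pass. Add an assertion on the round-tripped query, e.g. `$entityQuery.QueryDefinitionQuery | Should -Be $query` (the exact output property name follows the generated model), and one on `Title`. The recording shows the query going out and coming back with `\r\n` line endings; if the file is ever checked out with LF, compare after normalising line endings or assert on a stable fragment such as `Should -Match 'Consent to application'` to keep playback deterministic.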
@@ -0,0 +1,38 @@ +{ + "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "112" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "x-ms-correlation-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020747Z:2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:07:47 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1213" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"name\":\"0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"etag\":\"\\\"3c006b7a-0000-0100-0000-61b559730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"createdTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..5599eb9c01ae --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,23 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncident' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentPSTest"
+ $incident.Title | Should -Be "NewIncidentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..65af3b90c983
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
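Review bot: The test asserts only `Title`, the one property passed through verbatim; `Severity` and `Status` are the enum-mapped fields that the recording actually round-trips (`"severity":"Informational"`, `"status":"New"` in the response) and are where a mapping regression would show. Add `$incident.Severity | Should -Be 'Informational'` and `$incident.Status | Should -Be 'New'` after the existing assertion so the test pins the behaviour that matters.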
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "119" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "x-ms-correlation-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020809Z:b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:08 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1220" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"name\":\"ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"etag\":\"\\\"3c00ec7a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentCommentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"createdTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"NewIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "67" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "x-ms-correlation-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020810Z:2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:09 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "789" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/Comments/af24ae68-4352-4fb3-837b-8bce51dae455\",\"name\":\"af24ae68-4352-4fb3-837b-8bce51dae455\",\"etag\":\"\\\"3c00f17a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..4e940249a4c1 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentComment' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentCommentPSTest"
+ $incidentComment = New-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -IncidentId $incident.Name -Message "NewIncidentCommentPSTest"
+ $incidentComment.Message | Should -Be "NewIncidentCommentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..9c7cd908c266
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
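Review bot: The recording this test pins (`New-AzSentinelIncidentComment.Recording.json`, the preceding hunk) embeds the recording user's identity in the comment's `author` block: a UPN/email, display name and AAD `objectId`, and the bookmark recordings in this patch carry the same in `createdBy`/`updatedBy`. None of that is needed for playback, since the test only asserts on `Message`; scrub those fields to placeholders before committing, or add a sanitiser to the recording step so a re-record does not reintroduce them. The subscription, tenant and resource names are real too; if those are shared test-tenant identifiers that is consistent with the rest of the repository, but personal identity fields should not ship in what is presumably a public repository.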
@@ -0,0 +1,110 @@ +{ + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:08:40.3864588Z\",\n \"queryStartTime\": \"2021-12-11T02:08:40.3860073Z\",\n \"queryEndTime\": \"2021-12-12T02:08:40.3862850Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "268" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], + "x-ms-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "x-ms-correlation-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020831Z:bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1084" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"name\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"etag\":\"\\\"6b02fee4-0000-0100-0000-61b5599f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewIncidentRelationPSTest\",\"created\":\"2021-12-12T02:08:31.8504366+00:00\",\"updated\":\"2021-12-12T02:08:31+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:08:40.3864588+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-11T02:08:40.3860073+00:00\",\"queryEndTime\":\"2021-12-12T02:08:40.386285+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n 
\"status\": \"New\",\n \"title\": \"NewIncidentRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "120" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "x-ms-correlation-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020832Z:8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1221" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"name\":\"d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"etag\":\"\\\"3c00807b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"createdTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incid
ent/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "x-ms-correlation-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T020832Z:1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3\",\"name\":\"b7b6b9c0-028a-46c8-968c-802c214340b3\",\"etag\":\"\\\"3c00847b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceName\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..54d60f23df2d --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentRelation' {
+ It 'CreateExpanded' {
+ $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -DisplayName "NewIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentRelationPSTest"
+ $incidentRelation = New-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $incident.Name -RelationName ((New-Guid).Guid) -RelatedResourceId $bookmark.Id
+ $incidentRelation.RelatedResourceId | Should -Be $bookmark.Id
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
new file mode 100644
index 000000000000..9f260a1d3ef8
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
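Review bot: The bookmark query on the `-Query` line is written as `"SecurityEvent\n| take 1"`, but `\n` is not an escape sequence inside a PowerShell double-quoted string, so the KQL stored on the bookmark contains a literal backslash-n (the recorded alert-rule payload elsewhere in this patch shows the same text serialized as `SecurityEvent\\n| take 1`). Use the PowerShell newline escape, `` -Query "SecurityEvent`n| take 1" ``, or simply a one-line query `-Query "SecurityEvent | take 1"`. The test also leaves the bookmark and the incident behind in the workspace on every live/record run; if the module exposes Remove-AzSentinelIncident / Remove-AzSentinelBookmark (not visible in this chunk), remove both after the assertion. Finally, the only assertion echoes the caller-supplied id back; adding `$incidentRelation.RelatedResourceType | Should -Be 'Microsoft.SecurityInsights/Bookmarks'` (property name to be confirmed against the generated model) would check the server-derived field and prove the relation was actually resolved.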
@@ -0,0 +1,74 @@ +{ + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NITPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "104" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], + "x-ms-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], + "x-ms-correlation-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020854Z:b747fabb-3578-4c20-879e-e8f9d3967805" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:53 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1205" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"name\":\"8be31373-5184-4105-a012-dd4a94188a6e\",\"etag\":\"\\\"3c00e17b-0000-0100-0000-61b559b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NITPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"createdTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", + "isContentBase64": false + } + }, + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "POST", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview", + "Content": "{\n \"teamName\": \"NITPSTest\"\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "29" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], + "x-ms-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "x-ms-correlation-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T020857Z:9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:08:57 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "351" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"teamId\":\"f35942d5-9ccd-4683-b9f3-9e606644bdef\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19:Rd-gdsF3H1aQfej8OHndmWn6d1YcVARleCI3HazjTdI1%40thread.tacv2/conversations?groupId=f35942d5-9ccd-4683-b9f3-9e606644bdef\u0026tenantId=5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\"teamCreationTimeUtc\":\"2021-12-12T02:08:57.4447948+00:00\",\"name\":\"NITPSTest\"}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 new file mode 100644 index 000000000000..f080e9ad5564 --- /dev/null +++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentTeam'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelIncidentTeam.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelIncidentTeam' {
+ It 'CreateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NITPSTest"
+ $team = New-AzSentinelIncidentTeam -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -TeamName "NITPSTest" -IncidentId $incident.Name
+ $team.Name | Should -Be "NITPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1
new file mode 100644
index 000000000000..6052dce6e666
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelOnboardingState.Tests.ps1
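Review bot: The `$team = New-AzSentinelIncidentTeam ...` call provisions a real Microsoft Teams team (the recorded response carries a teamId/groupId and a live channel URL) and nothing in the test tears down either the team or the incident, so every live/record run leaves a team named NITPSTest in the tenant. If the module has no cmdlet to delete the team, say so above the call, e.g. `# NOTE: createTeam provisions a real Teams team that this test cannot remove; only the incident is cleaned up`, and remove the incident after the assertion. The recorded response for this call also embeds the tenant id and the Teams group/channel URL, which, unlike the Authorization header, are not filtered by the recorder, so they are worth scrubbing before the recording is committed. The assertion only echoes the input name back; `$team.TeamId | Should -Not -BeNullOrEmpty` would additionally confirm a team was actually created.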
@@ -0,0 +1,22 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelOnboardingState' {
+ It 'CreateExpanded' -skip {
+ { New-AzSentinelOnboardingState -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.newOnboardingStateWS -Name "default" } | Should -Not -Throw
+ }
+}
+
\ No newline at end of file
diff --git a/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1
new file mode 100644
index 000000000000..c40db87cc9c3
--- /dev/null
+++ b/src/SecurityInsights/test/New-AzSentinelThreatIntelligenceIndicator.Tests.ps1
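Review bot: The only test in this file is marked `-skip` with no stated reason, and because it never runs there is no New-AzSentinelOnboardingState.Recording.json in the patch, so playback mode reports the cmdlet as having a test file while exercising nothing. Record why it is skipped next to the `It` line, e.g. `# TODO: skipped until loadEnv provisions a never-onboarded workspace in $env.newOnboardingStateWS`, or provision that workspace in the environment setup and enable the test. When it is enabled, assert on the returned onboarding state (and on `$env.newOnboardingStateWS` being distinct from `$env.workspaceName`) rather than just `Should -Not -Throw`, since onboarding is a one-time, workspace-wide action and a silent no-op would pass the current assertion.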
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelThreatIntelligenceIndicator'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'New-AzSentinelThreatIntelligenceIndicator.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'New-AzSentinelThreatIntelligenceIndicator' {
+ It 'CreateExpanded' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Create1' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'Create' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/README.md b/src/SecurityInsights/test/README.md
new file mode 100644
index 000000000000..1969200c6a09
--- /dev/null
+++ b/src/SecurityInsights/test/README.md
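Review bot: All three `It` blocks are `-skip` placeholders that throw NotImplementedException, so this file contributes no coverage for New-AzSentinelThreatIntelligenceIndicator while looking like a test file, and no Recording.json accompanies it. The test README added in this same patch says generated stubs "will fail automatically, to indicate that tests should be written" — the `-skip` flag defeats exactly that signal. Either drop `-skip` so the stubs fail loudly until they are written, or keep them skipped with a tracking comment above the Describe, e.g. `# TODO: threat-intelligence indicator tests not implemented; stubs skipped because no recording exists yet`. A single CreateExpanded test that creates an indicator and asserts on a server-returned field would presumably cover most of the risk for the remaining parameter sets.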
@@ -0,0 +1,17 @@
+# Test
+This directory contains the [Pester](https://www.powershellgallery.com/packages/Pester) tests to run for the module. We use Pester as it is the unofficial standard for PowerShell unit testing. Test stubs for custom cmdlets (created in `../custom`) will be generated into this folder when `build-module.ps1` is ran. These test stubs will fail automatically, to indicate that tests should be written for custom cmdlets.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: no
+
+## Details
+We allow three testing modes: *live*, *record*, and *playback*. These can be selected using the `-Live`, `-Record`, and `-Playback` switches respectively on the `test-module.ps1` script. This script will run through any `.Tests.ps1` scripts in the `test` folder. If you choose the *record* mode, it will create a `.Recording.json` file of the REST calls between the client and server. Then, when you choose *playback* mode, it will use the `.Recording.json` file to mock the communication between server and client. The *live* mode runs the same as the *record* mode; however, it doesn't create the `.Recording.json` file.
+
+## Purpose
+Custom cmdlets generally encompass additional functionality not described in the REST specification, or combines functionality generated from the REST spec. To validate this functionality continues to operate as intended, creating tests that can be ran and re-ran against custom cmdlets is part of the framework.
+
+## Usage
+To execute tests, run the `test-module.ps1`. To write tests, [this example](https://github.com/pester/Pester/blob/8b9cf4248315e44f1ac6673be149f7e0d7f10466/Examples/Planets/Get-Planet.Tests.ps1#L1) from the Pester repository is very useful for getting started.
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..6acf6c6fd5fe
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "269" ], + "x-ms-client-request-id": [ "f9d2be0b-03a7-4e01-a67d-5f2d62438d10" ], + "CommandName": [ "Remove-AzSentinelAlertRule" ], + "FullCommandName": [ "Remove-AzSentinelAlertRule_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], + "x-ms-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "x-ms-correlation-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "270" ], + "x-ms-client-request-id": [ "5c460652-1a17-4fc5-bb9e-0ea05c7214ef" ], + "CommandName": [ "Get-AzSentinelAlertRule" ], + "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], + "x-ms-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "x-ms-correlation-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1180" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "271" ], + "x-ms-client-request-id": [ "09bfc100-0d59-4301-827a-446ddfe1d034" ], + "CommandName": [ "Remove-AzSentinelAlertRule" ], + "FullCommandName": [ "Remove-AzSentinelAlertRule_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14998" ], + "x-ms-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "x-ms-correlation-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 new file mode 100644 index 000000000000..e9b1d8a2f619 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAlertRule' {
+ It 'Delete' {
+ { Remove-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveViaIdAlertRuleId
+ { Remove-AzSentinelAlertRule -InputObject $alertRule } | Should -Not -Throw
+ }
+}
+
\ No newline at end of file
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..d12cf459335c
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json
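Review bot: Both `It` blocks assert only `Should -Not -Throw`, which passes as soon as the DELETE returns any success status; the accompanying recording shows the service answering 200 with an empty `{}` body, so a delete that silently matched nothing would pass just the same. After each removal, fetch the rule again and assert the lookup fails (the service should answer 404 for a removed rule), e.g. `{ Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleId } | Should -Throw`; this requires the recording to be regenerated. The tests also depend on `$env.RemoveAlertRuleId` and `$env.RemoveViaIdAlertRuleId` having been created by the environment setup, which lives outside this hunk; a one-line comment above the Describe naming that dependency would help whoever has to re-record.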
@@ -0,0 +1,123 @@ +{ + "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "272" ], + "x-ms-client-request-id": [ "dbc99097-45e4-4ce8-ad2c-ab0995cfdbaa" ], + "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14997" ], + "x-ms-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "x-ms-correlation-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021046Z:acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:45 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ], + "Content-Length": [ "0" ] + }, + "Content": null, + 
"isContentBase64": false + } + }, + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "273" ], + "x-ms-client-request-id": [ "a1ffcfe9-2e9f-4977-a742-bd67e6bfae66" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], + "x-ms-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "x-ms-correlation-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021047Z:f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80\",\"name\":\"49c62647-0f89-442a-8fc1-76a2159daa80\",\"etag\":\"\\\"2600e554-0000-0300-0000-61b550330000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "274" ], + "x-ms-client-request-id": [ "75cd3713-b8a9-4013-b834-41d7af4399db" ], + "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], 
+ "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14996" ], + "x-ms-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "x-ms-correlation-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021048Z:3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:10:47 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ], + "Content-Length": [ "0" ] + }, + "Content": null, + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..04de4070aade --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAlertRuleAction' {
+ It 'Delete' {
+ { Remove-AzSentinelAlertRuleAction -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.RemoveAlertRuleActionRuleId -Id $env.RemoveAlertRuleActionId} | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.RemoveViaIdAlertRuleActionRuleId -Id $env.RemoveViaIdAlertRuleActionId
+ { Remove-AzSentinelAlertRuleAction -InputObject $alertRuleAction } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..9890b36e8728
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json
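Review bot: The `while(-not $mockingPath)` search for HttpPipelineMocking.ps1 has no termination guard: if the file is never found, `Split-Path -Parent` appears to reach an empty path at the filesystem root and the loop keeps calling `Get-ChildItem` with it instead of failing. Bounding it would be enough, e.g. `while(-not $mockingPath -and $currentPath) {` and, before the dot-source, `if (-not $mockingPath) { throw 'HttpPipelineMocking.ps1 not found' }`. The same scaffold is repeated in Remove-AzSentinelAutomationRule.Tests.ps1, Remove-AzSentinelBookmark.Tests.ps1 and Remove-AzSentinelBookmarkRelation.Tests.ps1 in this chunk; if it comes from the shared autorest template, the fix belongs there rather than in each file.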
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "275" ], + "x-ms-client-request-id": [ "c4479378-6f8f-4564-9baa-c7941f8b8853" ], + "CommandName": [ "Remove-AzSentinelAutomationRule" ], + "FullCommandName": [ "Remove-AzSentinelAutomationRule_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14995" ], + "x-ms-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "x-ms-correlation-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } 
+ }, + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "276" ], + "x-ms-client-request-id": [ "941690b1-0c9a-4f3f-8270-3b496e8efb48" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], + "x-ms-correlation-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:4fa25446-f052-49cf-995a-ebd22dbac529" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1354" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "277" ], + "x-ms-client-request-id": [ "8e085c3b-bebc-448b-a8e7-d262c731b62f" ], + "CommandName": [ "Remove-AzSentinelAutomationRule" ], + "FullCommandName": [ "Remove-AzSentinelAutomationRule_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14994" ], + "x-ms-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], + "x-ms-correlation-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:73787d6a-a355-42e0-9e1e-09b17db17146" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..c3572a6064da --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelAutomationRule' {
+ It 'Delete' {
+ { Remove-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveAutomationRuleId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $automationRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdAutomationRuleId
+ { Remove-AzSentinelAutomationRule -InputObject $automationRule} | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..a1f3b9763cdb
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json
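Review bot: Both `It` blocks only assert `Should -Not -Throw`, so a Remove that completes without actually deleting anything still passes; nothing pins that the resource is gone afterwards. A follow-up check such as `{ Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveAutomationRuleId } | Should -Throw` would verify the deletion, presumably at the cost of re-recording the fixture so the extra GET is in playback. The same observation applies to the Delete tests in Remove-AzSentinelAlertRuleAction.Tests.ps1, Remove-AzSentinelBookmark.Tests.ps1 and Remove-AzSentinelBookmarkRelation.Tests.ps1 in this chunk.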
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "278" ], + "x-ms-client-request-id": [ "e8476f9a-f07a-4121-98ae-0005160b8a62" ], + "CommandName": [ "Remove-AzSentinelBookmark" ], + "FullCommandName": [ "Remove-AzSentinelBookmark_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14993" ], + "x-ms-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "x-ms-correlation-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "279" ], + "x-ms-client-request-id": [ "6acd6fc2-853e-4f07-a2a8-a9f2ea22fc11" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11936" ], + "x-ms-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "x-ms-correlation-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "280" ], + "x-ms-client-request-id": [ "3cf9b7de-7557-4b52-a511-75d856d1962a" ], + "CommandName": [ "Remove-AzSentinelBookmark" ], + "FullCommandName": [ "Remove-AzSentinelBookmark_DeleteViaIdentity" ], + "ParameterSetName": [ 
"__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14992" ], + "x-ms-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "x-ms-correlation-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021134Z:e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:34 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 new file mode 100644 index 000000000000..e864505fc0f8 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Tests.ps1 
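Review bot: The recorder filters only the `Authorization` header; the stored response bodies in this file still carry the recording tenant's identities — the `createdBy`/`updatedBy` objectId, email and display name of the engineer who ran the tests, the subscription and tenant GUIDs, and inside `queryResult` a complete sign-in log record with UPN and IP address. Once committed, these stay in repository history even if later scrubbed. Consider extending the sanitizer that produces these recordings to replace identity fields with placeholder values (the sign-in record looks like Microsoft demo data, but the `createdBy` identity does not). The same `createdBy`/`lastModifiedBy` fields appear in Remove-AzSentinelAutomationRule.Recording.json and the relation/incident ids in Remove-AzSentinelBookmarkRelation.Recording.json in this chunk.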
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelBookmark' {
+ It 'Delete' {
+ { Remove-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveBookmarkId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdBookmarkId
+ { Remove-AzSentinelBookmark -InputObject $bookmark } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..d9c26fe06ae8
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "281" ], + "x-ms-client-request-id": [ "a8e52b88-2b95-4183-bda7-9b192bbe6eea" ], + "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14991" ], + "x-ms-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "x-ms-correlation-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "282" ], + "x-ms-client-request-id": [ "0e9b0a62-8442-402b-8a94-7512c9c6a6c8" ], + "CommandName": [ "Get-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], + "x-ms-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], + "x-ms-correlation-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:cc098520-2b65-4165-9046-f57ce899c1ca" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"name\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceName\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "283" ], + "x-ms-client-request-id": [ 
"75dedba1-e385-4668-82f4-9d6186ef3845" ], + "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14990" ], + "x-ms-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "x-ms-correlation-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021157Z:a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..61d3036008c2 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelBookmarkRelation' {
+ It 'Delete' {
+ { Remove-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -BookmarkId $env.RemovebookmarkRelationBookmarkId -RelationName $env.RemoveBookmarkRelationId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.RemoveViaIdbookmarkRelationBookmarkId -RelationName $env.RemoveViaIdBookmarkRelationId
+ { Remove-AzSentinelBookmarkRelation -InputObject $bookmarkRelation } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..77b652862e92
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json
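Review bot: The `while(-not $mockingPath)` loop in the bootstrap block has no termination guard: if `HttpPipelineMocking.ps1` is never found, `Split-Path -Parent` eventually yields an empty string at the filesystem root and the loop would likely keep re-running `Get-ChildItem` on an empty path (and `$mockingPath` is read before it is ever assigned, which Set-StrictMode would reject) instead of failing with a clear message. Bounding it as `while (-not $mockingPath -and $currentPath) {` and following the loop with `if (-not $mockingPath) { throw 'HttpPipelineMocking.ps1 not found' }` makes the failure explicit. The same scaffold is repeated in Remove-AzSentinelDataConnector.Tests.ps1, Remove-AzSentinelEntityQuery.Tests.ps1 and Remove-AzSentinelIncident.Tests.ps1 in this patch. Separately, both It blocks only assert `Should -Not -Throw`; checking that a subsequent `Get-AzSentinelBookmarkRelation` for the removed relation fails or returns nothing would confirm the delete actually took effect rather than merely not erroring.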
@@ -0,0 +1,156 @@ +{ + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "198" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], + "x-ms-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], + "x-ms-correlation-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:d764a3df-4f12-4563-903f-3d84addd6046" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:18 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "567" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"name\":\"6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"etag\":\"8777901f-f253-4327-98a9-2841f902da12\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "285" ], + "x-ms-client-request-id": [ "49737722-1805-4d80-9e73-2bd45b6058b1" ], + "CommandName": [ "Remove-AzSentinelDataConnector" ], + "FullCommandName": [ "Remove-AzSentinelDataConnector_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], + "x-ms-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], + "x-ms-correlation-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:9475ca24-66a5-4018-91c1-912457c89898" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:19 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "198" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], + "x-ms-request-id": [ 
"dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "x-ms-correlation-request-id": [ "dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021220Z:dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "567" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"name\":\"d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"etag\":\"73cea443-5e30-47db-b856-8635bd63e9f2\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "287" ], 
+ "x-ms-client-request-id": [ "3a2801d9-0d21-403e-985b-6c0f17a9ad13" ], + "CommandName": [ "Remove-AzSentinelDataConnector" ], + "FullCommandName": [ "Remove-AzSentinelDataConnector_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], + "x-ms-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "x-ms-correlation-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021221Z:e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..89201404f566 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelDataConnector' {
+ It 'Delete' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled"
+ { Remove-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled"
+ { Remove-AzSentinelDataConnector -InputObject $dataConnector } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..c830d07b7fb5
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json
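Review bot: Both It blocks create the connector with `-DataConnectorId ((New-Guid).Guid)` at test time, whereas the other Remove tests in this patch take their ids from `$env`. The companion recording keys each entry on the full request URI, which embeds the connector id (`6ba8eed7-…` and `d932006a-…` in the recorded PUT/DELETE pairs), so a GUID generated on every run would presumably not match any recorded entry in playback mode unless the mocking layer normalizes ids; if it does not, these tests only pass in record/live mode. Generating the ids once in the env setup and referencing them as, for example, `$env.RemoveDataConnectorId` would keep playback deterministic and consistent with the sibling tests. The assertions also stop at `Should -Not -Throw` and do not confirm the connector is gone afterwards.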
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "288" ], + "x-ms-client-request-id": [ "f3353721-6954-4ce5-97d0-b78e750f1313" ], + "CommandName": [ "Remove-AzSentinelEntityQuery" ], + "FullCommandName": [ "Remove-AzSentinelEntityQuery_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], + "x-ms-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "x-ms-correlation-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "289" ], + "x-ms-client-request-id": [ "2160734d-69fa-4379-a011-4f58077788cc" ], + "CommandName": [ "Get-AzSentinelEntityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11934" ], + "x-ms-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "x-ms-correlation-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"name\":\"f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"etag\":\"\\\"50013ae2-0000-0100-0000-61b5535d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "290" ], + "x-ms-client-request-id": [ "af1f747e-7f78-4d0e-993d-c8530a04e4e3" ], + "CommandName": [ "Remove-AzSentinelEntityQuery" ], + "FullCommandName": [ "Remove-AzSentinelEntityQuery_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + 
"Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], + "x-ms-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], + "x-ms-correlation-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:367c75ba-89ae-481a-b829-5f173538b0b5" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:12:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..057f867b6510 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelEntityQuery' {
+ It 'Delete' {
+ { Remove-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveentityQueryActivityId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $entityQuery = Get-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdentityQueryActivityId
+ { Remove-AzSentinelEntityQuery -InputObject $entityQuery } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..dd0e17816391
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "291" ], + "x-ms-client-request-id": [ "574a9df9-4e96-4bf7-b983-de396ac7a8f7" ], + "CommandName": [ "Remove-AzSentinelIncident" ], + "FullCommandName": [ "Remove-AzSentinelIncident_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], + "x-ms-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], + "x-ms-correlation-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:ba411cec-55f6-4380-8706-301eac432d72" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + 
"Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "292" ], + "x-ms-client-request-id": [ "572569e4-b995-4a3c-9303-6c9c128da808" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], + "x-ms-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "x-ms-correlation-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1206" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "293" ], + "x-ms-client-request-id": [ "09e42b86-ecb3-4fcb-8027-9fa8147f1be2" ], + "CommandName": [ "Remove-AzSentinelIncident" ], + "FullCommandName": [ "Remove-AzSentinelIncident_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14984" ], + "x-ms-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "x-ms-correlation-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..b8c4dda87a22 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncident' {
+ It 'Delete' {
+ { Remove-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.RemoveincidentId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.RemoveViaIdincidentId
+ { Remove-AzSentinelIncident -InputObject $incident } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..009621cf4459
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json
@@ -0,0 +1,125 @@ +{ + "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "294" ], + "x-ms-client-request-id": [ "15babaea-3ef5-46e9-a706-02b3d6c966c2" ], + "CommandName": [ "Remove-AzSentinelIncidentComment" ], + "FullCommandName": [ "Remove-AzSentinelIncidentComment_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "x-ms-correlation-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "295" ], + "x-ms-client-request-id": [ "f3278cb2-da91-40b4-ac8e-5fa8cfa66a23" ], + "CommandName": [ "Get-AzSentinelIncidentComment" ], + "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], + "x-ms-correlation-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:4a175543-f6e7-4898-ac14-aed7e9905217" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": 
{ + "Content-Length": [ "797" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/Comments/97010b56-8d45-49b6-9f11-02d55ed685b8\",\"name\":\"97010b56-8d45-49b6-9f11-02d55ed685b8\",\"etag\":\"\\\"3c00ac5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentComment8ftdy3\",\"createdTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "296" ], + "x-ms-client-request-id": [ "60ee7844-7239-4bbc-bf2a-cc4ec66a49d0" ], + 
"CommandName": [ "Remove-AzSentinelIncidentComment" ], + "FullCommandName": [ "Remove-AzSentinelIncidentComment_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "x-ms-correlation-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021325Z:c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..4f0f526d3573 --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncidentComment' {
+ It 'Delete' {
+ { Remove-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.RemoveincidentCommentIncidentId -Id $env.RemoveincidentCommentId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incidentComment = Get-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.RemoveViaIdincidentCommentIncidentId -Id $env.RemoveViaIdincidentCommentId
+ { Remove-AzSentinelIncidentComment -InputObject $incidentComment } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..723b1d498b24
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json
@@ -0,0 +1,123 @@ +{ + "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "297" ], + "x-ms-client-request-id": [ "1d8a4923-93be-4a4b-a886-dfe9bfa70be1" ], + "CommandName": [ "Remove-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Remove-AzSentinelIncidentRelation_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 204, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "x-ms-correlation-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + }, + "ContentHeaders": { + "Expires": [ "-1" ] + }, + "Content": null, + "isContentBase64": 
false + } + }, + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "298" ], + "x-ms-client-request-id": [ "cbfc9c68-1cf2-4e27-b06f-ef17307a6764" ], + "CommandName": [ "Get-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "x-ms-correlation-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; 
charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309\",\"name\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceName\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "299" ], + "x-ms-client-request-id": [ "07a06a05-0cf8-4c71-a63e-c0f4633a9835" ], + "CommandName": [ "Remove-AzSentinelIncidentRelation" ], + 
"FullCommandName": [ "Remove-AzSentinelIncidentRelation_DeleteViaIdentity" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "x-ms-correlation-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:13:47 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..50372d36ca5b --- /dev/null +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,27 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelIncidentRelation' {
+ It 'Delete' {
+ { Remove-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -IncidentId $env.RemoveincidentCommentIncidentId -RelationName $env.RemoveincidentRelationId } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' {
+ $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.RemoveViaIdincidentRelationIncidentId -RelationName $env.RemoveViaIdincidentRelationId
+ { Remove-AzSentinelIncidentRelation -InputObject $incidentRelation } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1
new file mode 100644
index 000000000000..614737036a1b
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOfficeConsent.Tests.ps1
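Review bot: The `Delete` test passes `-IncidentId $env.RemoveincidentCommentIncidentId`, the incident reserved for the comment-removal test, while `DeleteViaIdentity` in the same Describe uses the relation-specific `$env.RemoveViaIdincidentRelationIncidentId`; this looks like a copy-paste from Remove-AzSentinelIncidentComment.Tests.ps1. Sharing one incident between two destructive tests couples them: if the comment test's cleanup or ordering changes, this delete can start failing or hitting a different incident. Give the relation delete its own id, e.g. `-IncidentId $env.RemoveincidentRelationIncidentId` (a constructed name; the variable would need to be created where the other Remove* ids are set up, which is outside this hunk).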
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelOfficeConsent'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelOfficeConsent.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelOfficeConsent' {
+ It 'Delete' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json
new file mode 100644
index 000000000000..7bae50663116
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json
@@ -0,0 +1,43 @@ +{ + "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "DELETE", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "304" ], + "x-ms-client-request-id": [ "a1499210-7039-49aa-8d0a-efbddac44cb5" ], + "CommandName": [ "Remove-AzSentinelOnboardingState" ], + "FullCommandName": [ "Remove-AzSentinelOnboardingState_Delete" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14981" ], + "x-ms-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "x-ms-correlation-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021455Z:0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:14:54 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1
new file mode 100644
index 000000000000..3a402fef7387
--- /dev/null
+++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelOnboardingState'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Remove-AzSentinelOnboardingState.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Remove-AzSentinelOnboardingState' {
+ It 'Delete' {
+ { Remove-AzSentinelOnboardingState -Name "default" -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.removeOnboardingStateWS } | Should -Not -Throw
+ }
+
+ It 'DeleteViaIdentity' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1
new file mode 100644
index 000000000000..05fb98d9a28e
--- /dev/null
+++ b/src/SecurityInsights/test/Test-AzSentinelDataConnectorCheckRequirement.Tests.ps1
@@ -0,0 +1,25 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Test-AzSentinelDataConnectorCheckRequirement'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Test-AzSentinelDataConnectorCheckRequirement.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Test-AzSentinelDataConnectorCheckRequirement' {
+ It 'AADTenant' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+
+ It 'AzureSecurityCenter' -skip {
+ { throw [System.NotImplementedException] } | Should -Not -Throw
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json
new file mode 100644
index 000000000000..c001a4156df5
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json
@@ -0,0 +1,38 @@ +{ + "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulevi15sc\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "900" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1186" 
], + "x-ms-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "x-ms-correlation-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021541Z:6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:15:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1171" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9400d13c-0000-0100-0000-61b55b4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:15:39.3269202Z\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
new file mode 100644
index 000000000000..c3f044d17718
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
@@ -0,0 +1,28 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAlertRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAlertRule' {
+ It 'UpdateExpanded' {
+ $alertRule = Update-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateAlertRuleId -Disabled
+ $alertRule.Enabled | Should -Be $true
+ }
+
+ It 'UpdateViaIdentityExpanded' -skip {
+ $alertRule = Get-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateViaIdAlertRuleId
+ $alertRuleUpdate = Update-AzSentinelAlertRule -InputObject $alertRule -Disabled
+ $alertRuleUpdate.Enabled | Should -Be $true
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json
new file mode 100644
index 000000000000..d21e529faef4
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json
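Review bot: The `UpdateExpanded` test calls `Update-AzSentinelAlertRule ... -Disabled` and then asserts `$alertRule.Enabled | Should -Be $true`, which is the opposite of what the switch requests. The companion recording committed just above this file shows the PUT body carrying `"enabled": true` and the response echoing `"enabled":true`, so the assertion appears to pass only because `-Disabled` is not being applied; the cmdlet that builds that body is a custom script outside this hunk and should be checked. As written the suite cannot detect a rule that silently stays enabled after an operator disables it; the expectation should be `$alertRule.Enabled | Should -Be $false` once the switch is honoured (and likewise `$alertRuleUpdate.Enabled | Should -Be $false` in the skipped `UpdateViaIdentityExpanded` test), with the recording regenerated.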
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "558" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "x-ms-correlation-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "x-ms-routing-request-id": [ 
"WESTUS2:20211212T021604Z:be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "617" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"name\":\"5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "309" ], + "x-ms-client-request-id": [ 
"4b5c6ed0-5e91-4f9c-b469-ced7536e5041" ], + "CommandName": [ "Get-AzSentinelAlertRuleAction" ], + "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11931" ], + "x-ms-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "x-ms-correlation-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021604Z:4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "660" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"etag\":\"\\\"26005c56-0000-0300-0000-61b550730000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "558" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + "x-ms-correlation-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021606Z:ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:06 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "617" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 new file mode 100644 index 000000000000..bbb7351a8864 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRuleAction'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAlertRuleAction.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAlertRuleAction' {
+ It 'UpdateExpanded' {
+ $alertRuleAction = Update-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.UpdateAlertRuleActionRuleId -Id $env.UpdateAlertRuleActionId -LogicAppResourceId $env.Playbook3LogicAppResourceId -TriggerUri $env.Playbook3TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook3LogicAppResourceId
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $alertRuleAction = Get-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName `
+ -RuleId $env.UpdateViaIdAlertRuleActionRuleId -Id $env.UpdateViaIdAlertRuleActionId
+ $alertRuleAction = Update-AzSentinelAlertRuleAction -InputObject $alertRuleAction -LogicAppResourceId $env.Playbook3LogicAppResourceId -TriggerUri $env.Playbook3TriggerUrl
+ $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook3LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json
new file mode 100644
index 000000000000..8622059da0bb
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json
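Review bot: `$env.Playbook3TriggerUrl`, passed as `-TriggerUri` in both `It` blocks, is a Logic App callback URL that carries a SAS token in its `sig=` query parameter, and the recording committed alongside this test stores the PUT body verbatim — the `Authorization` header is written as `[Filtered]`, but the `triggerUri` inside `Content` is not. Anything in git history should be treated as exposed, so the access key for that Logic App trigger should be regenerated, and the recorder should redact the `sig` value from request bodies before the file is committed (a sanitizer in the HttpPipelineMocking layer that this test dot-sources would cover every Sentinel recording, not just this one). Both `It` blocks read `$env.ResourceGroupName` while the sibling tests use `$env.resourceGroupName`; it works because PowerShell property lookup is case-insensitive, but one spelling keeps the suite greppable.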
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "311" ], + "x-ms-client-request-id": [ "0525ef71-01e7-4abf-b7f2-24f81d44d550" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "x-ms-correlation-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021628Z:9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:28 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1349" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "595" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "x-ms-correlation-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021629Z:fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "313" ], + "x-ms-client-request-id": [ "c77aae63-9c15-419d-a9bc-3f5e88d54b19" ], + "CommandName": [ "Get-AzSentinelAutomationRule" ], + "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "x-ms-correlation-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021630Z:69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "595" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "x-ms-correlation-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021631Z:4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:30 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1356" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00070d-0000-0100-0000-61b55b7e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:30Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 new file mode 100644 index 000000000000..cc178161a47f --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Tests.ps1 
@@ -0,0 +1,39 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAutomationRule'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelAutomationRule.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelAutomationRule' {
+ It 'UpdateExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook4LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $getRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId
+ $automationRule = Update-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId -Action $automationRuleAction -DisplayName $getRule.DisplayName -Order $getRule.Order -TriggeringLogicIsEnabled
+ $automationRule.Action.ActionConfigurationLogicAppResourceId | Should -Be $env.Playbook4LogicAppResourceId
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new()
+ $automationRuleAction.Order = 1
+ $automationRuleAction.ActionType = "RunPlaybook"
+ $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook4LogicAppResourceId
+ $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
+ $getRule = Get-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateAutomationRuleId
+ $automationRuleUpdate = Update-AzSentinelAutomationRule -InputObject $getRule -Action $automationRuleAction -DisplayName $getRule.DisplayName -Order $getRule.Order -TriggeringLogicIsEnabled
+ $automationRuleUpdate.Action.ActionConfigurationLogicAppResourceId | Should -Be $env.Playbook4LogicAppResourceId
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json
new file mode 100644
index 000000000000..8d34e003ad91
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json
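Review bot: The six lines that build `$automationRuleAction` and the `Get-AzSentinelAutomationRule` call are repeated verbatim in both `It` blocks; moving them into a `BeforeEach` inside the `Describe` leaves each test with just its `Update-AzSentinelAutomationRule` call and assertion, and makes any future change to the action shape a one-place edit. Both tests also write to the same rule (`$env.UpdateAutomationRuleId`), so the second runs against whatever state the first left behind; that is harmless under the recording, but a short comment noting the shared fixture would save the next person from wondering why they are not independent. The assertion checks only `ActionConfigurationLogicAppResourceId`; adding `$automationRule.Action.ActionConfigurationTenantId | Should -Be $env.Tenant` would confirm the playbook binding round-trips completely, since an action bound to the wrong tenant is exactly the kind of silent misconfiguration these tests exist to catch.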
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "315" ], + "x-ms-client-request-id": [ "5fcb1435-2914-4d90-9863-6293574ccb0c" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], + "Server": [ "Kestrel" ], + "x-ms-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "x-ms-correlation-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021652Z:3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:51 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "5321" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "67" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + 
"Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], + "x-ms-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "x-ms-correlation-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "941" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "317" ], + "x-ms-client-request-id": [ "bf852d4c-f0b1-4047-bb5f-f5a328ef936d" ], + "CommandName": [ "Get-AzSentinelBookmark" ], + "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11929" ], + "x-ms-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "x-ms-correlation-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "949" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53.1698187+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": 
[ "67" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], + "x-ms-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "x-ms-correlation-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "941" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b029df0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.6063277+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + } +} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1
new file mode 100644
index 000000000000..af2179c43b6d
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Tests.ps1
@@ -0,0 +1,31 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmark'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelBookmark.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelBookmark' {
+ It 'UpdateExpanded' {
+ $getBookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateBookmarkId
+ $bookmark = Update-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateBookmarkId -DisplayName "UpdateBookmarkPSTest"
+ $bookmark.DisplayName | Should -Be "UpdateBookmarkPSTest"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $bookmark = Get-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateBookmarkId
+ $bookmarkUpdate = Update-AzSentinelBookmark -InputObject $bookmark -DisplayName "UpdateBookmarkPSTest"
+ $bookmarkUpdate.DisplayName | Should -Be "UpdateBookmarkPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json
new file mode 100644
index 000000000000..a576258895f0
--- /dev/null
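Review bot: `$getBookmark` is assigned in 'UpdateExpanded' but never read, so the test cannot notice that the update discards the bookmark's other properties — in the recording this file replays, the PUT body carries only `displayName`, and the response comes back with `labels: []` and without the `notes` and `query` that the preceding GET returned. Either drop the variable or use it, e.g. `$bookmark.Query | Should -Be $getBookmark.Query`, which would turn that silent data loss into a failing test (whether the custom Update cmdlet should send the full object is a question for the cmdlet, outside this hunk). Separately, the recording referenced on the `$TestRecordingFile` line stores an unredacted SigninLogs row in the bookmark's `queryResult` (UPN, display name, client IP address, geo-coordinates, user agent, tenant and object IDs) plus the recording account's e-mail in `createdBy`/`updatedBy`; only the Authorization header is `[Filtered]`, so scrub those fields or record against a bookmark with a synthetic `queryResult` before this lands in a public repository.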
+++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json 
@@ -0,0 +1,187 @@ +{ + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "123" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "x-ms-correlation-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021716Z:da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:16 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1224" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"name\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"etag\":\"\\\"3c005a8d-0000-0100-0000-61b55bac0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"createdTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1183" ], + "x-ms-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "x-ms-correlation-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e\",\"name\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"etag\":\"\\\"6b0226f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceName\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateViaIdBookmarkRelationPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "128" ] + } + }, + "Response": { + "StatusCode": 201, + "Headers": { + "Cache-Control": [ 
"no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "x-ms-correlation-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1229" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"name\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"etag\":\"\\\"3c00648d-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"createdTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"28\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "322" ], + "x-ms-client-request-id": [ "cdb860a8-60c2-4148-8365-c73bda64c033" ], + "CommandName": [ "Get-AzSentinelBookmarkRelation" ], + "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], + "x-ms-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "x-ms-correlation-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + 
"Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceName\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": 
\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1182" ], + "x-ms-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "x-ms-correlation-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b0227f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceName\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 new file mode 100644 index 000000000000..7d65a5b39cf3 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 
@@ -0,0 +1,34 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmarkRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelBookmarkRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelBookmarkRelation' {
+ It 'UpdateExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateBookmarkRelationPSTest"
+ $bookmarkRelation = Update-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.UpdatebookmarkRelationBookmarkId -RelationName $env.UpdateBookmarkRelationId -RelatedResourceId $incident.Id
+ $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateViaIdBookmarkRelationPSTest"
+ $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -BookmarkId $env.UpdateViaIdbookmarkRelationBookmarkId -RelationName $env.UpdateViaIdBookmarkRelationId
+ $bookmarkRelationUpdate = Update-AzSentinelBookmarkRelation -InputObject $bookmarkRelation -RelatedResourceId $incident.Id
+ $bookmarkRelationUpdate.RelatedResourceId | Should -Be $incident.Id
+ }
+}
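Review bot: Both `It` blocks create a real incident with `New-AzSentinelIncident -Id ((New-Guid).Guid)` and nothing deletes it, so every record-mode run leaves two more incidents titled UpdateBookmarkRelationPSTest / UpdateViaIdBookmarkRelationPSTest in the shared test workspace. Either add an `AfterAll` that removes the incidents these tests created (the module's remove cmdlet is not visible in this hunk, so confirm its name), or read a pre-provisioned incident id from `$env` the way the bookmark and relation ids already are. The assertions also only compare `RelatedResourceId`; the recorded response carries `relatedResourceType` = `Microsoft.SecurityInsights/Incidents`, so an extra check such as `$bookmarkRelation.RelatedResourceType | Should -Be 'Microsoft.SecurityInsights/Incidents'` (property name presumably surfaced as shown — confirm on the output object) would catch a relation written against the wrong resource kind.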
diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json
new file mode 100644
index 000000000000..b31fe151e8b5
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"b233bb7e-98ea-415f-895d-e389655250ac\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "346" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1181" ], + "x-ms-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "x-ms-correlation-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021740Z:b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:40 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "578" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "326" ], + "x-ms-client-request-id": [ "f4a28c41-9844-4978-a6d9-02f66c8debe3" ], + "CommandName": [ "Get-AzSentinelDataConnector" ], + "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-reads": [ "11926" ], + "x-ms-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "x-ms-correlation-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021741Z:bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:41 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "578" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "345" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1180" ], + "x-ms-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], + "x-ms-correlation-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021742Z:dca440dc-282f-4154-b26a-0a180c937e11" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:17:42 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "577" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"e0ea214e-c798-468a-a3ed-ea1de3deea54\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 new file mode 100644 index 000000000000..6e4534861b80 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelDataConnector'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelDataConnector.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelDataConnector' {
+ It 'UpdateExpanded' {
+ $dataConnector = Update-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId $env.updateDataConnectorId -SharePoint "Enabled"
+ $dataConnector.SharePointState | Should -Be "Enabled"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $dataConnector = Get-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -DataConnectorId $env.updateDataConnectorId
+ $dataConnectorUpdate = Update-AzSentinelDataConnector -InputObject $dataConnector -Teams "Enabled"
+ $dataConnectorUpdate.TeamState | Should -Be "Enabled"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
new file mode 100644
index 000000000000..4ed152e938b6
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
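Review bot: `Should -Be "Enabled"` is case-insensitive in Pester, and the paired recording shows the request body going out with `"state": "Enabled"` verbatim while the service answers `"state":"enabled"`, so these assertions pass whatever casing the cmdlet sends and cannot tell whether `-SharePoint`/`-Teams` are being normalized to the API's lowercase `enabled`/`disabled` values. If the cmdlet is meant to emit the canonical form, pin it with `$dataConnector.SharePointState | Should -BeExactly 'enabled'` and give the parameters a `ValidateSet('Enabled','Disabled')` (the custom cmdlet body is outside this hunk, so confirm whether it already has one). Separately, this test's request captures the Office365 connector's `tenantId` into the committed recording in clear while `Authorization` is `[Filtered]`; a tenant id is not a credential, but confirm that is intended for a public repository rather than a gap in the recording sanitizer.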
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"50014de4-0000-0100-0000-61b5537d0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName 
=~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "2162" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1179" ], + "x-ms-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "x-ms-correlation-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021804Z:47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2286" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"name\":\"64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"etag\":\"\\\"51016d4c-0000-0100-0000-61b55bdc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:21.052492Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:04.8210404Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "331" ], + "x-ms-client-request-id": [ "56b3e04b-7397-4e92-bac4-1a888d915fa0" ], + "CommandName": [ "Get-AzSentinelEntityQuery" ], + "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + 
"x-ms-ratelimit-remaining-subscription-reads": [ "11923" ], + "x-ms-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], + "x-ms-correlation-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021805Z:94857087-f52f-4f97-854d-d04d9f315fde" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2326" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, 
\\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "2162" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1178" ], + "x-ms-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "x-ms-correlation-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021806Z:89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:05 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "2287" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"5101754c-0000-0100-0000-61b55bde0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:05.9962445Z\",\"inputEntityType\":\"Host\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 new file mode 100644 index 000000000000..fa2df6f530c7 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 
@@ -0,0 +1,29 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelEntityQuery'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelEntityQuery.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelEntityQuery' {
+ It 'UpdateExpanded' {
+ $entityQuery = Update-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId $env.UpdateentityQueryActivityId -Title "UpdateEntityQueryPSTest"
+ $entityQuery.Title | Should -Be "UpdateEntityQueryPSTest"
+ }
+ It 'UpdateViaIdentityExpanded' {
+ $entityQuery = Get-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -EntityQueryId $env.UpdateViaIdentityQueryActivityId
+ $entityQueryUpdate = Update-AzSentinelEntityQuery -InputObject $entityQuery -Title "UpdateEntityQueryPSTest"
+ $entityQueryUpdate.Title | Should -Be "UpdateEntityQueryPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json
new file mode 100644
index 000000000000..dba41cd72fca
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json
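Review bot: Both cases assert only `Title`, so they miss that the update discards a property the caller never touched: in the paired recording the `UpdateViaIdentityExpanded` GET returns `"entitiesFilter":{"Host_OsFamily":["Windows"]}`, the PUT the cmdlet then sends has no `entitiesFilter` at all, and the response comes back with `"entitiesFilter":{}`. For an Activity entity query that silently widens which hosts the query runs against, which is precisely the regression a test of an Update cmdlet exists to catch. Add an assertion on an untouched field after the update, e.g. `$entityQueryUpdate.EntitiesFilter | Should -Not -BeNullOrEmpty` (the property name on the output object is not visible here — confirm), and have `Update-AzSentinelEntityQuery` carry `entitiesFilter` over from `-InputObject`; the cmdlet body is outside this hunk.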
@@ -0,0 +1,156 @@ +{ + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "334" ], + "x-ms-client-request-id": [ "7bc4824c-999c-46ec-9943-3ccd1a9c07aa" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11921" ], + "x-ms-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "x-ms-correlation-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:26 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "110" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "x-ms-correlation-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1211" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00de92-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.4677391Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "336" ], + "x-ms-client-request-id": [ "b4f38023-2f12-4c7f-9a76-a99d449d5609" ], + "CommandName": [ "Get-AzSentinelIncident" ], + "FullCommandName": [ "Get-AzSentinelIncident_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11920" ], + "x-ms-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], + "x-ms-correlation-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:722bd76b-a708-49d0-b44e-1c9674312111" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1208" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "110" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "x-ms-correlation-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1211" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c00e892-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.9035618Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 new file mode 100644 index 000000000000..455256232c77 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Tests.ps1 
@@ -0,0 +1,31 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncident'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncident.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncident' {
+ It 'UpdateExpanded' {
+ $getIncident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $env.UpdateincidentId
+ $incident = Update-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateincidentId -Status "Active" -Title $getIncident.Title -Severity $getIncident.Severity
+ $incident.Status | Should -Be "Active"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incident = Get-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -Id $env.UpdateViaIdincidentId
+ $incidentUpdate = Update-AzSentinelIncident -InputObject $incident -Status "Active" -Title $incident.Title -Severity $incident.Severity
+ $incidentUpdate.Status | Should -Be "Active"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json
new file mode 100644
index 000000000000..53fdd252db9b
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json
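Review bot: Both It blocks go to the trouble of re-supplying `-Title` and `-Severity` from a prior Get (presumably because the update replaces the whole incident), but neither asserts that those fields survived the update, so a regression that drops or resets them would pass. Add `$incident.Title | Should -Be $getIncident.Title` and `$incident.Severity | Should -Be $getIncident.Severity` after the Status check in 'UpdateExpanded', and the same pair on `$incidentUpdate` against `$incident` in 'UpdateViaIdentityExpanded'. Nothing in the test establishes that the incident was not already Active before the call, so a pre-condition such as `$getIncident.Status | Should -Not -Be "Active"` would make the Status assertion meaningful. As a point of style, the env keys `UpdateincidentId` and `UpdateViaIdincidentId` use inconsistent casing and abbreviation compared with the sibling tests' `UpdateViaIdentity...` keys.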
@@ -0,0 +1,115 @@ +{ + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "70" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], + "x-ms-correlation-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:1574a9cb-d657-455d-b357-360f32f17a87" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "339" ], + "x-ms-client-request-id": [ "430efa41-3b8e-46b8-9995-d6eb6ca455ca" ], + "CommandName": [ "Get-AzSentinelIncidentComment" ], + "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], + "ParameterSetName": [ 
"__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "x-ms-correlation-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + }, + 
"Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "70" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "x-ms-correlation-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:18:50 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "792" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c00a694-0000-0100-0000-61b55c0a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:50.8684487Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 new file mode 100644 index 000000000000..18829691d5e5 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentComment'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncidentComment.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncidentComment' {
+ It 'UpdateExpanded' {
+ $incidentComment = Update-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentCommentIncidentId -Id $env.UpdateincidentCommentId -Message "UpdateIncidentCommentPSTest"
+ $incidentComment.Message | Should -Be "UpdateIncidentCommentPSTest"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $incidentComment = Get-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentCommentIncidentId -Id $env.UpdateincidentCommentId
+ $incidentCommentUpdate = Update-AzSentinelIncidentComment -InputObject $incidentComment -Message "UpdateIncidentCommentPSTest"
+ $incidentCommentUpdate.Message | Should -Be "UpdateIncidentCommentPSTest"
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json
new file mode 100644
index 000000000000..44b169165908
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json
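Review bot: The two It blocks target the same comment (`$env.UpdateincidentCommentIncidentId` / `$env.UpdateincidentCommentId`) and both write the identical message "UpdateIncidentCommentPSTest", so after 'UpdateExpanded' has run the Get in 'UpdateViaIdentityExpanded' already returns that message and its assertion would pass even if `Update-AzSentinelIncidentComment -InputObject` were a no-op. Give the second test its own value, e.g. `-Message "UpdateIncidentCommentViaIdentityPSTest"` and `$incidentCommentUpdate.Message | Should -Be "UpdateIncidentCommentViaIdentityPSTest"`, or use a separate comment id from `$env`. A pre-condition on the fetched object, `$incidentComment.Message | Should -Not -Be "UpdateIncidentCommentViaIdentityPSTest"`, would then document that the update actually changed state.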
@@ -0,0 +1,187 @@ +{ + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:21.3879941Z\",\n \"queryStartTime\": \"2021-12-12T02:19:21.3875305Z\",\n \"queryEndTime\": \"2021-12-11T02:19:21.3877395Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "271" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1177" ], + "x-ms-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], + "x-ms-correlation-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:d05bbaef-e156-4da8-80c7-121f113af754" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1088" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"name\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"etag\":\"\\\"6b02f1f3-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:13.2559774+00:00\",\"updated\":\"2021-12-12T02:19:13+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:19:21.3879941+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-12T02:19:21.3875305+00:00\",\"queryEndTime\":\"2021-12-11T02:19:21.3877395+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], + "x-ms-correlation-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:dbdd9fe0-d935-476e-b949-202e117f6649" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77\",\"name\":\"defc1116-f142-4647-a377-6869110f6e77\",\"etag\":\"\\\"3c00f395-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceName\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "PUT", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:22.5675905Z\",\n \"queryStartTime\": \"2021-12-12T02:19:22.5673080Z\",\n \"queryEndTime\": \"2021-12-11T02:19:22.5674628Z\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + 
"Content-Type": [ "application/json" ], + "Content-Length": [ "271" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1176" ], + "x-ms-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], + "x-ms-correlation-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:3b119088-390b-44d6-b71a-f2aecac50942" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "1087" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"name\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"etag\":\"\\\"6b02f3f3-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:14.2335643+00:00\",\"updated\":\"2021-12-12T02:19:14+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:19:22.5675905+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2021-12-12T02:19:22.567308+00:00\",\"queryEndTime\":\"2021-12-11T02:19:22.5674628+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "344" ], + "x-ms-client-request-id": [ "39c3accf-62d3-4018-b97d-504a21758816" ], + "CommandName": [ "Get-AzSentinelIncidentRelation" ], + "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + "x-ms-correlation-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + 
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceName\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + }, + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+3": { + "Request": { + "Method": "PUT", + "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\"\n }\n}", + "isContentBase64": false, + "Headers": { + }, + "ContentHeaders": { + "Content-Type": [ "application/json" ], + "Content-Length": [ "283" ] + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "x-ms-correlation-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "828" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c000296-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceName\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 new file mode 100644 index 000000000000..926389139c3b --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 
@@ -0,0 +1,36 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentRelation'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelIncidentRelation.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelIncidentRelation' {
+ It 'UpdateExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incidentRelation = Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateincidentRelationIncidentId -RelationName $env.UpdateincidentRelationId -RelatedResourceId $bookmark.Id
+ $incidentRelation.RelatedResourceId | should -be $bookmark.id
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
+ $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
+ -IncidentId $env.UpdateViaIdincidentRelationIncidentId -RelationName $env.UpdateViaIdincidentRelationId
+ $incidentRelationUpdate = Update-AzSentinelIncidentRelation -InputObject $IncidentRelation -RelatedResourceId $bookmark.Id
+ $incidentRelationUpdate.RelatedResourceId | should -be $bookmark.id
+ }
+}
diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json
new file mode 100644
index 000000000000..5fa3de5c818e
--- /dev/null
+++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json
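Review bot: Each It block creates a bookmark with New-AzSentinelBookmark that nothing removes, so every live (non-playback) run leaves a "UpdateIncidentRelationPSTest" bookmark behind in the test workspace, and each re-record presumably adds a fresh PUT to the recording. An AfterEach that calls Remove-AzSentinelBookmark with the created bookmark's name (the GUID in `$bookmark.Name`) would keep the workspace clean; `$bookmark` would then need to be declared at Describe scope rather than inside each It. The assertion itself is sound: the recorded PUT response returns the new bookmark's resource id as relatedResourceId, which is what `$bookmark.id` holds.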
@@ -0,0 +1,125 @@ +{ + "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "353" ], + "x-ms-client-request-id": [ "52b982d6-4a65-43ef-a2c7-830ed2d49deb" ], + "CommandName": [ "get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11917" ], + "x-ms-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "x-ms-correlation-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T021959Z:ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "785" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + }, + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "354" ], + "x-ms-client-request-id": [ "1b1a5f23-3c84-4709-8959-99c92cdd5ff7" ], + "CommandName": [ "Get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_Get" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + 
"StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11916" ], + "x-ms-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "x-ms-correlation-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T022000Z:79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "383" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "isContentBase64": false + } + }, + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { + "Request": { + "Method": "GET", + "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "Content": null, + "isContentBase64": false, + "Headers": { + "x-ms-unique-id": [ "357" ], + "x-ms-client-request-id": [ "3f577564-30c0-4629-8bf1-1a2da7453d06" ], + 
"CommandName": [ "get-AzSentinelSetting" ], + "FullCommandName": [ "Get-AzSentinelSetting_List" ], + "ParameterSetName": [ "__AllParameterSets" ], + "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "Authorization": [ "[Filtered]" ] + }, + "ContentHeaders": { + } + }, + "Response": { + "StatusCode": 200, + "Headers": { + "Cache-Control": [ "no-cache" ], + "Pragma": [ "no-cache" ], + "Server": [ "Kestrel" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11914" ], + "x-ms-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], + "x-ms-correlation-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], + "x-ms-routing-request-id": [ "WESTUS2:20211212T022001Z:14a48316-711a-4459-834c-a24190ab3126" ], + "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], + "X-Content-Type-Options": [ "nosniff" ], + "Date": [ "Sun, 12 Dec 2021 02:20:00 GMT" ] + }, + "ContentHeaders": { + "Content-Length": [ "401" ], + "Content-Type": [ "application/json; charset=utf-8" ], + "Expires": [ "-1" ] + }, + "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "isContentBase64": false + } + } +} \ No newline at end of file diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 new file mode 100644 index 000000000000..43d3de433d63 --- /dev/null +++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 
@@ -0,0 +1,30 @@
+if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelSetting'))
+{
+ $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+ if (-Not (Test-Path -Path $loadEnvPath)) {
+ $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+ }
+ . ($loadEnvPath)
+ $TestRecordingFile = Join-Path $PSScriptRoot 'Update-AzSentinelSetting.Recording.json'
+ $currentPath = $PSScriptRoot
+ while(-not $mockingPath) {
+ $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+ $currentPath = Split-Path -Path $currentPath -Parent
+ }
+ . ($mockingPath | Select-Object -First 1).FullName
+}
+
+Describe 'Update-AzSentinelSetting' {
+ It 'UpdateExpanded' {
+ Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Disabled
+ $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sttings.Name | Should -Not -Contain "Anomalies"
+ }
+
+ It 'UpdateViaIdentityExpanded' {
+ $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName EyesOn
+ Update-AzSentinelSetting -InputObject $setting -Disabled
+ $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
+ $sttings.Name | Should -Not -Contain "EyesOn"
+ }
+}
diff --git a/src/SecurityInsights/test/common.ps1 b/src/SecurityInsights/test/common.ps1
new file mode 100644
index 000000000000..edffa16c4fbd
--- /dev/null
+++ b/src/SecurityInsights/test/common.ps1
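Review bot: Both assertions read `$sttings.Name`, but the variable assigned on the line before each of them is `$settings`; `$sttings` is never set, so `$null` is piped into `Should -Not -Contain`, the check passes whatever the cmdlet did, and neither test can detect a failed disable. The two lines should be `$settings.Name | Should -Not -Contain "Anomalies"` and `$settings.Name | Should -Not -Contain "EyesOn"`. Once the assertion is real it is worth confirming that the recording covers the write: all three entries in Update-AzSentinelSetting.Recording.json are GETs, so the Update-AzSentinelSetting call in each test does not appear to pass through the recorded pipeline, and the corrected tests may need a fresh recording to pass in playback.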
@@ -0,0 +1,552 @@ +# ---------------------------------------------------------------------------------- +# +# Copyright Microsoft Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ---------------------------------------------------------------------------------- +function Start-WaitForData($seconds) { + $doneDT = (Get-Date).AddSeconds($seconds) + while($doneDT -gt (Get-Date)) { + $secondsLeft = $doneDT.Subtract((Get-Date)).TotalSeconds + $percent = ($seconds - $secondsLeft) / $seconds * 100 + Write-Progress -Activity "Sleeping" -Status "Sleeping..." -SecondsRemaining $secondsLeft -PercentComplete $percent + [System.Threading.Thread]::Sleep(500) + } + Write-Progress -Activity "Sleeping" -Status "Sleeping..." -SecondsRemaining 0 -Completed +} + +Function Write-OMSLogfile { + <# + .SYNOPSIS + Inputs a hashtable, date and workspace type and writes it to a Log Analytics Workspace. + .DESCRIPTION + Given a value pair hash table, this function will write the data to an OMS Log Analytics workspace. + Certain variables, such as Customer ID and Shared Key are specific to the OMS workspace data is being written to. + This function will not write to multiple OMS workspaces. BuildSignature and post-analytics function from Microsoft documentation + at https://docs.microsoft.com/azure/log-analytics/log-analytics-data-collector-api + .PARAMETER DateTime + date and time for the log. DateTime value + .PARAMETER Type + Name of the logfile or Log Analytics "Type". 
Log Analytics will append _CL at the end of custom logs String Value + .PARAMETER LogData + A series of key, value pairs that will be written to the log. Log file are unstructured but the key should be consistent + withing each source. + .INPUTS + The parameters of data and time, type and logdata. Logdata is converted to JSON to submit to Log Analytics. + .OUTPUTS + The Function will return the HTTP status code from the Post method. Status code 200 indicates the request was received. + .NOTES + Version: 2.0 + Author: Travis Roberts + Creation Date: 7/9/2018 + Purpose/Change: Crating a stand alone function + #> + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [datetime]$dateTime, + [parameter(Mandatory = $true, Position = 1)] + [string]$type, + [Parameter(Mandatory = $true, Position = 2)] + [psobject]$logdata, + [Parameter(Mandatory = $true, Position = 3)] + [string]$CustomerID, + [Parameter(Mandatory = $true, Position = 4)] + [string]$SharedKey + ) + Write-Verbose -Message "DateTime: $dateTime" + Write-Verbose -Message ('DateTimeKind:' + $dateTime.kind) + Write-Verbose -Message "Type: $type" + write-Verbose -Message "LogData: $logdata" + + # Supporting Functions + # Function to create the auth signature + Function BuildSignature ($CustomerID, $SharedKey, $Date, $ContentLength, $Method, $ContentType, $Resource) { + $xheaders = 'x-ms-date:' + $Date + $stringToHash = $Method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $Resource + $bytesToHash = [text.Encoding]::UTF8.GetBytes($stringToHash) + $keyBytes = [Convert]::FromBase64String($SharedKey) + $sha256 = New-Object System.Security.Cryptography.HMACSHA256 + $sha256.key = $keyBytes + $calculateHash = $sha256.ComputeHash($bytesToHash) + $encodeHash = [convert]::ToBase64String($calculateHash) + $authorization = 'SharedKey {0}:{1}' -f $CustomerID, $encodeHash + return $authorization + } + # Function to create and post the request + Function PostLogAnalyticsData 
($CustomerID, $SharedKey, $Body, $Type) { + $method = "POST" + $contentType = 'application/json' + $resource = '/api/logs' + $rfc1123date = ($dateTime).ToString('r') + $ContentLength = $Body.Length + $signature = BuildSignature ` + -customerId $CustomerID ` + -sharedKey $SharedKey ` + -date $rfc1123date ` + -contentLength $ContentLength ` + -method $method ` + -contentType $contentType ` + -resource $resource + $uri = "https://" + $customerId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01" + Write-Output "LA_URI : $uri" + $headers = @{ + "Authorization" = $signature; + "Log-Type" = $type; + "x-ms-date" = $rfc1123date + "time-generated-field" = $dateTime + } + $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $Body -UseBasicParsing + Write-Verbose -message ('Post Function Return Code ' + $response.statuscode) + return $response.statuscode + } + + # Check if time is UTC, Convert to UTC if not. + # $dateTime = (Get-Date) + if ($dateTime.kind.tostring() -ne 'Utc') { + $dateTime = $dateTime.ToUniversalTime() + Write-Verbose -Message $dateTime + } + #Build the JSON file + $logMessage = ($logdata | ConvertTo-Json -Depth 20) + + #Submit the data + $returnCode = PostLogAnalyticsData -CustomerID $CustomerID -SharedKey $SharedKey -Body $logMessage -Type $type + Write-Verbose -Message "Post Statement Return Code $returnCode" + return $returnCode +} + + +Function SendToLogA ($eventsTableName, $EventsTableFile, $CustomerId, $SharedKey ) { + $eventsData = Import-Csv $EventsTableFile + + #Test Size; Log A limit is 30MB + $tempdata = @() + $tempDataSize = 0 + + if ((($eventsData | Convertto-json -depth 20).Length) -gt 25MB) { + Write-Host "Upload is over 25MB, needs to be split" + foreach ($record in $eventsData) { + $tempdata += $record + $tempDataSize += ($record | ConvertTo-Json -depth 20).Length + if ($tempDataSize -gt 25MB) { + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type 
$eventsTableName -logdata $tempdata -CustomerID $CustomerId -SharedKey $SharedKey + write-Host "Sending data = $TempDataSize" + $tempdata = $null + $tempdata = @() + $tempDataSize = 0 + } + } + Write-Host "Sending left over data = $Tempdatasize" + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type $eventsTableName -logdata $tempdata -CustomerID $CustomerId -SharedKey $SharedKey + } + Else { + $postLAStatus = Write-OMSLogfile -dateTime (Get-Date) -type $eventsTableName -logdata $eventsData -CustomerID $CustomerId -SharedKey $SharedKey + } + return $postLAStatus +} + +Function Prepare-LogATables{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [datetime]$SubscriptionId, + [parameter(Mandatory = $true, Position = 1)] + [string]$ResourceGroup, + [Parameter(Mandatory = $true, Position = 2)] + [psobject]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 3)] + [psobject]$Tables + + ) + + ForEach($Table in $Tables){ + $tableParams = @' +{ + "properties": { + "schema": { + "name": "LAQueryLogs", + "columns": [ + ] + } + } +} +'@ + Invoke-AzRestMethod -Path "/subscriptions/$SubscriptionId/resourcegroups/$ResourceGroup/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/LAQueryLogs?api-version=2021-03-01-privatepreview" -Method PUT -payload $tableParams + + } +} + +Function Create-AlertRule{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$workspaceName + ) + $alertRuleName = $PSVerb + "AlertRule" + (RandomString -allChars $false -len 6) + $alertRuleId = (New-Guid).Guid + $alertRuleParams = Get-Content .\test\deployment-templates\alertRule\template.parameters.json | ConvertFrom-Json + $alertRuleParams.parameters.alertruleName.value = $alertRuleName + $alertRuleParams.parameters.alertRuleId.value = $alertRuleId + $alertRuleParams.parameters.workspaceName.value = $workspaceName + set-content -Path 
.\test\deployment-templates\alertRule\template.parameters.json -Value (ConvertTo-Json $alertRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\alertRule\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRule\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRule") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+"AlertRuleName"), $alertRuleName) + $null = $env.Add(($PSVerb+"AlertRuleId"), $alertRuleId) + } +} + +Function Create-AlertRuleAction{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$logicAppResourceId, + [Parameter(Mandatory = $true, Position = 3)] + [string]$triggerUrl + + ) + $alertRuleActionRuleId = (New-Guid).Guid + $alertRuleActionRuleName = $PSVerb + "alertRuleActionRuleName" + (RandomString -allChars $false -len 6) + $alertRuleActionId = (New-Guid).Guid + $alertRuleActionParams = Get-Content .\test\deployment-templates\alertRuleAction\template.parameters.json | ConvertFrom-Json + $alertRuleActionParams.parameters.alertRuleActionRuleId.value = $alertRuleActionRuleId + $alertRuleActionParams.parameters.alertRuleActionRuleName.value = $alertRuleActionRuleName + $alertRuleActionParams.parameters.alertRuleActionId.value = $alertRuleActionId + $alertRuleActionParams.parameters.workspaceName.value = $workspaceName + $alertRuleActionParams.parameters.logicAppResourceId.value = $logicAppResourceId + $alertRuleActionParams.parameters.triggerUrl.value = $triggerUrl + set-content -Path .\test\deployment-templates\alertRuleAction\template.parameters.json -Value (ConvertTo-Json $alertRuleActionParams) + $TemplateFile = (Get-ChildItem 
$TemplatePath\alertRuleAction\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\alertRuleAction\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AlertRuleAction") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+"alertRuleActionRuleId"), $alertRuleActionRuleId) + $null = $env.Add(($PSVerb+"alertRuleActionRuleName"), $alertRuleActionRuleName) + $null = $env.Add(($PSVerb+"AlertRuleActionId"), $alertRuleActionId) + } +} + +Function Create-AutomationRule{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$logicAppResourceId + + ) + $automationRuleName = $PSVerb+"AutomationRule"+ (RandomString -allChars $false -len 6) + $automationRuleId = (New-Guid).Guid + $automationRuleParams = Get-Content .\test\deployment-templates\automationRule\template.parameters.json | ConvertFrom-Json + $automationRuleParams.parameters.automationRuleName.value = $automationRuleName + $automationRuleParams.parameters.automationRuleId.value = $automationRuleId + $automationRuleParams.parameters.workspaceName.value = $workspaceName + $automationRuleParams.parameters.logicAppResourceId.value = $logicAppResourceId + set-content -Path .\test\deployment-templates\automationRule\template.parameters.json -Value (ConvertTo-Json $automationRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\automationRule\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\automationRule\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"AutomationRule") -ResourceGroupName 
$resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'AutomationRule'), $automationRuleName) + $null = $env.Add(($PSVerb+'AutomationRuleId'), $automationRuleId) + } +} + +Function Create-Bookmark{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $bookmarkName = $PSVerb+"bookmark"+ (RandomString -allChars $false -len 6) + $bookmarkId = (New-Guid).Guid + $bookmarkParams = Get-Content .\test\deployment-templates\bookmark\template.parameters.json | ConvertFrom-Json + $bookmarkParams.parameters.bookmarkName.value = $bookmarkName + $bookmarkParams.parameters.bookmarkId.value = $bookmarkId + $bookmarkParams.parameters.workspaceName.value = $workspaceName + $bookmarkParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + set-content -Path .\test\deployment-templates\bookmark\template.parameters.json -Value (ConvertTo-Json $bookmarkParams) + $TemplateFile = (Get-ChildItem $TemplatePath\bookmark\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmark\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"bookmark") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'BookmarkName'), $bookmarkName) + $null = $env.Add(($PSVerb+'BookmarkId'), $bookmarkId) + } + # workaround using API to create bookmarks. 
+ #$queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + #$queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + #$uri = "https://management.azure.com/subscriptions/"+$env.SubscriptionId+"/resourceGroups/"+$env.resourceGroupName+"/providers/Microsoft.OperationalInsights/workspaces/"+$env.workspaceName+"/providers/Microsoft.SecurityInsights/bookmarks/"+$bookmarkId+"?api-version=2020-01-01" + #$token = ConvertTo-SecureString -String ((Get-AzAccessToken).Token) -AsPlainText + #$body = @{ + # "properties" = @{ + # "displayName" = "$bookmarkName" + # "labels" = @( "asptest" ) + # "notes" = "Notes go here" + # "query" = "SecurityEvent\n| take 1" + # "queryStartTime" = "$queryStartTime" + # "queryEndTime" = "$queryEndTime" + # "eventTime" = "$queryEndTime" + # } + #} + #$result = Invoke-RestMethod -Uri $uri -Method PUT -Authentication Bearer -Token $token -Body ($body | ConvertTo-Json) +} + +Function Create-BookmarkRelation{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $bookmarkRelationName = $PSVerb + "bookmarkRelation"+ (RandomString -allChars $false -len 6) + $bookmarkRelationId = (New-Guid).Guid + $bookmarkRelationBookmarkId = (New-Guid).Guid + $bookmarkRelationBookmarkName = $PSVerb + "bookmarkRelationBookmarkName"+ (RandomString -allChars $false -len 6) + $bookmarkRelationIncidentId = (New-Guid).Guid + $bookmarkRelationIncidentName = $PSVerb + "bookmarkRelationIncidentName"+ (RandomString -allChars $false -len 6) + $bookmarkRelationParams = Get-Content .\test\deployment-templates\bookmarkRelation\template.parameters.json | ConvertFrom-Json + $bookmarkRelationParams.parameters.bookmarkRelationId.value = $bookmarkRelationId + $bookmarkRelationParams.parameters.bookmarkRelationBookmarkId.value = $bookmarkRelationBookmarkId + 
$bookmarkRelationParams.parameters.bookmarkRelationBookmarkName.value = $bookmarkRelationBookmarkName + $bookmarkRelationParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkRelationParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $bookmarkRelationParams.parameters.bookmarkRelationIncidentId.value = $bookmarkRelationIncidentId + $bookmarkRelationParams.parameters.bookmarkRelationIncidentName.value = $bookmarkRelationIncidentName + $bookmarkRelationParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\bookmarkRelation\template.parameters.json -Value (ConvertTo-Json $bookmarkRelationParams) + $TemplateFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\bookmarkRelation\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"BookmarkRelation") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'BookmarkRelationName'), $bookmarkRelationName) + $null = $env.Add(($PSVerb+'BookmarkRelationId'), $bookmarkRelationId) + $null = $env.Add(($PSVerb+'bookmarkRelationBookmarkId'), $bookmarkRelationBookmarkId) + $null = $env.Add(($PSVerb+'bookmarkRelationBookmarkName'), $bookmarkRelationBookmarkName) + $null = $env.Add(($PSVerb+'BookmarkRelationIncidentId'), $bookmarkRelationIncidentId) + $null = $env.Add(($PSVerb+'bookmarkRelationIncidentName'), $bookmarkRelationIncidentName) + } +} + +Function Create-EntityQuery{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $entityQueryActivityName = 
$PSVerb+"entityQueryActivity"+ (RandomString -allChars $false -len 6) + $entityQueryActivityId = (New-Guid).Guid + $entityQueryParams = Get-Content .\test\deployment-templates\entityQuery\template.parameters.json | ConvertFrom-Json + $entityQueryParams.parameters.entityQueryActivityId.value = $entityQueryActivityId + $entityQueryParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\entityQuery\template.parameters.json -Value (ConvertTo-Json $entityQueryParams) + $TemplateFile = (Get-ChildItem $TemplatePath\entityQuery\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\entityQuery\template.parameters.json).FullName + # Bug Sent to Aviv + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"entityQuery") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'entityQueryActivityName'), $entityQueryActivityName) + $null = $env.Add(($PSVerb+'entityQueryActivityId'), $entityQueryActivityId) + } +} + +Function Create-Incident{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentName = $PSVerb+"incident"+ (RandomString -allChars $false -len 6) + $incidentId = (New-Guid).Guid + $incidentParams = Get-Content .\test\deployment-templates\incident\template.parameters.json | ConvertFrom-Json + $incidentParams.parameters.incidentId.value = $incidentId + $incidentParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incident\template.parameters.json -Value (ConvertTo-Json $incidentParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incident\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incident\template.parameters.json).FullName + $result = 
New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incident") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentName'), $incidentName) + $null = $env.Add(($PSVerb+'incidentId'), $incidentId) + } +} + +Function Create-IncidentComment{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentCommentName = $PSVerb+"incidentComment"+ (RandomString -allChars $false -len 6) + $incidentCommentId = (New-Guid).Guid + $incidentCommentIncidentId = (New-Guid).Guid + $incidentCommentParams = Get-Content .\test\deployment-templates\incidentComment\template.parameters.json | ConvertFrom-Json + $incidentCommentParams.parameters.incidentCommentIncidentId.value = $incidentCommentIncidentId + $incidentCommentParams.parameters.incidentCommentId.value = $incidentCommentId + $incidentCommentParams.parameters.incidentCommentName.value = $incidentCommentName + $incidentCommentParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incidentComment\template.parameters.json -Value (ConvertTo-Json $incidentCommentParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incidentComment\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentComment\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentComment") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentCommentName'), $incidentCommentName) + $null = $env.Add(($PSVerb+'incidentCommentId'), $incidentCommentId) + $null = $env.Add(($PSVerb+'incidentCommentIncidentId'), $incidentCommentIncidentId) + 
} +} + +Function Create-IncidentRelation{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName + ) + $incidentRelationName = $PSVerb+"incidentRelationName"+ (RandomString -allChars $false -len 6) + $incidentRelationId = (New-Guid).Guid + $incidentRelationIncidentName = $PSVerb+"incidentRelationIncidentName"+ (RandomString -allChars $false -len 6) + $incidentRelationIncidentId = (New-Guid).Guid + $incidentRelationBookmarkName = $PSVerb+"incidentRelationBookmarkName"+ (RandomString -allChars $false -len 6) + $incidentRelationBookmarkId = (New-Guid).Guid + $incidentRelationParams = Get-Content .\test\deployment-templates\incidentRelation\template.parameters.json | ConvertFrom-Json + $incidentRelationParams.parameters.incidentRelationBookmarkId.value = $incidentRelationBookmarkId + $incidentRelationParams.parameters.incidentRelationBookmarkName.value = $incidentRelationBookmarkName + $incidentRelationParams.parameters.incidentRelationIncidentId.value = $incidentRelationIncidentId + $incidentRelationParams.parameters.incidentRelationIncidentName.value = $incidentRelationIncidentName + $incidentRelationParams.parameters.queryStartTime.value = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $incidentRelationParams.parameters.queryEndTime.value = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $incidentRelationParams.parameters.incidentRelationId.value = $incidentRelationId + $incidentRelationParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\incidentRelation\template.parameters.json -Value (ConvertTo-Json $incidentRelationParams) + $TemplateFile = (Get-ChildItem $TemplatePath\incidentRelation\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\incidentRelation\template.parameters.json).FullName + #Bug due to 
bookmark + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"incidentRelation") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'incidentRelationName'), $incidentRelationName) + $null = $env.Add(($PSVerb+'incidentRelationId'), $incidentRelationId) + $null = $env.Add(($PSVerb+'incidentRelationIncidentId'), $incidentRelationIncidentId) + $null = $env.Add(($PSVerb+'incidentRelationIncidentName'), $incidentRelationIncidentName) + $null = $env.Add(($PSVerb+'incidentRelationBookmarkId'), $incidentRelationBookmarkId) + $null = $env.Add(($PSVerb+'incidentRelationBookmarkName'), $incidentRelationBookmarkName) + } +} + +Function Create-SourceControl{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$Url + ) + $sourceControlName = $PSVerb+"sourceControl"+ (RandomString -allChars $false -len 6) + $sourceControlId = (New-Guid).Guid + $sourceControlParams = Get-Content .\test\deployment-templates\sourceControl\template.parameters.json | ConvertFrom-Json + $sourceControlParams.parameters.sourceControlId.value = $sourceControlId + $sourceControlParams.parameters.sourceControlName.value = $sourceControlName + $sourceControlParams.parameters.url.value = $url + $sourceControlParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\sourceControl\template.parameters.json -Value (ConvertTo-Json $sourceControlParams) + $TemplateFile = (Get-ChildItem $TemplatePath\sourceControl\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\sourceControl\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile 
$TemplateParametersFile -Name ($PSVerb+"sourceControl") -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add(($PSVerb+'sourceControlName'), $sourceControlName) + $null = $env.Add(($PSVerb+'sourceControlId'), $sourceControlId) + $null = $env.Add(($PSVerb+'sourceControlurl'), $url) + } +} + +Function Create-ThreatIntelligenceIndicator{ + [cmdletbinding()] + Param( + [Parameter(Mandatory = $true, Position = 0)] + [string]$PSVerb, + [Parameter(Mandatory = $true, Position = 1)] + [string]$WorkspaceName, + [Parameter(Mandatory = $true, Position = 2)] + [string]$IP + ) + $threatIntelligenceIndicatorName = $PSVerb+"threatIntelligenceIndicator"+ (RandomString -allChars $false -len 6) + $threatIntelligenceIndicatorId = (New-Guid).Guid + $threatIntelligenceIndicatorDate = (get-date).ToUniversalTime() | Get-Date -Format "ddd, dd MMM yyyy hh:00:00 'GMT'" + $threatIntelligenceIndicatorParams = Get-Content .\test\deployment-templates\threatIntelligenceIndicator\template.parameters.json | ConvertFrom-Json + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorId.value = $threatIntelligenceIndicatorId + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorName.value = $threatIntelligenceIndicatorName + $threatIntelligenceIndicatorParams.parameters.ip.value = $IP + $threatIntelligenceIndicatorParams.parameters.threatIntelligenceIndicatorDate.value = $threatIntelligenceIndicatorDate + $threatIntelligenceIndicatorParams.parameters.workspaceName.value = $workspaceName + set-content -Path .\test\deployment-templates\threatIntelligenceIndicator\template.parameters.json -Value (ConvertTo-Json $threatIntelligenceIndicatorParams) + $TemplateFile = (Get-ChildItem $TemplatePath\threatIntelligenceIndicator\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\threatIntelligenceIndicator\template.parameters.json).FullName + #ARM doesnt work use API + #$result = 
New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name ($PSVerb+"threatIntelligenceIndicator") -ResourceGroupName $resourceGroupName + #if($result.ProvisioningState -eq "Succeeded"){ + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorName'), $threatIntelligenceIndicatorName) + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorId'), $threatIntelligenceIndicatorId) + # $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorIP'), $IP) + #} + $tiToken = (Get-AzAccessToken).Token + $tiHeaders = @{ + Authorization="Bearer $tiToken" + Content='application/json' + } + $tiBody = @{ + "kind" = "indicator" + "properties" = @{ + "confidence" = 0 + "threatTypes"= @( + "unknown" + ) + "displayName" = "$threatIntelligenceIndicatorName" + "pattern" = "[ipv4-addr:value = '$ip']" + "patternType" = "ipv4-addr" + "revoked" = $false + "validFrom" = "$threatIntelligenceIndicatorDate" + "validUntil" = $null + "source" = "Azure Sentinel" + "threatIntelligenceTags" = @() + } + } + $tiBody = $tiBody | Convertto-json + $uri = "https://management.azure.com/subscriptions/"+ $env.SubscriptionId + "/resourceGroups/" + $env.resourceGroupName + "/providers/Microsoft.OperationalInsights/workspaces/" + $env.workspaceName + "/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2021-09-01-preview" + $indicator = Invoke-RestMethod -Method POST -Uri $Uri -Headers $tiHeaders -body $tiBody -ContentType Application/json + #if($indicator.Kind -eq "indicator"){ + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorName'), $threatIntelligenceIndicatorName) + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorId'), ($indicator.Name)) + $null = $env.Add(($PSVerb+'threatIntelligenceIndicatorIP'), $IP) + #} +} \ No newline at end of file diff --git a/src/SecurityInsights/test/constants.json b/src/SecurityInsights/test/constants.json new file mode 100644 index 000000000000..e204ea31dadb --- /dev/null 
+++ b/src/SecurityInsights/test/constants.json
@@ -0,0 +1,4 @@
+{
+ "location" : "Central US",
+ "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/alertRule/template.json b/src/SecurityInsights/test/deployment-templates/alertRule/template.json
new file mode 100644
index 000000000000..aef1b4aa95f4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRule/template.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleName": {
+ "defaultValue": "alertRuleName",
+ "type": "String"
+ },
+ "alertRuleId": {
+ "defaultValue": "alertRuleId",
+ "type": "String"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Scheduled",
+ "properties": {
+ "description": "[concat(parameters('alertRuleName'), ' ', parameters('alertRuleId'))]",
+ "displayName": "[parameters('alertRuleName')]",
+ "enabled": true,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "groupByEntities": [],
+ "lookbackDuration": "PT5H",
+ "MatchingMethod": "AllEntities",
+ "reopenClosedIncident": false
+ }
+ },
+ "query": "SecurityEvent\n| take 1",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "severity": "Informational",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "tactics": [ "Execution" ],
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0
+ }
+ }
+ ]
+}
\ No newline at end of file
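Review bot: The alertRule fixture is deployed with `"enabled": true` and `"createIncident": true`, so from the moment it lands it runs `SecurityEvent | take 1` once a day and opens an incident on every hit for as long as it survives in the shared test workspace, which a failed cleanup can make indefinite. Unless a test in this module depends on the rule actually firing, a CRUD fixture is safer as `"enabled": false`. Separately, `"MatchingMethod": "AllEntities"` is the only Pascal-cased key inside `groupingConfiguration`; write it `"matchingMethod"` to match the surrounding camelCase properties.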
diff --git a/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
new file mode 100644
index 000000000000..e0ad7018fd73
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleName": {
+ "value": "UpdateViaIdAlertRuledgk4wi"
+ },
+ "alertRuleId": {
+ "value": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json
new file mode 100644
index 000000000000..eaca4a5c4a23
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.json
@@ -0,0 +1,80 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleActionRuleId": {
+ "defaultValue": "alertRuleActionRuleId",
+ "type": "string"
+ },
+ "alertRuleActionRuleName": {
+ "defaultValue": "alertRuleActionRuleName",
+ "type": "string"
+ },
+ "alertRuleActionId": {
+ "defaultValue": "alertRuleActionId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ },
+ "logicAppResourceId":{
+ "defaultValue": "logicAppResourceId",
+ "type": "string"
+ },
+ "triggerUrl": {
+ "defaultValue": "triggerUrl",
+ "type": "string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleActionRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Scheduled",
+ "properties": {
+ "description": "[concat(parameters('alertRuleActionRuleName'), ' ', parameters('alertRuleActionRuleId'))]",
+ "displayName": "[parameters('alertRuleActionRuleName')]",
+ "enabled": true,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "groupByEntities": [],
+ "lookbackDuration": "PT5H",
+ "MatchingMethod": "AllEntities",
+ "reopenClosedIncident": false
+ }
+ },
+ "query": "SecurityEvent\n| take 1",
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "severity": "Informational",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "tactics": [ "Execution" ],
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('alertRuleActionRuleId'), '/', parameters('alertRuleActionId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules/actions",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/alertRules', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('alertRuleActionRuleId'))]" ],
+ "properties": {
+ "logicAppResourceId": "[parameters('logicAppResourceId')]",
+ "triggerUri": "[parameters('triggerUrl')]"
+ }
+ }
+ ],
+ "outputs": {
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json
new file mode 100644
index 000000000000..ed36ae3cec2d
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "alertRuleActionRuleId": {
+ "value": "a555c523-e318-4501-bfe8-b9c6da354af7"
+ },
+ "alertRuleActionRuleName": {
+ "value": "UpdateViaIdalertRuleActionRuleNameymswnj"
+ },
+ "alertRuleActionId": {
+ "value": "34ec4b87-3f90-443e-9034-c32e77c5fb6e"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "logicAppResourceId": {
+ "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert"
+ },
+ "triggerUrl": {
+ "value": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ"
+ }
+ }
+}
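Review bot: `triggerUrl` is declared as a plain `string` parameter although the value it carries (see the companion parameters file) is a Logic App callback URL whose `sig=` component is the shared access signature that authorizes invoking the trigger. ARM keeps plain-string parameter values in the resource group's deployment history, where anyone with Reader on the group can retrieve them, so declare it `"triggerUrl": { "type": "securestring" }` to keep the signature out of history and deployment output. The `logicAppResourceId` parameter is a non-secret ARM ID and can stay a `string`.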
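Review bot: The committed `triggerUrl` value embeds a live Logic App trigger signature (`sig=8Sgw…`) for the `Block-AADUser-Alert` workflow; anyone who can read this repository can invoke that playbook with it, and git history keeps the value after it is edited out. Treat it as leaked: regenerate the workflow's access key so this signature stops validating, and replace the committed value with a placeholder such as `"value": "triggerUrl"`. The test helper in this PR rewrites this parameters file in place with `Set-Content` during setup, which is presumably how a real value ended up here; writing the populated copy to a temp path instead, or ignoring `template.parameters.json` in `.gitignore`, would stop future runs from staging it again.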
diff --git a/src/SecurityInsights/test/deployment-templates/authorization/template.json b/src/SecurityInsights/test/deployment-templates/authorization/template.json
new file mode 100644
index 000000000000..ffe2c6c0bdb1
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/authorization/template.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ASIServicePrinicpal": {
+ "defaultValue": "ASIServicePrinicpal",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "roleAssignmentName": "[guid(parameters('ASIServicePrinicpal'), resourceGroup().id)]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2021-04-01-preview",
+ "name": "[variables('roleAssignmentName')]",
+ "properties": {
+ "roleDefinitionId": "[concat('/subscriptions/', subscription().id, '/', resourceGroup().name, '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a')]",
+ "principalId": "[parameters('ASIServicePrinicpal')]"
+ }
+ }
+ ],
+ "outputs": {
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
new file mode 100644
index 000000000000..80cc3c6d007c
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "ASIServicePrinicpal": {
+ "value": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/automationRule/template.json b/src/SecurityInsights/test/deployment-templates/automationRule/template.json
new file mode 100644
index 000000000000..f5e91b749b48
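Review bot: `roleDefinitionId` is built incorrectly: `subscription().id` already evaluates to `/subscriptions/<id>`, so prefixing it with `'/subscriptions/'` doubles that segment, and `resourceGroup().name` is spliced in with no `/resourceGroups/` segment (role definitions are not resource-group resources in any case). Replace the `concat(...)` with `"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f4c81013-99ee-4d62-a7ee-b3f1f648599a')]"`. Add `"principalType": "ServicePrincipal"` next to `principalId` so the assignment is not rejected by directory replication delay when the principal was only just created. The GUID appears to be the Microsoft Sentinel Automation Contributor role; since JSON cannot carry a comment, record that in a `"metadata": { "description": "…" }` on the parameter, and fix the `ASIServicePrinicpal` spelling, which is repeated in the parameters file and in constants.json.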
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/automationRule/template.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationRuleName": {
+ "defaultValue": "automationRuleName",
+ "type": "string"
+ },
+ "automationRuleId": {
+ "defaultValue": "automationRuleId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ },
+ "logicAppResourceId":{
+ "defaultValue": "logicAppResourceId",
+ "type": "string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('automationRuleId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
+ "apiVersion": "2019-01-01-preview",
+ "properties": {
+ "actions": [
+ {
+ "order": 1,
+ "actionType": "RunPlaybook",
+ "actionConfiguration": {
+ "logicAppResourceId": "[parameters('logicAppResourceId')]",
+ "tenantId": "[subscription().tenantId]"
+ }
+ }
+ ],
+ "displayName": "[parameters('automationRuleName')]",
+ "order": 1,
+ "triggeringLogic": {
+ "conditions": [],
+ "isEnabled": true,
+ "triggersOn": "Incidents",
+ "triggersWhen": "Created",
+ "expirationTimeUtc": null
+ }
+ }
+ }
+ ],
+ "outputs": {
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
new file mode 100644
index 000000000000..0b2f0d689dac
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
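Review bot: The automation rule is created with `"conditions": []`, `"isEnabled": true` and `"expirationTimeUtc": null`, so for as long as it exists it runs the configured playbook against every incident created in the workspace, not only the test's own; the companion parameters file points that playbook at a workflow named `Block-AADUser-Incident`. If the tests only exercise CRUD on the rule, deploy it with `"isEnabled": false`, or give `expirationTimeUtc` a short window, so a failed cleanup cannot leave a self-running remediation in the shared workspace. `"apiVersion": "2019-01-01-preview"` also predates the `2021-03-01-preview` used by the alert-rule templates in this PR; aligning the fixtures on one contract version avoids surprises when properties differ between previews.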
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "automationRuleName": {
+ "value": "UpdateViaIdAutomationRulezi05h4"
+ },
+ "automationRuleId": {
+ "value": "61701d90-8353-4d61-b435-f9905a31142d"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "logicAppResourceId": {
+ "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/bookmark/template.json b/src/SecurityInsights/test/deployment-templates/bookmark/template.json
new file mode 100644
index 000000000000..83bed78db2bf
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/bookmark/template.json
@@ -0,0 +1,44 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "bookmarkName": { + "defaultValue": "bookmarkName", + "type": "String" + }, + "bookmarkId": { + "defaultValue": "bookmarkId", + "type": "String" + }, + "workspaceName": { + "defaultValue": "workspaceName", + "type": "string" + }, + "queryStartTime": { + "defaultValue": "queryStartTime", + "type": "string" + }, + "queryEndTime": { + "defaultValue": "queryEndTime", + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkId'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks", + "apiVersion": "2020-01-01", + "properties": { + "displayName": "[parameters('bookmarkName')]", + "labels": [ "asptest" ], + "notes": "Notes go here", + "query": "SigninLogs_CL", + "queryStartTime": "[parameters('queryStartTime')]", + "queryEndTime": "[parameters('queryEndTime')]", + "eventTime": "[parameters('queryEndTime')]", + "queryResult": "{\"TenantId\":\"6ad64079-1c3e-4672-bc2d-08df98ad5751\",\"SourceSystem\":\"RestAPI\",\"MG\":\"\",\"ManagementGroupName\":\"\",\"TimeGenerated\":\"2021-12-08T03:59:19.262Z\",\"Computer\":\"\",\"RawData\":\"\",\"ResourceId\":\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\",\"OperationName\":\"Sign-in activity\",\"OperationVersion\":\"1\",\"Category\":\"SignInLogs\",\"ResultType\":\"0\",\"ResultSignature\":\"None\",\"ResultDescription\":\"\",\"DurationMs\":0,\"CorrelationId\":\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\",\"Resource\":\"Microsoft.aadiam\",\"ResourceGroup\":\"Microsoft.aadiam\",\"ResourceProvider\":\"\",\"Identity_s\":\"Adele Vance\",\"Level\":\"4\",\"Location_s\":\"IL\",\"AlternateSignInName_s\":\"\",\"AppDisplayName_s\":\"Azure 
Portal\",\"AppId_g\":\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\",\"AuthenticationDetails_s\":\"[\\r\\n {\\r\\n \\\"authenticationStepDateTime\\\": \\\"2021-04-28T14:08:45.2213421+00:00\\\",\\r\\n \\\"authenticationMethod\\\": \\\"Previously satisfied\\\",\\r\\n \\\"succeeded\\\": true,\\r\\n \\\"authenticationStepResultDetail\\\": \\\"First factor requirement satisfied by claim in the token\\\",\\r\\n \\\"authenticationStepRequirement\\\": \\\"Primary authentication\\\",\\r\\n \\\"StatusSequence\\\": 0,\\r\\n \\\"RequestSequence\\\": 0\\r\\n }\\r\\n]\",\"AuthenticationMethodsUsed_s\":\"\",\"AuthenticationProcessingDetails_s\":\"[\\r\\n {\\r\\n \\\"key\\\": \\\"IsCAEToken\\\",\\r\\n \\\"value\\\": \\\"False\\\"\\r\\n }\\r\\n]\",\"AuthenticationRequirement_s\":\"singleFactorAuthentication\",\"AuthenticationRequirementPolicies_s\":\"[]\",\"ClientAppUsed_s\":\"Browser\",\"ConditionalAccessPolicies_dynamic_s\":\"[{\\\"enforcedSessionControls\\\":[],\\\"conditionsNotSatisfied\\\":0,\\\"enforcedGrantControls\\\":[],\\\"conditionsSatisfied\\\":0,\\\"displayName\\\":\\\"Exchange Online Requires Compliant Device\\\",\\\"result\\\":\\\"notEnabled\\\",\\\"id\\\":\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\"}]\",\"ConditionalAccessPolicies_string_s\":\"\",\"ConditionalAccessStatus_s\":\"notApplied\",\"CreatedDateTime_UTC__s\":\"4/28/2021, 2:08:45.221 PM\",\"DeviceDetail_dynamic_s\":\"{\\\"operatingSystem\\\":\\\"Windows 10\\\",\\\"deviceId\\\":\\\"\\\",\\\"browser\\\":\\\"Edge 90.0.818\\\"}\",\"DeviceDetail_string_s\":\"\",\"IsInteractive_s\":\"TRUE\",\"Id_g\":\"cfb68155-70f5-4e28-b046-0a3a7086c401\",\"IPAddress\":\"175.45.176.99\",\"IsRisky_s\":\"\",\"LocationDetails_dynamic_s\":\"{\\\"countryOrRegion\\\":\\\"IL\\\",\\\"geoCoordinates\\\":{\\\"longitude\\\":34.79964828491211,\\\"latitude\\\":32.02956008911133},\\\"state\\\":\\\"Tel 
Aviv\\\",\\\"city\\\":\\\"Azor\\\"}\",\"LocationDetails_string_s\":\"\",\"MfaDetail_dynamic_s\":\"{}\",\"MfaDetail_string_s\":\"\",\"NetworkLocationDetails_s\":\"[]\",\"OriginalRequestId_g\":\"cfb68155-70f5-4e28-b046-0a3a7086c401\",\"ProcessingTimeInMilliseconds_s\":\"3535\",\"RiskDetail_s\":\"none\",\"RiskEventTypes_s\":\"[]\",\"RiskEventTypes_V2_s\":\"[]\",\"RiskLevelAggregated_s\":\"none\",\"RiskLevelDuringSignIn_s\":\"none\",\"RiskState_s\":\"none\",\"ResourceDisplayName_s\":\"Windows Azure Service Management API\",\"ResourceIdentity_g\":\"797f4846-ba00-4fd7-ba43-dac1f8f63013\",\"ServicePrincipalId_s\":\"\",\"ServicePrincipalName_s\":\"\",\"Status_dynamic_s\":\"{\\\"errorCode\\\":0}\",\"Status_string_s\":\"\",\"TokenIssuerName_s\":\"\",\"TokenIssuerType_s\":\"AzureAD\",\"UserAgent_s\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\",\"UserDisplayName_s\":\"Adele Vance\",\"UserId_g\":\"9b117c67-170e-4aed-9702-658b3fddc889\",\"UserPrincipalName_s\":\"adelev@m365x816222.onmicrosoft.com\",\"AADTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"UserType_s\":\"Member\",\"FlaggedForReview_s\":\"\",\"SignInIdentifier_s\":\"\",\"SignInIdentifierType_s\":\"\",\"ResourceTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"HomeTenantId_g\":\"2ad3fc79-1859-42fa-9011-6f8df2251b22\",\"Type_s\":\"SigninLogs\",\"AdditionalDetails_s\":\"\",\"InitiatedBy_s\":\"\",\"ResourceIdentity_s\":\"\",\"HomeTenantId_s\":\"\",\"Type\":\"SigninLogs_CL\",\"_ResourceId\":\"\"}" + } + } + ] +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json new file mode 100644 index 000000000000..70c0ce3ee6dc --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json 
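Review bot: `queryResult` is a multi-kilobyte escaped SigninLogs record carrying tenant IDs, a user object ID, a UPN (`adelev@m365x816222.onmicrosoft.com`), a source IP and a full user-agent string; it reads like Microsoft demo-tenant data, but a fixture in a public repository should be the minimal synthetic record the test needs, and the values should be confirmed synthetic before merge. Trim it to a handful of fields (for example `TimeGenerated`, `UserPrincipalName_s`, `IPAddress`) with obviously fake values. Note also that `"query": "SigninLogs_CL"` differs from the `SecurityEvent\n| take 1` used by the bookmarkRelation template that follows; unless a test asserts on the query text, one query across the bookmark fixtures keeps them interchangeable.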
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "bookmarkName": {
+ "value": "Expandbookmarkq42uhy"
+ },
+ "bookmarkId": {
+ "value": "b35d430d-02ac-4025-a10e-32cd2ffbe46b"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "queryStartTime": {
+ "Value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "Value": "2021-12-12T01:00:00.000Z"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json
new file mode 100644
index 000000000000..bb2d5b77c1c0
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.json
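Review bot: The `queryStartTime` and `queryEndTime` entries use `"Value"` with a capital V while the other parameters in this file use `"value"`; the same capitalised key appears on `workspaceName` in bookmarkRelation/template.parameters.json further down. ARM resolves parameter-file properties case-insensitively as far as I know, so the deployment most likely still binds, but the deploymentParameters schema declared at the top spells the property `value`, and schema-aware editors or linters will flag the mismatch. Change both to `"value": "2021-12-11T01:00:00.000Z"` and `"value": "2021-12-12T01:00:00.000Z"` so every parameters file in the set uses the same spelling.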
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "bookmarkRelationId": {
+ "defaultValue": "bookmarkRelationId",
+ "type": "string"
+ },
+ "bookmarkRelationBookmarkId": {
+ "defaultValue": "bookmarkRelationBookmarkId",
+ "type": "string"
+ },
+ "bookmarkRelationBookmarkName": {
+ "defaultValue": "bookmarkRelationBookmarkName",
+ "type": "string"
+ },
+ "queryStartTime": {
+ "defaultValue": "queryStartTime",
+ "type": "string"
+ },
+ "queryEndTime": {
+ "defaultValue": "queryEndTime",
+ "type": "string"
+ },
+ "bookmarkRelationIncidentId": {
+ "defaultValue": "bookmarkRelationIncidentId",
+ "type": "string"
+ },
+ "bookmarkRelationIncidentName": {
+ "defaultValue": "bookmarkRelationIncidentName",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkRelationIncidentId'))]",
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "[parameters('bookmarkRelationIncidentName')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkRelationBookmarkId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks",
+ "apiVersion": "2020-01-01",
+ "properties": {
+ "displayName": "[parameters('bookmarkRelationBookmarkName')]",
+ "labels": [ "asptest" ],
+ "notes": "Notes go here",
+ "query": "SecurityEvent\n| take 1",
+ "queryStartTime": "[parameters('queryStartTime')]",
+ "queryEndTime": "[parameters('queryEndTime')]",
+ "eventTime": "[parameters('queryEndTime')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('bookmarkRelationBookmarkId'), '/', parameters('bookmarkRelationId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks/relations",
+ "apiVersion": "2020-01-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationBookmarkId'))]",
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationIncidentId'))]"
+ ],
+ "properties": {
+ "relatedResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('bookmarkRelationIncidentId'))]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json
new file mode 100644
index 000000000000..6f579cd722fa
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json
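Review bot: The `queryStartTime` and `queryEndTime` parameters default to the literal strings `"queryStartTime"` and `"queryEndTime"`, and those values feed the bookmark's `queryStartTime`, `queryEndTime` and `eventTime` properties, which are date-time fields in the bookmark API; a deployment that omits the parameters file therefore passes template validation and only fails when the bookmark resource is created. Either remove the `defaultValue` so the two parameters are required, or give them a parseable default such as `"defaultValue": "2021-12-11T01:00:00.000Z"`, the value the parameters file supplies. incidentRelation/template.json later in this patch declares the same two parameters with the same placeholder defaults.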
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "bookmarkRelationId": {
+ "value": "e2e68737-82b4-49f0-822f-f9196f65aac8"
+ },
+ "bookmarkRelationBookmarkId": {
+ "value": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf"
+ },
+ "bookmarkRelationBookmarkName": {
+ "value": "UpdateViaIdbookmarkRelationBookmarkName5modef"
+ },
+ "queryStartTime": {
+ "value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "value": "2021-12-12T01:00:00.000Z"
+ },
+ "bookmarkRelationIncidentId": {
+ "value": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb"
+ },
+ "bookmarkRelationIncidentName": {
+ "value": "UpdateViaIdbookmarkRelationIncidentName84x0ne"
+ },
+ "workspaceName": {
+ "Value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/customData/alertRules.json b/src/SecurityInsights/test/deployment-templates/customData/alertRules.json
new file mode 100644
index 000000000000..c010ad5fe9e4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/customData/alertRules.json
@@ -0,0 +1,218 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string" + }, + "solarigateRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "disabledRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "mlRuleGuid": { + "type": "string", + "defaultValue": "[newGuid()]" + } + }, + "variables": { + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('solarigateRuleGuid'))]", + "kind": "Scheduled", + "apiVersion":"2021-03-01-preview", + "properties": { + "displayName": "Solorigate Network Beacon", + "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1", + "severity": "High", + "enabled": true, + "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where 
isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns \n | where isnotempty(Query)\n | where Query in~ (domains)\n | extend DNSName = Query\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "CommandAndControl" + ], + "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AnyAlert", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": null, + "customDetails": null, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "DNS", + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "DNSName" + } + ] + } + ], + "templateVersion": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('disabledRuleGuid'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "properties": { + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nReferences: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "severity": "Medium", + "enabled": true, + "query": "SigninLogs_CL\n | where ResultType == \"50057\" \n | where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \n applicationSet = makeset(AppDisplayName_s)\n by IPAddress, Type\n | order by disabledAccountLoginAttempts desc\n | join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n SigninLogs_CL\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on IPAddress \n | where successfulAccountSigninCount != 0\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \n successfulAccountSigninCount, successfulAccountSigninSet, Type\n | order by disabledAccountLoginAttempts\n | extend timestamp = StartTime, IPCustomEntity = IPAddress", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "InitialAccess", + "Persistence" + ], + "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757", + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, 
+ "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [ + "IP" + ], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": null, + "customDetails": null, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('mlRuleGuid'))]", + "apiVersion": "2021-03-01-preview", + "kind": "Scheduled", + "properties": { + "displayName": "Malicious Inbox Rule - custom", + "description": "This rule is detecting on delete all traces of phishing email from user mailboxes", + "severity": "Medium", + "enabled": true, + "query": "let Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity_CL\r\n| where Operation_s =~ \"New-InboxRule\"\r\n| where Parameters_s has \"Deleted Items\" or Parameters_s has \"Junk Email\" \r\n| extend Events=todynamic(Parameters_s)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where SubjectContainsWords has_any (Keywords)\r\nor BodyContainsWords has_any (Keywords)\r\nor SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP_s has \".\", tostring(split(ClientIP_s,\":\")[0]), ClientIP_s has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP_s,\"]\")[0]))), ClientIP_s )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, 
(iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId_s contains '/' , tostring(split(OfficeObjectId_s, '/')[-1]) , tostring(split(OfficeObjectId_s, '\\\\')[-1]))\r\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail", + "queryFrequency": "PT5M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "tactics": [ + "Persistence", + "DefenseEvasion" + ], + "alertRuleTemplateName": null, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": true, + "reopenClosedIncident": false, + "lookbackDuration": "PT12H", + "matchingMethod": "Selected", + "groupByEntities": [ + "Account" + ], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "Malicious Inbox Rule, affected user {{UserId__s}}", + "alertDescriptionFormat": null, + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "customDetails": null, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "UserId__s" + } + ] + } + ] + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json new file mode 100644 index 000000000000..8cadfedfa18e --- /dev/null +++ b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json 
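Review bot: In the second rule's `incidentConfiguration`, `matchingMethod` is `"AllEntities"` but a `groupByEntities` list of `["IP"]` is supplied as well; as the alert-rule API documents it, `groupByEntities` is only consulted when `matchingMethod` is `"Selected"`, so here the list is dead configuration and grouping is by all mapped entities (which for this rule happens to be IP alone). If IP-only grouping is the intent, make it explicit with `"matchingMethod": "Selected"` as the third rule does; otherwise drop the list so that adding an entity mapping later does not silently change how incidents are grouped. Separately, the first rule writes `"apiVersion":"2021-03-01-preview"` without the space after the colon that every other property in the file uses.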
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "solarigateRuleGuid": {
+ "value": "af03fc0e-d33f-447a-8397-d60726aa92c5"
+ },
+ "disabledRuleGuid": {
+ "value": "10a698ca-8310-4b90-a86e-2f43fe285e56"
+ },
+ "mlRuleGuid": {
+ "value": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/dataConnector/template.json b/src/SecurityInsights/test/deployment-templates/dataConnector/template.json
new file mode 100644
index 000000000000..c8a07c48c94c
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/dataConnector/template.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "dataconnectorId": {
+ "defaultValue": "dataConnectorId",
+ "type": "string"
+ },
+ "updateDataConnectorId": {
+ "defaultValue": "updateDataConnectorId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('dataconnectorId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "AzureSecurityCenter",
+ "properties": {
+ "dataTypes": {
+ "alerts": {
+ "state": "Enabled"
+ }
+ },
+ "subscriptionId": "[subscription().subscriptionId]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('updateDataConnectorId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Office365",
+ "properties": {
+ "dataTypes": {
+ "exchange": {
+ "state": "Enabled"
+ },
+ "sharepoint": {
+ "state": "Disabled"
+ },
+ "teams": {
+ "state": "Disabled"
+ }
+ },
+ "tenantId": "[subscription().tenantId]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
new file mode 100644
index 000000000000..221eaba78c18
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
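Review bot: The parameter is declared as `dataconnectorId` (lower-case c) but its own `defaultValue` and the accompanying template.parameters.json in the next hunk spell it `dataConnectorId`. ARM matches parameter names case-insensitively as far as I know, so the deployment should still bind, but the two spellings make the pair harder to grep and will trip any case-sensitive tooling that cross-checks template and parameters. Rename the declaration and the `parameters('dataconnectorId')` reference in the first resource's `name` to `dataConnectorId`, in line with the sibling `updateDataConnectorId`.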
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "dataConnectorId": {
+ "value": "88da8507-46cb-4c34-9cf3-189e58b34c9e"
+ },
+ "updateDataConnectorId": {
+ "value": "b4b8bb52-2917-4179-a28d-fb197dc52aa6"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/entityQuery/template.json b/src/SecurityInsights/test/deployment-templates/entityQuery/template.json
new file mode 100644
index 000000000000..7817996ee8b3
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/entityQuery/template.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "entityQueryActivityId": {
+ "defaultValue": "entityQueryActivityId",
+ "type": "String"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('entityQueryActivityId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/entityQueries",
+ "apiVersion": "2021-03-01-preview",
+ "kind": "Activity",
+ "properties": {
+ "title": "An account was deleted on this host",
+ "content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by ",
+ "description": "Account deleted on host",
+ "queryDefinitions": {
+ "query": "let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has '@', tostring(split(Computer, '@')[0]),\nComputer has '\\\\', tostring(split(Computer, '\\\\')[1]),\nComputer has '.', tostring(split(Computer, '.')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', tostring(split(Computer, '.')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has '\\\\', tostring(split(Computer, '\\\\')[0]), \nComputer has '.', strcat_array(array_slice(split(Computer,'.'),-2,-1),'.'), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\nGetAccountActions('{{Host_HostName}}', '{{Host_NTDomain}}', '{{Host_DnsDomain}}', '{{Host_AzureID}}', '{{Host_OMSAgentID}}')\n \n| where EventID == 4726 "
+ },
+ "inputEntityType": "Host",
+ "requiredInputFieldsSets": [
+ [
+ "Host_HostName",
+ "Host_NTDomain"
+ ],
+ [
+ "Host_HostName",
+ "Host_DnsDomain"
+ ],
+ [
+ "Host_AzureID"
+ ],
+ [
+ "Host_OMSAgentID"
+ ]
+ ],
+ "entitiesFilter": {
+ "Host_OsFamily": [
+ "Windows"
+ ]
+ },
+ "enabled": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json
new file mode 100644
index 000000000000..70a2d4ab57d5
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "entityQueryActivityId": {
+ "value": "fb33bcbe-0bc0-433f-9910-e474dbfab616"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/incident/template.json b/src/SecurityInsights/test/deployment-templates/incident/template.json
new file mode 100644
index 000000000000..7828babbc39f
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incident/template.json
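Review bot: The activity `content` string `"On '{{Computer}}' the account '{{TargetAccount}}' was deleted by "` ends with a dangling `by ` and names no actor, so the sentence Sentinel renders on the Host entity page is cut off. The query already projects `SubjectUserName` and `SubjectUserSid`, so the natural completion is `"content": "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{SubjectUserName}}'"`. The parameter `type` is also spelled `"String"` for `entityQueryActivityId` and `"string"` for `workspaceName`; ARM accepts both, but one spelling per file reads better.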
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentId": {
+ "defaultValue": "incidentId",
+ "type": "String"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentId'))]",
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "IncidentTest"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
new file mode 100644
index 000000000000..4b5320dae2da
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentId": {
+ "value": "85b206c3-bf60-48e0-b492-71a79bb8503a"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/incidentComment/template.json b/src/SecurityInsights/test/deployment-templates/incidentComment/template.json
new file mode 100644
index 000000000000..b736228013f4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentComment/template.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentCommentIncidentId": {
+ "defaultValue": "incidentCommentIncidentId",
+ "type": "string"
+ },
+ "incidentCommentId": {
+ "defaultValue": "incidentCommentId",
+ "type": "string"
+ },
+ "incidentCommentName": {
+ "defaultValue": "incidentCommentName",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentCommentIncidentId'))]",
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "[parameters('incidentCommentName')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentCommentIncidentId'), '/', parameters('incidentCommentId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents/comments",
+ "apiVersion": "2021-04-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentCommentIncidentId'))]"
+ ],
+ "properties": {
+ "message": "[parameters('incidentCommentName')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
new file mode 100644
index 000000000000..0dcdaac82e21
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentCommentIncidentId": {
+ "value": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670"
+ },
+ "incidentCommentId": {
+ "value": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be"
+ },
+ "incidentCommentName": {
+ "value": "UpdateViaIdincidentCommentoq4cge"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json
new file mode 100644
index 000000000000..1b67f6ad4d2b
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.json
@@ -0,0 +1,80 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentRelationBookmarkId": {
+ "defaultValue": "incidentRelationBookmarkId",
+ "type": "string"
+ },
+ "incidentRelationBookmarkName": {
+ "defaultValue": "incidentRelationBookmarkName",
+ "type": "string"
+ },
+ "queryStartTime": {
+ "defaultValue": "queryStartTime",
+ "type": "string"
+ },
+ "queryEndTime": {
+ "defaultValue": "queryEndTime",
+ "type": "string"
+ },
+ "incidentRelationIncidentId": {
+ "defaultValue": "incidentRelationIncidentId",
+ "type": "string"
+ },
+ "incidentRelationIncidentName": {
+ "defaultValue": "incidentRelationIncidentName",
+ "type": "string"
+ },
+ "incidentRelationId": {
+ "defaultValue": "incidentRelationId",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationBookmarkId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/bookmarks",
+ "apiVersion": "2020-01-01",
+ "properties": {
+ "displayName": "[parameters('incidentRelationBookmarkName')]",
+ "labels": [ "asptest" ],
+ "notes": "Notes go here",
+ "query": "SecurityEvent\n| take 1",
+ "queryStartTime": "[parameters('queryStartTime')]",
+ "queryEndTime": "[parameters('queryEndTime')]",
+ "eventTime": "[parameters('queryEndTime')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationIncidentId'))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]"
+ ],
+ "properties": {
+ "severity": "Informational",
+ "status": "New",
+ "title": "[parameters('incidentRelationIncidentName')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('incidentRelationIncidentId'), '/', parameters('incidentRelationId'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/incidents/relations",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/incidents', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationIncidentId'))]",
+ "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]"
+ ],
+ "properties": {
+ "relatedResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/bookmarks', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('incidentRelationBookmarkId'))]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json
new file mode 100644
index 000000000000..cacae2c29971
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json
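Review bot: The incident resource carries a `dependsOn` on the bookmark even though none of its properties reference that bookmark; the dependency only serialises the two creations. The relation resource that follows already depends on both the incident and the bookmark, so the incident's `dependsOn` block can be removed, which also matches bookmarkRelation/template.json earlier in this patch where the incident declares no dependency.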
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "incidentRelationBookmarkId": {
+ "value": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a"
+ },
+ "incidentRelationBookmarkName": {
+ "value": "UpdateViaIdincidentRelationBookmarkNamehd50fa"
+ },
+ "queryStartTime": {
+ "value": "2021-12-11T01:00:00.000Z"
+ },
+ "queryEndTime": {
+ "value": "2021-12-12T01:00:00.000Z"
+ },
+ "incidentRelationIncidentId": {
+ "value": "43aedae6-3726-41c1-b0e8-9876df66aa2d"
+ },
+ "incidentRelationIncidentName": {
+ "value": "UpdateViaIdincidentRelationIncidentNameewut32"
+ },
+ "incidentRelationId": {
+ "value": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/metadata/template.json b/src/SecurityInsights/test/deployment-templates/metadata/template.json
new file mode 100644
index 000000000000..fed3b9ae0fed
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/metadata/template.json
@@ -0,0 +1,558 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
+ "comments": "Solution template for ZeroTrust(TIC3.0)"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[parameters('location')]",
+ "metadata": {
+ "description": "Region to deploy solution resources"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Sentinel is setup"
+ }
+ },
+ "formattedTimeNow": {
+ "type": "string",
+ "defaultValue": "[utcNow('g')]",
+ "metadata": {
+ "description": "Appended to workbook displayNames to make them unique"
+ }
+ },
+ "workbook1-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the workbook"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "ZeroTrust(TIC3.0)",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "analytic1-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic2-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic3-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic4-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic5-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic6-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic7-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic8-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic9-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic10-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ },
+ "analytic11-id": {
+ "type": "string",
+ "defaultValue": "[newGuid()]",
+ "minLength": 1,
+ "metadata": {
+ "description": "Unique id for the scheduled alert rule"
+ }
+ }
+ },
+ "variables": {
+ "ZeroTrustTIC3.0_workbook": "ZeroTrustTIC3.0_workbook",
+ "_ZeroTrustTIC3.0_workbook": "[variables('ZeroTrustTIC3.0_workbook')]",
+ "workbook-source": "[concat(resourceGroup().id, '/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'))]",
+ "_workbook-source": "[variables('workbook-source')]",
+ "ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules')]",
+ "ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules": "ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules",
+ "_ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules": "[variables('ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules')]",
+ "sourceId": "azuresentinel.azure-sentinel-solution-zerotrust",
+ "_sourceId": "[variables('sourceId')]"
+ },
+ "resources": [
+ {
+ "name": "pid-48509547-1f22-4bce-9634-1fa50d662519-partnercenter",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[parameters('workbook1-id')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2020-02-12",
+ "properties": {
+ "displayName": "[concat(parameters('workbook1-name'), ' - ', parameters('formattedTimeNow'))]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", 
\\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. ](https://forms.office.com/r/0xxx6arkaS)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# Zero Trust (TIC3.0) Solution\\n---\\nThis workbook enables Security Governance Risk Compliance Professionals, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. For more information, see the 💡[Microsoft Zero Trust Model](https://www.microsoft.com/security/business/zero-trust), 💡[Trusted Internet Connections: Core Guidance Documents](https://www.cisa.gov/trusted-internet-connections). The Azure Sentinel Zero Trust (TIC 3.0) Workbook demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the 💡 [Cybersecurity & Infrastructure Security Agency](https://www.cisa.gov/trusted-internet-connections). 
This workbook provides visibility and situational awareness for security capabilities delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective requirements. \"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"21\",\"name\":\"Azure Sentinel Logo\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Assessment\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Assessment\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Universal Security Capabilities\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Files\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Files\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Email\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Email\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Web\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Web\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Networking\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Networking\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"title\":\"TIC 3.0 Capabilities\",\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"37\",\"name\":\"query 
- 107\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cec6c07e-2856-4c77-8b48-98935f2c1218\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isAssessmentVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Assessment\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"eab3e5a8-66c3-4304-8c2b-43264e858ba8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUniversalSecurityCapabilitiesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Universal Security Capabilities\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000}},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isFilesVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Files\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"67de7a24-1840-4fc5-94d5-a6b5d7520a7c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEmailVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Email\",\"re
sultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"ec480379-6561-4a30-b005-7533da78ed14\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isWebVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Web\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"2919b971-fb14-440c-ab42-50304df3ceab\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isNetworkingVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Networking\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"38d5c68b-fce9-479b-b8dd-acb7a97d85e7\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"isVisible Navigation\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Resiliency\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Resiliency\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"DNS\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"DNS\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Intrusion Detection\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": 
\\\\\\\"Enterprise\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Enterprise\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Unified Communications & Collaboration\\\\\\\" },\\\\r\\\\n\\\\t{ \\\\\\\"Section\\\\\\\": \\\\\\\"Data Protection\\\\\\\", \\\\\\\"tab\\\\\\\": \\\\\\\"Data Protection\\\\\\\" }\\\\r\\\\n]\\\"}\",\"size\":3,\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"tab\",\"parameterName\":\"Tab\",\"parameterType\":1}],\"queryType\":8,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"tab\",\"formatter\":5}],\"filter\":true}},\"customWidth\":\"37\",\"name\":\"query - 109\",\"styleSettings\":{\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isResiliencyVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Resiliency\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"62d67234-8fb2-43e6-b5d2-945692493431\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDNSVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"DNS\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"9cb339a8-c8b4-43ad-b2e5-76f61b87d8c1\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isIntrusionDetectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[
{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Intrusion Detection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"4b799471-726e-432c-b577-2f45474d883c\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isEnterpriseVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Enterprise\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"584fbe21-b31b-49cb-bd65-62ef850a8310\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isUnifiedCommunicationsCollaborationVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Unified Communications & Collaboration\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"78d61c25-823a-4232-8a32-1a7e7018e596\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"isDataProtectionVisible\",\"type\":1,\"isHiddenWhenLocked\":true,\"criteriaData\":[{\"criteriaContext\":{\"leftOperand\":\"Tab\",\"operator\":\"contains\",\"rightValType\":\"static\",\"rightVal\":\"Data 
Protection\",\"resultValType\":\"static\",\"resultVal\":\"true\"}},{\"criteriaContext\":{\"operator\":\"Default\",\"rightValType\":\"param\",\"resultValType\":\"static\",\"resultVal\":\"false\"}}],\"timeContext\":{\"durationMs\":86400000},\"id\":\"740b611b-8155-4e96-bbcc-bbdba0541143\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"5\",\"name\":\"isVisible Navigation - Copy\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Getting Started](https://docs.microsoft.com/azure/sentinel/prerequisites)\\r\\n---\\r\\n\\r\\nThis workbook enables Security Governance Risk Compliance Professionals, SecOps Analysts, and MSSPs to gain situational awareness for cloud workload security posture. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query+alerting generation and visualizations. Recommended onboarding steps are included below, note user experience will vary by workload.
\\r\\n
\\r\\n1️⃣ [Confirm Roles & Permissions: Azure Sentinel Contributor for Create & Edit / Azure Sentinel Responder for Viewing Workbook](https://docs.microsoft.com/azure/sentinel/roles#:~:text=Azure%20Sentinel-specific%20roles%201%20Azure%20Sentinel%20Reader%20can,and%20other%20Azure%20Sentinel%20resources.%20More%20items...%20)
\\r\\n2️⃣ [Onboard Azure Sentinel](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)
\\r\\n3️⃣ [Onboard Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-get-started)
\\r\\n4️⃣ [Add the Azure Security Benchmark and NIST SP 800-53 R5 Assessments to Your Dashboard](https://docs.microsoft.com/azure/security-center/update-regulatory-compliance-packages#add-a-regulatory-standard-to-your-dashboard)
\\r\\n5️⃣ [Continuously Export Security Center Data](https://docs.microsoft.com/azure/security-center/continuous-export)
\\r\\n6️⃣ [Extend Azure Sentinel Across Workspaces and Tenants](https://docs.microsoft.com/azure/sentinel/extend-sentinel-across-workspaces-tenants)
\\r\\n7️⃣ [Deploy Azure Sentinel: Zero Trust (TIC3.0) Solution & Review Monitoring Analytics Rules](https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/azuresentinel.azure-sentinel-solution-zerotrust)
\\r\\n\\r\\n\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"text - 106\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Recommended Enrichments](https://docs.microsoft.com/azure/sentinel/connect-data-sources)\\r\\n---\\r\\nThis workbook leverages 50+ Microsoft Security products. While only Azure Sentinel and Azure Security Center are mandatory for this solution, the following offerings provide enrichments
\\r\\n\\r\\n✳️[Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n✳️[Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n✳️[Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall)
\\r\\n✳️[Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n✳️[Azure Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
\\r\\n✳️[Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
\\r\\n✳️[Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n✳️[Azure Defender](https://azure.microsoft.com/services/azure-defender/)
\\r\\n✳️[Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
\\r\\n✳️[Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)
\\r\\n✳️[Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n✳️[Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
\\r\\n✳️[Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender)
\\r\\n\\r\\n\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"text - 107\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Microsoft Zero Trust Deployment Center](https://docs.microsoft.com/security/zero-trust)\\r\\n![Image Name](https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4KvMM?ver=13f6&q=0&m=6&h=600&w=1600&b=%23FFFFFFFF&u=t&l=f&f=jpg&o=t&aim=true \\\"Security Policy Enforcement\\\")\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"Zero Trust Model\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Trusted Internet Connections 3.0](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n| Security Objectives |\\r\\n| : | : | \\r\\n| Manage Traffic | Observe, validate, and filter data connections to align with authorized activities; least privilege and default deny |\\r\\n| Protect Traffic Confidentiality | Ensure only authorized parties can discern the contents of data in transit; sender and receiver identification and enforcement |\\r\\n| Protect Traffic Integrity | Prevent alteration of data in transit; detect altered data in transit |\\r\\n| Ensure Service Resiliency | Promote resilient application and security services for continuous operation as the technology and threat landscape evolve |\\r\\n| Ensure Effective Response | Promote timely reaction and adapt future response to discovered threats; policies defined and implemented; simplified adoption of new countermeasures |\\r\\n\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"50\",\"name\":\"Trusted Internet Connections 
3.0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"99a47f97-1aa4-4840-91ee-119aad6d6217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ControlFamily\",\"label\":\"Control Family\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| summarize count() by Family\\r\\n| sort by count_ desc\\r\\n| project Family\\r\\n\",\"crossComponentResources\":[\"{Workspace}\"],\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in 
({ControlFamily})\\r\\n| summarize count() by Family\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations by Control Family\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlFamily\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Family\\r\\n| render 
timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations over Time\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ControlNumber\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Persistence\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| summarize count() by RecommendationDisplayName\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendations\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Recommendation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"coldHot\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = 
externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| summarize count() by AssessedResourceId\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets with Recommendations\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\"
:1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\r\\n SecurityRecommendation\\r\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\r\\n| where RecommendationName <> \\\"\\\"\\r\\n| where RecommendationState <> \\\"Healthy\\\"\\r\\n| where Family in ({ControlFamily})\\r\\n| project AssessedResourceId, Family, Capability, RecommendationDisplayName, RecommendationLink, RecommendationSeverity, RecommendationState, DiscoveredTimeUTC\\r\\n| sort by DiscoveredTimeUTC desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recommendation Details\",\"noDataMessage\":\"No Current Zero Trust(TIC3.0) Recommendations in this Area. 
Confirm the CMMC Level 3 Assessment is Enabled in Azure Security Center: Regulatory Compliance Blade.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResourceType\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"RecommendationDisplayName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"State\",\"formatter\":1},{\"columnMatch\":\"ControlID\",\"formatter\":1},{\"columnMatch\":\"Recommendation\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >\"}},{\"columnMatch\":\"statusChangeDate\",\"formatter\":6},{\"columnMatch\":\"firstEvaluationDate\",\"formatter\":6}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"RecommendationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 
6\"}]},\"conditionalVisibility\":{\"parameterName\":\"isAssessmentVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"group - 1\"},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Universal Security Capabilities](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\n---\\r\\nUniversal capabilities are enterprise-level capabilities that outline guiding principles for TIC use cases. Universal capabilities are selected to be broadly applicable; the same list of capabilities apply to every use case. However, certain use cases may provide unique guidance on specific capabilities where necessary. Agencies have significant discretion regarding how to meet the individual security capability requirements and address their particular needs. Agencies are free to determine the level of rigor necessary for applying universal capabilities based on federal guidelines and risk tolerance. While it is expected that agencies may often be able to employ a common solution to fulfill multiple roles or serve multiple purposes, the selection of an appropriate set of solutions is left to each agency.\"},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"text - 105\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"c93e24ce-ec5c-4a5a-a505-f69f222f1c57\",\"cellValue\":\"Backup and Recovery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Backup and Reccovery\",\"style\":\"link\"},{\"id\":\"bac9107f-354e-46ac-b4ad-a3e6e0f55cb0\",\"cellValue\":\"Central Log Management with Analysis\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Central Log Management with Analysis\",\"style\":\"link\"},{\"id\":\"4ffc1b21-56f5-450b-8eff-0ad8878d145b\",\"cellValue\":\"Configuration Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Configuration 
Management\",\"style\":\"link\"},{\"id\":\"8d000886-a46f-4445-ab37-3f8d85d1a03c\",\"cellValue\":\"Incident Response Plan and Incident Handling\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Incident Response Plan and Incident Handling\",\"style\":\"link\"},{\"id\":\"5716dd9a-2dc4-49b6-8159-6ecb38cae5b8\",\"cellValue\":\"Inventory\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Inventory\",\"style\":\"link\"},{\"id\":\"fd99b1dd-8ab6-458a-9750-9bea08680143\",\"cellValue\":\"Least Privilege\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Least Privilege\",\"style\":\"link\"},{\"id\":\"e44f9cc8-c90d-4180-bc5b-05ea686c2a48\",\"cellValue\":\"Secure Administration\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Secure Administration\",\"style\":\"link\"},{\"id\":\"3d6bbb2b-5f84-45e1-840b-d5751ae01724\",\"cellValue\":\" Strong Authentication\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Strong Authentication\",\"style\":\"link\"},{\"id\":\"39eeaf42-397f-4f0b-9ecb-6094cb499da5\",\"cellValue\":\"Time Synchronization\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Time Synchronization\",\"style\":\"link\"},{\"id\":\"7a410392-0071-45de-bd44-6c1a302099bf\",\"cellValue\":\"Vulnerability Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Vulnerability Management\",\"style\":\"link\"},{\"id\":\"85947fdc-7b1e-4ccf-b381-e14c481d44b2\",\"cellValue\":\"Patch Management\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Patch Management\",\"style\":\"link\"},{\"id\":\"c785c05b-3c23-440c-880e-d137a5129d57\",\"cellValue\":\"Auditing and Accounting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Auditing and Accounting\",\"style\":\"link\"},{\"id\":\"c05f7400-cd07-4f88-8b83-01e7a423b212\",\"cellValue\":\"Resilience\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Resilience\",\"style\":\"link\"},{\"id\":\"e1e208ec-51b4-4a92-b4c0-3b642dad5710\",\"cellValue\":\"Enterprise Threat Intelligence\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Enterprise Threat 
Intelligence\",\"style\":\"link\"},{\"id\":\"ea9cabf5-fb7c-4243-82bf-ec8bc27d563e\",\"cellValue\":\"Situational Awareness\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Situational Awareness\",\"style\":\"link\"},{\"id\":\"cca8efec-9930-4851-8245-6624c437608e\",\"cellValue\":\"Dynamic Threat Discovery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Dynamic Threat Discovery\",\"style\":\"link\"},{\"id\":\"af1e2514-78fd-4553-b883-e7e509081cd4\",\"cellValue\":\"Policy Enforcement Parity\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Policy Enforcement Parity\",\"style\":\"link\"},{\"id\":\"e728fd6f-9b96-46e7-b657-7b94a4333060\",\"cellValue\":\"Effective Use of Shared Services\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Effective Use of Shared Services\",\"style\":\"link\"},{\"id\":\"51a146f0-a041-43d3-8ed8-f2d03ce3a40b\",\"cellValue\":\"Integrated Desktop, Mobile, and Remote Policies\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Integrated Desktop, Mobile, and Remote Policies\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Universal Security Capabilities Navigation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Backup and Recovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nKeeping copies of configuration and data, as needed, to allow for the quick restoration of service in the event of malicious incidents, system failures, or corruption.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is the Azure Backup Service?](https://docs.microsoft.com/azure/backup/backup-overview)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Configure Recovery Service Vaults](https://docs.microsoft.com/azure/backup/backup-azure-recovery-services-vault-overview)
\\r\\n💡 [Leverage Azure Blueprints for Landing Zones](https://docs.microsoft.com/azure/governance/blueprints/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Backup](https://azure.microsoft.com/services/backup/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔄 [Recovery Services Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.RecoveryServices%2Fvaults)
\\r\\n🔄 [Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.IP, PR.DS, RS.MI, RC.RP](https://www.nist.gov/cyberframework)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 0\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"back\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Backups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"back up\\\" or Description contains \\\"backup\\\" or Description contains \\\"back-up\\\" or Description contains \\\"restore\\\" or Description contains \\\"recover\\\"\\r\\n| summarize count() by Description, AnalyzeResult, ResourceId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Backup & Recovery: Baseline Assessments\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AnalyzeResult\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Passed\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Failed\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"cancelled\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Backup and Recovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Central Log Management & Analysis](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCollecting, storing, and analyzing telemetry, where the collection and storage are designed to facilitate data fusion and the security analysis aids in discovery and response to malicious activity.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [What is Azure Lighthouse?](https://docs.microsoft.com/azure/lighthouse/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
🔷 [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)\\r\\n\\t\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Resource Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"log\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Logging\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff(\\\"second\\\",now(), 
max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by _TableName, _IsBillable\\r\\n| project ['Table Name'] = _TableName, ['Table Size'] = Size, ['Table Entries'] = Entries,\\r\\n ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable\\r\\n| order by ['Table Size'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per 
Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_IsBillable_4\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName *\\r\\n| summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable\\r\\n| extend counttemp =count_ / 60\\r\\n| summarize \\r\\n ['Current EPS Average']=avg(counttemp), ['Minimum EPS']=min(counttemp),\\r\\n ['Maximum EPS']=max(counttemp)\\r\\n by ['Table Name']=Type\\r\\n| order by ['Current EPS Average'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Table Events Per Second (EPS) Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is 
Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Table Name\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Current EPS Average\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blueDark\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},{\"columnMatch\":\"Minimum EPS\",\"formatter\":3,\"formatOptions\":{\"palette\":\"red\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}},{\"columnMatch\":\"Maximum EPS\",\"formatter\":3,\"formatOptions\":{\"palette\":\"green\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Size\",\"formatter\":8,\"formatOptions\":{\"palette\":\"purple\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Table Entries\",\"formatter\":8,\"formatOptions\":{\"palette\":\"turquoise\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"Size per 
Entry\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},{\"columnMatch\":\"IsBillable\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Important\",\"text\":\"{0}{1}\"}]}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Current EPS Average_1\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Current EPS Average_1\",\"sortOrder\":2}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Central Log Management with Analysis\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Configuration Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nImplementing a formal plan for documenting, managing changes to the environment, and monitoring for deviations, preferably automated.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Enable Change Tracking and Inventory From an Automation Account](https://docs.microsoft.com/azure/automation/change-tracking/enable-from-automation-account)
\\r\\n💡 [Ensure Your Endpoints Are Configured Properly](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines)
\\r\\n💡 [Secure Score in Azure Defender](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.BE, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScoreControls\\r\\n| extend Percent=PercentageScore*100\\r\\n| summarize avg(Percent) by bin(TimeGenerated,1d), ControlName, SubscriptionId=_SubscriptionId\\r\\n| render timechart\",\"size\":0,\"aggregation\":1,\"showAnalytics\":true,\"title\":\"Azure Security Center: Secure Score Controls (Percentage) Over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaselineSummary\\r\\n| summarize count() by Resource, PercentageOfPassedRules, CriticalFailedRules, WarningFailedRules\\r\\n| project Resource, CriticalFailedRules, WarningFailedRules, 
PercentageOfPassedRules\\r\\n| sort by CriticalFailedRules desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor & Enforce Security Baselines\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CriticalFailedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"WarningFailedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"PercentageOfPassedRules\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Configuration Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Incident Response Plan and Incident Handling](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDocumenting and implementing a set of 
instructions, procedures, or technical capabilities to sense and detect, respond to, limit consequences of malicious cyberattacks, and restore the integrity of the network and associated systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Quickstart: Tutorial: Investigate incidents with Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/notebooks)
\\r\\n💡 [Tutorial: Set Up Automated Threat Responses in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n💡[Overview of Microsoft 365 Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/overview-ediscovery-20)
\\r\\n💡[Learn About Insider Risk Management in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityIncident](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityincident) 🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.GV, ID.RA, PR.IP, DE.DP, DE.AE, RS.RP, RS.CO, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| where Severity in ('*') or 'All' ==  \\\"All\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Severity\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Sentinel Incidents over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| where ResourceProvider == \\\"Microsoft.Logic\\\"\\r\\n| summarize count() by ResourceId\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure 
Sentinel Playbooks Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Incident Response Plan and Incident Handling\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Inventory](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeveloping, documenting, and maintaining a current inventory of all systems, networks, and components so that only authorized endpoints are given access, and unauthorized and unmanaged endpoints are found and prevented from gaining access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Explore and Manage Your Resources With Asset 
Inventory](https://docs.microsoft.com/azure/security-center/asset-inventory)
\\r\\n💡 [Protect Your Network Resources](https://docs.microsoft.com/azure/security-center/security-center-network-recommendations)
\\r\\n💡 [View Installed Software](https://docs.microsoft.com/azure/automation/automation-tutorial-installed-software#view-installed-software)
\\r\\n💡 [What is Windows Virtual Desktop?](https://docs.microsoft.com/azure/virtual-desktop/overview)
\\r\\n💡 [What is Azure Resource Graph?](https://docs.microsoft.com/azure/governance/resource-graph/overview)
\\r\\n💡 [Azure Arc Overview](https://docs.microsoft.com/azure/azure-arc/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Heartbeat](https://docs.microsoft.com/azure/azure-monitor/reference/tables/heartbeat) ✳️ [Azure Monitor](https://azure.microsoft.com/services/monitor/)
🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Resource Graph](https://azure.microsoft.com/features/resource-graph/)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Azure Virtual Desktop](https://portal.azure.com/#blade/Microsoft_Azure_WVD/WvdManagerMenuBlade/overview)
\\r\\n🔄 [Azure Resource Graph Explorer](https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade)
\\r\\n🔄 [Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Azure Resource Graph)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by type\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Type\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time 
Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"ResourceFlat\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 8\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"where type contains \\\"microsoft\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Count by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces' \\r\\n| extend state = trim(' ', tostring(properties.provisioningState))\\r\\n\\t\\t,sku = trim(' ', tostring(properties.sku.name))\\r\\n ,skuUpdate = trim(' ', tostring(properties.sku.lastSkuUpdate))\\r\\n\\t\\t,retentionDays = trim(' ', tostring(properties.retentionInDays))\\r\\n\\t\\t,dailyquotaGB = trim(' ', tostring(properties.workspaceCapping.dailyQuotaGb))\\r\\n| extend dailyquotaGB = iif(dailyquotaGB !=-1.0, dailyquotaGB,\\\"Not set\\\")\\r\\n| extend skuUpdate = iif(strlen(skuUpdate) > 0, skuUpdate,\\\"Unknown\\\")\\r\\n| extend sentinel = iif(toint(retentionDays) < 90,\\\"If you have Sentinel, you can change your retention to 90days (free)?\\\",\\\"\\\")\\r\\n| project ['Workspace Name']=id, ['Resource Group']=resourceGroup, location, ['Data Retention(days)']=retentionDays\",\"size\":2,\"showAnalytics\":true,\"title\":\"Log Analytics Workspace Inventory\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective 
Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_link_Workspace Name_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_link_Workspace Name_0\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 9\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| distinct ResourceId, ComputerIP, OSType, Category, ResourceGroup, ResourceType \\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Heartbeat)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure 
Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Heartbeat\\r\\n| where ResourceProvider in (\\\"Microsoft.HybridCompute\\\")\\r\\n| distinct ResourceId, ComputerIP, OSType, Category, ResourceGroup, ResourceType \\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Asset Inventory (Hybrid/On Prem Joined Machines: Azure Arc)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and 
Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Computer\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"OSType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Windows\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Linux\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"mac\",\"representation\":\"magenta\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"trenddown\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
8\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Inventory\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Least Privilege](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDesigning the security architecture such that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Administrator roles by admin task in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/delegate-by-task)
\\r\\n💡 [Overview of role-based access control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Azure Active Directory Sign-In Activity](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-all-sign-ins)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [IdentityInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/identityinfo) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AADNonInteractiveUserSignInLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/aadnoninteractiveusersigninlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.IP, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| summarize Activities = count() by User = Caller\\r\\n| where User <> \\\"\\\"\\r\\n| sort by Activities desc\\r\\n| take 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Active Directory Users by Action Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityInfo\\r\\n| extend GroupMemberships = strcat(GroupMembership)\\r\\n| extend AssignedRoles_ = strcat(AssignedRoles)\\r\\n| extend UserPrincipalName = MailAddress\\r\\n| where MailAddress <> \\\"\\\"\\r\\n| distinct UserPrincipalName, GroupMemberships, AssignedRoles_\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assigned Roles & Group Memberships\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADNonInteractiveUserSignInLogs\\r\\n| project AppDisplayName, Identity, TimeGenerated\\r\\n| make-series count() default=0 on TimeGenerated 
from {TimeRange:start} to {TimeRange:end} step 1d by AppDisplayName\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"AAD Non Interactive User Sign-In Logs By Application \",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"User\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"info\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Activities\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AAD Non Interactive User Sign-In Logs By Application \",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Least Privilege\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Secure Administration](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nPerforming administrative 
tasks in a secure manner, using secure protocols.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Delegate Administration in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/concept-delegation)
\\r\\n💡 [Start Using Privileged Identity Management](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-getting-started#)
 \\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview) 
\\r\\n💡 [Securing Devices as Part of the Privileged Access Story](https://docs.microsoft.com/security/compass/privileged-access-devices) 
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n🔄 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where Identity == \\\"MS-PIM\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| extend PIM_Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\\r\\n| where UserPrincipalName <>\\\"\\\"\\r\\n| project UserPrincipalName, OperationName, PIM_Role, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Secure Administration\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Strong Authentication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVerifying the identity of users, endpoints, or other entities through rigorous means (e.g. multi-factor authentication) before granting access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Plan an Azure AD Multi-Factor Authentication Deployment](https://docs.microsoft.com/azure/active-directory/authentication/howto)
\\r\\n💡 [How it works: Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
\\r\\n💡 [Remediate recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-remediate-recommendations)
\\r\\n💡 [SecretManagement and Accessing Linux VMs in Azure](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n💡 [Eliminate Password-Based Attacks on Azure Linux VMs](https://techcommunity.microsoft.com/t5/azure-security-center/eliminate-password-based-attacks-on-azure-linux-vms/ba-p/2271139)
\\r\\n💡 [Quickstart: Create a Key Vault Using the Azure Portal](https://techcommunity.microsoft.com/t5/itops-talk-blog/secretmanagement-and-accessing-linux-vms-in-azure/ba-p/2278735)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/defender-for-iot/how-to-security-data-access#security-recommendations) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| extend ResultText = case(isnotempty(ResultDescription), ResultDescription, ResultType == 0 and isempty(ResultDescription), \\\"Successfull login\\\", \\\"unknown\\\")\\r\\n| summarize count() by ResultText\\r\\n| sort by count_ desc\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication Codes\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ResultText\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Success\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"error\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"not\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"tried\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"invalid\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"unauth\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"block\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Invalid\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"expired\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"missing\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - 
Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\" Strong Authentication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Time Synchronization](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCoordinating clocks on all systems (e.g. servers, workstations, network endpoints) to enable accurate comparison of timestamps between systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Time Sync for Windows VMs in Azure](https://docs.microsoft.com/azure/virtual-machines/windows/time-sync)\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where Description contains \\\"NTP\\\"\\r\\n| project ResourceId, Description, AnalyzeResult, TimeGenerated\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor NTP Syncs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AnalyzeResult\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Passed\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Failed\",\"representation\":\"4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"1\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Time Synchronization\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Vulnerability Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nProactively working to discover vulnerabilities, including the use of both active and passive means of discovery, and taking action to mitigate discovered vulnerabilities.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Secure Score in Azure Defender](https://docs.microsoft.com/azure/security-center/secure-score-security-controls)
\\r\\n💡 [Azure Defender's Integrated Vulnerability Assessment Solution for Azure and Hybrid Machine](https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment)
\\r\\n💡 [Threat and Vulnerability Management Walk-Through](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) 🔷 [SecurityBaseline](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securitybaseline) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, PR.IP, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"vuln\\\" or RecommendationName contains \\\"assess\\\" or RecommendationName contains \\\"update\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerabilty Management Recommendations over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecureScoreControls\\r\\n| extend Percent=PercentageScore*100\\r\\n| summarize avg(Percent) by bin(TimeGenerated,1d), 
ControlName, SubscriptionId=_SubscriptionId\\r\\n| render timechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Secure Score\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityBaseline\\r\\n| where CceId <> \\\"\\\"\\r\\n|project CceId, RuleSeverity, Description, ResourceId\\r\\n|limit 50\",\"size\":0,\"showAnalytics\":true,\"title\":\"Vulnerability Management\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CceId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Defense Evasion\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RuleSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Resource\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Vulnerability Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Patch Management](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentifying, acquiring, installing, and verifying patches for products and systems.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Update Management Overview](https://docs.microsoft.com/azure/automation/update-management/overview)
\\r\\n💡 [Enable Update Management From the Azure Portal](https://docs.microsoft.com/azure/automation/update-management/enable-from-portal)
\\r\\n💡 [Handling Planned Maintenance Notifications Using the Azure Portal](https://docs.microsoft.com/azure/virtual-machines/maintenance-notifications-portal)
\\r\\n💡 [Managing Platform Updates with Maintenance Control](https://docs.microsoft.com/azure/virtual-machines/maintenance-control?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json)
\\r\\n💡 [Scheduling Maintenance Updates with Maintenance Control and Azure Functions](https://github.com/Azure/azure-docs-powershell-samples/tree/master/maintenance-auto-scheduler)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Automation Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName == \\\"System updates should be installed on your machines\\\" or RecommendationName contains \\\"upgrade\\\" or RecommendationName contains \\\"update\\\" or RecommendationName contains \\\"patch\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Updates\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Patch Management\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Auditing and Accounting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCapturing business records, including logs and other telemetry, and making them available for auditing and accounting as required. Design of the auditing system should take insider threat into consideration, including separation of duties violation tracking, such that insider abuse or misuse can be detected.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Create Diagnostic Settings to Send Platform Logs and Metrics to Different Destinations](https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings)
\\r\\n💡 [Tutorial: Grant a User Access to Azure Resources Using the Azure Portal](https://docs.microsoft.com/azure/role-based-access-control/quickstart-assign-role-user-portal)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Auditing Azure Sentinel Activities](https://techcommunity.microsoft.com/t5/azure-sentinel/auditing-azure-sentinel-activities/ba-p/1718328)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Resource Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.SC, PR.AC, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Usage\\r\\n| summarize count() by DataType\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Log Events Count by Log Source\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where 
RecommendationDisplayName contains \\\"agent\\\" or RecommendationDisplayName contains \\\"log\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by RecommendationDisplayName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Security Center: Recommendations for Logging\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DataType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Auditing and Accounting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Resilience](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEnsuring that systems, services, and protections maintain acceptable performance under adverse conditions.\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n🔄 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n🔄 [Load Balancing](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability)
 \\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
 \\r\\n💡 [What are virtual machine scale sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview)
 \\r\\n\\r\\n### NIST CSF Mapping\\r\\n[ID.BE, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where AlertName contains \\\"dos\\\" or AlertName contains \\\"waf\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts: DDoS & WAF\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Resilience\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# 
[Enterprise Threat Intelligence](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nObtaining threat intelligence from private and government sources and implementing mitigations for the identified risks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Microsoft Security Intelligence Portal](https://www.microsoft.com/wdsi)
\\r\\n💡 [Microsoft Graph Security tiIndicators API](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n💡 [MSTIC Jupyter and Python Security Tools](https://github.com/Microsoft/msticpy)
\\r\\n💡 [Use Jupyter Notebook to Hunt for Security Threats](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n\\t\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Microsoft Defender Security Intelligence Portal](https://microsoft.com/wdsi)
\\r\\n🔄 [Resource Graph Queries](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.resourcegraph%2Fqueries)
\\r\\n🔄 [MSTICpy](https://github.com/Microsoft/msticpy)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cyber Threat Intelligence Indicator Counts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Enterprise Threat 
Intelligence\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Situational Awareness](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMaintaining effective awareness, both current and historical, across all components.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Visibility Into Alerts](https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility)
\\r\\n💡 [What is Azure Network Watcher?](https://docs.microsoft.com/graph/api/resources/tiindicator)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Network Watcher](https://portal.azure.com/#blade/Microsoft_Azure_Network/NetworkWatcherMenuBlade/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.RA, PR.DS, PR.IP, DE.AE, DE.CM, DE.DP, RS.CO](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where isnotempty(ProviderName)\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Security Alerts By Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Situational Awareness\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Dynamic Threat Discovery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nUsing dynamic approaches (e.g. heuristics, baselining, etc.) to discover new malicious activity\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Advanced Multistage Attack Detection in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/fusion)
\\r\\n💡 [Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)
\\r\\n💡 [Heuristic Detections in Azure Security Center](https://azure.microsoft.com/blog/heuristic-dns-detections-in-azure-security-center/)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [BehaviorAnalytics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/behavioranalytics) 🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.RA, DE.AE, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AnomalousSigninActivity = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where (UsersInsights.NewAccount == True or UsersInsights.DormantAccount == True) and (\\r\\n ActivityInsights.FirstTimeUserAccessedResource == True and ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True\\r\\n or ActivityInsights.FirstTimeUserUsedApp == True and ActivityInsights.AppUncommonlyUsedAmongPeers == False)\\r\\n | join (\\r\\n SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != \\\"none\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Successful Sign-in with one or more of the following indications: sign by new or recently dormant accounts and sign in with resource for the first time (while none of their peers did) or to an app for the first time (while none of their peers did) or performed by a user with Risk indicaiton from AAD\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, 
ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet critical = dynamic(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', '158c047a-c907-4556-b7ef-446551a6b5f7', '62e90394-69f5-4237-9190-012177145e10', 'd29b2b05-8046-44ba-8758-1e26182fcf32', '729827e3-9c14-49f7-bb1b-9608f156bbb8', '966707d0-3269-4727-9be2-8c3a10f19b9d', '194ae4cb-b126-40b2-bd5b-6091b380977d', 'fe930be7-5e62-47db-91af-98c3a49a38b1']);\\r\\nlet high = dynamic(['cf1c38e5-3621-4004-a7cb-879624dced7c', '7495fdc4-34c4-4d15-a289-98788ce399fd', 'aaf43236-0c0d-4d5f-883a-6955382ac081', '3edaf663-341e-4475-9f94-5c398ef6c070', '7698a772-787b-4ac8-901f-60d6b08affd2', 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9', '9f06204d-73c1-4d4c-880a-6edb90606fd8', '29232cdf-9323-42fd-ade2-1d097af3e4de', 'be2f45a1-457d-42af-a067-6ec1fa63bc45', '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', 'e8611ab8-c189-46e8-94e1-60213ab1f814']);//witdstomstl\\r\\nlet AnomalousRoleAssignment = AuditLogs\\r\\n | where TimeGenerated > ago(28d)\\r\\n | where OperationName == \\\"Add member to role\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner (\\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Add member to role\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend AnomalyName = \\\"Anomalous Role Assignemt\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing Add member to priveleged role, or ones that add users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let LogOns=materialize(\\r\\n BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\");\\r\\nlet AnomalousResourceAccess = LogOns\\r\\n | where ActionType == \\\"ResourceAccess\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous Resource Access\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversary may be trying to move through the environment. APT29 and APT32, for example, has used PtH & PtT techniques to lateral move around the network. 
The query below generates an output of all users performing an resource access (4624:3) to devices for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousRDPActivity = LogOns\\r\\n | where ActionType == \\\"RemoteInteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | extend AnomalyName = \\\"Anomalous RDP Activity\\\",\\r\\n Tactic = \\\"Lateral Movement\\\",\\r\\n Technique = \\\"\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. FIN10, for example, has used RDP to move laterally to systems in the victim environment. 
The query below generates an output of all users performing a remote interactive logon (4624:10) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousLogintoDevices = LogOns\\r\\n | where ActionType == \\\"InteractiveLogon\\\"\\r\\n | where ActivityInsights.FirstTimeUserLoggedOnToDevice == true\\r\\n | where UsersInsights.DormantAccount == true or DevicesInsights.LocalAdmin == true\\r\\n | extend AnomalyName = \\\"Anomalous Login To Devices\\\",\\r\\n Tactic = \\\"Privilege Escalation\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access and privilege escalation. 
The query below generates an output of all administator users performing an interactive logon (4624:2) to a device for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousPasswordReset = BehaviorAnalytics\\r\\n | where ActionType == \\\"Reset user password\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == \\\"True\\\"\\r\\n | join (\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Reset user password\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Password Reset\\\",\\r\\n Tactic = \\\"Impact\\\",\\r\\n Technique = \\\"Account Access Removal\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. LockerGoga, for example, has been observed changing account passwords and logging off current users. 
The query below generates an output of all users performing Reset user password for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalousGeoLocationLogon = BehaviorAnalytics\\r\\n | where ActionType == \\\"Sign-in\\\"\\r\\n | where ActivityInsights.FirstTimeUserConnectedFromCountry == True and (ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == True or ActivityInsights.CountryUncommonlyConnectedFromAmongPeers == True)\\r\\n | join (\\r\\n SigninLogs\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Successful Logon\\\",\\r\\n Tactic = \\\"Initial Access\\\",\\r\\n Technique = \\\"Valid Accounts\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. APT33, for example, has used valid accounts for initial access. 
The query below generates an output of successful Sign-in performed by a user from a new geo location he has never connected from before, and none of his peers as well.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousFailedLogon = BehaviorAnalytics\\r\\n | where ActivityType == \\\"LogOn\\\"\\r\\n | where UsersInsights.BlastRadius == \\\"High\\\"\\r\\n | join (\\r\\n SigninLogs \\r\\n | where Status.errorCode == 50126\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Failed Logon\\\",\\r\\n Tactic = \\\"Credential Access\\\",\\r\\n Technique = \\\"Brute Force\\\",\\r\\n SubTechnique = \\\"Password Guessing\\\",\\r\\n Description = \\\"Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Emotet, for example, has been observed using a hard coded list of passwords to brute force user accounts. 
The query below generates an output of all users with 'High' BlastRadius that perform failed Sign-in:Invalid username or password.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"Evidence\\\"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; \\r\\nlet AnomalousAADAccountManipulation = AuditLogs\\r\\n | where OperationName == \\\"Update user\\\"\\r\\n | mv-expand AdditionalDetails\\r\\n | where AdditionalDetails.key == \\\"UserPrincipalName\\\"\\r\\n | mv-expand TargetResources\\r\\n | extend RoleId = tostring(TargetResources.modifiedProperties[0].newValue)\\r\\n | where isnotempty(RoleId) and RoleId in (critical, high)\\r\\n | extend RoleName = tostring(TargetResources.modifiedProperties[1].newValue)\\r\\n | where isnotempty(RoleName)\\r\\n | extend TargetId = tostring(TargetResources.id)\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | join kind=inner ( \\r\\n BehaviorAnalytics\\r\\n | where ActionType == \\\"Update user\\\"\\r\\n | where UsersInsights.BlasrRadius == \\\"High\\\" or ActivityInsights.FirstTimeUserPerformedAction == true\\r\\n )\\r\\n on $left._ItemId == $right.SourceRecordId\\r\\n | extend UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName) \\r\\n | extend AnomalyName = \\\"Anomalous Account Manipulation\\\",\\r\\n Tactic = 
\\\"Persistence\\\",\\r\\n Technique = \\\"Account Manipulation\\\",\\r\\n SubTechnique = \\\"\\\",\\r\\n Description = \\\"Adversaries may manipulate accounts to maintain access to victim systems. These actions include adding new accounts to high privilleged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high Blast Radius users performing 'Update user' (name change) to priveleged role, or ones that changed users for the first time.\\\"\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, RoleName, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority; let AnomalousAADAccountCreation = BehaviorAnalytics\\r\\n | where ActionType == \\\"Add user\\\"\\r\\n | where ActivityInsights.FirstTimeUserPerformedAction == True or ActivityInsights.FirstTimeActionPerformedInTenant == True or ActivityInsights.ActionUncommonlyPerformedAmongPeers == true\\r\\n | join(\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Add user\\\"\\r\\n )\\r\\n on $left.SourceRecordId == $right._ItemId\\r\\n | mv-expand TargetResources\\r\\n | extend Target = iff(tostring(TargetResources.userPrincipalName) contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(TargetResources.userPrincipalName, \\\"#\\\")[0])), TargetResources.userPrincipalName), tostring(TargetResources.userPrincipalName)\\r\\n | extend DisplayName = tostring(UsersInsights.AccountDisplayName),\\r\\n UserPrincipalName = iff(UserPrincipalName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserPrincipalName),\\r\\n UserName = iff(UserName contains \\\"#EXT#\\\", replace(\\\"_\\\", \\\"@\\\", 
tostring(split(UserPrincipalName, \\\"#\\\")[0])), UserName)\\r\\n | extend AnomalyName = \\\"Anomalous Account Creation\\\",\\r\\n Tactic = \\\"Persistence\\\",\\r\\n Technique = \\\"Create Account\\\",\\r\\n SubTechnique = \\\"Cloud Account\\\",\\r\\n Description = \\\"Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. The query below generates an output of all the users performing user creation for the first time and the target users that were created.\\\"\\t\\r\\n | project TimeGenerated, AnomalyName, Tactic, Technique, SubTechnique, Description, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, [\\\"TargetUser\\\"]=Target, [\\\"Evidence\\\"]=ActivityInsights, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, [\\\"Anomaly Score\\\"]=InvestigationPriority\\r\\n | sort by TimeGenerated desc;\\r\\nlet AnomalyTable = union kind=outer AnomalousSigninActivity, AnomalousRoleAssignment, AnomalousResourceAccess, AnomalousRDPActivity, AnomalousPasswordReset, AnomalousLogintoDevices, AnomalousGeoLocationLogon, AnomalousAADAccountManipulation, AnomalousAADAccountCreation, AnomalousFailedLogon;\\r\\nlet TopUsersByAnomalies = AnomalyTable\\r\\n | summarize hint.strategy = shuffle AnomalyCount=count() by UserName, UserPrincipalName, tostring(UsersInsights.OnPremSid), tostring(UsersInsights.AccountObjectId)\\r\\n | project Name=tolower(UserName), UPN=tolower(UserPrincipalName), AadUserId=UsersInsights_AccountObjectId, Sid=UsersInsights_OnPremSid, AnomalyCount\\r\\n | sort by AnomalyCount desc;\\r\\nlet TopUsersByIncidents = SecurityIncident\\r\\n | summarize hint.strategy = shuffle arg_max(LastModifiedTime, *) by IncidentNumber\\r\\n | where Status == \\\"New\\\" or Status == \\\"Active\\\"\\r\\n | mv-expand AlertIds\\r\\n | extend 
AlertId = tostring(AlertIds)\\r\\n | join kind= innerunique ( \\r\\n SecurityAlert \\r\\n )\\r\\n on $left.AlertId == $right.SystemAlertId\\r\\n | summarize hint.strategy = shuffle arg_max(TimeGenerated, *), NumberOfUpdates = count() by SystemAlertId\\r\\n | mv-expand todynamic(Entities)\\r\\n | where Entities[\\\"Type\\\"] =~ \\\"account\\\"\\r\\n | extend Name = tostring(tolower(Entities[\\\"Name\\\"])), NTDomain = tostring(Entities[\\\"NTDomain\\\"]), UPNSuffix = tostring(Entities[\\\"UPNSuffix\\\"]), AadUserId = tostring(Entities[\\\"AadUserId\\\"]), AadTenantId = tostring(Entities[\\\"AadTenantId\\\"]), \\r\\n Sid = tostring(Entities[\\\"Sid\\\"]), IsDomainJoined = tobool(Entities[\\\"IsDomainJoined\\\"]), Host = tostring(Entities[\\\"Host\\\"])\\r\\n | extend UPN = iff(Name != \\\"\\\" and UPNSuffix != \\\"\\\", strcat(Name, \\\"@\\\", UPNSuffix), \\\"\\\")\\r\\n | union TopUsersByAnomalies\\r\\n | extend \\r\\n AadPivot = iff(isempty(AadUserId), iff(isempty(Sid), Name, Sid), AadUserId),\\r\\n SidPivot = iff(isempty(Sid), iff(isempty(AadUserId), Name, AadUserId), Sid),\\r\\n UPNExists = iff(isempty(UPN), false, true),\\r\\n NameExists = iff(isempty(Name), false, true),\\r\\n SidExists = iff(isempty(Sid), false, true),\\r\\n AADExists = iff(isempty(AadUserId), false, true)\\r\\n | summarize hint.strategy = shuffle IncidentCount=dcount(IncidentNumber, 4), AlertCount=dcountif(AlertId, isnotempty(AlertId), 4), AnomalyCount=sum(AnomalyCount), any(Title, Severity, Status, StartTime, IncidentNumber, IncidentUrl, Owner), UPNAnchor=anyif(UPN, UPNExists == true), NameAnchor=anyif(Name, NameExists == true), AadAnchor=anyif(AadUserId, AADExists == true), SidAnchor=anyif(Sid, SidExists == true), any(SidPivot) by AadPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), NameAnchor=anyif(NameAnchor, isempty(NameAnchor) == false), 
AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_Title, any_Severity, any_StartTime, any_IncidentNumber, any_IncidentUrl) by any_SidPivot\\r\\n | summarize hint.strategy = shuffle IncidentCount=sum(IncidentCount), AlertCount=sum(AlertCount), AnomalyCount=sum(AnomalyCount), UPNAnchor=anyif(UPNAnchor, isempty(UPNAnchor) == false), AadAnchor=anyif(AadAnchor, isempty(AadAnchor) == false), SidAnchor=anyif(SidAnchor, isempty(SidAnchor) == false), any(any_any_Title, any_any_Severity, any_any_StartTime, any_any_IncidentNumber, any_any_IncidentUrl) by NameAnchor\\r\\n | project [\\\"UserName\\\"]=NameAnchor, IncidentCount, AlertCount, AnomalyCount, [\\\"AadUserId\\\"]=AadAnchor, [\\\"OnPremSid\\\"]=SidAnchor, [\\\"UserPrincipalName\\\"]=UPNAnchor;\\r\\nTopUsersByIncidents\\r\\n| where UserPrincipalName !contains \\\"[\\\"\\r\\n| where UserPrincipalName <> \\\"\\\"\\r\\n| project UserPrincipalName, IncidentCount, AlertCount, AnomalyCount\\r\\n| sort by AlertCount desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Entity Behavior Analytics Alerts\",\"noDataMessage\":\"There are no results within the selected thresholds (time, workspace, subscription). 
See Enable User and Entity Behavior Analytics (UEBA) in Azure Sentinel for respective UEBA configurations (https://docs.microsoft.com/azure/sentinel/enable-entity-behavior-analytics)\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"i
sEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Sentinel Fusion\\\" or AlertName contains \\\"Anomalous\\\"\\r\\n| summarize count () by AlertName, ProductName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Dynamic Threat Detection Rules\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Dynamic Threat Discovery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Policy Enforcement 
Parity](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nConsistently applying security protections and other policies, independent of the communication mechanism, forwarding path, or endpoints used.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Policy?](https://docs.microsoft.com/azure/governance/policy/overview)
\\r\\n💡 [What is Azure Blueprints?](https://docs.microsoft.com/azure/governance/blueprints/)
\\r\\n💡 [Password Policies and Account Restrictions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Overview)
\\r\\n🔄 [Blueprints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/BlueprintsMenuBlade/GetStarted)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| summarize count() by RecommendationName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Configured Assessment Policies\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Policy Enforcement Parity\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Effective Use of Shared Services](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmploying shared services, where applicable, that can be individually tailored, measured to independently validate service conformance, and offer effective protections for tenants against malicious actors, both external as well as internal to the service provider.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Started with Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
\\r\\n💡 [Customer Lockbox for Microsoft Azure](https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview)
\\r\\n💡 [What are External Identities in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/external-identities/compare-with-b2c)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Lighthouse](https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/LighthouseBlade)
\\r\\n🔄 [Customer Lockbox for Microsoft Azure](https://portal.azure.com/#blade/Microsoft_Azure_Lockbox/LockboxMenu/Overview)
\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, ID.GV, ID.RM, ID.SC, PR.AT, RS.CO](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Azure Lighthouse for Service Provider Access](https://azure.microsoft.com/services/azure-lighthouse/)\\r\\n![Image Name](https://docs.microsoft.com/azure/lighthouse/media/azure-lighthouse-overview.jpg)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Use Azure Customer Lockbox for Shared Access to Resources](https://aka.ms/customerlockbox/insiderprogram)\\r\\n![Image Name](https://docs.microsoft.com/azure/security/fundamentals/media/customer-lockbox-overview/customer-lockbox-landing-page.png)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Effective Use of Shared Services\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Integrated Desktop, Mobile, and Remote Policiess](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDefining polices such that they apply to a given agency entity no matter its location.\\r\\n\\r\\n### Microsoft References \\r\\n💡 
[What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n💡 [What are Common Ways to Use Conditional Access with Intune?](https://docs.microsoft.com/mem/intune/protect/conditional-access-intune-common-ways-use)
 \\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Microsoft Endpoint Manager Admin Center](https://devicemanagement.microsoft.com/)
\\r\\n🔄 [Microsoft Intune Portal](https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/DevicesMenu/overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.IP, PR.MA](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sign-Ins By Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"Location\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Control Connection of Endpoints with Microsoft Intune: Conditional 
Access](https://www.microsoft.com/microsoft-365/microsoft-endpoint-Manager)\\r\\n![Image Name](https://docs.microsoft.com/mem/intune/protect/media/conditional-access/ca-diagram-1.png  \\\"Intune Conditional Access\\\") \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUniversalSecurityCapabilitiesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Integrated Desktop, Mobile, and Remote Policies\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Files](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nFile-based protections including anti-malware, malicious code removal, content disarm & reconstruction, and detonation chambers.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Files Capabilities Overview\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"c61c3951-546a-40ae-a680-74638b772d80\",\"cellValue\":\"Anti-Malware\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-Malware\",\"style\":\"link\"},{\"id\":\"6a592926-301d-44d9-8915-359e443fbc61\",\"cellValue\":\"Content Disarm & Reconstruction\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Content Disarm & Reconstruction\",\"style\":\"link\"},{\"id\":\"ec6b5ffc-7d3d-4a93-b1cf-e20af0b57f3e\",\"cellValue\":\"Detonation Chamber\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Detonation Chamber\",\"style\":\"link\"},{\"id\":\"33cb9a0b-8e24-410a-afd4-81d9e201e7a3\",\"cellValue\":\"Data Loss Prevention_F\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss 
Prevention\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Files Capabilities Navigation\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Malware](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-malware protections detect the presence of malicious code and facilitate its quarantine or removal.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Microsoft Antimalware Extension for Windows](https://docs.microsoft.com/azure/virtual-machines/extensions/iaas-antimalware-windows)
\\r\\n💡 [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/antimalware)
\\r\\n💡 [Microsoft Cloud App Security: Malware Detection](https://docs.microsoft.com/cloud-app-security/anomaly-detection-policy#malware-detection)
\\r\\n💡 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Azure Defender](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, DE.CM, DE.DP, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Malware\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertName contains \\\"mal\\\"\\r\\n| summarize count() by ProductName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Detected by Product\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and 
Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Malware\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Disarm & Reconstruction](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent disarm and reconstruction technology detects the presence of unapproved active content and facilitates its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Setup Safe Attachments Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies)
\\r\\n💡 [Threat and Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailAttachmentInfo](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailattachmentinfo) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n| extend Detection = strcat(DetectionMethods)\\r\\n| where ThreatTypes <> \\\"\\\"\\r\\n| project RecipientEmailAddress, FileName, ThreatTypes, ThreatNames, Detection, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Attachments: Attachment Mitigations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content Disarm & Reconstruction\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Detonation Chamber](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDetonation chambers facilitate the detection of malicious code through the use of protected and isolated execution environments to analyze the files.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Submit File for Deep Analysis](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#submit-files-for-deep-analysis)
\\r\\n💡 [Using the Built-in URL Detonation in Azure Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229)
\\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n💡 [Safe Attachments in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-attachments)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔄 [Azure Portal](https://portal.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM, DE.DP, RS.AN, RS.MI](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods <>\\\"\\\"\\r\\n| project RecipientEmailAddress, DeliveryAction, DeliveryLocation, EmailDirection, EmailAction, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Detonation: SafeLinks, SafeAttachments, SafeFiles\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailDirection\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Outbound\",\"representation\":\"right\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"left\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EmailAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DetectionMethods\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comp
arison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Detonation Chamber\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Hunt for Threats with Azure Sentinel](https://docs.microsoft.com/azure/sentinel/hunting)\\r\\n💡 [Learn about Microsoft 365 Endpoint Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Endpoint]( https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| extend UserPrincipalName = UserId_s_s\\r\\n| where LabelName_s <> \\\"\\\"\\r\\n| join (SigninLogs) on UserPrincipalName\\r\\n| extend City = tostring(LocationDetails.city)\\r\\n| extend State = tostring(LocationDetails.state)\\r\\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Sensitive Data Access by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UncommonActionVolume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"UncommonAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"green\"}},{\"columnMatch\":\"FirstTimeUserAction\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"FirstTimeDeviceLogon\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellow\"}},{\"columnMatch\":\"IncidentCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}},{\"columnMatch\":\"AnomalyCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"yellow\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAgg
regation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Data Loss Prevention\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isFilesVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_F\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Email](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEmail-based protections including anti-phishing, anti-spam, 
authenticated received chain, data loss prevention, DMARC for incoming/outgoing mail, email encryption, and malicious URL protections.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Email Capabilities Help\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"75486fb8-e143-457b-881a-b1acaee05453\",\"cellValue\":\"Anti-Phishing Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-Phishing Protections\",\"style\":\"link\"},{\"id\":\"a4879110-271e-496c-ae2f-7e30296af266\",\"cellValue\":\"Anti-SPAM Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Anti-SPAM Protections\",\"style\":\"link\"},{\"id\":\"bbc29b77-2e9a-4438-970f-e0abfdc8a3cc\",\"cellValue\":\"Authenticated Received Chain\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Authenticated Received Chain\",\"style\":\"link\"},{\"id\":\"43972d55-2e0c-4660-ac09-91459af1713e\",\"cellValue\":\"Data Loss Prevention_E\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention\",\"style\":\"link\"},{\"id\":\"d7f5b5ba-5ccc-4043-b403-f046b15a853e\",\"cellValue\":\"DMARC for Incoming Email\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DMARC for Incoming Email\",\"style\":\"link\"},{\"id\":\"42784042-f170-4520-bf7f-8f765ca54584\",\"cellValue\":\"DMARC for Outgoing Email\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DMARC for Outgoing Email\",\"style\":\"link\"},{\"id\":\"50c50837-7378-419f-b5ab-60a4f50a8e3c\",\"cellValue\":\"Encryption for Email Transmission\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Encryption for Email Transmission\",\"style\":\"link\"},{\"id\":\"8ea80e97-f1f8-4f1f-9be1-85f5b2974254\",\"cellValue\":\"Malicious URL Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Malicious URL Protections\",\"style\":\"link\"},{\"id\":\"1247fbc5-40c8-4326-8e9d-dc7dc6387e65\",\"cellValue\":\"URL Click-Through 
Protection\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ URL Click-Through Protection\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Email Capabilities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-Phishing Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-phishing protections detect instances of phishing and prevent users from accessing them.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Anti-Phishing Protection in Microsoft 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-protection)
\\r\\n💡 [Configure Anti-Phishing Policies in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-atp-anti-phishing-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent)✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AT, PR.PT, DE.CM](https://www.nist.gov/cyberframework)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProductName contains \\\"Office 365 Advanced Threat Protection\\\"\\r\\n| distinct AlertName, ProductName, Status, AlertLink, Tactics, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"title\":\"Security Alerts: Phishing\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"3\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"uninitialized\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >\"}},{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UPN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Incident 
>\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"city_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"state_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\",\"text\":\"{0}{1}\"}]}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"SigninStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"blue\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"Location\",\"latitude\":\"SourceIPLocation\",\"longitude\":\"SourceIPLocation\",\"sizeSettings\":\"Location\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"Location\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"Location\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blueDark\"}]}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-Phishing Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Anti-SPAM 
Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAnti-SPAM protections detect and quarantine instances of SPAM.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Anti-Spam protection in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/anti-spam-protection)
\\r\\n💡 [Configure Anti-Spam Policies in Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-your-spam-filter-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| extend Spam = tostring(parse_json(ConfidenceLevel).Spam)\\r\\n| where Spam <> \\\"Skipped\\\"\\r\\n| where Spam <> \\\"Not spam\\\"\\r\\n| project Spam, RecipientEmailAddress, DeliveryAction, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Email Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Anti-SPAM Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Received Chain](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated Received Chain allows for an intermediary, like a mailing list or forwarding service, to sign its own authentication of the original email, allowing downstream 
entities to accept the intermediary’s authentication even if the email was changed.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How Microsoft 365 Utilizes Authenticated Received Chain (ARC)](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-utilizes-authenticated-received-chain-arc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Review Security Alerts for DMARC, SPF, DKIM Validations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to 
Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Received Chain\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n💡 [Configure and View Alerts for DLP Polices](https://docs.microsoft.com/microsoft-365/compliance/dlp-configure-view-alerts-policies)
\\r\\n💡 [How DLP Works Between the Security & Compliance Center and Exchange Admin Centers](https://docs.microsoft.com/microsoft-365/compliance/how-dlp-works-between-admin-centers)
\\r\\n💡 [Email Entity Page](https://docs.microsoft.com/microsoft-365/security/office-365-security/mdo-email-entity-page)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| where ApplicationName_s == \\\"Outlook Web\\\" or ApplicationName_s contains \\\"exchange\\\"\\r\\n| project UserId_s, ApplicationName_s, LabelName_s, Activity_s, Operation_s, TimeGenerated\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Data Loss Prevention\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Azure Information Protection: Email Classifications & 
Labeling](https://azure.microsoft.com/services/information-protection/)\\r\\n![Image Name](https://docs.microsoft.com/azure/information-protection/media/recipients-only-label2.png)\\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_E\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Incoming Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections authenticate incoming email according to the DMARC email authentication protocol defined in RFC 7489.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"inbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Incoming 
Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DMARC for Outgoing Email](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDMARC protections facilitate the authentication of outgoing email by signing the emails and ensuring that external parties may validate the email signatures. The DMARC email authentication protocol is defined in RFC7489.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Use DMARC to Validate Email](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email)
\\r\\n💡 [How Microsoft 365 Handles Inbound Emails that Fail DMARC](https://docs.microsoft.com/microsoft-365/security/office-365-security/use-dmarc-to-validate-email#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where Entities contains \\\"Fail\\\" and Entities contains \\\"outbound\\\"\\r\\n| project AlertName, AlertLink, ProductName, Entities, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound DMARC Failures\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DMARC for Outgoing 
Email\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Encryption for Email Transmission](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEmail services are configured to use encrypted connections, when possible, for communications between clients and other email servers.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Email Encryption](https://docs.microsoft.com/microsoft-365/compliance/ome)
\\r\\n💡 [How Exchange Online Uses TLS to Secure Email Connections](https://docs.microsoft.com/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Setup New Message Encryption Capabilities](https://docs.microsoft.com/microsoft-365/compliance/set-up-new-message-encryption-capabilities)
\\r\\n💡 [Define Mail Flow Rules to Encrypt Email Messages](https://docs.microsoft.com/microsoft-365/compliance/define-mail-flow-rules-to-encrypt-email)
\\r\\n💡 [Manage Office 365 Message Encryption](https://docs.microsoft.com/microsoft-365/compliance/manage-office-365-message-encryption)
\\r\\n\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
🔄[Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationDisplayName contains \\\"encrypt\\\"\\r\\n| summarize count() by RecommendationDisplayName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Workload Encryption Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert >>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Encryption for Email Transmission\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious URL Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious URL protections detect malicious URLs in emails and prevent users from accessing them.\\r\\n\\r\\n### Microsoft 
References \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [EmailEvents](https://docs.microsoft.com/azure/azure-monitor/reference/tables/emailevents) ✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n| where DetectionMethods contains \\\"url\\\"\\r\\n| join (EmailUrlInfo) on NetworkMessageId\\r\\n| project RecipientEmailAddress, DeliveryAction, Url, UrlDomain, EmailDirection, ConfidenceLevel, DetectionMethods, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SafeLinks Email Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DeliveryAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious URL 
Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [URL Click-Through Protection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nURL click-through protections ensure that when a URL from an email is clicked, the requester is directed to a protection that verifies the security of the URL destination before permitting access.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Safe Links in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/atp-safe-links)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityevent) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"OATP\\\"\\r\\n| where DisplayName contains \\\"URL\\\"\\r\\n| summarize count() by AlertName, ProductName\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email URL Protections\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ProductName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"pending\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert 
>>\"}},{\"columnMatch\":\"Spam\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Mail\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecipientEmailAddress\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatTypes\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEmailVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"URL Click-Through Protection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Web](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nWeb-based protections including break/inspect, active content mitigation, certificate blacklisting/consensus, content filtering, authenticated proxy, data loss prevention, DNS-over-HTTPS filtering, RFC compliance enforcement, domain category filtering, domain reputation filtering, bandwidth control, malicious content filtering, and access control.\"},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Web Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"02e1e8dc-ada0-4398-a18e-ee6a27a4398c\",\"cellValue\":\"Break and Inspect\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Break and 
Inspect\",\"style\":\"link\"},{\"id\":\"73c46479-2507-480d-81c2-59b8eb2dde4c\",\"cellValue\":\"Active Content Mitigation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Active Content Mitigation\",\"style\":\"link\"},{\"id\":\"899e3919-5a81-48ad-9fe1-2b30ea75e063\",\"cellValue\":\"Certificate Denylisting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Certificate Denylisting\",\"style\":\"link\"},{\"id\":\"134c9530-0a39-49e3-af06-57a55a4405a2\",\"cellValue\":\"Content Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Content Filtering\",\"style\":\"link\"},{\"id\":\"654216c3-dd72-4350-936e-fbddc7403bfe\",\"cellValue\":\"Authenticated Proxy\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Authenticated Proxy\",\"style\":\"link\"},{\"id\":\"53b5caf3-9696-403b-9aba-501f81f28a78\",\"cellValue\":\"Data Loss Prevention_W\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention\",\"style\":\"link\"},{\"id\":\"1399dbe0-3ec8-4aca-a6f2-159076019a67\",\"cellValue\":\"DNS-over-HTTPS Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNS-over-HTTPS Filtering\",\"style\":\"link\"},{\"id\":\"4c24ab6e-8548-40ad-8e13-6f57a9216e8f\",\"cellValue\":\"RFC Compliance Enforcement\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ RFC Compliance Enforcement\",\"style\":\"link\"},{\"id\":\"3330274e-62a3-4080-818e-e69976148766\",\"cellValue\":\"Domain Category Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Domain Category Filtering\",\"style\":\"link\"},{\"id\":\"281a70fe-cc00-4620-acad-fa927c48575b\",\"cellValue\":\"Domain Reputation Filter\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Domain Reputation Filter\",\"style\":\"link\"},{\"id\":\"8089a515-f341-40d7-9826-4d88a34f5f93\",\"cellValue\":\"Bandwidth Control\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Bandwidth Control\",\"style\":\"link\"},{\"id\":\"a3175efa-dcda-4782-b216-e9bbdc6a8903\",\"cellValue\":\"Malicious Content Filtering\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Malicious Content 
Filtering\",\"style\":\"link\"},{\"id\":\"421a85e7-424d-4bbb-8c60-cda8e43ba959\",\"cellValue\":\"Access Control_W\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Web Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Break and Inspect](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBreak-and-Inspect systems, or encryption proxies, terminate encrypted traffic, logging or performing policy enforcement against the plaintext, and re-encrypting the traffic, if applicable, before transmitting to the final destination.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n💡 [Inspect Traffic with Azure Firewall](https://docs.microsoft.com/azure/private-link/inspect-traffic-with-azure-firewall)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall Premium](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/azurefirewalls\\\"\\r\\n| extend ResourceGroup = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend ipConfigurations = properties.ipConfigurations\\r\\n| extend FirewallSKU = tostring(properties.sku.tier)\\r\\n| extend ThreatIntelMode = tostring(properties.threatIntelMode)\\r\\n| extend DNSConfig = properties.additionalProperties\\r\\n| mv-expand bagexpansion=array ipConfigurations\\r\\n| extend PIPid = tostring(ipConfigurations.properties.publicIPAddress.id)\\r\\n| join ( Resources | where type=='microsoft.network/publicipaddresses' | extend PublicIPAddress=tostring(properties.ipAddress) | project PIPid=id,PublicIPAddress ) on PIPid\\r\\n| extend PrivateIP = tostring(ipConfigurations.properties.privateIPAddress)\\r\\n| extend PrivateIPAllocation = tostring(ipConfigurations.properties.privateIPAllocationMethod)\\r\\n| extend SubnetId = ipConfigurations.properties.subnet.id\\r\\n| project-away kind, managedBy, plan, sku, properties, identity, zones, extendedLocation, ipConfigurations, PIPid, PIPid1, tags, tenantId, name, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewalls\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: 
Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"ResourceGroup\",\"formatter\":14,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"SubnetId\",\"formatter\":13,\"formatOptions\":{\"linkTarget\":\"Resource\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"ResourceGroup\",\"label\":\"Resource Group\"},{\"columnId\":\"FirewallSKU\",\"label\":\"Firewall SKU\"},{\"columnId\":\"ThreatIntelMode\",\"label\":\"Threat Intel Mode\"},{\"columnId\":\"DNSConfig\",\"label\":\"DNS Config\"},{\"columnId\":\"PublicIPAddress\",\"label\":\"Public IP Address\"},{\"columnId\":\"PrivateIP\",\"label\":\"Private IP\"},{\"columnId\":\"PrivateIPAllocation\",\"label\":\"Private IP Allocation\"},{\"columnId\":\"SubnetId\",\"label\":\"Subnet\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"AzureFirewalls\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Break and Inspect\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Active Content 
Mitigation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nActive content mitigation protections detect the presence of unapproved active content and facilitate its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FakeData = (datatable (Message: string, ruleName_s: string, clientIp_s: string, clientIP_s: string, action_s: string, transactionId_s: string, trackingReference_s: string) [\\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\", \\\"\\\"]);\\r\\nFakeData\\r\\n| union AzureDiagnostics\\r\\n| where (ResourceType == \\\"APPLICATIONGATEWAYS\\\" or ResourceType == \\\"FRONTDOORS\\\" or ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\") and (\\\"Application Gateway\\\" == \\\"All\\\" or (ResourceType == \\\"APPLICATIONGATEWAYS\\\" and \\\"Application Gateway\\\" contains \\\"application gateway\\\") or (ResourceType == \\\"FRONTDOORS\\\" and \\\"Application Gateway\\\" contains \\\"azure front door\\\") or (ResourceType == \\\"CDNWEBAPPLICATIONFIREWALLPOLICIES\\\" and \\\"Application Gateway\\\" contains \\\"cdn\\\")) and (\\\"SOC-NS-AG-WAFV2 - 1129440\\\" == \\\"All\\\" or Resource in ('SOC-NS-AG-WAFV2'))\\r\\n| where Category == \\\"FrontdoorWebApplicationFirewallLog\\\" or OperationName == \\\"ApplicationGatewayFirewall\\\" or Category == \\\"WebApplicationFirewallLogs\\\"\\r\\n| extend Action = iif(action_s == \\\"Blocked\\\", Action = \\\"Block\\\", action_s)\\r\\n| extend Action = iif(Action == \\\"Detected\\\", Action = \\\"Log\\\", Action)\\r\\n| where '*' == Action or '*' == \\\"*\\\" \\r\\n| where '*' == requestUri_s or '*' == \\\"*\\\"\\r\\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\\r\\n| extend Rule= iif(Rule contains \\\"Mandatory rule. Cannot be disabled.\\\", strcat_array(split(Rule, \\\"Mandatory rule. Cannot be disabled. 
Inbound \\\", 1), \\\"\\\"), Rule) // Removes initial component for mandatory rule \\r\\n| extend Rule = iif(Rule contains \\\"Total Inbound Score\\\", strcat_array(array_concat(split(Rule, \\\" - SQLI=\\\", 0), parse_json('[\\\") -\\\"]'), split(Rule, \\\"):\\\", 1)), \\\"\\\"), Rule) // Removes smaller information if more info is available for anomaly score\\r\\n| summarize count() by Rule\\r\\n| top 50 by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure WAF Events\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Rule\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"warning\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redDark\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Active Content 
Mitigation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate denylisting protections prevent communication with entities that use a set of known bad certificates.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Certificates Used by Azure Firewall Premium](https://docs.microsoft.com/azure/firewall/premium-certificates)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Quickstart: Create a Key Vault using the Azure Portal](https://docs.microsoft.com/azure/key-vault/general/quick-create-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\" or type contains \\\"firewall\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Leverage Azure Firewall & Key Vault Assets for Certificate Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nContent filtering protections 
detect the presence of unapproved content and facilitate its removal or denial of access.\\r\\n\\r\\n### Microsoft References\\r\\n💡 [Azure Firewall Web Categories](https://docs.microsoft.com/azure/firewall/web-categories)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-content-filtering)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM, DE.DP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". 
Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| summarize Count = count(), last_log = datetime_diff(\\\"second\\\", now(), max(TimeGenerated)) by RuleCollection, Rule, WebCategory\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure Firewall: Content Enforcement\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"noDataMessageStyle\":2,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_heatmap_last_log_4\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Content 
Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Authenticated Proxy](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAuthenticated proxies require entities to authenticate with the proxy before making use of it, enabling user, group, and location-aware security controls.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Plan an Azure AD Application Proxy Deployment](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan)
\\r\\n💡 [Configure Real-Time Application Access Monitoring with Microsoft Cloud App Security and Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-integrate-with-microsoft-cloud-application-security)
\\r\\n💡 [Protect Apps with Microsoft Cloud App Security Conditional Access App Control](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MCAS\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Microsoft Cloud App Security: Cloud App Security Brokering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Authenticated Proxy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Microsoft Cloud App Security: File Policies](https://docs.microsoft.com/cloud-app-security/data-protection-policies)
\\r\\n💡 [Content Inspection for Protected Files](https://docs.microsoft.com/cloud-app-security/content-inspection)
\\r\\n💡 [How to Configure a Label for Rights Management Protection](https://docs.microsoft.com/azure/information-protection/configure-policy-protection)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)\\r\\n ✳️ [Azure Defender](https://azure.microsoft.com/services/azure-defender/)\\r\\n✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
✳️ [Microsoft Defender for Office 365](https://www.microsoft.com/microsoft-365/security/office-365-defender) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Office 365 Security & Compliance Center](https://protection.office.com/)
\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where Tactics contains \\\"exfil\\\"\\r\\n| summarize count() by AlertName, ProductName, Tactics\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Web Data Loss Prevention Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS-over-HTTPS Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS-over-HTTPS filtering prevents entities from using the DNS-over-HTTPS protocol, possibly evading DNS-based protections.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Web Content Filtering](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| where AlertName contains \\\"URL\\\" or AlertName contains \\\"web\\\" or AlertName contains \\\"indicator\\\" or Description contains \\\"URL\\\" or AlertType contains \\\"NetworkProtectionBlocked\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":1,\"showAnalytics\":true,\"title\":\"Mitigate DNS-over-HTTPS with Agent-Based Web Filters such as Microft Defender for Endpoint: Web Content Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"whiteBlack\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumSignificantDigits\":4}}},{\"columnMatch\":\"last_log\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":24,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 36\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS-over-HTTPS Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [RFC Compliance Enforcement](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRFC compliant enforcement technologies ensure that traffic complies with protocol definitions.\\r\\n\\r\\n### Microsoft References\\r\\n💡[What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Web Application Firewall]( https://azure.microsoft.com/services/web-application-firewall/) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics \\r\\n| where Category == \\\"ApplicationGatewayFirewallLog\\\"\\r\\n| where details_file_s contains \\\"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\\\"\\r\\n| summarize count() by ResourceId, Message\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protocol Enforcement Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"RFC Compliance 
Enforcement\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Category Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain category filtering technologies allow for classes of domains (e.g. banking, medical) to receive a different set of security protections.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall: Web Categories](https://docs.microsoft.com/azure/firewall/premium-deploy#web-categories-testing)
\\r\\n💡 [Use FQDN Filtering in Network Rules](https://docs.microsoft.com/azure/firewall/fqdn-filtering-network-rules)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)\\t
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\n materialize(\\r\\n AzureDiagnostics\\r\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\r\\n | project msg_s, Resource, TimeGenerated);\\r\\nunion\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url:\\\" Url \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s has \\\". No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". No rule matched\\\" *\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s has \\\"Web Category:\\\" and msg_s !has \\\". Url\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection:\\\" RuleCollection \\\". 
Rule:\\\" Rule \\\". Web Category:\\\" WebCategory\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". \\\" RuleCollection \\\". \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n | where msg_s has \\\" Reason:\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\". Action: \\\" Action \\\". Reason: \\\" Rule \\\".\\\"\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"TLS extension was missing\\\"\\r\\n and msg_s !has \\\"No rule matched\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Rule Collection: \\\" RuleCollection \\\". Rule: \\\" Rule\\r\\n ),\\r\\n (\\r\\n materializedData\\r\\n | where msg_s !has \\\"Web Category:\\\"\\r\\n and msg_s !has \\\". Url\\\"\\r\\n and msg_s !has \\\"Rule Collection\\\"\\r\\n and msg_s !has \\\" Reason: \\\"\\r\\n | where msg_s has \\\"Rule Collection Group\\\"\\r\\n | parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". Policy:\\\" Policy \\\". Rule Collection Group:\\\" RuleCollectionGroup \\\". Rule Collection: \\\" RuleCollection \\\". 
Rule: \\\" Rule\\r\\n )\\r\\n| where Action == \\\"Deny\\\"\\r\\n| where '*' == SourceIP or '*' == \\\"*\\\" \\r\\n| summarize count() by FQDN\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Domain & Category Filtering\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FQDN\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Category Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Domain Reputation Filter](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDomain reputation filtering 
protections are a form of domain denylisting based on a domain’s reputation, as defined by either the agency or an external entity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Threat Intelligence-Based Filtering](https://docs.microsoft.com/azure/firewall/threat-intel)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n| where msg_s <> \\\" request from to . Action: . ThreatIntel: \\\"\\r\\n| project msg_s, Resource, TimeGenerated,ResourceId , ResourceGroup , SubscriptionId);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Url: \\\" Url \\\". Action: \\\" Action \\\". ThreatIntel: \\\" ThreatIntelMsg\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n| where msg_s !has \\\"Url\\\"\\r\\n| parse msg_s with Protocol \\\" request from \\\" SourceIP \\\":\\\" SourcePort \\\" to \\\" FQDN \\\":\\\" DestinationPort \\\". Action: \\\" Action \\\". 
ThreatIntel: \\\" ThreatIntelMsg\\r\\n)\\r\\n| summarize by ThreatIntelMsg, Url, Action, Protocol, SourceIP, SourcePort, FQDN, DestinationPort, TimeGenerated\\r\\n| where Url <> \\\"\\\"\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: Threat Intelligence URL Blocks\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Url\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Diagnostics\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Action\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"4\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Domain Reputation 
Filter\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Bandwidth Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nBandwidth control technologies allow for limiting the amount of bandwidth used by different classes of domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Monitor Metrics Overview](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics)
\\r\\n💡 [Monitor Azure Firewall Logs and Metrics](https://docs.microsoft.com/azure/firewall/firewall-diagnostics) \\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Metrics](https://docs.microsoft.com/azure/azure-monitor/essentials/data-platform-metrics) ✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth Control\",\"styleSettings\":{\"maxWidth\":\"40\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5084e141-6c56-4d7f-bd8a-09f7ef9af1bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Resource\",\"label\":\"Azure Firewalls\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"where type =~ 'Microsoft.Network/azureFirewalls'\\r\\n| project id, name\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 1\"},{\"type\":10,\"content\":{\"chartId\":\"workbook76864ed5-dd34-42d0-ae35-f3db9f9e8f15\",\"version\":\"MetricsItem/2.0\",\"size\":0,\"chartType\":2,\"resourceType\":\"microsoft.network/azurefirewalls\",\"metricScope\":0,\"resourceParameter\":\"Resource\",\"resourceIds\":[\"{Resource}\"],\"timeContextFromParameter\":\"TimeRange\",\"timeContext\":{\"durationMs\":7776000000},\"metrics\":[{\"namespace\":\"microsoft.network/azurefirewalls\",\"metric\":\"microsoft.network/azurefirewalls--Throughput\",\"aggregation\":4,\"columnName\":\"All Firewall Throughput Average\"}],\"title\":\"Average Throughput of Firewall Traffic\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"metric - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Bandwidth 
Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Malicious Content Filtering](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMalicious content filtering protections detect the presence of malicious content and facilitate its removal.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Web Application Firewall on Azure Application Gateway?](https://docs.microsoft.com/azure/web-application-firewall/ag/ag-overview)
\\r\\n💡 [Azure Web Application Firewall on Azure Front Door](https://docs.microsoft.com/azure/web-application-firewall/afds/afds-overview)
\\r\\n💡 [Azure Firewall Premium Features](https://docs.microsoft.com/azure/firewall/premium-features)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) ✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS, PR.PT, PR.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let materializedData =\\r\\nmaterialize(\\r\\nAzureDiagnostics\\r\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\r\\n| project Category, ResourceType, OperationName);\\r\\nunion\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName == \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | summarize Volume=count() by OperationName\\r\\n | project Category=OperationName, Volume\\r\\n),\\r\\n(\\r\\nmaterializedData\\r\\n | where OperationName <> \\\"AzureFirewallThreatIntelLog\\\"\\r\\n | where OperationName <> \\\"AzureFirewallIDSLog\\\"\\r\\n | summarize Volume=count() by Category\\r\\n)\\r\\n| sort by Volume desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Web Protections by Rule Category\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"noDataMessageStyle\":4,\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Category\",\"exportParameterName\":\"SelectedCategory\",\"exportDefaultValue\":\"*\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Volume\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Volume\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Malicious Content Filtering\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies limiting what actions may be performed by connected users and entities.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Overview of Role-Based Access Control in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/roles/custom-overview)
\\r\\n💡 [What is Azure AD Privileged Identity Management?](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n💡 [Secure Your Management Ports With Just-In-Time Access](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AuditLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/auditlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Security Portals, Features, & Admin Centers\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"just\\\" or RecommendationName contains \\\"JIT\\\"\\r\\n| summarize count() by AssessedResourceId, RecommendationName, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Just in Time Access Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go To Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\r\\n| where Identity == \\\"MS-PIM\\\"\\r\\n| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\r\\n| extend PIM_Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\\r\\n| where UserPrincipalName <>\\\"\\\"\\r\\n| project UserPrincipalName, OperationName, PIM_Role, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Privileged Identity Management Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserPrincipalName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isWebVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access 
Control_W\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Networking](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nNetwork-based protections including network access controls, IP denylisting, host containment, network segmentation, and microsegmentation. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Networking Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"24c6c093-03b1-48d3-8446-b62c7768ab91\",\"cellValue\":\"Access Control_N\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"},{\"id\":\"49076f2b-dc1e-4fc8-8a35-415b2bd20baa\",\"cellValue\":\"IP Denylisting\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ IP Denylisting\",\"style\":\"link\"},{\"id\":\"36a87896-a2b9-4050-82d5-36891c43b497\",\"cellValue\":\"Host Containment\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Host Containment\",\"style\":\"link\"},{\"id\":\"baf36c82-aa55-42e8-88df-60bf3051c347\",\"cellValue\":\"Network Segmentation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Network Segmentation\",\"style\":\"link\"},{\"id\":\"2fcbeaa9-e652-4d47-a07b-0c3b9bc6b266\",\"cellValue\":\"Microsegmentation\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Microsegmentation\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Networking Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control protections prevent the ingest, egress, or transiting of unauthorized network traffic.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security 
Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Network Security Groups](https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall Using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡[Tutorial: Create an Application Gateway with a Web Application Firewall using the Azure Portal](https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal)
\\r\\n💡[Tutorial: Create and Manage a VPN Gateway using Azure Portal]( https://docs.microsoft.com/azure/vpn-gateway/tutorial-create-gateway-portal)
\\r\\n💡[What is Azure ExpressRoute?](https://docs.microsoft.com/azure/expressroute/expressroute-introduction)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
🔄 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔄 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
🔄 [ExpressRoute Circuits](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FexpressRouteCircuits) \\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where OperationName == \\\"NetworkSecurityGroupEvents\\\"\\r\\n| summarize count() by ruleName_s\\r\\n| sort by count_ desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Groups: Rules Triggered\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category contains \\\"AzureFirewall\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Conrol Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access Control_N\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [IP Denylisting](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIP denylisting protections prevent the ingest or transiting of traffic received from or destined to a denylisted IP address.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Connect Data from Threat Intelligence Providers](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence)
\\r\\n💡 [Azure Firewall Threat Intelligence Configuration](https://docs.microsoft.com/azure/firewall-Manager/threat-intelligence-settings)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [ThreatIntelligenceIndicator](https://docs.microsoft.com/azure/azure-monitor/reference/tables/threatintelligenceindicator) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n\\t iff(isnotempty(Url), \\\"URL\\\",\\r\\n\\t iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n\\t iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n\\t iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n\\t \\\"Other\\\")))))\\r\\n| where IndicatorType == \\\"IP\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by IndicatorType\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Sentinel: Threat Intelligence IP Indicators Ingested\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VMConnection\\r\\n| extend NetworkSourceIP=RemoteIp\\r\\n| where NetworkSourceIP <> \\\"\\\"\\r\\n| join (ThreatIntelligenceIndicator) on NetworkSourceIP\\r\\n| extend Indicator = strcat(NetworkSourceIP, FileHashValue, NetworkIP, NetworkDestinationIP, Url, EmailSourceIpAddress, EmailSenderAddress, DomainName)\\r\\n| extend Source=SourceSystem1\\r\\n| summarize count () by ThreatType, Action, Indicator, Direction, _ResourceId, RemoteCountry, RemoteIp, Source\\r\\n| sort by count_ desc\\r\\n| limit 250\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence: IP Denylisting\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"2\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RiskIQ_Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"RiskIQ Lookup 
>\"}},{\"columnMatch\":\"RemoteCountry\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"VirusTotalURL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"VirusTotal Lookup >\"}}],\"filter\":true},\"mapSettings\":{\"locInfo\":\"CountryRegion\",\"locInfoColumn\":\"RemoteCountry\",\"latitude\":\"RemoteLatitude\",\"longitude\":\"RemoteLongitude\",\"sizeSettings\":\"RemoteCountry\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"RemoteCountry\",\"legendMetric\":\"RemoteCountry\",\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"RemoteIp\",\"colorAggregation\":\"Count\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\"}]}}},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Threat Intelligence: IP Denylisting\"}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"IP Denylisting\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Host Containment](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nHost containment protections enable a network to revoke or quarantine a host’s access to the network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security Orchestration, Automation, and Response (SOAR) in Azure 
Sentinel](https://docs.microsoft.com/azure/sentinel/automation-in-azure-sentinel)
\\r\\n💡 [How to Isolate an Azure VM Using Azure Security Center’s Workflow Automation](https://techcommunity.microsoft.com/t5/azure-security-center/how-to-isolate-an-azure-vm-using-azure-security-center-s/ba-p/1250985)
\\r\\n💡 [Isolate Endpoints from the Network](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-endpoints-from-the-network)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals \\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"logic\\\"\\r\\n| where id contains \\\"block\\\" or id contains \\\"isolate\\\" or id contains \\\"lock\\\" or id contains \\\"revoke\\\" or id contains \\\"quarantine\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Containment Automations Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Host Containment\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Network 
Segmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nNetwork segmentation separates a given network into subnetworks, facilitating security controls between the subnetworks, and decreasing the attack surface of the network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Implement Network Segmentation Patterns on Azure](https://docs.microsoft.com/azure/architecture/framework/security/design-network-segmentation)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"network\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Networking Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Network Segmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Microsegmentation](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMicrosegmentation divides the network, either physically or virtually, according to the communication needs 
of application and data workflows, facilitating security controls to protect the data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Network Security & Containment](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [What is Azure Virtual Network?](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview)
\\r\\n💡 [Tutorial: Deploy and Configure Azure Firewall using the Azure Portal](https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal)
\\r\\n💡 [Application Security Groups](https://docs.microsoft.com/azure/virtual-network/application-security-groups)
\\r\\n💡 [Tutorial: Filter Network Traffic with a Network Security Group using the Azure portal](https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic)
\\r\\n💡 [What is Azure Web Application Firewall?](https://docs.microsoft.com/azure/web-application-firewall/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Virtual Network](https://azure.microsoft.com/services/virtual-network/)\\r\\n✳️ [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
\\r\\n✳️ [Application Gateway](https://azure.microsoft.com/services/application-gateway/) \\r\\n✳️ [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Networks](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔄 [Application Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FvirtualNetworks)
\\r\\n🔄 [Network Security Groups](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FNetworkSecurityGroups)
\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Web Application Firewall Policies](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"networksecuritygroup\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Security Groups\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isNetworkingVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Microsegmentation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Resiliency](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nResiliency measures including DDoS protections, elastic expansion, and regional 
delivery.\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Resiliency Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"e728810c-697f-4b67-a00e-1941c3b84194\",\"cellValue\":\"DDoS Protections\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DDoS Protections\",\"style\":\"link\"},{\"id\":\"38a64817-5a62-418f-8944-041ab50fee2c\",\"cellValue\":\"Elastic Expansion\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Elastic Expansion\",\"style\":\"link\"},{\"id\":\"b984f173-f46a-412d-a835-d4a2f66709b8\",\"cellValue\":\"Regional Delivery\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Regional Delivery\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Resiliency Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DDoS Protections](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDDoS protections mitigate the effects of distributed denial of service attacks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure DDoS Protection Standard Overview](https://docs.microsoft.com/azure/ddos-protection/ddos-protection-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DDoS Protection]( https://azure.microsoft.com/services/ddos-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DDoS Protection Plans](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FddosProtectionPlans)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Resources\\r\\n| where type contains \\\"microsoft.network/ddosprotectionplans\\\"\\r\\n| extend RG = substring(id, 0, indexof(id, '/providers'))\\r\\n| extend virtualNetworks = properties.virtualNetworks\\r\\n| mvexpand bagexpansion=array virtualNetworks\\r\\n| extend VNETid = virtualNetworks.id\\r\\n| project-away kind, managedBy, sku, plan, identity, zones, extendedLocation, name, tenantId, properties, tags, virtualNetworks, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"DDoS Protection Plans\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Subscription}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"type\",\"formatter\":16,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"location\",\"formatter\":17},{\"columnMatch\":\"subscriptionId\",\"formatter\":15,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"VNETid\",\"formatter\":13,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"id\",\"label\":\"Name\"},{\"columnId\":\"type\",\"label\":\"Type\"},{\"columnId\":\"location\",\"label\":\"Region\"},{\"columnId\":\"subscriptionId\",\"label\":\"Subscription\"},{\"columnId\":\"VNETid\",\"label\":\"Virtual Networks\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoSPlans\"}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DDoS Protections\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Elastic Expansion](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nElastic expansion enables agencies to dynamically expand the resources available for services as conditions require.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What are Virtual Machine Scale Sets?](https://docs.microsoft.com/azure/virtual-machine-scale-sets/overview) 
\\r\\n💡 [Elastic Pools Help You Manage and Scale Multiple Databases in Azure SQL Database](https://www.cisa.gov/trusted-internet-connections)
\\r\\n💡 [What is Azure Load Balancer?](https://docs.microsoft.com/azure/load-balancer/load-balancer-overview)
\\r\\n💡 [What is Traffic Manager?](https://docs.microsoft.com/azure/traffic-Manager/traffic-Manager-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) ✳️ [Traffic Manager]( https://azure.microsoft.com/services/traffic-manager/) ✳️ [Load Balancer]( https://azure.microsoft.com/services/load-balancer/)✳️ [Azure Availability Zones]( https://azure.microsoft.com/global-infrastructure/availability-zones/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Machine Scale Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FvirtualMachineScaleSets)
🔄 [Azure SQL](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fazuresql)
🔄 [Load Balancer](https://portal.azure.com/#blade/Microsoft_Azure_Network/LoadBalancingHubMenuBlade/loadBalancers)
🔄 [Traffic Manager Profiles](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2Ftrafficmanagerprofiles)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"scale\\\" or type contains \\\"traffic\\\" or type contains \\\"load\\\" or type contains \\\"balance\\\" or type contains \\\"pool\\\" or type contains \\\"set\\\" or type contains \\\"manager\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Elasticly Scaling Assets (Scale Sets, Pooling, Load Balancing, Traffic Managers)\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Elastic 
Expansion\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Regional Delivery](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nRegional delivery technologies enable the deployment of agency services across geographically diverse locations.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Building Solutions for High Availability Using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability)
 \\r\\n💡 [Azure Infrastructure Availability](https://docs.microsoft.com/azure/security/fundamentals/infrastructure-availability) 
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Availability Sets](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FavailabilitySets)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| project id,type,location,resourceGroup\\r\\n| summarize count() by location\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets by Location\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"location\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Globe\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isResiliencyVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Regional 
Delivery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [DNS](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nDNS measures including DNS blackholing, DNSSEC for clients, and DNSSEC for domains. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"DNS Capability Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9641ace6-28a6-492a-a264-cf997a0b2929\",\"cellValue\":\"DNS Sinkholing\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNS Sinkholing\",\"style\":\"link\"},{\"id\":\"58350f74-c87b-4110-aa84-2d34f0b7b76d\",\"cellValue\":\"DNSSEC for Agency Clients\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNSSEC for Agency Clients\",\"style\":\"link\"},{\"id\":\"69514c8d-8a19-48db-a53d-02c1e12cf332\",\"cellValue\":\"DNSSEC for Agency Domains\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ DNSSEC for Agency Domains\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"DNS Capability Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNS Sinkholing](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNS sinkholing protections are a form of denylisting that protect clients from accessing malicious domains by responding to DNS queries for those domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Administer DNS and Create Conditional Forwarders in an Azure Active Directory Domain Services Managed Domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-dns)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure DNS](https://azure.microsoft.com/services/dns/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"domain\\\" or type contains \\\"dns\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNS Sinkholing\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Clients](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that domain name lookups from agency clients, whether for internal or external 
domains, are validated.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy](https://techcommunity.microsoft.com/t5/azure-network-security/enabling-central-visibility-for-dns-using-azure-firewall-custom/ba-p/2156331)
\\r\\n💡 [DANE Support](https://docs.microsoft.com/windows-server/networking/dns/what-s-new-in-dns-server#dane-support)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewall Manager](https://portal.azure.com/#blade/Microsoft_Azure_HybridNetworking/FirewallManagerMenuBlade/firewallManagerOverview)
\\r\\n🔄 [Virtual Machines](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines)
\\r\\n🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\r\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\r\\n| project-away msg_s\\r\\n| summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Request_Type\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: DNS Proxy Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for Agency Clients\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [DNSSEC for Agency Domains](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDNSSEC protections ensure that all agency domain names are secured using DNSSEC, enabling external entities to validate their resolution the domain names.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure DNS?](https://docs.microsoft.com/azure/dns/dns-overview)
\\r\\n💡 [Security Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [DNS Zones](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FdnsZones)
\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n🔄 [Windows Admin Center](https://www.microsoft.com/evalcenter/evaluate-windows-admin-center)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRegulatoryCompliance\\r\\n| where RecommendationName contains \\\"dns\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDNSVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"DNSSEC for 
Agency Domains\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Intrusion Detection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nIntrusion Detection measures including endpoint detection & response, intrusion protection systems, adaptive access control, deception platforms, and certificate transparency log monitoring.\"},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Intrusion Detection Capability Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"732ea879-9952-465c-b6a5-f85cef33927f\",\"cellValue\":\"Endpoint Detection and Response\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Endpoint Detection and Response\",\"style\":\"link\"},{\"id\":\"d09eb27c-cab6-4ae8-978f-5bcc50a361f5\",\"cellValue\":\"Intrusion Protection Systems (IPS)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Intrusion Protection Systems (IPS)\",\"style\":\"link\"},{\"id\":\"e22ab1a8-ded0-43e0-b8df-68d75ca8d073\",\"cellValue\":\"Adaptive Access Control\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Adaptive Access Control\",\"style\":\"link\"},{\"id\":\"5a55295b-0d64-4e5f-a84e-25a7bad66f5f\",\"cellValue\":\"Deception Platforms\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Deception Platforms\",\"style\":\"link\"},{\"id\":\"2674ad60-398d-42aa-a24d-7cbe20aa79a7\",\"cellValue\":\"Certificate Transparency Log Monitoring\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Certificate Transparency Log Monitoring\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Intrusion Detection Capability Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Endpoint Detection and 
Response](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nEndpoint detection and response tools combine endpoint and network event data to aid in the detection of malicious activity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Overview of Endpoint Detection and Response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"MDATP\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Endpoint Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Endpoint Detection and Response\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Intrusion Protection Systems (IPS)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIntrusion protection systems detect malicious activity, attempt to stop the activity, and report the activity.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Firewall Premium: IDPS](https://docs.microsoft.com/azure/firewall/premium-features#idps)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [AzureDiagnostics](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azurediagnostics) ✳️ [Azure Firewall]( https://azure.microsoft.com/services/azure-firewall/)\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Firewalls](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FazureFirewalls)
\\r\\n🔄 [Firewall Policies](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FfirewallPolicies)
\\r\\n\\r\\n### Trusted Internet Connections\\r\\n💡 [TIC 3.0 Model](https://www.cisa.gov/trusted-internet-connections)\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\r\\n| where OperationName == \\\"AzureFirewallIDSLog\\\"\\r\\n| parse msg_s with * \\\"TCP request from \\\" Source \\\" to \\\" Destination \\\". Action: \\\" ActionTaken \\\". Rule: \\\" IDPSSig \\\". IDS: \\\" IDSMessage \\\". Priority: \\\" Priority \\\". Classification: \\\" Classification\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by OperationName\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Azure Firewall: IDPS Alerts over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Intrusion Protection Systems (IPS)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Adaptive Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAdaptive access control technologies factor in additional context, like security risk, operational needs, and other heuristics, when evaluating access control decisions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let data = SigninLogs\\r\\n | where AppDisplayName in ('*') or '*' in ('*')\\r\\n | where UserDisplayName in ('*') or '*' in ('*')\\r\\n | extend CAStatus = case(ConditionalAccessStatus == \\\"success\\\", \\\"Successful\\\",\\r\\n ConditionalAccessStatus == \\\"failure\\\", \\\"Failed\\\", \\r\\n ConditionalAccessStatus == \\\"notApplied\\\", \\\"Not applied\\\", \\r\\n isempty(ConditionalAccessStatus), \\\"Not applied\\\", \\r\\n \\\"Disabled\\\")\\r\\n | mvexpand ConditionalAccessPolicies\\r\\n | extend CAGrantControlName = tostring(ConditionalAccessPolicies.enforcedGrantControls[0])\\r\\n | extend CAGrantControl = case(CAGrantControlName contains \\\"MFA\\\", \\\"Require MFA\\\", \\r\\n CAGrantControlName contains \\\"Terms of Use\\\", \\\"Require Terms of Use\\\", \\r\\n CAGrantControlName contains \\\"Privacy\\\", \\\"Require Privacy Statement\\\", \\r\\n CAGrantControlName contains \\\"endpoint\\\", \\\"Require endpoint Compliant\\\", \\r\\n CAGrantControlName contains \\\"Azure AD Joined\\\", \\\"Require Hybird Azure AD Joined endpoint\\\", \\r\\n CAGrantControlName contains \\\"Apps\\\", \\\"Require Approved Apps\\\",\\r\\n \\\"Other\\\");\\r\\ndata\\r\\n| summarize Count = dcount(Id) by CAStatus\\r\\n| join kind = inner (data\\r\\n | make-series Trend = dcount(Id) default = 0 on TimeGenerated in range(ago(14d), now(), 6h) by CAStatus\\r\\n )\\r\\n on CAStatus\\r\\n| project-away CAStatus1, TimeGenerated\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Conditional Access Status\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore 
This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CAStatus\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Adaptive Access Control\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Deception Platforms](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nDeception platform technologies provide decoy environments, from individual machines to entire networks, that can be used to deflect attacks away from the operational systems supporting agency 
missions/business functions.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [Manage Sensitive or Honeytoken Accounts](https://docs.microsoft.com/defender-for-identity/manage-sensitive-honeytoken-accounts)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Defender for Identity](https://www.microsoft.com/microsoft-365/security/identity-defender) \\r\\n\\r\\n### Microsoft Portal\\r\\n🔄 [Microsoft Defender for Identity Portal](https://portal.atp.azure.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, DE.AE, RS.AN](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where ProviderName == \\\"Azure Advanced Threat Protection\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Identity Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Deception Platforms\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Certificate Transparency Log Monitoring](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCertificate transparency log monitoring allows agencies to discover when new certificates are issued for agency domains.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Get Started with Key Vault Certificates](https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios)
\\r\\n💡 [Security Recommendations in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Key Vault](https://azure.microsoft.com/services/key-vault/)
\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"key\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Key Vault Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n| where RecommendationName contains \\\"cert\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Certificate Recommendations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • 
Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isIntrusionDetectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Certificate Transparency Log Monitoring\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Enterprise](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nEnterprise-based controls including security orchestration automation & response, shadow IT detection, and virtual private networks. 
\"},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Enterprise Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"d492afb3-4b6e-482e-8d63-6f8e42b9c8b5\",\"cellValue\":\"Security Orchestration, Automation, and Response (SOAR)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Security Orchestration, Automation, and Response (SOAR)\",\"style\":\"link\"},{\"id\":\"d600f262-56b1-46d3-990f-1237edaa8eb5\",\"cellValue\":\"Shadow IT Detection\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Shadow IT Detection\",\"style\":\"link\"},{\"id\":\"008f3aaa-4b7d-4b10-a000-3b249bffa4f4\",\"cellValue\":\"Virtual Private Network (VPN)\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Virtual Private Network (VPN)\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Enterprise Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Security Orchestration, Automation, and Response (SOAR)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nSecurity Orchestration, Automation, and Response (SOAR) tools define, prioritize, and automate the response to security incidents.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Tutorial: Setup Automated Threat Responses in Azure Sentinel](https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Sentinel](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/microsoft.securityinsightsarg%2Fsentinel)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[DE.AE, DE.CM, DE.DP, RS.CO, RS.AN, RC.RP](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type == \\\"microsoft.logic/workflows\\\"\\r\\n| extend Connection = parse_json(properties)[\\\"parameters\\\"][\\\"$connections\\\"][\\\"value\\\"]\\r\\n| where Connection has \\\"managedApis/azuresentinel\\\"\\r\\n| project id, type, resourceGroup\",\"size\":0,\"showAnalytics\":true,\"title\":\"Automation Playbooks Configured\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Security Orchestration, Automation, and Response 
(SOAR)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Shadow IT Detection](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nShadow IT detection systems detect the presence of unauthorized software and systems in use by an agency.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Tutorial: Discover and Manage Shadow IT in Your Network](https://docs.microsoft.com/cloud-app-security/tutorial-shadow-it)
\\r\\n💡 [Review Your Security Recommendations](https://docs.microsoft.com/azure/security-center/security-center-recommendations)
\\r\\n💡 [Endpoint Discovery - Navigating Your Way Through Unmanaged Devices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909)
\\r\\n💡 [Device Discovery Overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery)
\\r\\n💡 [Welcome to Azure Defender for IoT](https://docs.microsoft.com/azure/defender-for-iot/overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityAlert](https://docs.microsoft.com/azure/azure-monitor/reference/tables/securityalert) ✳️ [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) \\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft Cloud App Security Portal](https://portal.cloudappsecurity.com/)
\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Azure Defender for IoT](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.IP, PR.MA, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n| where AlertType contains \\\"discovery\\\"\\r\\n| summarize count() by AlertName\\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Shadow IT Alerts\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Alert\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Shadow IT Detection\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Virtual Private Network (VPN)](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nVirtual private network (VPN) solutions provide a secure communications mechanism between networks that may traverse across unprotected or public networks.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is VPN Gateway?](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [Resources](https://docs.microsoft.com/azure/governance/resource-graph/samples/starter) ✳️ [VPN Gateway]( https://azure.microsoft.com/services/vpn-gateway/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Virtual Network Gateways](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Network%2FvirtualNetworkGateways)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.DS, PR.IP, PR.MA, PR.PT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"resources\\r\\n| where type contains \\\"gate\\\" or type contains \\\"bastion\\\" or type contains \\\"route\\\" or type contains \\\"privateend\\\"\\r\\n| project id,type,location,resourceGroup\\r\\n| order by location asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"VPN Assets\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"showExportToExcel\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"isEnterpriseVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Virtual Private Network (VPN)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Unified Communications & Collaboration](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nUCC measures including identity verification, encrypted communications, connection terminations, and data 
loss prevention. \\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Unified Communications & Collaboration Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"fdf75962-e198-458c-a72e-e09df349b23a\",\"cellValue\":\"UCC Identity Verification\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Identity Verification\",\"style\":\"link\"},{\"id\":\"d0d78efd-c1d1-4444-9dd9-dc8e7654895c\",\"cellValue\":\"UCC Encrypted Communication\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Encrypted Communication\\t\",\"style\":\"link\"},{\"id\":\"bd2d8df1-8c53-48ea-97a6-11d0e04c1201\",\"cellValue\":\"UCC Connection Termination\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Connection Termination\",\"style\":\"link\"},{\"id\":\"792ebae5-b8f3-4842-b97d-d57514d1a22c\",\"cellValue\":\"UCC Data Loss Prevention\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ UCC Data Loss Prevention\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Unified Communications & Collaboration Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Identity Verification](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentity verification ensures that access to the virtual meeting is limited to appropriate individuals. Waiting room features, where the meeting host authorizes vetted individuals to join the meeting can also be utilized.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Identity Models and Authentication for Microsoft Teams](https://docs.microsoft.com/microsoftteams/identify-models-authentication)
\\r\\n💡 [Azure Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Microsoft Teams Meeting Attendance Report](https://docs.microsoft.com/microsoftteams/teams-analytics-and-reports/meeting-attendance-report)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| where Operation == \\\"MemberAdded\\\"\\r\\n| extend DisplayName_ = tostring(Members[0].DisplayName)\\r\\n| summarize count() by DisplayName_\\r\\n| sort by count_ desc \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams: Members Added\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"DisplayName_\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| summarize count() by Operation\\r\\n| render piechart \",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Meetings: Operation Count\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3 - Copy - Copy\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Identity Verification\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Encrypted Communication](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nCommunication between virtual meeting participants and any data exchanged is encrypted at rest and in transit. 
Some UCC offerings support end-to-end encryption, where encryption is performed on the clients and can only be decrypted by the other authenticated participants and cannot be decrypted by the UCC vendor.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Security and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-security-guide)
\\r\\n💡 [Azure Sentinel and Microsoft Teams](https://docs.microsoft.com/microsoftteams/teams-sentinel-guide)
\\r\\n💡 [Trustworthy by Default](https://docs.microsoft.com/microsoftteams/teams-security-guide#trustworthy-by-default)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [OfficeActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/officeactivity) ✳️ [Microsoft Defender for Office 365]( https://www.microsoft.com/microsoft-365/security/office-365-defender)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.PT, PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n| where RecordType == \\\"MicrosoftTeams\\\"\\r\\n| extend TeamsMembers = strcat(Members)\\r\\n| distinct Operation, UserId, TeamsMembers, TimeGenerated\\r\\n| sort by TimeGenerated desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Microsoft Teams Logs\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Operation\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"UserId\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Encrypted Communication\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Connection Termination](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms that ensure the meeting host can positively control participation. These can include inactivity timeouts, on-demand prompts, unique access codes for each meeting, host participant eviction, and even meeting duration limits.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Manage Meeting Policies in Teams](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams)
\\r\\n💡 [Manage Microsoft Teams Rooms](https://docs.microsoft.com/microsoftteams/rooms/rooms-manage)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Admin Center](https://admin.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, PR.AT](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":1,\"content\":{\"json\":\"### ✳️ [Leverage Microsoft Teams for UCC Connection Termination Controls via Meeting Policies](https://docs.microsoft.com/microsoftteams/meeting-policies-in-teams?WT.mc_id=Portal-fx)\\r\\n![Image Name](https://docs.microsoft.com/microsoftteams/media/designated-presenter-role.png) \\r\\n\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Connection Termination\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [UCC Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nMechanisms for controlling the sharing of information between UCC participants, intentional or incidental. This may be integrated into additional agency data loss prevention technologies and can include keyword matching, attachment file type or existence prohibitions, attachment size limitations, or even audio/visual filters.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Data Loss Prevention and Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/dlp-microsoft-teams)
\\r\\n💡[Communication Compliance in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Microsoft 365 Security Center](https://security.microsoft.com/)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by ApplicationName_s, LabelName_s\\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DLP Logs by Application/Label\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"isUnifiedCommunicationsCollaborationVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"UCC Data Loss Prevention\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"# ✳️ [Data 
Protection](https://www.cisa.gov/trusted-internet-connections)\\r\\n---\\r\\nData protection measures including access control, protections for data at rest, protections for data in transit, data loss prevention, and data access & use telemetry. \"},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Data Protection Capabilities Guide\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"9c4b9c9f-7222-4a89-8f5e-bf41698143fb\",\"cellValue\":\"Access Control_DP\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Access Control\",\"style\":\"link\"},{\"id\":\"51c9b125-5b22-48b0-ae6d-2504c7efb4cd\",\"cellValue\":\"Protections for Data at Rest\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Protections for Data at Rest\",\"style\":\"link\"},{\"id\":\"1327dfc1-236b-4f1a-b92c-7b4a6999d964\",\"cellValue\":\"Protections for Data in Transit\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Protections for Data in Transit\",\"style\":\"link\"},{\"id\":\"b0db0ea1-f337-4c8c-9d17-3cb221dc4378\",\"cellValue\":\"Data Loss Prevention_DP\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Loss Prevention \",\"style\":\"link\"},{\"id\":\"6f3d353f-c9dc-4197-836b-98243db6c707\",\"cellValue\":\"Data Access and Use Telemetry\",\"linkTarget\":\"step\",\"linkLabel\":\"✳️ Data Access and Use Telemetry\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"customWidth\":\"50\",\"name\":\"Data Protection Capabilities Selector\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Access Control](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nAccess control technologies allow an agency to define policies concerning the allowable activities of users and entities to 
data and resources.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [How Access Management in Azure AD works](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups#how-access-management-in-azure-ad-works)
\\r\\n\\r\\n### Required Log (Log Source)\\r\\n🔷 [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity) ✳️ [Azure Monitor]( https://azure.microsoft.com/services/monitor/)
\\r\\n🔷 [SigninLogs](https://docs.microsoft.com/azure/azure-monitor/reference/tables/signinlogs) ✳️ [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.AC, PR.IP, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n| summarize count() by Caller, OperationName\\r\\n| where Caller <> \\\"\\\"\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Actions\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n| where Location <> \\\"\\\"\\r\\n| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)\\r\\n| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)\\r\\n| extend city_ = tostring(LocationDetails.city)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Sign-Ins by Geolocation\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control 
Further\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"map\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"OperationName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Runs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"TrendList\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}},\"showBorder\":false},\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"Location\",\"latitude\":\"latitude_\",\"longitude\":\"longitude_\",\"sizeSettings\":\"city_\",\"sizeAggregation\":\"Count\",\"labelSettings\":\"city_\",\"legendMetric\":\"city_\",\"numberOfMetrics\":10,\"legendAggregation\":\"Count\",\"itemColorSettings\":{\"nodeColorField\":\"state_\",\"colorAggregation\":\"Count\",\"type\":\"heatmap\",\"heatmapPalette\":\"coldHot\"},\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}}},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"showPin\":false,\"name\":\"query - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Access 
Control_DP\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data at Rest](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection at rest aims to secure data stored on any endpoint or storage medium.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Data Encryption at Rest](https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)
\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n|where RecommendationName contains \\\"encrypt\\\" \\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data at Rest Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation 
>>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data at Rest\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Protections for Data in Transit](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData protection in transit, or data in motion, aims to secure data that is actively moving from one location to another, such as across the internet or through a private enterprise network.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [Azure Data Encryption in Transit](https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit)
\\r\\n💡 [About Azure Key Vault](https://docs.microsoft.com/azure/key-vault/general/overview)\\r\\n💡 [Use Azure Security Center Recommendations to Enhance Security](https://docs.microsoft.com/azure/security-center/security-center-using-recommendations)
\\r\\n💡 [Encryption for Data in Transit](https://docs.microsoft.com/compliance/assurance/assurance-encryption-in-transit)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [SecurityRecommendation](https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal#what-data-types-can-be-exported) ✳️ [Azure Security Center](https://azure.microsoft.com/services/security-center/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0)
\\r\\n🔄 [Key Vaults](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityRecommendation\\r\\n|where RecommendationName contains \\\"HTTP\\\" or RecommendationName contains \\\"FTP\\\" or RecommendationName contains \\\"traffic\\\" or RecommendationName contains \\\"SSL\\\" or RecommendationName contains \\\"TLS\\\" or RecommendationName contains \\\"Secure Socket\\\" or RecommendationName contains \\\"server-side\\\"\\r\\n| summarize count() by RecommendationName, AssessedResourceId, RecommendationLink\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data in Transit Recommenations\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling 
Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"RecommendationName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Gear\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"RecommendationLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Recommendation >>\"}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Protections for Data in Transit\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Loss Prevention](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nData loss prevention technologies detect instances of the exfiltration, either malicious or accidental, of agency data.\\r\\n\\r\\n### Microsoft References \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [What is Azure Purview?](https://docs.microsoft.com/azure/purview/overview)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Purview Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Purview%2FAccounts)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\t\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[PR.DS](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Activity_s, Operation_s, LabelName_s, ApplicationName_s\\r\\n| render areachart \",\"size\":0,\"showAnalytics\":true,\"title\":\"DLP Actions over Time\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Loss Prevention_DP\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# [Data Access and Use 
Telemetry](https://www.cisa.gov/publication/tic-30-core-guidance-documents)\\r\\nIdentify agency sensitive data stored, processed, or transmitted, including those located at a service provider. Enforce detailed logging for access or changes to sensitive data.\\r\\n\\r\\n### Microsoft Reference \\r\\n💡 [What is Azure Information Protection?](https://docs.microsoft.com/azure/information-protection/what-is-information-protection)
\\r\\n💡 [Tutorial: Discovering Your Sensitive Content with the Azure Information Protection (AIP) scanner](https://docs.microsoft.com/azure/information-protection/tutorial-scan-networks-and-content)
\\r\\n💡 [Quickstart: Deploying the Azure Information Protection (AIP) Unified Labeling Client](https://docs.microsoft.com/azure/information-protection/quickstart-deploy-client)
\\r\\n💡 [Azure Information Protection (AIP) Labeling, Classification, and Protection](https://docs.microsoft.com/azure/information-protection/aip-classification-and-protection)
\\r\\n💡 [Overview of Data Loss Prevention](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies)
\\r\\n\\r\\n### Recommended Logs\\r\\n🔷 [InformationProtectionLogs_CL](https://docs.microsoft.com/azure/information-protection/audit-logs) ✳️ [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
\\r\\n\\r\\n### Microsoft Portals\\r\\n🔄 [Azure Information Protection](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
\\r\\n🔄 [Microsoft 365 Compliance Center](https://compliance.microsoft.com/)
\\r\\n\\r\\n### NIST Cybersecurity Framework Mapping\\r\\n[ID.AM, PR.AC, PR.DS, PR.PT, DE.AE, DE.CM](https://www.nist.gov/cyberframework)\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"text - 3\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n| summarize count() by UserId_s, LabelName_s, ApplicationName_s_s, Operation_s_s, Platform_s_s, Activity_s_s, IPv4_s_s\\r\\n| sort by count_ desc\\r\\n| limit 250\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Access and Use Telemetry\",\"noDataMessage\":\"An Empty Panel Provides Opportunity To Explore This Control Further and Implement Solutions • Confirm Licensing, Availability, and Health of Respective Offerings • Confirm Log Source is Onboarded to Azure Sentinel Workspace • Adjust the Time Paramenter for a Larger Data-Set • Panels Can Display 'No Data' if All Recommendations are Fully Implemented, See Azure Security Center Recommendations • Third Party Tooling: Adjust Respective Panel KQL Query for Third Pary Tooling Requirements\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserId_s\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Person\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"count_\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"query - 
3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"isDataProtectionVisible\",\"comparison\":\"isEqualTo\",\"value\":\"true\"},\"name\":\"Data Access and Use Telemetry\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-ZeroTrust(TIC3.0)\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('_workbook-source')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic1-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'DNS'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n 
Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic2-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Data Protection'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / 
Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic3-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Email'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or 
RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic4-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter 
ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Enterprise'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic5-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) 
[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Files'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic6-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": 
"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Intrusion Detection'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic7-id'))]", + "apiVersion": "2020-01-01", + "kind": 
"Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Networking'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic8-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Resiliency'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + 
"severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic9-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n| where Family == 'Unified Communications & Collaboration'\n| summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\n| extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n| project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n| where RecommendationDisplayName <> ''\n// | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n| where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or 
PasedRatePercentage Thresholds within Organizational Needs\n| sort by FailedRatePercentage desc\n| limit 250\n| extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic10-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Universal Security Capabilities'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n 
SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic11-id'))]", + "apiVersion": "2020-01-01", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines", + "displayName": "(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring", + "enabled": false, + "query": "let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nSecurityRecommendation\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\n | where Family == 'Web'\n | summarize\n Assessments = count(),\n Success = countif(RecommendationState == 'Healthy' or RecommendationState == 'NotApplicable' or RecommendationState == 'Removed'),\n Failed = countif(RecommendationState == 'Unhealthy')\n by Capability, Family, RecommendationDisplayName\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\n | extend 
RemediationLink = strcat('https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22')\n | project\n Capability,\n Family,\n RecommendationDisplayName,\n Assessments,\n SuccessRatePercentage,\n FailedRatePercentage,\n RemediationLink\n | where RecommendationDisplayName <> ''\n // | where RecommendationName <> '' //Filter Out or Suppress Recommendations\n | where FailedRatePercentage > 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\n | sort by FailedRatePercentage desc\n | limit 250\n | extend URLCustomEntity = RemediationLink\n", + "queryFrequency": "P7D", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "tactics": [ + "Discovery" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2021-03-01-preview", + "properties": { + "version": "1.0.5", + "kind": "Solution", + "contentId": "[variables('_sourceId')]", + "parentId": "[variables('_sourceId')]", + "source": { + "kind": "Solution", + "name": "ZeroTrust(TIC3.0)", + "sourceId": "[variables('_sourceId')]" + }, + "author": { + "name": "Nikhil Tripathi", + "email": "v-ntripathi@microsoft.com" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "Workbook", + "contentId": "[variables('_ZeroTrustTIC3.0_workbook')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('_ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules')]", + "version": "1.0.5" + }, + { + "kind": "AnalyticsRule", + "contentId": 
"[variables('_ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('_ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules')]",
+ "version": "1.0.5"
+ }
+ ]
+ },
+ "firstPublishDate": "2021-10-20",
+ "providers": [
+ "Microsoft"
+ ],
+ "categories": {
+ "domains": [
+ "Identity",
+ "Security - Others"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_sourceId'))]"
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json
new file mode 100644
index 000000000000..1e5d3a23f2a4
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/playbooks/template.json b/src/SecurityInsights/test/deployment-templates/playbooks/template.json
new file mode 100644
index 000000000000..076966bb2a3f
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/playbooks/template.json
@@ -0,0 +1,900 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Playbook1Name": { + "defaultValue": "Block-AADUser-Alert", + "type": "string" + }, + "Playbook2Name": { + "defaultValue": "Block-AADUser-Incident", + "type": "string" + }, + "Playbook3Name": { + "defaultValue": "Confirm-AADRiskyUser-Alert", + "type": "string" + }, + "Playbook4Name": { + "defaultValue": "Confirm-AADRiskyUser-Incident", + "type": "string" + } + }, + "variables": { + "AzureAD1ConnectionName": "[concat('azuread-', parameters('Playbook1Name'))]", + "AzureSentinel1ConnectionName": "[concat('azuresentinel-', parameters('Playbook1Name'))]", + "AzureAD2ConnectionName": "[concat('azuread-', parameters('Playbook2Name'))]", + "AzureSentinel2ConnectionName": "[concat('azuresentinel-', parameters('Playbook2Name'))]", + "AzureAD3ConnectionName": "[concat('azuread-', parameters('Playbook3Name'))]", + "AzureADIP3ConnectionName": "[concat('azureadip-', parameters('Playbook3Name'))]", + "AzureSentinel3ConnectionName": "[concat('azuresentinel-', parameters('Playbook3Name'))]", + "AzureAD4ConnectionName": "[concat('azuread-', parameters('Playbook4Name'))]", + "AzureADIP4ConnectionName": "[concat('azureadip-', parameters('Playbook4Name'))]", + "AzureSentinel4ConnectionName": "[concat('azuresentinel-', parameters('Playbook4Name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD1ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD1ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[variables('AzureSentinel1ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinel1ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook1Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser_alert", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD1ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel1ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + 
"Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User was disabled in AAD via playbook

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

@{body('Update_user')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user')", + null + ] + } + ] + }, + "runAfter": { + "Update_user": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Update_user": { + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD1ConnectionName'))]", + "connectionName": "[variables('AzureAD1ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel1ConnectionName'))]", + "connectionName": 
"[variables('AzureSentinel1ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD2ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD2ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel2ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureSentinel2ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook2Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Block-AADUser", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD2ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel2ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User @{items('For_each')?['Name']} was disabled in AAD via playbook Block-AADUser.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Block-AADUser playbook could not disable user @{items('For_each')?['Name']}.
\nError message: @{body('Update_user')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Update_user')", + null + ] + } + ] + }, + "runAfter": { + "Update_user": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Update_user": { + "inputs": { + "body": { + "accountEnabled": false + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "patch", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD2ConnectionName'))]", + "connectionName": "[variables('AzureAD2ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel2ConnectionName'))]", + "connectionName": 
"[variables('AzureSentinel2ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD3ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "user@user.com", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureADIP3ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "user@user.com", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel3ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('Playbook3Name')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook3Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Confirm-AADRiskyUser_alert", + 
"hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD3ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureADIP3ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel3ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Alert_-_Get_incident": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@body('Alert_-_Get_incident')?['id']", + "message": "

User [@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}] was confirmed compromised via playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Confirm_a_risky_user_as_compromised": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Confirm_a_risky_user_as_compromised": { + "inputs": { + "body": { + "userIds": [ + "@items('For_each')?['AadUserId']" + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureadip']['connectionId']" + } + }, + "method": "post", + "path": "/beta/riskyUsers/confirmCompromised" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD3ConnectionName'))]", + "connectionName": "[variables('AzureAD3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/azuread')]" + }, + "azureadip": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADIP3ConnectionName'))]", + "connectionName": "[variables('AzureADIP3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel3ConnectionName'))]", + "connectionName": "[variables('AzureSentinel3ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureAD4ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureAD4ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuread')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureADIP4ConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "displayName": "[variables('AzureADIP4ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureSentinel4ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + 
"properties": { + "displayName": "[variables('AzureSentinel4ConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('Playbook4Name')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "Confirm-AADRiskyUser", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureAD4ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureADIP4ConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzureSentinel4ConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Entities_-_Get_Accounts": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User [@{concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix'])}] was confirmed compromised via playbook.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Confirm_a_risky_user_as_compromised": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Confirm_a_risky_user_as_compromised": { + "inputs": { + "body": { + "userIds": [ + "@items('For_each')?['AadUserId']" + ] + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureadip']['connectionId']" + } + }, + "method": "post", + "path": "/beta/riskyUsers/confirmCompromised" + }, + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection" + }, + "Get_user": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('For_each')?['UPNSuffix']))}" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "contentVersion": "1.0.0.0", + "outputs": {}, + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + }, + "type": "ApiConnectionWebhook" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuread": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureAD4ConnectionName'))]", + "connectionName": "[variables('AzureAD4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/azuread')]" + }, + "azureadip": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureADIP4ConnectionName'))]", + "connectionName": "[variables('AzureADIP4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureadip')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinel4ConnectionName'))]", + "connectionName": "[variables('AzureSentinel4ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ], + "outputs": { + "Playbook1triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook1Name'), 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'), '2016-06-01').value]" + }, + "Playbook1LogicAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook1Name'))]" + }, + "Playbook2triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook2Name'), 'When_Azure_Sentinel_incident_creation_rule_was_triggered'), '2016-06-01').value]" + }, + "Playbook2LogicAppResourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook2Name'))]" + }, + "Playbook3triggerUrl": { + "type": "string", + "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook3Name'), 'When_a_response_to_an_Azure_Sentinel_alert_is_triggered'), '2016-06-01').value]" + }, + "Playbook3LogicAppResourceId": { + "type": "string", + "value": 
"[resourceId('Microsoft.Logic/workflows', parameters('Playbook3Name'))]"
+ },
+ "Playbook4triggerUrl": {
+ "type": "string",
+ "value": "[listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('Playbook4Name'), 'When_Azure_Sentinel_incident_creation_rule_was_triggered'), '2016-06-01').value]"
+ },
+ "Playbook4LogicAppResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Logic/workflows', parameters('Playbook4Name'))]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json b/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json
new file mode 100644
index 000000000000..59652581ef84
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/playbooks/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Playbook1Name": {
+ "value": "Block-AADUser-Alert"
+ },
+ "Playbook2Name": {
+ "value": "Block-AADUser-Incident"
+ },
+ "Playbook3Name": {
+ "value": "Confirm-AADRiskyUser-Alert"
+ },
+ "Playbook4Name": {
+ "value": "Confirm-AADRiskyUser-Incident"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/sourceControl/template.json b/src/SecurityInsights/test/deployment-templates/sourceControl/template.json
new file mode 100644
index 000000000000..fb215c145101
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/sourceControl/template.json
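Review bot: The `AzureAD3ConnectionName` and `AzureADIP3ConnectionName` connections carry a hard-coded `"displayName": "user@user.com"` while every other connection in this file derives its display name from its own name variable, which reads like a leftover from the environment the playbook was exported from; use `"displayName": "[variables('AzureAD3ConnectionName')]"` and `"displayName": "[variables('AzureADIP3ConnectionName')]"` so a deployment does not surface a placeholder identity in the portal. Both `Update_user` actions mix `items('For_each')` and `items('for_each')` in the same expression; this appears to rely on case-insensitive action lookup and should be spelled consistently. The two `Confirm_a_risky_user_as_compromised` actions call `/beta/riskyUsers/confirmCompromised`, a preview path that can change without notice, so a short `metadata` description on those workflows recording that dependency would help whoever maintains these fixtures. The Block-AADUser workflows disable every account entity on the alert or incident and are deployed with `"state": "Enabled"`; for a test template, exposing the state as a parameter defaulting to `Disabled` would keep an accidental trigger from acting on real accounts.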
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "sourceControlId": {
+ "defaultValue": "sourceControlId",
+ "type": "string"
+ },
+ "sourceControlName": {
+ "defaultValue": "sourceControlName",
+ "type": "string"
+ },
+ "url": {
+ "defaultValue": "url",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/sourcecontrols",
+ "apiVersion": "2021-03-01-preview",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/', parameters('sourceControlId'))]",
+ "properties": {
+ "contentTypes": [
+ "Parser",
+ "AnalyticsRule",
+ "AutomationRule",
+ "HuntingQuery",
+ "Playbook",
+ "Workbook"
+ ],
+ "displayName": "[parameters('sourceControlName')]",
+ "repository": {
+ "branch": "master",
+ "url": "[parameters('url')]"
+ },
+ "repoType": "GitHub"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json b/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json
new file mode 100644
index 000000000000..4b4fec459bc9
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/sourceControl/template.parameters.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "sourceControlId": {
+ "value": "f37698f7-ff0b-48ae-8876-3a817069722c"
+ },
+ "sourceControlName": {
+ "value": "GetsourceControl1gabnr"
+ },
+ "url": {
+ "value": "https://github.com/dicolanl/gettest"
+ },
+ "workspaceName": {
+ "value": "asptestk9wyb8"
+ }
+ }
+}
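Review bot: The repository binding hard-codes `"branch": "master"` while `url` and the display name are parameters, so a test that needs another branch (or a repo whose default branch is `main`) has to edit the template instead of the parameters file. Make it a parameter next to `url`, `"branch": { "defaultValue": "master", "type": "string" }`, and reference it with `"branch": "[parameters('branch')]"`. Note that this resource lets Sentinel pull `Playbook` and `AutomationRule` content from whatever repository `url` names, and the parameters file points it at a personal GitHub account; that is acceptable for a test fixture, but the repo and branch are a trust boundary, so keep the parameters pointing at a repository the test owners control.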
diff --git a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json
new file mode 100644
index 000000000000..0e244d5176dd
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "threatIntelligenceIndicatorId": {
+ "defaultValue": "threatIntelligenceIndicatorId",
+ "type": "string"
+ },
+ "threatIntelligenceIndicatorName": {
+ "defaultValue": "threatIntelligenceIndicatorName",
+ "type": "string"
+ },
+ "threatIntelligenceIndicatorDate": {
+ "defaultValue": "threatIntelligenceIndicatorDate",
+ "type": "string"
+ },
+ "ip": {
+ "defaultValue": "ip",
+ "type": "string"
+ },
+ "workspaceName": {
+ "defaultValue": "workspaceName",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "ipPattern": "[concat('[ipv4-addr:value = ''', parameters('ip'), ''']')]"
+ },
+ "resources": [
+ {
+ "id": "",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/threatIntelligence/main/indicators",
+ "apiVersion": "2021-04-01",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/threatIntelligence/main/', parameters('threatIntelligenceIndicatorId'))]",
+ "kind": "indicator",
+ "properties": {
+ "confidence": 0,
+ "threatTypes": [
+ "unknown"
+ ],
+ "displayName": "[parameters('threatIntelligenceIndicatorName')]",
+ "pattern": "[variables('ipPattern')]",
+ "patternType": "ipv4-addr",
+ "revoked": false,
+ "validFrom": "[parameters('threatIntelligenceIndicatorDate')]",
+ "validUntil": null,
+ "source": "Azure Sentinel",
+ "threatIntelligenceTags": []
+ }
+ }
+ ]
+}
\ No newline at end of file
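Review bot: The resource entry carries `"id": ""`, which is not a recognised property of an ARM resource declaration (type, apiVersion, name, kind, properties and friends are); at best it is ignored, so drop the line. The `ipPattern` variable splices `parameters('ip')` unescaped into the STIX expression `[ipv4-addr:value = '…']`, so a value containing a single quote or a `]` yields a malformed pattern rather than a clean parameter error, and ARM parameters cannot regex-validate. Document the expectation on the parameter, e.g. `"metadata": { "description": "Bare IPv4 literal; spliced unescaped into the STIX pattern" }` under `ip`, so a future caller does not pass a CIDR or a quoted value.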
diff --git a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
new file mode 100644
index 000000000000..846e6a1c0a3d
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "threatIntelligenceIndicatorId": {
+ "value": "05df7de8-16b9-4b58-a76a-6aafb8a9932a"
+ },
+ "threatIntelligenceIndicatorName": {
+ "value": "UpdateViaIdthreatIntelligenceIndicatorol6dht"
+ },
+ "threatIntelligenceIndicatorDate": {
+ "value": "Sun, 12 Dec 2021 01:00:00 GMT"
+ },
+ "ip": {
+ "value": "8.8.8.5"
+ },
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/deployment-templates/workspace/template.json b/src/SecurityInsights/test/deployment-templates/workspace/template.json
new file mode 100644
index 000000000000..f36211aa175e
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/workspace/template.json
@@ -0,0 +1,139 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "defaultValue": "asps",
+ "type": "String"
+ },
+ "newOnboardingStateWS": {
+ "defaultValue": "asps",
+ "type":"string"
+ },
+ "removeOnboardingStateWS": {
+ "defaultValue": "asps",
+ "type":"string"
+ }
+ },
+ "variables": {
+ },
+ "resources": [
+ {
+ "name": "[parameters('workspaceName')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
+ },
+ "plan": {
+ "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
+ "product": "OMSGallery/SecurityInsights",
+ "publisher": "Microsoft",
+ "promotionCode": ""
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/onboardingStates",
+ "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/default')]",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ ],
+ "properties": {
+ "customerManagedKey": false
+ }
+ },
+ {
+ "name": "[parameters('newOnboardingStateWS')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[parameters('removeOnboardingStateWS')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "retentionInDays": 90,
+ "features": {
+ "immediatePurgeDataOn30Days": true
+ },
+ "sku": {
+ "name": "PerGB2018"
+ }
+ }
+ },
+ {
+ "name": "[concat('SecurityInsights','(', parameters('removeOnboardingStateWS'),')')]",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "apiVersion": "2015-11-01-preview",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('removeOnboardingStateWS'))]"
+ ],
+ "properties": {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('removeOnboardingStateWS'))]"
+ },
+ "plan": {
+ "name": "[concat('SecurityInsights','(', parameters('removeOnboardingStateWS'),')')]",
+ "product": "OMSGallery/SecurityInsights",
+ "publisher": "Microsoft",
+ "promotionCode": ""
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/onboardingStates",
+ "name": "[concat(parameters('removeOnboardingStateWS'),'/Microsoft.SecurityInsights/default')]",
+ "apiVersion": "2021-03-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('removeOnboardingStateWS'))]"
+ ],
+ "properties": {
+ "customerManagedKey": false
+ }
+ }
+ ],
+ "outputs": {
+ "workspaceId": {
+ "type": "string",
+ "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').customerId]"
+ },
+ "workspaceKey": {
+ "type": "string",
+ "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName')), '2015-11-01-preview').primarySharedKey]"
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
new file mode 100644
index 000000000000..8a59f12eb8a6
--- /dev/null
+++ b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "value": "asptest8xu4wd"
+ },
+ "newOnboardingStateWS": {
+ "value": "asptest0u4c9l"
+ },
+ "removeOnboardingStateWS": {
+ "value": "asptestdlvh1s"
+ }
+ }
+}
diff --git a/src/SecurityInsights/test/env.json b/src/SecurityInsights/test/env.json
new file mode 100644
index 000000000000..306ab0c29c22
--- /dev/null
+++ b/src/SecurityInsights/test/env.json
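Review bot: The `workspaceKey` output returns `listKeys(...).primarySharedKey` as a plain `string` output, and ARM persists output values in the deployment history, so the workspace's shared key ends up stored in clear text and readable by anyone with read access to the deployments in that resource group. Drop the output and have the test fetch the key on demand with `Get-AzOperationalInsightsWorkspaceSharedKey` at the point it is actually needed. Separately, `workspaceName`, `newOnboardingStateWS` and `removeOnboardingStateWS` all default to `"asps"`, so deploying without the parameters file declares the same workspace resource three times and the deployment fails; give the two extra workspaces distinct defaults, e.g. `"defaultValue": "asps-new"` and `"defaultValue": "asps-remove"`.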
@@ -0,0 +1,184 @@ +{ + "RemoveincidentRelationIncidentId": "0c5dc585-a174-461c-a546-75dc9d7bedc8", + "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkName5modef", + "mlRuleGuid": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6", + "GetincidentRelationId": "0ef2e445-e524-42ad-8810-fdd6cbe3e5f7", + "RemoveBookmarkRelationIncidentId": "4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1", + "RemoveViaIdAlertRuleActionId": "49c62647-0f89-442a-8fc1-76a2159daa80", + "RemoveBookmarkRelationName": "RemovebookmarkRelationfmks41", + "UpdateViaIdBookmarkRelationId": "e2e68737-82b4-49f0-822f-f9196f65aac8", + "RemoveViaIdBookmarkRelationId": "e6624397-ccd0-42fd-98b4-9730d7baa0e2", + "Playbook2TriggerUrl": "https://prod-29.centralus.logic.azure.com:443/workflows/10ed265c78bd4fdebbf4cf7fdd6e38ba/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=WpCBTIF6vR0G4L8RL36ZRYDJMKOOuGTaIH8RSwMqpqM", + "UpdateincidentCommentIncidentId": "4d88d68e-1a03-4287-b8d2-919981228c5c", + "RemoveentityQueryActivityName": "RemoveentityQueryActivity6ci45u", + "GetentityQueryActivityId": "1a4fe801-0031-4965-a4a1-5c68929b6d76", + "GetalertRuleActionRuleId": "453b8e9c-424a-4b50-8c6d-58de856d5abf", + "RemoveViaIdbookmarkRelationBookmarkId": "675541b3-2ae4-4199-b3b3-59f4b6c1f5b4", + "RemoveViaIdincidentCommentId": "97010b56-8d45-49b6-9f11-02d55ed685b8", + "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentoq4cge", + "UpdateBookmarkRelationIncidentId": "e788124d-3280-4da8-b9f7-3f464296947e", + "UpdateBookmarkName": "Updatebookmarktfriza", + "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamehqlcfb", + "RemoveViaIdincidentCommentIncidentId": "754fd7ba-74d1-42cc-8aa0-25593496d4bd", + "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezi05h4", + "GetBookmarkRelationId": "4a09f636-6002-4389-80a1-b6a357af8225", + 
"UpdateincidentRelationIncidentId": "473aa008-13fc-4a61-9ea2-c3fdc64a828c", + "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNameyci6fv", + "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNames3ckzp", + "RemoveincidentRelationId": "969e8896-2438-40e6-9455-f5fd9b30d396", + "UpdateViaIdentityQueryActivityId": "fb33bcbe-0bc0-433f-9910-e474dbfab616", + "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd", + "RemoveViaIdincidentRelationId": "827874ba-8b75-40d5-ad61-57fbb9594309", + "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRuledgk4wi", + "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", + "UpdateViaIdAlertRuleId": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2", + "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", + "RemoveAutomationRuleId": "a3adc54b-e32d-4c80-8af2-988f5d59f102", + "GetincidentRelationIncidentId": "e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0", + "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", + "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e", + "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorows6tu", + "RemoveincidentRelationBookmarkId": "ee0bcd82-8a83-41c3-8f97-9502c91951ec", + "GetthreatIntelligenceIndicatorIP": "8.8.8.1", + "GetAlertRuleActionId": "1ce91c05-b6a4-4476-9e83-4df36d224e97", + "UpdateincidentCommentName": "UpdateincidentCommentjmgwit", + "GetincidentRelationBookmarkId": "21e8e280-fe09-4a83-a662-4b0711e9c127", + "GetBookmarkRelationIncidentId": "69e3141d-30e8-49d1-9152-33f3b44cf6b0", + "RemoveBookmarkRelationId": "adad6e56-9f94-4fba-ba3b-96f4616cdf68", + "RemoveViaIdentityQueryActivityId": "f75cff94-cd35-4d3e-a20b-4c4eee51dd8e", + "RemovealertRuleActionRuleName": 
"RemovealertRuleActionRuleNamerey7av", + "RemoveViaIdBookmarkName": "RemoveViaIdbookmark061i4x", + "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule1whyd4", + "RemoveBookmarkName": "Removebookmarkorux9k", + "UpdateincidentRelationId": "defc1116-f142-4647-a377-6869110f6e77", + "RemoveViaIdthreatIntelligenceIndicatorId": "b37ddba1-7a4f-1feb-9959-e1161d3bf335", + "ExpandBookmarkName": "Expandbookmarkq42uhy", + "UpdateAlertRuleId": "98981b11-0c0a-40bb-adc9-63f3693592bf", + "UpdateViaIdAutomationRuleId": "61701d90-8353-4d61-b435-f9905a31142d", + "RemoveViaIdAlertRuleId": "952fd6df-a3b8-4d0c-825a-53dcc519a480", + "RemoveincidentCommentIncidentId": "39c0047a-27bf-41d3-940d-bfb849d18460", + "ExpandBookmarkId": "b35d430d-02ac-4025-a10e-32cd2ffbe46b", + "GetAutomationRuleId": "34534660-0566-46ea-98f2-4f5ff70d51e4", + "RemovebookmarkRelationBookmarkId": "20d8a730-18a5-4a76-9420-a32e46ce5888", + "UpdateViaIdincidentId": "85b206c3-bf60-48e0-b492-71a79bb8503a", + "UpdateViaIdincidentRelationIncidentId": "43aedae6-3726-41c1-b0e8-9876df66aa2d", + "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule62imtb", + "UpdateBookmarkId": "c6b3fee2-4b8e-4966-aaa7-94bd47e67021", + "RemoveentityQueryActivityId": "6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db", + "UpdateViaIdBookmarkName": "UpdateViaIdbookmark63g7uz", + "disabledRuleGuid": "10a698ca-8310-4b90-a86e-2f43fe285e56", + "updateDataConnectorId": "b4b8bb52-2917-4179-a28d-fb197dc52aa6", + "Playbook4TriggerUrl": "https://prod-03.centralus.logic.azure.com:443/workflows/b350a92d152342fb8f3b1a63b7a0df71/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=K2SOIlHPdarAt8bekyIFV4MNNTS2APO1E1EZrN2hmns", + "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamehynb4o", + "UpdateincidentRelationName": "UpdateincidentRelationNamesk65ol", + "GetthreatIntelligenceIndicatorId": 
"711bdb9e-2ecc-abba-d962-171ce4710199", + "RemoveincidentCommentName": "RemoveincidentCommentmhcwg3", + "RemoveAutomationRule": "RemoveAutomationRule0cjsva", + "UpdateAutomationRule": "UpdateAutomationRule1ceigy", + "RemoveViaIdincidentCommentName": "RemoveViaIdincidentComment8ftdy3", + "UpdateViaIdincidentCommentIncidentId": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670", + "GetAutomationRule": "GetAutomationRulezbilmf", + "UpdateentityQueryActivityId": "64feba96-1f57-4f3d-8068-a1532ed4e2dc", + "GetincidentRelationName": "GetincidentRelationNamek8m1ts", + "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameymswnj", + "UpdateBookmarkRelationId": "3106728c-12de-4dad-b0c6-603a9285765e", + "UpdateViaIdthreatIntelligenceIndicatorId": "e43bf713-da7f-8329-80bb-e1556c70abdd", + "UpdateViaIdalertRuleActionRuleId": "a555c523-e318-4501-bfe8-b9c6da354af7", + "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNameq9l2gm", + "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNamehd50fa", + "location": "Central US", + "GetentityQueryActivityName": "GetentityQueryActivity6pi5by", + "RemoveViaIdincidentName": "RemoveViaIdincidentt6k39e", + "workspaceName": "asptest8xu4wd", + "RemoveViaIdincidentRelationIncidentId": "7bfb344d-ad2a-431d-9e39-78747ac51f54", + "UpdatebookmarkRelationBookmarkId": "6548e330-d18d-4690-b6fa-b5ba7f5eac27", + "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", + "UpdateViaIdBookmarkId": "e19c0b42-e8cf-4fae-8690-7d632b11beaf", + "GetAlertRuleId": "aa4274ad-8144-44e6-8dc2-669dc0b5ea0d", + "RemoveViaIdincidentRelationBookmarkId": "3dcbfb4e-d6fb-40df-a64a-29695148826d", + "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivity4n9kre", + "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameib8ohc", + "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorol6dht", + "UpdateincidentRelationBookmarkId": "201247f4-bb20-4a3b-8e89-3609968c888f", + 
"GetAlertRuleName": "GetAlertRulez4ros0", + "UpdatethreatIntelligenceIndicatorId": "857acee8-b9d5-9c49-56c4-93496d0bf3bf", + "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivityt6dc5y", + "RemoveViaIdalertRuleActionRuleId": "a2dda58f-98fd-44db-ac37-397a9ccd9e25", + "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNametdo819", + "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6", + "RemoveViaIdincidentId": "1f88da2c-e158-4900-8d6e-a467f72fdd34", + "UpdateViaIdincidentRelationId": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4", + "RemovealertRuleActionRuleId": "3e459759-acb2-48cd-b091-f325a2618fb6", + "UpdateincidentId": "23dc6b0b-2413-4b21-94b3-242f576b73c2", + "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentNameewut32", + "RemovethreatIntelligenceIndicatorId": "ccfb7869-be18-0f44-ff2c-a9b36e598fd1", + "newOnboardingStateWS": "asptest0u4c9l", + "UpdateViaIdincidentCommentId": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be", + "UpdateincidentCommentId": "2e3b2f73-ae6b-4e88-be17-6fd85a9400ee", + "RemoveViaIdAutomationRuleId": "37a50acc-05b0-41ad-be1d-7a53c88ff383", + "GetincidentCommentId": "1b475d8b-b763-4d91-9dc9-c2125a6531e9", + "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamebtlx8k", + "UpdatealertRuleActionRuleId": "09b5716f-9b0b-4663-8302-e17b94a12ead", + "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator9tg8p7", + "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleName1lirvu", + "RemoveAlertRuleId": "fdbab4a1-bd45-4dc1-a93b-e4aa20d16262", + "RemoveBookmarkId": "9ff7b322-3212-4574-bfad-4408206875f8", + "RemoveViaIdBookmarkRelationIncidentId": "7d56a89d-59f4-4b3a-aa71-34494c2f5f5c", + "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamea13fz8", + "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamerea364", + "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b", + "UpdateincidentRelationBookmarkName": 
"UpdateincidentRelationBookmarkNamewqmnkf", + "UpdateAutomationRuleId": "6b61f56c-c075-4127-9f2a-56a855dee096", + "GetincidentCommentIncidentId": "03f0e7ca-255a-49dc-a98d-19f65584d06c", + "UpdateBookmarkRelationName": "UpdatebookmarkRelationg84prd", + "RemoveViaIdBookmarkId": "4327ac2f-6115-4602-9616-83cf991298a5", + "UpdateAlertRuleName": "UpdateAlertRulevi15sc", + "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName150wxv", + "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatornqcsd9", + "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", + "RemoveincidentId": "cc0a7c84-b29b-4136-acbb-648a7237df0a", + "GetbookmarkRelationBookmarkId": "5df694bf-7774-49cf-a84b-282fd43a926b", + "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamepvhuk4", + "GetBookmarkRelationName": "GetbookmarkRelationt8sg7i", + "UpdateentityQueryActivityName": "UpdateentityQueryActivity1ewg7d", + "GetBookmarkName": "Getbookmark3k6sjz", + "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", + "GetincidentId": "853e143c-97fd-48f1-86df-c8a68dbb87f1", + "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", + "UpdateAlertRuleActionId": "5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf", + "UpdateViaIdincidentName": "UpdateViaIdincident1anj4u", + "GetBookmarkId": "6eca09df-59e8-44f1-b96e-d316b4d3ad08", + "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", + "GetalertRuleActionRuleName": "GetalertRuleActionRuleName1539nb", + "resourceGroupName": "aspstest91v7fr", + "removeOnboardingStateWS": "asptestdlvh1s", + "RemoveincidentRelationName": "RemoveincidentRelationNamewlc2fd", + "solarigateRuleGuid": "af03fc0e-d33f-447a-8397-d60726aa92c5", + "RemoveincidentRelationIncidentName": 
"RemoveincidentRelationIncidentNameuk6d50", + "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", + "Playbook1TriggerUrl": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ", + "UpdateViaIdBookmarkRelationIncidentId": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb", + "bookmarkExpansionId": "29d93f68-3f52-46b9-960c-ca3ea7bb8fa2", + "GetincidentCommentName": "GetincidentComment48q5k9", + "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNamexlrb8u", + "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamecawzes", + "RemoveAlertRuleName": "RemoveAlertRulesuagz6", + "RemoveincidentName": "Removeincidentwy9zj7", + "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationxgibse", + "UpdateincidentName": "Updateincident59odxy", + "RemoveAlertRuleActionId": "d359018e-774c-4345-aad4-eaf449a72b0c", + "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationy7rd6c", + "UpdateViaIdincidentRelationBookmarkId": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a", + "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator2c47h8", + "RemoveincidentCommentId": "2305a5f7-84eb-482c-bc88-33d76495c69c", + "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamepuj3oy", + "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkName72z1my", + "Playbook3TriggerUrl": 
"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo", + "dataConnectorId": "88da8507-46cb-4c34-9cf3-189e58b34c9e", + "GetincidentName": "Getincidentj0bimh", + "UpdateViaIdbookmarkRelationBookmarkId": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf", + "UpdateViaIdAlertRuleActionId": "34ec4b87-3f90-443e-9034-c32e77c5fb6e", + "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentName84x0ne", + "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamezks1qr", + "workspaceId": "04acdb04-b6a1-4292-a956-621f955f6a5f" +} diff --git a/src/SecurityInsights/test/loadEnv.ps1 b/src/SecurityInsights/test/loadEnv.ps1 new file mode 100644 index 000000000000..5f079e89615e --- /dev/null +++ b/src/SecurityInsights/test/loadEnv.ps1 
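Review bot: The `Playbook1TriggerUrl` through `Playbook4TriggerUrl` values are complete Logic App callback URLs including the `sig=` SAS signature, and that signature is the bearer credential for the trigger: anyone holding the string can fire the `Block-AADUser-*` and `Confirm-AADRiskyUser-*` workflows in the recorded tenant with no further authentication. The fixture also records the subscription, tenant and `ASIServicePrinicpal` identifiers alongside them. If those Logic Apps still exist, regenerate their access keys so the committed signatures stop working, and replace the `sig=` portion here with a placeholder such as `sig=REDACTED` unless playback matches on the exact string, which I cannot tell from this file. A secret scan on the PR would have caught live callback URLs before merge.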
@@ -0,0 +1,29 @@
+# ----------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Code generated by Microsoft (R) AutoRest Code Generator.Changes may cause incorrect behavior and will be lost if the code
+# is regenerated.
+# ----------------------------------------------------------------------------------
+$envFile = 'env.json'
+if ($TestMode -eq 'live') {
+ $envFile = 'localEnv.json'
+}
+
+if (Test-Path -Path (Join-Path $PSScriptRoot $envFile)) {
+ $envFilePath = Join-Path $PSScriptRoot $envFile
+} else {
+ $envFilePath = Join-Path $PSScriptRoot '..\$envFile'
+}
+$env = @{}
+if (Test-Path -Path $envFilePath) {
+ $env = Get-Content (Join-Path $PSScriptRoot $envFile) | ConvertFrom-Json
+ $PSDefaultParameterValues=@{"*:SubscriptionId"=$env.SubscriptionId; "*:Tenant"=$env.Tenant}
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/test/localEnv.json b/src/SecurityInsights/test/localEnv.json
new file mode 100644
index 000000000000..e962799eccb0
--- /dev/null
+++ b/src/SecurityInsights/test/localEnv.json
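Review bot: The fallback branch never loads anything: `Join-Path $PSScriptRoot '..\$envFile'` uses single quotes, so `$envFile` is not expanded and the path literally ends in `\$envFile`, and the final `Get-Content (Join-Path $PSScriptRoot $envFile)` ignores the `$envFilePath` computed just above it, so even a correct parent-directory path would not be read. Change the two lines to `$envFilePath = Join-Path $PSScriptRoot "..\$envFile"` and `$env = Get-Content $envFilePath | ConvertFrom-Json`. The header says this file is AutoRest-generated, so the fix belongs in the generator template as well or it will be overwritten on the next regeneration.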
@@ -0,0 +1,184 @@
+{
+ "RemoveincidentName": "Removeincidentqlkgre",
+ "RemoveViaIdAutomationRuleId": "28b2a84c-15cb-4489-9653-060065dbb994",
+ "location": "Central US",
+ "ExpandBookmarkName": "Expandbookmarkt9lrd1",
+ "UpdateViaIdBookmarkRelationId": "e178d52f-0000-42ae-85a9-b4097cfa102f",
+ "UpdateBookmarkRelationIncidentId": "7333ddd9-da05-4e39-9e33-cb6891c08c0e",
+ "RemoveBookmarkName": "Removebookmarkcnu6jz",
+ "disabledRuleGuid": "7b87d568-20ef-40f8-b4f6-7b7815d1ae1c",
+ "UpdateincidentCommentIncidentId": "31707c99-9240-4185-9a17-f045c1d97e5d",
+ "GetincidentRelationBookmarkId": "8fdf4085-d70b-4f42-bc52-3247c106ec22",
+ "RemoveViaIdBookmarkId": "f2b22ba6-000a-4cf0-9d11-07bfd7105b2d",
+ "UpdateViaIdAutomationRuleId": "98d8b78a-ca81-4ced-bd2d-41f061158847",
+ "GetBookmarkRelationIncidentId": "c50576c1-8ae5-4d69-9c84-51b915442aee",
+ "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b",
+ "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationjkmlgd",
+ "GetBookmarkRelationId": "8982fd8b-83e6-45e0-9799-5868e0cb905f",
+ "GetincidentRelationId": "5eaf5909-4185-448d-bad3-ceb48bac3a74",
+ "GetbookmarkRelationBookmarkId": "23fd78f1-f483-4745-8108-a825fc54c668",
+ "GetthreatIntelligenceIndicatorId": "d1b1f160-d4aa-355f-8b9e-597adc93450a",
+ "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezkfopl",
+ "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.OperationalInsights/workspaces/asptesttb8qd4",
+ "UpdateBookmarkRelationName": "UpdatebookmarkRelation6vhqpe",
+ "RemovethreatIntelligenceIndicatorId": "1b395a61-f885-1ab0-0a09-95821fa26aa7",
+ "GetBookmarkRelationName": "GetbookmarkRelationlfse2c",
+ "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamelmuts7",
+ "UpdateViaIdincidentRelationBookmarkId": "4b202976-d8f7-494a-a224-39d45b7d0cff",
+ "RemoveViaIdbookmarkRelationBookmarkId": "594263e9-423e-4092-8ae8-0583423e4c8d",
+ "GetincidentCommentName": "GetincidentCommentgxebuw",
+ "RemoveAlertRuleActionId": "633b140d-ca59-4a48-8f9f-cd43f9b73261",
+ "GetalertRuleActionRuleId": "f101d542-c309-4567-a2e9-1cc325569b5d",
+ "UpdateViaIdthreatIntelligenceIndicatorId": "f030be42-7bcf-82fe-9fff-c79d02081c70",
+ "Playbook2TriggerUrl": "https://prod-31.centralus.logic.azure.com:443/workflows/fb7bc41bf47343e4b8f00f55feb90295/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=ZKfu53ftc6aVUBP7k9OzIY94f_-0lHaxyi8eXboRHLQ",
+ "GetAutomationRule": "GetAutomationRuleuym980",
+ "resourceGroupName": "aspstestsxeqa6",
+ "solarigateRuleGuid": "2cb844f2-371c-4d04-aa0f-da7d8c1da714",
+ "UpdateincidentCommentId": "3cdc19ee-8fa9-4af7-9007-1d26a715c4c6",
+ "UpdateBookmarkId": "db7538eb-c83f-4329-86cf-52fc5c72aa6a",
+ "UpdateBookmarkRelationId": "848acdc1-cbf2-4cb5-841a-9c4e5cd18316",
+ "RemoveincidentRelationIncidentId": "c3d6462a-4906-4fdf-b6cd-f2bceb154012",
+ "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident",
+ "UpdateViaIdincidentRelationIncidentId": "787c7546-c409-4fc6-8557-970600748338",
+ "UpdateincidentRelationId": "30d3137c-ca38-42fb-b1d1-dd26231c3464",
+ "ExpandBookmarkId": "89b10d75-fe89-44f5-aed9-bc10efe6885e",
+ "UpdateentityQueryActivityId": "5b4f4f50-5f46-4e63-8a36-d8dc4174f6cd",
+ "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4",
+ "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationogjnp8",
+ "GetBookmarkId": "85eabd01-5f4a-4c18-b19f-f56c4dce112e",
+ "GetincidentCommentIncidentId": "aba444f2-6a0b-4259-b0ab-1980b691b823",
+ "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Incident",
+ "RemoveincidentId": "80072504-9637-4da1-92ee-f7bd513cb295",
+ "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNamenvqgmf",
+ "RemoveBookmarkRelationIncidentId": "a1c3e870-d61c-4937-b209-99f8d995e556",
+ "UpdateViaIdentityQueryActivityId": "8b85577f-e233-4b0d-aef6-9344ecc571aa",
+ "RemoveViaIdincidentRelationIncidentId": "5ca2173d-19be-41f5-a77b-a863fccd26ad",
+ "GetAlertRuleName": "GetAlertRuleyrgq5k",
+ "RemoveViaIdentityQueryActivityId": "a0cc7385-57ea-4037-ad6c-c9bb037eea5f",
+ "removeOnboardingStateWS": "asptestocpbvt",
+ "RemoveentityQueryActivityName": "RemoveentityQueryActivitypr8m91",
+ "GetincidentRelationIncidentId": "0a92e0ee-c2ec-46ba-972f-477097330ac0",
+ "mlRuleGuid": "3f4b8ca9-def5-4f66-afd5-2074a5bf0082",
+ "UpdateincidentName": "Updateincidentz5xmas",
+ "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamem0uzno",
+ "UpdateViaIdalertRuleActionRuleId": "f3992c63-7d9d-4e0b-8721-b9be19a79eec",
+ "RemoveincidentRelationBookmarkId": "d0aa7348-155b-44c5-a248-3758caa8622b",
+ "UpdateViaIdAlertRuleActionId": "cdb065bf-5d8c-430d-bdd9-1b19fecaef78",
+ "UpdateViaIdincidentRelationId": "efe4cdcc-e040-4dba-a14d-f9b79cd060b7",
+ "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3",
+ "Playbook4TriggerUrl": "https://prod-26.centralus.logic.azure.com:443/workflows/d11ac7194c4a439cbaab4fff7e1c2ad7/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=OR8RFdoiKx_lO0u8Z71Yb-qUgOeDh1feyin0ZppXb3k",
+ "UpdateAutomationRuleId": "0b3b4818-7e4a-47ea-b1be-3dd02503ce7b",
+ "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamep5q8gb",
+ "UpdateViaIdBookmarkName": "UpdateViaIdbookmarko0bj1a",
+ "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamega43se",
+ "RemovealertRuleActionRuleId": "2e249e48-e8a7-4e47-b69b-c9d41f751b50",
+ "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivitycsp8zk",
+ "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicator7odgnj",
+ "RemoveincidentCommentIncidentId": "ebcc4150-0a62-4c60-8c79-412d61397a0f",
+ "UpdateAlertRuleId": "bbbec7e8-5e76-4092-b183-9bdf001cc9e7",
+ "RemoveentityQueryActivityId": "6ed85318-1c68-4b9c-aed6-e721e3bbde9a",
+ "RemoveViaIdthreatIntelligenceIndicatorId": "712311c9-2f77-f167-7c61-62935fa5d49d",
+ "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkName8tclhr",
+ "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNameg4jvqn",
+ "RemoveincidentCommentName": "RemoveincidentCommentchevml",
+ "RemoveincidentRelationName": "RemoveincidentRelationName81itvb",
+ "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNamebak41c",
+ "UpdateAlertRuleActionId": "020f10bb-9108-40b2-82b8-6c3d96150c24",
+ "RemoveBookmarkRelationId": "40999731-ca81-45ed-8323-7bdf8c8e0592",
+ "UpdateViaIdAlertRuleId": "0f2c489b-891e-47fe-a876-28a4dcae7129",
+ "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationName1xd3of",
+ "UpdateincidentRelationBookmarkId": "702d8e66-6c4f-4285-8c54-3064c6713ee7",
+ "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRulepb9037",
+ "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentu07v8a",
+ "RemoveViaIdincidentId": "b96b299e-8a07-428c-90e8-a9925726ed45",
+ "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicatoret45oy",
+ "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust",
+ "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e",
+ "GetincidentCommentId": "6754ad39-2e25-4b61-a931-8797fa4742cf",
+ "GetthreatIntelligenceIndicatorIP": "8.8.8.1",
+ "UpdateViaIdincidentCommentId": "7336a21d-525b-43f0-91cc-d58af6ebddcb",
+ "UpdatebookmarkRelationBookmarkId": "29a94766-52e8-46d4-90aa-3ece020b836a",
+ "GetincidentRelationIncidentName": "GetincidentRelationIncidentNameh8ixuv",
+ "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNamev7bxe6",
+ "RemoveViaIdincidentRelationBookmarkId": "8aa5fa2e-321e-4663-b1bc-1f73d73aedc7",
+ "RemoveAutomationRuleId": "94ca78d2-0bcf-4f44-aa36-136d40ec8a3a",
+ "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNameiux6cn",
+ "RemoveAlertRuleName": "RemoveAlertRuleiamp95",
+ "RemoveViaIdincidentRelationId": "fa4ec427-fc28-4926-a0ef-9300313c48e6",
+ "UpdateViaIdincidentId": "a4fff7db-5896-435a-91b8-4efa9f287eed",
+ "RemoveViaIdincidentCommentId": "afe1f474-cc63-4c1c-9198-952438781715",
+ "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert",
+ "GetincidentRelationName": "GetincidentRelationNameclg6xw",
+ "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNamehks4oz",
+ "Playbook3TriggerUrl": "https://prod-02.centralus.logic.azure.com:443/workflows/0ccd0d021db94a059cff9733217f26dd/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=TOg5dFUmA5ar1zjTL85yE9WzxYlQBcxLOUiUe1LC06w",
+ "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkName2xuftl",
+ "UpdateincidentCommentName": "UpdateincidentCommentlcjsfe",
+ "GetAutomationRuleId": "967770b5-4642-4d5f-865d-c9cd372c746e",
+ "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5",
+ "UpdateViaIdincidentCommentIncidentId": "27a64d51-9f07-4451-ae16-976d68857423",
+ "RemoveBookmarkRelationName": "RemovebookmarkRelation7tspcu",
+ "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Alert",
+ "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicator0ge1km",
+ "GetAlertRuleId": "4be22fd3-5d4f-4a29-a527-57f9a2dae2f0",
+ "GetincidentName": "Getincidentvmrcqe",
+ "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamewukm9n",
+ "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName31yd8e",
+ "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6",
+ "UpdateViaIdincidentName": "UpdateViaIdincidentx791sq",
+ "newOnboardingStateWS": "asptestk42pgv",
+ "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRule8whjl7",
+ "UpdateentityQueryActivityName": "UpdateentityQueryActivityj2x9oy",
+ "RemoveViaIdincidentName": "RemoveViaIdincidentqrg6vs",
+ "UpdateincidentRelationName": "UpdateincidentRelationName2xeun0",
+ "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRulezk9y4v",
+ "UpdateViaIdBookmarkRelationIncidentId": "99d13007-8893-437d-b7d7-0c213ae7b3db",
+ "UpdateincidentRelationIncidentId": "ed0cfad2-f9e9-446c-a1ec-659194145750",
+ "RemoveBookmarkId": "3871571d-3110-4105-8104-e727f3b4d371",
+ "GetAlertRuleActionId": "3dd36704-ec12-4d83-87d1-f7e05bb46e26",
+ "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityvwk3a6",
+ "UpdateViaIdBookmarkId": "18bd8f59-8475-412f-8ac6-5bda97dce895",
+ "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamepo9tax",
+ "GetentityQueryActivityId": "9c01fde5-a458-4564-a710-3ec6afedc6ac",
+ "GetentityQueryActivityName": "GetentityQueryActivityaw7qsx",
+ "RemoveViaIdalertRuleActionRuleId": "9bed28fb-87c7-4530-b655-c3dcf14e637e",
+ "dataConnectorId": "f731f4fd-0336-445f-8672-8196f49236c6",
+ "RemoveAutomationRule": "RemoveAutomationRule7zhtoe",
+ "RemoveViaIdAlertRuleActionId": "865181a1-0f22-4a3c-a49f-c5e1af8b42ee",
+ "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName1pliw8",
+ "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkf8byrj",
+ "RemoveViaIdAlertRuleId": "8b62bd9b-fdaf-4b8e-b141-9a102f054770",
+ "Playbook1TriggerUrl": "https://prod-08.centralus.logic.azure.com:443/workflows/062a9e68aa874175b8f47d291cb891fc/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=48ORoEBUQ8w7epFI-VcmaNJNq7wu1kfdbI7A-jl267o",
+ "RemoveincidentRelationId": "09fd1812-cd51-4a0e-b6c8-2c68f4a489d3",
+ "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamex28bvi",
+ "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatortmcixj",
+ "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamep4hb2t",
+ "RemoveincidentCommentId": "927c5e0d-139f-4446-8ee5-27b139498267",
+ "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentksd6cw",
+ "UpdateincidentId": "4f96f5d6-22c7-4ec1-bde0-da5502846eee",
+ "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicatorcmxphj",
+ "UpdateViaIdbookmarkRelationBookmarkId": "ccb53d45-5a9c-4b72-a88e-fe90158d9642",
+ "RemoveViaIdincidentCommentIncidentId": "c8c2adc7-50aa-4ee7-9c90-972f547b0a19",
+ "UpdateBookmarkName": "Updatebookmarkt1wq40",
+ "UpdateAutomationRule": "UpdateAutomationRulen6cw3k",
+ "UpdatethreatIntelligenceIndicatorId": "aeb7c6c3-fb45-61a6-9453-d69f7e98ffa6",
+ "bookmarkExpansionId": "b6c6ba8e-3173-4784-b4d7-50d9c5dad904",
+ "GetBookmarkName": "Getbookmark2ywan5",
+ "UpdatealertRuleActionRuleId": "a4d250d6-460c-417a-952d-4c50f444165b",
+ "RemovethreatIntelligenceIndicatorIP": "8.8.8.2",
+ "RemovebookmarkRelationBookmarkId": "0fa74f90-4c76-4ba4-8ced-42557229bb0e",
+ "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNameyduxnr",
+ "workspaceName": "asptesttb8qd4",
+ "GetincidentId": "8701f6ec-cf8f-4c11-84dd-bc6c82d87a6e",
+ "RemoveViaIdBookmarkRelationId": "4d7b81af-e639-4a95-b5a4-21fc4418c656",
+ "GetalertRuleActionRuleName": "GetalertRuleActionRuleName94evnz",
+ "workspaceId": "e6526ca0-d207-42ee-b3ad-2f9bac77f370",
+ "updateDataConnectorId": "ceed24f3-9d49-446f-905f-be0edd531832",
+ "RemoveAlertRuleId": "524a0399-9e2c-4e79-9a72-c870910c6330",
+ "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNamelf0hcd",
+ "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamexc0get",
+ "UpdateAlertRuleName": "UpdateAlertRulegi5cnk",
+ "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNameb4xl1t",
+ "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameedqyn4",
+ "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName27k90i",
+ "RemoveViaIdBookmarkRelationIncidentId": "2c25ce36-be91-424b-9681-ae377e825b16"
+}
diff --git a/src/SecurityInsights/test/sampleData/AuditLogs.csv b/src/SecurityInsights/test/sampleData/AuditLogs.csv
new file mode 100644
index 000000000000..25a470ed95a0
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/AuditLogs.csv
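Review bot: The four `Playbook*TriggerUrl` entries (`Playbook2TriggerUrl`, `Playbook4TriggerUrl`, `Playbook3TriggerUrl`, `Playbook1TriggerUrl`) embed Logic Apps SAS tokens in their `sig=` query parameter; that signature is what authorises a POST to the trigger, so anyone who can read this file can fire the `Block-AADUser-*` and `Confirm-AADRiskyUser-*` workflows in the referenced subscription. If these are live keys they should be regenerated on the Logic Apps now that they are in git history, and the committed file should carry placeholders such as `"Playbook1TriggerUrl": "<logic-app-trigger-url>"` with real values supplied from an untracked copy or environment variables at test time. The `Tenant`, `SubscriptionId`, `workspaceResourceId` and `ASIServicePrinicpal` values are lower risk but still pin the suite to one identifiable test tenant and would benefit from the same treatment. The same `sig=` URL pattern is visible in the tail of `env.json` just above this file.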
@@ -0,0 +1,6 @@
+OperationName,TenantId,AADTenantId,ActivityDateTime,ResourceId,CorrelationId,SourceSystem,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AdditionalDetails,Id,InitiatedBy,LoggedByService,Result,ResultReason,TargetResources,ActivityDisplayName,AADOperationType,Type
+Update application – Certificates and secrets management ,,,,,9cee9603-bca7-4e62-9634-f1bfdc39ca2f,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_9cee9603-bca7-4e62-9634-f1bfdc39ca2f_1261B_35670955,"{""user"":{""displayName"":null,""userPrincipalName"":""victim@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""45.153.160.2"",""roles"":[],""id"":""34070915-82ff-492a-801f-e90484e79248""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\""]"",""newValue"":""[\""[KeyIdentifier=4245f2f5-4052-4c5b-afe8-1d7885d9bb39,KeyType=Password,KeyUsage=Verify,DisplayName=purview-api]\"",\""[KeyIdentifier=11ca002d-d846-4692-8e1f-501db99f485a,KeyType=Password,KeyUsage=Verify,DisplayName=key 2]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""purview-spn-user099"",""type"":""Application"",""id"":""020c2630-81fb-5678-9a9c-ce9984a45458""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,05cb7360-e689-4ce0-ba41-90aea748f764,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62"",""key"":""User-Agent""}]",Directory_05cb7360-e689-4ce0-ba41-90aea748f764_40B6F_20567843,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""192.168.5.8"",""roles"":[],""id"":""04dc7a40-2617-4044-b6e7-fdd8771b88a2""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=1714a3cf-c8dc-40e6-bc2a-fdfaf55baf42,KeyType=Password,KeyUsage=Verify,DisplayName=PurviewAppAccess]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp01"",""type"":""Application"",""id"":""a05db9f5-91e6-4bba-xxxx-cf38984e89fc""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,c12b4df2-9263-4f72-aeac-a0947ee77886,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_c12b4df2-9263-4f72-aeac-a0947ee77886_T6RO5_48034739,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""185.20.35.69"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=8c123b9d-31e6-4f50-a21f-88eabc8857e5,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp02"",""type"":""Application"",""id"":""a9929be8-b429-4918-ab41-0604fc9356b4""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,eb556ded-81df-427f-9552-e9a7161db0de,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_eb556ded-81df-427f-9552-e9a7161db0de_DZ0PK_68632943,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""33.88.24.12"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=bd3aa4f4-0737-42be-8506-1d2378a2ff0b,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp03"",""type"":""Application"",""id"":""20bdf178-f471-41bd-936f-2d4e0970b66c""}]",Update application – Certificates and secrets management ,Update,AuditLogs
+Update application – Certificates and secrets management ,,,,,61576753-576a-47ba-8c1c-69047fd50427,Azure AD,1,ApplicationManagement,,None,,0,Microsoft.aadiam,Microsoft.aadiam,,,4,,"[{""value"":""python/3.8.9 (Windows-10-10.0.19041-SP0) msrest/0.6.21 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.27.0 (MSI)"",""key"":""User-Agent""}]",Directory_61576753-576a-47ba-8c1c-69047fd50427_UETZH_76356316,"{""user"":{""displayName"":null,""userPrincipalName"":""VadimJ@buildseccxpninja.onmicrosoft.com"",""ipAddress"":""172.19.53.7"",""roles"":[],""id"":""5a1c81ba-786d-41bc-a8f0-5e999da7b7c9""}}",Core Directory,success,,"[{""administrativeUnits"":[],""modifiedProperties"":[{""displayName"":""KeyDescription"",""oldValue"":""[]"",""newValue"":""[\""[KeyIdentifier=a9d6190a-ee00-45ba-9975-4fa0b00bd4f4,KeyType=Password,KeyUsage=Verify,DisplayName=]\""]""},{""displayName"":""Included Updated Properties"",""oldValue"":null,""newValue"":""\""KeyDescription\""""}],""displayName"":""EntApp04"",""type"":""Application"",""id"":""b89ea4f7-3fb2-4731-b1cf-a4ee5d5624b9""}]",Update application – Certificates and secrets management ,Update,AuditLogs
diff --git a/src/SecurityInsights/test/sampleData/AzureAcitivity.csv b/src/SecurityInsights/test/sampleData/AzureAcitivity.csv
new file mode 100644
index 000000000000..c959ee300bcb
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/AzureAcitivity.csv
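Review bot: The fixture is neither clearly synthetic nor consistently anonymised: the `userPrincipalName` fields name `victim@buildseccxpninja.onmicrosoft.com` and `VadimJ@buildseccxpninja.onmicrosoft.com`, the `ipAddress` fields mix routable addresses (`45.153.160.2`, `185.20.35.69`, `33.88.24.12`) with private ones, and one application id is scrubbed to `a05db9f5-91e6-4bba-xxxx-cf38984e89fc` while every other GUID in the file is left intact. Since this ships inside a public module, I would replace the tenant with a fictitious domain such as `contoso.onmicrosoft.com`, use RFC 5737 documentation ranges (e.g. `192.0.2.10`) for the public IPs, and either redact every object id the same way or none of them. If the rows are meant to reproduce a specific secret-addition sequence for the AuditLogs connector tests, that intent is not visible here and should be stated wherever the sample is loaded.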
@@ -0,0 +1,1232 @@ +TenantId,SourceSystem,CallerIpAddress,CategoryValue,CorrelationId,Authorization,Authorization_d,Claims,Claims_d,Level,OperationNameValue,Properties,Properties_d,Caller,EventDataId,EventSubmissionTimestamp [UTC],HTTPRequest,OperationId,ResourceGroup,ResourceProviderValue,ActivityStatusValue,ActivitySubstatusValue,Hierarchy,TimeGenerated,SubscriptionId,OperationName,ActivityStatus,ActivitySubstatus,Category,ResourceId,ResourceProvider,Resource,Type,_ResourceId +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""action"":""Microsoft.Web/sites/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": 
""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""nbf"":""1619619948"",""exp"":""1619623848"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + 
""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""6f5ca24c-de95-451a-b91e-7a7ab209c28b"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:32:14.0298107Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" +}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""message"":""Microsoft.Web/sites/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""6f5ca24c-de95-451a-b91e-7a7ab209c28b"",""eventSubmissionTimestamp"":""2021-04-28T14:32:14.0298107Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""okta-new"",""resourceGroup"":""SENTINEL-MAINRG"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,6f5ca24c-de95-451a-b91e-7a7ab209c28b,"4/28/2021, 2:32:14.029 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:32:14.029 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,22c5c3ad-e049-48b1-be62-19076302c6e4,"{ + ""scope"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""action"": ""Microsoft.SecurityInsights/alertRules/write"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"",""action"":""Microsoft.SecurityInsights/alertRules/write"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": 
""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""nbf"":""1619619948"",""exp"":""1619623848"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,"{ + ""statusCode"": ""Created"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""message"": ""Microsoft.SecurityInsights/alertRules/write"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""ce96bc52-0093-49aa-af81-f1d22a72e6f0"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:35:00.6739282Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""resourceGroup"": ""SENTINELYANIVSH"", + ""resourceProviderValue"": ""MICROSOFT.OPERATIONALINSIGHTS"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""Created"" 
+}","{""statusCode"":""Created"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"",""message"":""Microsoft.SecurityInsights/alertRules/write"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""ce96bc52-0093-49aa-af81-f1d22a72e6f0"",""eventSubmissionTimestamp"":""2021-04-28T14:35:00.6739282Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"",""resourceGroup"":""SENTINELYANIVSH"",""resourceProviderValue"":""MICROSOFT.OPERATIONALINSIGHTS"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""Created""}",AdeleV@M365x816222.OnMicrosoft.com,ce96bc52-0093-49aa-af81-f1d22a72e6f0,"4/28/2021, 2:35:00.673 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINELYANIVSH,MICROSOFT.OPERATIONALINSIGHTS,Success,Created,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:35:00.673 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinelyanivsh/providers/microsoft.operationalinsights/workspaces/centricdemo/providers/microsoft.securityinsights/alertrules/017c0f30-87ea-4ab0-802a-51def37b0721 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": 
""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": 
""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CUSTOMAPIS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/customApis/Resilent"", + ""message"": ""Microsoft.Web/customApis/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""a2594dff-d22d-42c1-b1e7-37184a3f0683"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:00.317969Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""resilent"", + ""resourceGroup"": ""BTPOC"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/customApis/Resilent"",""message"":""Microsoft.Web/customApis/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""a2594dff-d22d-42c1-b1e7-37184a3f0683"",""eventSubmissionTimestamp"":""2021-04-28T14:44:00.3179690Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""resilent"",""resourceGroup"":""BTPOC"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,a2594dff-d22d-42c1-b1e7-37184a3f0683,"4/28/2021, 2:44:00.317 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:00.317 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc/providers/microsoft.web/customapis/resilent +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""5027afa0-8274-40bd-84fc-8652c20e259d"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:47.6410254Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""5027afa0-8274-40bd-84fc-8652c20e259d"",""eventSubmissionTimestamp"":""2021-04-28T14:42:47.6410254Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,5027afa0-8274-40bd-84fc-8652c20e259d,"4/28/2021, 2:42:47.641 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:47.641 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""c1c4dc22-3b83-4b2e-ae58-1a829989b8e4"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""63139859-0aaf-474c-98b9-ed18b7d4b6a7"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:51.9161118Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" 
+}","{""statusCode"":""OK"",""serviceRequestId"":""c1c4dc22-3b83-4b2e-ae58-1a829989b8e4"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""63139859-0aaf-474c-98b9-ed18b7d4b6a7"",""eventSubmissionTimestamp"":""2021-04-28T14:42:51.9161118Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,63139859-0aaf-474c-98b9-ed18b7d4b6a7,"4/28/2021, 2:42:51.916 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:51.916 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + 
""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.Web/sites/delete"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + 
""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1
,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""b925d0cb-46c9-450e-9f6d-4fbf69a34dfe"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:31:30.0219975Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:31:30.0219975Z"",""resourceProviderValue"":""MICROSOFT.WEB"",""activityStatusValue"":""Start"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINEL-MAINRG"",""eventDataId"":""b925d0cb-46c9-450e-9f6d-4fbf69a34dfe"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""okta-new"",""message"":""Microsoft.Web/sites/delete"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}",AdeleV@M365x816222.OnMicrosoft.com,b925d0cb-46c9-450e-9f6d-4fbf69a34dfe,"4/28/2021, 2:31:30.021 
PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:31:30.021 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,a2bba39a-d17f-404d-9919-e59039e73ad4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""action"": ""Microsoft.Web/sites/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.Web/sites/delete"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": 
""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.WEB/SITES/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""c5b3981e-03ba-4e01-9703-1de27cb9218f"", + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"", + ""message"": ""Microsoft.Web/sites/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""bd53ca1f-63d8-4886-9a3e-6869172bd5f2"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:31:40.3331458Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""okta-new"", + ""resourceGroup"": ""SENTINEL-MAINRG"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:31:40.3331458Z"",""resourceProviderValue"":""MICROSOFT.WEB"",""activityStatusValue"":""Success"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINEL-MAINRG"",""eventDataId"":""bd53ca1f-63d8-4886-9a3e-6869172bd5f2"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""activitySubstatusValue"":""OK"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""okta-new"",""serviceRequestId"":""c5b3981e-03ba-4e01-9703-1de27cb9218f"",""message"":""Microsoft.Web/sites/delete"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/Sentinel-MainRG/providers/Microsoft.Web/sites/Okta-new"",""statusCode"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,bd53ca1f-63d8-4886-9a3e-6869172bd5f2,"4/28/2021, 2:31:40.333 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINEL-MAINRG,MICROSOFT.WEB,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:31:40.333 
PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinel-mainrg/providers/microsoft.web/sites/okta-new +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,22c5c3ad-e049-48b1-be62-19076302c6e4,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""action"": ""Microsoft.SecurityInsights/alertRules/write"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""evidence"":{""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalType"":""User"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""role"":""Contributor""},""action"":""Microsoft.SecurityInsights/alertRules/write"",""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721""}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619619948"", + ""nbf"": ""1619619948"", + ""exp"": ""1619623848"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"", + 
""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""thrQim_Tb0K8ZxSi9VWAAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""xms_tcdt"":""1591748537"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""nbf"":""1619619948"",""exp"":""1619623848"",""aio"":""ATQAy/8TAAAARk47FymlkYjF8aD5qw9R6mifAuz/IGhhTRBHWebW9HOR9MgLKM4YcDn72FFfKrZz"",""uti"":""thrQim_Tb0K8ZxSi9VWAAQ"",""ver"":""1.0"",""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619619948"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""puid"":""10032000C757D25F""}",,MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""message"": ""Microsoft.SecurityInsights/alertRules/write"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""133ceed0-b1f0-42be-867b-a6c32858cff2"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:34:58.2130169Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"", + ""resourceGroup"": ""SENTINELYANIVSH"", + ""resourceProviderValue"": ""MICROSOFT.OPERATIONALINSIGHTS"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventSubmissionTimestamp"":""2021-04-28T14:34:58.2130169Z"",""resourceProviderValue"":""MICROSOFT.OPERATIONALINSIGHTS"",""activityStatusValue"":""Start"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""eventCategory"":""Administrative"",""resourceGroup"":""SENTINELYANIVSH"",""eventDataId"":""133ceed0-b1f0-42be-867b-a6c32858cff2"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""resource"":""centricdemo/microsoft.securityinsights/017c0f30-87ea-4ab0-802a-51def37b0721"",""message"":""Microsoft.SecurityInsights/alertRules/write"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/sentinelyanivsh/providers/Microsoft.OperationalInsights/workspaces/centricdemo/providers/Microsoft.SecurityInsights/alertRules/017c0f30-87ea-4ab0-802a-51def37b0721""}",AdeleV@M365x816222.OnMicrosoft.com,133ceed0-b1f0-42be-867b-a6c3285
8cff2,"4/28/2021, 2:34:58.213 PM","{""clientIpAddress"":""37.142.150.162""}",,SENTINELYANIVSH,MICROSOFT.OPERATIONALINSIGHTS,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:34:58.213 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/sentinelyanivsh/providers/microsoft.operationalinsights/workspaces/centricdemo/providers/microsoft.securityinsights/alertrules/017c0f30-87ea-4ab0-802a-51def37b0721 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": 
""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" 
+}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": 
""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:53.0422877Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" +}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb"",""eventSubmissionTimestamp"":""2021-04-28T14:36:53.0422877Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,d6b94a7d-d7d3-44ac-8771-dc7a2a2048fb,"4/28/2021, 2:36:53.042 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:53.042 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": 
""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + 
""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": ""4b895e78-45c6-421a-a904-adb1f810bf99"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": ""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:53.2672695Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":""4b895e78-45c6-421a-a904-adb1f810bf99"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec"",""eventSubmissionTimestamp"":""2021-04-28T14:36:53.2672695Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,9a0ebf0f-aa1f-4a59-b0d6-cb0f10e134ec,"4/28/2021, 2:36:53.267 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:53.267 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,3387cf7f-24b2-482f-9f4e-1ef7ceb08c14,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""action"": ""Microsoft.Compute/virtualMachines/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": 
""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""action"":""Microsoft.Compute/virtualMachines/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": 
""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"", + ""message"": ""Microsoft.Compute/virtualMachines/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""095e97d1-1189-4e03-8988-027b8484659f"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:36:57.5457406Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""linux01"", + ""resourceGroup"": ""VM-RG01"", + ""resourceProviderValue"": ""MICROSOFT.COMPUTE"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/VM-RG01/providers/Microsoft.Compute/virtualMachines/Linux01"",""message"":""Microsoft.Compute/virtualMachines/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""095e97d1-1189-4e03-8988-027b8484659f"",""eventSubmissionTimestamp"":""2021-04-28T14:36:57.5457406Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""linux01"",""resourceGroup"":""VM-RG01"",""resourceProviderValue"":""MICROSOFT.COMPUTE"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,095e97d1-1189-4e03-8988-027b8484659f,"4/28/2021, 2:36:57.545 PM","{""clientIpAddress"":""37.142.150.162""}",,VM-RG01,MICROSOFT.COMPUTE,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:36:57.545 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/vm-rg01/providers/microsoft.compute/virtualmachines/linux01 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CONNECTIONS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/connections/azuresentinel-Create-ReslientIncident"", + ""message"": ""Microsoft.Web/connections/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""efcc6aed-66df-4275-af35-d193fa592064"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:00.7229035Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""azuresentinel-create-reslientincident"", + ""resourceGroup"": ""BTPOC"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC/providers/Microsoft.Web/connections/azuresentinel-Create-ReslientIncident"",""message"":""Microsoft.Web/connections/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""efcc6aed-66df-4275-af35-d193fa592064"",""eventSubmissionTimestamp"":""2021-04-28T14:44:00.7229035Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""azuresentinel-create-reslientincident"",""resourceGroup"":""BTPOC"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,efcc6aed-66df-4275-af35-d193fa592064,"4/28/2021, 2:44:00.722 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:00.722 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc/providers/microsoft.web/connections/azuresentinel-create-reslientincident +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""c5f9284b-9db9-4f6a-b40c-ea217b795b2a"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:47.9541343Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""EY_DEMO"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""c5f9284b-9db9-4f6a-b40c-ea217b795b2a"",""eventSubmissionTimestamp"":""2021-04-28T14:43:47.9541343Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""EY_DEMO"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,c5f9284b-9db9-4f6a-b40c-ea217b795b2a,"4/28/2021, 2:43:47.954 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:47.954 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""a16b075b-6bc3-4b66-8745-6b7a36adb050"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:48.5341324Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""EY_DEMO"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""a16b075b-6bc3-4b66-8745-6b7a36adb050"",""eventSubmissionTimestamp"":""2021-04-28T14:43:48.5341324Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""EY_DEMO"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,a16b075b-6bc3-4b66-8745-6b7a36adb050,"4/28/2021, 2:43:48.534 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:48.534 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""OK"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourcegroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""c7f9c8cd-350d-4e40-8f9b-fd43b5232b36"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:55.6152351Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""statusCode"":""OK"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourcegroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""c7f9c8cd-350d-4e40-8f9b-fd43b5232b36"",""eventSubmissionTimestamp"":""2021-04-28T14:44:55.6152351Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,c7f9c8cd-350d-4e40-8f9b-fd43b5232b36,"4/28/2021, 2:44:55.615 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:55.615 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""7a47678a-ccc4-4ee7-8097-7ff38462770a"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:38.1773722Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""7a47678a-ccc4-4ee7-8097-7ff38462770a"",""eventSubmissionTimestamp"":""2021-04-28T14:42:38.1773722Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,7a47678a-ccc4-4ee7-8097-7ff38462770a,"4/28/2021, 2:42:38.177 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:38.177 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""statusCode"": ""OK"", + ""serviceRequestId"": ""b51752c4-842f-4ff2-b73a-c0c40ef626e5"", + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""58af7909-cccb-4c7c-bb13-e37cdea744aa"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:42:44.7701036Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"", + ""activitySubstatusValue"": ""OK"" 
+}","{""statusCode"":""OK"",""serviceRequestId"":""b51752c4-842f-4ff2-b73a-c0c40ef626e5"",""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""58af7909-cccb-4c7c-bb13-e37cdea744aa"",""eventSubmissionTimestamp"":""2021-04-28T14:42:44.7701036Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success"",""activitySubstatusValue"":""OK""}",AdeleV@M365x816222.OnMicrosoft.com,58af7909-cccb-4c7c-bb13-e37cdea744aa,"4/28/2021, 2:42:44.770 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Success,OK,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:42:44.770 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,b62b273a-d336-4ead-b1ac-223f3220e772,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + 
""principalType"": ""User"" + } +}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + 
""http://schemas.microsoft.com/identity/claims/tenantid"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""994afaf9-56c9-4492-a8ef-2690c4d1294b"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:25.2241883Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""oneloginlogs1234"", + ""resourceGroup"": ""GBB01"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/GBB01/providers/Microsoft.KeyVault/vaults/OneLoginLogs1234"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""994afaf9-56c9-4492-a8ef-2690c4d1294b"",""eventSubmissionTimestamp"":""2021-04-28T14:43:25.2241883Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""oneloginlogs1234"",""resourceGroup"":""GBB01"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,994afaf9-56c9-4492-a8ef-2690c4d1294b,"4/28/2021, 2:43:25.224 PM","{""clientIpAddress"":""37.142.150.162""}",,GBB01,MICROSOFT.KEYVAULT,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:25.224 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/gbb01/providers/microsoft.keyvault/vaults/oneloginlogs1234 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.LOGIC/WORKFLOWS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Logic/workflows/Sentinel-Ingest-AAD-SignInLog"", + ""message"": ""Microsoft.Logic/workflows/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""7213d612-94b6-4ddb-856f-bb723409f48c"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:22.9477862Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""sentinel-ingest-aad-signinlog"", + ""resourceGroup"": ""EY_DEMO"", + ""resourceProviderValue"": ""MICROSOFT.LOGIC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Logic/workflows/Sentinel-Ingest-AAD-SignInLog"",""message"":""Microsoft.Logic/workflows/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""7213d612-94b6-4ddb-856f-bb723409f48c"",""eventSubmissionTimestamp"":""2021-04-28T14:44:22.9477862Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""sentinel-ingest-aad-signinlog"",""resourceGroup"":""EY_DEMO"",""resourceProviderValue"":""MICROSOFT.LOGIC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,7213d612-94b6-4ddb-856f-bb723409f48c,"4/28/2021, 2:44:22.947 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,MICROSOFT.LOGIC,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:22.947 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo/providers/microsoft.logic/workflows/sentinel-ingest-aad-signinlog +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,84fcb0a6-91db-4f09-a74e-97d1d41f2c6f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/EY_Demo"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.WEB/CONNECTIONS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Web/connections/azureloganalyticsdatacollector"", + ""message"": ""Microsoft.Web/connections/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""4af29ade-c9eb-418b-b5f5-54d0ac892c7f"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:44:22.2177653Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""azureloganalyticsdatacollector"", + ""resourceGroup"": ""EY_DEMO"", + ""resourceProviderValue"": ""MICROSOFT.WEB"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/EY_Demo/providers/Microsoft.Web/connections/azureloganalyticsdatacollector"",""message"":""Microsoft.Web/connections/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""4af29ade-c9eb-418b-b5f5-54d0ac892c7f"",""eventSubmissionTimestamp"":""2021-04-28T14:44:22.2177653Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""azureloganalyticsdatacollector"",""resourceGroup"":""EY_DEMO"",""resourceProviderValue"":""MICROSOFT.WEB"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,4af29ade-c9eb-418b-b5f5-54d0ac892c7f,"4/28/2021, 2:44:22.217 PM","{""clientIpAddress"":""37.142.150.162""}",,EY_DEMO,MICROSOFT.WEB,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:44:22.217 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/ey_demo/providers/microsoft.web/connections/azureloganalyticsdatacollector +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,6ba231ee-8a6b-4ddb-9bce-cbaa4000fc5f,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""action"": ""Microsoft.KeyVault/vaults/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""action"":""Microsoft.KeyVault/vaults/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.KEYVAULT/VAULTS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"", + ""message"": ""Microsoft.KeyVault/vaults/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""0d0db332-83b8-4a90-9be5-47685712c9cf"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:20.660355Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resource"": ""messagetracerg77"", + ""resourceGroup"": ""RG77"", + ""resourceProviderValue"": ""MICROSOFT.KEYVAULT"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Success"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/RG77/providers/Microsoft.KeyVault/vaults/MessageTraceRG77"",""message"":""Microsoft.KeyVault/vaults/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""0d0db332-83b8-4a90-9be5-47685712c9cf"",""eventSubmissionTimestamp"":""2021-04-28T14:43:20.6603550Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resource"":""messagetracerg77"",""resourceGroup"":""RG77"",""resourceProviderValue"":""MICROSOFT.KEYVAULT"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Success""}",AdeleV@M365x816222.OnMicrosoft.com,0d0db332-83b8-4a90-9be5-47685712c9cf,"4/28/2021, 2:43:20.660 PM","{""clientIpAddress"":""37.142.150.162""}",,RG77,MICROSOFT.KEYVAULT,Success,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:20.660 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/rg77/providers/microsoft.keyvault/vaults/messagetracerg77 +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""6bad33c9-7732-47b4-b6ce-ed842811213c"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:19.9929621Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Start"" 
+}","{""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""6bad33c9-7732-47b4-b6ce-ed842811213c"",""eventSubmissionTimestamp"":""2021-04-28T14:43:19.9929621Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Start""}",AdeleV@M365x816222.OnMicrosoft.com,6bad33c9-7732-47b4-b6ce-ed842811213c,"4/28/2021, 2:43:19.992 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Start,,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:19.992 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure,37.142.150.162,Administrative,af709074-16dd-47b6-bf04-f159bc0a0fb1,"{ + ""scope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""action"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""evidence"": { + ""role"": ""Contributor"", + ""roleAssignmentScope"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"", + ""roleAssignmentId"": ""9ddc3bf8125f4918ad9f9dd31a0ae60f"", + ""roleDefinitionId"": ""b24988ac618042a0ab8820f7382dd24c"", + ""principalId"": ""9b117c67170e4aed9702658b3fddc889"", + ""principalType"": ""User"" + } 
+}","{""scope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""action"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""evidence"":{""role"":""Contributor"",""roleAssignmentScope"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918"",""roleAssignmentId"":""9ddc3bf8125f4918ad9f9dd31a0ae60f"",""roleDefinitionId"":""b24988ac618042a0ab8820f7382dd24c"",""principalId"":""9b117c67170e4aed9702658b3fddc889"",""principalType"":""User""}}","{ + ""aud"": ""https://management.core.windows.net/"", + ""iss"": ""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"", + ""iat"": ""1619620278"", + ""nbf"": ""1619620278"", + ""exp"": ""1619624178"", + ""http://schemas.microsoft.com/claims/authnclassreference"": ""1"", + ""aio"": ""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"", + ""http://schemas.microsoft.com/claims/authnmethodsreferences"": ""pwd"", + ""appid"": ""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"", + ""appidacr"": ""2"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"": ""Vance"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"": ""Adele"", + ""groups"": ""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"", + ""ipaddr"": ""37.142.150.162"", + ""name"": ""Adele Vance"", + ""http://schemas.microsoft.com/identity/claims/objectidentifier"": ""9b117c67-170e-4aed-9702-658b3fddc889"", + ""puid"": ""10032000C757D25F"", + ""rh"": ""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."", + ""http://schemas.microsoft.com/identity/claims/scope"": ""user_impersonation"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"": ""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"", + ""http://schemas.microsoft.com/identity/claims/tenantid"": 
""2ad3fc79-1859-42fa-9011-6f8df2251b22"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""uti"": ""H9u_0K6Ph0a_X_ZpaCFwAQ"", + ""ver"": ""1.0"", + ""xms_tcdt"": ""1591748537"" +}","{""aud"":""https://management.core.windows.net/"",""iss"":""https://sts.windows.net/2ad3fc79-1859-42fa-9011-6f8df2251b22/"",""iat"":""1619620278"",""nbf"":""1619620278"",""exp"":""1619624178"",""http://schemas.microsoft.com/claims/authnclassreference"":""1"",""aio"":""ATQAy/8TAAAA7zVpz1MTiN5PcZ84YU7VvUqYvGDj8M8XljPirr2ynbiIAMHm6UVn78uuUS6hpfLV"",""http://schemas.microsoft.com/claims/authnmethodsreferences"":""pwd"",""appid"":""c44b4083-3bb0-49c1-b47d-974e53cbdf3c"",""appidacr"":""2"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"":""Vance"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"":""Adele"",""groups"":""b8ebf801-537d-4ef0-9353-545d8b161a4c,4dee65d3-7474-4a57-b550-19b1435e6fdc,dc8c1d8a-5cbe-4db7-a252-ed6e77a9bac6,72d050bc-1235-43d2-be81-4029fbfbd6c7,0d569539-ca8f-4e1b-bfbd-35e57b0d4bf1,8041dfc5-efef-4035-8241-74179adf4b9f"",""ipaddr"":""37.142.150.162"",""name"":""Adele 
Vance"",""http://schemas.microsoft.com/identity/claims/objectidentifier"":""9b117c67-170e-4aed-9702-658b3fddc889"",""puid"":""10032000C757D25F"",""rh"":""0.AVIAefzTKlkY-kKQEW-N8iUbIoNAS8SwO8FJtH2XTlPL3zxSAJg."",""http://schemas.microsoft.com/identity/claims/scope"":""user_impersonation"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"":""ZkJagYHGZD8_R8qCe2VRG3nD8dGJehXAuGi58QDeOtM"",""http://schemas.microsoft.com/identity/claims/tenantid"":""2ad3fc79-1859-42fa-9011-6f8df2251b22"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"":""AdeleV@M365x816222.OnMicrosoft.com"",""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"":""AdeleV@M365x816222.OnMicrosoft.com"",""uti"":""H9u_0K6Ph0a_X_ZpaCFwAQ"",""ver"":""1.0"",""xms_tcdt"":""1591748537""}",,MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE,"{ + ""statusCode"": ""Accepted"", + ""serviceRequestId"": null, + ""eventCategory"": ""Administrative"", + ""entity"": ""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"", + ""message"": ""Microsoft.Resources/subscriptions/resourceGroups/delete"", + ""hierarchy"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"", + ""caller"": ""AdeleV@M365x816222.OnMicrosoft.com"", + ""eventDataId"": ""e6092106-d8c4-4a36-87d4-356f9b6b701d"", + ""eventSubmissionTimestamp"": ""2021-04-28T14:43:23.1230263Z"", + ""httpRequest"": ""{\""clientIpAddress\"":\""37.142.150.162\""}"", + ""resourceGroup"": ""BTPOC"", + ""subscriptionId"": ""8F153238-E602-427E-A7C0-3043FBE50918"", + ""activityStatusValue"": ""Accept"", + ""activitySubstatusValue"": ""Accepted"" 
+}","{""statusCode"":""Accepted"",""serviceRequestId"":null,""eventCategory"":""Administrative"",""entity"":""/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourceGroups/BTPOC"",""message"":""Microsoft.Resources/subscriptions/resourceGroups/delete"",""hierarchy"":""2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918"",""caller"":""AdeleV@M365x816222.OnMicrosoft.com"",""eventDataId"":""e6092106-d8c4-4a36-87d4-356f9b6b701d"",""eventSubmissionTimestamp"":""2021-04-28T14:43:23.1230263Z"",""httpRequest"":""{\""clientIpAddress\"":\""37.142.150.162\""}"",""resourceGroup"":""BTPOC"",""subscriptionId"":""8f153238-e602-427e-a7c0-3043fbe50918"",""activityStatusValue"":""Accept"",""activitySubstatusValue"":""Accepted""}",AdeleV@M365x816222.OnMicrosoft.com,e6092106-d8c4-4a36-87d4-356f9b6b701d,"4/28/2021, 2:43:23.123 PM","{""clientIpAddress"":""37.142.150.162""}",,BTPOC,,Accept,Accepted,2ad3fc79-1859-42fa-9011-6f8df2251b22/CONTOSO-MG/8f153238-e602-427e-a7c0-3043fbe50918,"4/28/2021, 2:43:23.123 PM",8f153238-e602-427e-a7c0-3043fbe50918,,,,,,,,AzureActivity,/subscriptions/8f153238-e602-427e-a7c0-3043fbe50918/resourcegroups/btpoc diff --git a/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv b/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv new file mode 100644 index 000000000000..af1bda393f48 --- /dev/null +++ b/src/SecurityInsights/test/sampleData/Cisco_Umbrella_dns.csv @@ -0,0 +1,2 @@ +Timestamp,Policy Identity,Identities/0,InternalIp,ExternalIp,Action,QueryType,ResponseCode,Domain,Categories/0,Categories/1,Categories/2,Policy Identity Type,Identity Types/0,Blocked Categories,EventType +2019-09-12T20:00:00.625Z,HOSTNAME,HOSTNAME, 17.81.146.1,15.230.137.45,Allowed,1 (A),NOERROR,avsvmcloud.com,Software/Technology,Business Services,Infrastructure,,Anyconnect Roaming Client,,dnslogs 
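Review bot: The InternalIp cell on the data row carries a leading space (`HOSTNAME,HOSTNAME, 17.81.146.1,`), so a conforming CSV reader returns " 17.81.146.1" and any test that parses the value as an IP address or compares it exactly will fail or silently skip the row; drop the space: `2019-09-12T20:00:00.625Z,HOSTNAME,HOSTNAME,17.81.146.1,15.230.137.45,Allowed,1 (A),NOERROR,avsvmcloud.com,...`. The InternalIp/ExternalIp pair and the avsvmcloud.com domain appear to be chosen deliberately to correlate with the CommonSecurityLog fixture in this same patch, and that apex domain is the one publicly associated with the SUNBURST backdoor, so a short note next to the fixtures saying these are intentional indicators would keep a later contributor from "sanitising" them. If the addresses are meant to be synthetic rather than observed, the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) avoid publishing routable third-party IPs in a public repository.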
diff --git a/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv b/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv
new file mode 100644
index 000000000000..a7d3f5e3d5d8
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/CommonSecurityLog.csv
@@ -0,0 +1,2 @@ +TenantId,SourceSystem,ReceiptTime,DeviceVendor,DeviceProduct,DeviceEventClassID,LogSeverity,OriginalLogSeverity,DeviceAction,SimplifiedDeviceAction,Computer,CommunicationDirection,DeviceFacility,DestinationPort,DestinationIP,DeviceAddress,DeviceName,Message,Protocol,SourcePort,SourceIP,RemoteIP,RemotePort_string,RemotePort_int,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,DeviceVersion,Activity,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,DeviceDnsDomain,DeviceExternalID,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceMacAddress,ProcessID,ExternalID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourceUserID,SourceUserName,EventType,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloa
tingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,AdditionalExtensions,StartTime [UTC],EndTime,Type,_ResourceId +8ecf8077-cf51-4820-aadd-14040956f35d,OpsManager,,Vectra Networks,X Series,hidden_https_tunnel_cnc,2.2,,,,,,,443,15.230.137.45,192.168.52.37,ClientPc.contoso.com,type1,tcp,,17.81.146.1,,,,,,,,,,,,,6.6,Hidden HTTPS Tunnel,,,,,,,,,,,,,,,07605jn8l36uranbtvef0b12eu1.appsync-api.us-east-1.avsvmcloud.com,,,,,,,,,,,54,,,,,,,,,,56296,,,,,,,,,,1748,,,,,,IP-10.10.1.130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://x29-1-37.sc.tvec/detections/54?detail_id\=322,Vectra Event URL,FALSE,triaged,,,,,,,,,22,threat,64,certainty,,,,,cat=COMMAND & CONTROL;start=1617770662000;end=1617772463000,,,CommonSecurityLog,/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de0176f/resourcegroups/soc-fortinet/providers/microsoft.compute/virtualmachines/soc-fw-cef diff --git a/src/SecurityInsights/test/sampleData/OfficeActivity.csv b/src/SecurityInsights/test/sampleData/OfficeActivity.csv new file mode 100644 index 000000000000..58d4a21391f2 --- /dev/null +++ b/src/SecurityInsights/test/sampleData/OfficeActivity.csv 
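Review bot: This row's TenantId (8ecf8077-…) and the subscription inside _ResourceId (d1d8779d-…/soc-fortinet/…/soc-fw-cef) differ from the 7c759f10-… tenant and 8f153238-… subscription that every other fixture in this patch uses, so if the tests or bundled queries correlate tables on TenantId this CommonSecurityLog event will never join with the AzureActivity/OfficeActivity rows; if correlation is intended, set the first cell to `7c759f10-811c-4db8-ad6d-f07d8ae3f8ea` and point _ResourceId at the shared subscription. That _ResourceId also reads like it was captured from a live workspace rather than the Contoso demo tenant, so confirm it is not a real subscription id before it lands in a public repository. The RequestURL cell still carries the raw CEF extension escape (`detail_id\=322`); if the consumer expects the value the connector would have unescaped, exact matches on the URL will miss and the cell should read `https://x29-1-37.sc.tvec/detections/54?detail_id=322`. Same caveat as for the Umbrella fixture: 17.81.146.1 and 15.230.137.45 are routable public addresses, fine if they are deliberate indicators, otherwise prefer RFC 5737 ranges.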
@@ -0,0 +1,583 @@ +TenantId,Application,UserDomain,ApplicationId,UserAgent,RecordType,TimeGenerated [UTC],Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,MachineId,Site_Url,Site_Url_,SourceRelativeUrl,SourceRelativeUrl_,SourceFileName,SourceFileName_,SourceFileExtension,DestinationRelativeUrl,DestinationFileName,DestinationFileExtension,UserSharedWith,SharingType,CustomEvent,Event_Data,ModifiedObjectResolvedName,Parameters,ExternalAccess,OriginatingServer,OrganizationName,Logon_Type,InternalLogonType,MailboxGuid,MailboxOwnerUPN,MailboxOwnerSid,MailboxOwnerMasterAccountSid,LogonUserSid,LogonUserDisplayName,ClientInfoString,Client_IPAddress,ClientMachineName,ClientProcessName,ClientVersion,Folder,CrossMailboxOperations,DestMailboxId,DestMailboxOwnerUPN,DestMailboxOwnerSid,DestMailboxOwnerMasterAccountSid,DestFolder,Folders,AffectedItems,Item,ModifiedProperties,SendAsUserSmtp,SendAsUserMailboxGuid,SendOnBehalfOfUserSmtp,SendonBehalfOfUserMailboxGuid,ExtendedProperties,Client,LoginStatus,Actor,ActorContextId,ActorIpAddress,InterSystemsId,IntraSystemId,SupportTicketId,TargetContextId,DataCenterSecurityEventType,EffectiveOrganization,ElevationTime [UTC],ElevationApprover,ElevationApprovedTime [UTC],ElevationRequestId,ElevationRole,ElevationDuration,GenericInfo,SourceSystem,OfficeId,SourceRecordId,AzureActiveDirectory_EventType,AADTarget,Start_Time [UTC],OfficeTenantId,OfficeTenantId_,TargetUserOrGroupName,TargetUserOrGroupType,MessageId,Members,TeamName,TeamGuid,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ExchangeAdmin,New-InboxRule,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/AdeleV\rule2,AdeleV@contoso.OnMicrosoft.com,AdeleV@contoso.OnMicrosoft.com,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:36185,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:36185,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""MoveToFolder"", + ""Value"": ""Junk Email"" + }, + { + ""Name"": ""Name"", + ""Value"": ""rule2"" + }, + { + ""Name"": ""SubjectContainsWords"", + ""Value"": ""do not open"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.026),contoso.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/26/2021, 7:17:10.000 AM",,,,,,,OfficeActivityManager,d28096ba-03b1-4c2a-1503-08d908826606,d28096ba-03b1-4c2a-1503-08d908826606,,,"4/26/2021, 7:17:10.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity,, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ExchangeAdmin,New-InboxRule,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/AdeleV\my_rule1,AdeleV@contoso.OnMicrosoft.com,AdeleV@contoso.OnMicrosoft.com,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:45955,[2a01:110:8068:7:9bf8:aa87:e00a:5f1f]:45955,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""Name"", + ""Value"": ""my_rule1"" + }, + { + ""Name"": ""BodyContainsWords"", + ""Value"": ""covid-19"" + }, + { + ""Name"": 
""DeleteMessage"", + ""Value"": ""True"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.026),contoso.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/26/2021, 6:37:32.000 AM",,,,,,,OfficeActivityManager,d2d1b1e1-4327-4c24-b9eb-08d9087c624c,d2d1b1e1-4327-4c24-b9eb-08d9087c624c,,,"4/26/2021, 6:37:32.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity,, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 3:05:26.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:13:17.000 PM",,,,,,,OfficeActivityManager,84365963-570a-4424-38da-08d90a570e02,84365963-570a-4424-38da-08d90a570e02,,,"4/28/2021, 3:13:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 3:05:24.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:13:17.000 PM",,,,,,,OfficeActivityManager,38d99a5f-e6d7-4786-59cd-08d90a570cc0,38d99a5f-e6d7-4786-59cd-08d90a570cc0,,,"4/28/2021, 3:13:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:54:37.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,Client=REST;Client=RESTSystem;;,2603:10b6:5:345::11,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEJAAAB"", + ""Path"": ""\\Sent Items"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 3:01:57.000 PM",,,,,,,OfficeActivityManager,2ad854c0-d9c3-43b5-95d8-826aea0d10ca,2ad854c0-d9c3-43b5-95d8-826aea0d10ca,,,"4/28/2021, 3:01:57.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",8a18aa92-0a1e-4e06-abd0-e118fa4787b1,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficePods,SharePointFileOperation,"4/28/2021, 2:50:22.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:58:17.000 PM",,,,,,,OfficeActivityManager,fa28f91d-86c4-40a8-f621-08d90a54f336,fa28f91d-86c4-40a8-f621-08d90a54f336,,,"4/28/2021, 2:58:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:50:14.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:58:17.000 PM",,,,,,,OfficeActivityManager,5fa8e714-cec1-4673-1ba3-08d90a54eebb,5fa8e714-cec1-4673-1ba3-08d90a54eebb,,,"4/28/2021, 2:58:17.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:45:26.000 PM",FileDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Timesheet_AdeleV.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,Timesheet_AdeleV.xlsx,Timesheet_AdeleV.xlsx,xlsx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,56dab345-b820-4018-489b-08d90a5442ac,56dab345-b820-4018-489b-08d90a5442ac,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ComplianceDLPSharePoint,"4/28/2021, 2:44:51.000 PM",DLPRuleUndo,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,System,DlpPolicyEventBasedAssistantOneDriveForBusiness,OneDrive,,,c15e9245-9033-4eb7-9e2a-9c277fdfa8cd,DlpPolicyEventBasedAssistantOneDriveForBusiness,DlpPolicyEventBasedAssistantOneDriveForBusiness,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,9b7c3de9-b51a-4a38-9704-2eed1debdb05,9b7c3de9-b51a-4a38-9704-2eed1debdb05,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ComplianceDLPSharePoint,"4/28/2021, 2:44:51.000 PM",DLPRuleUndo,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,System,DlpPolicyEventBasedAssistantOneDriveForBusiness,OneDrive,,,c15e9245-9033-4eb7-9e2a-9c277fdfa8cd,DlpPolicyEventBasedAssistantOneDriveForBusiness,DlpPolicyEventBasedAssistantOneDriveForBusiness,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,49d454d7-eb96-4969-b444-3c6f0f71fc02,49d454d7-eb96-4969-b444-3c6f0f71fc02,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:24.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Forms/All.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents/Forms,Documents/Forms,All.aspx,All.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a2cffea7-7da5-4407-a864-08d90a541e05,a2cffea7-7da5-4407-a864-08d90a541e05,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:24.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,3648c7b9-e69b-447d-55ec-08d90a541e09,3648c7b9-e69b-447d-55ec-08d90a541e09,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:44:22.000 
PM",Send,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,40.69.136.121,40.69.136.121,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,Client=REST;;,40.69.136.121,,,,,,,,,,,,,"{ + ""Attachments"": ""AttachedImage (3165b); AttachedImage (1665b); AttachedImage (2603b); AttachedImage (5423b); AttachedImage (3675b)"", + ""Id"": ""Unknown"", + ""InternetMessageId"": """", + ""Subject"": ""Adele Vance shared \""Contoso Purchasing Data - Q1\"" with you."" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:51:59.000 PM",,,,,,,OfficeActivityManager,1cbba653-5d7b-44a0-1e31-08d90a541cfb,1cbba653-5d7b-44a0-1e31-08d90a541cfb,,,"4/28/2021, 2:51:59.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,3138fe80-4087-4b04-80a6-8866c738028a,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:20.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,ca575319-064c-47e7-57b7-08d90a541b50,ca575319-064c-47e7-57b7-08d90a541b50,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.232.229.242,52.232.229.242,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,fb9fed54-1565-49ca-b006-08d90a541b0f,fb9fed54-1565-49ca-b006-08d90a541b0f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.226.109.30,52.226.109.30,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing 
Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,f365ee81-1b32-4248-4d2e-08d90a541ad1,f365ee81-1b32-4248-4d2e-08d90a541ad1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:44:19.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.226.109.30,52.226.109.30,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,d07894e6-b3f1-44e0-22a4-08d90a541ad7,d07894e6-b3f1-44e0-22a4-08d90a541ad7,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:18.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/QT1000 Marketing 
Plan.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,QT1000 Marketing Plan.pptx,QT1000 Marketing Plan.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a763ee1b-ae57-4b54-5679-08d90a541a77,a763ee1b-ae57-4b54-5679-08d90a541a77,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,,,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,533f4a65-dc0f-49e1-2038-08d90a541912,533f4a65-dc0f-49e1-2038-08d90a541912,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:44:16.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,,,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For Web 91712858-b19e-4aa3-9678-0bff2599b6b7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,7a9151c0-fd8a-4507-840f-08d90a541914,7a9151c0-fd8a-4507-840f-08d90a541914,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AnonymousLinkCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - 
Q1.xlsx,xlsx,,,,,,,EditFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,51bc597a-c8cf-41d1-ac7f-08d90a5418fc,51bc597a-c8cf-41d1-ac7f-08d90a5418fc,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:16.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,774a0589-09b6-43d3-be05-08d90a54190f,774a0589-09b6-43d3-be05-08d90a54190f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 
PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,8d035a8d-f330-4785-1738-08d90a541845,8d035a8d-f330-4785-1738-08d90a541845,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,System.LimitedEditFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,cd723b64-5a01-48fd-ef7f-08d90a54185c,cd723b64-5a01-48fd-ef7f-08d90a54185c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,72385cdd-5a9b-4f9e-c727-08d90a541855,72385cdd-5a9b-4f9e-c727-08d90a541855,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,016bd739-4bb2-4a66-d963-08d90a541868,016bd739-4bb2-4a66-d963-08d90a541868,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For Web 91712858-b19e-4aa3-9678-0bff2599b6b7"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e11154e0-9398-462b-9e54-08d90a54186d,e11154e0-9398-462b-9e54-08d90a54186d,,,"4/28/2021, 2:53:20.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:15.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,5fa59cbf-4fca-4f67-7708-08d90a541866,5fa59cbf-4fca-4f67-7708-08d90a541866,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,,,,,,,,,,,,Limited Access System Group For Web 
91712858-b19e-4aa3-9678-0bff2599b6b7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e96e77a7-7eb7-4b89-00c8-08d90a541870,e96e77a7-7eb7-4b89-00c8-08d90a541870,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,d932bf970e2864062aa6dc2207522f615d0910004eec23187293fa28d27de578,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,ContributeFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,de5c60c3-0c85-41c1-4f8c-08d90a54187e,de5c60c3-0c85-41c1-4f8c-08d90a54187e,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,SharingLinks.c15e9245-9033-4eb7-9e2a-9c277fdfa8cd.AnonymousEdit.b7617884-851c-4d88-94fe-a5b9c5dde90c,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/Contoso Purchasing Data - Q1.xlsx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Documents/Contoso Purchasing Data - Q1.xlsx,Documents/Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,Contoso Purchasing Data - Q1.xlsx,xlsx,,,,,,,Limited AccessFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,50fed770-a196-455b-277c-08d90a541877,50fed770-a196-455b-277c-08d90a541877,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,Limited Access System Group For List d4e597a4-bb33-4357-addb-b1ce84043e62,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:44:15.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com//personal/adelev_m365x816222_onmicrosoft_com/Sharing 
Links,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,List,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,Sharing Links,Sharing Links,,,,,,,,,,FalseFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,3d461d97-1c52-41b7-85b4-08d90a5418d6,3d461d97-1c52-41b7-85b4-08d90a5418d6,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:11.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ebc3a15d-7af9-43d7-d4b8-08d90a54161c,ebc3a15d-7af9-43d7-d4b8-08d90a54161c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"Restricted ViewViewListItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ViewItemsRequiresOpen",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,277c2f29-b918-4d70-8da0-08d90a54139c,277c2f29-b918-4d70-8da0-08d90a54139c,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedViewViewListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ff8a20e8-4509-4332-c917-08d90a541397,ff8a20e8-4509-4332-c917-08d90a541397,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:07.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedEditViewListItems, AddListItems, EditListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,a275cf54-d8f7-4dce-2b5c-08d90a54139a,a275cf54-d8f7-4dce-2b5c-08d90a54139a,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:06.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/sharedialog.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,d7f3dec2-ece8-4b3b-413d-08d90a541304,d7f3dec2-ece8-4b3b-413d-08d90a541304,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,dc1d317c-fde8-49ec-fa8a-08d90a541253,dc1d317c-fde8-49ec-fa8a-08d90a541253,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,17211a9a-6f1d-4384-6305-08d90a54125e,17211a9a-6f1d-4384-6305-08d90a54125e,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,63e418f2-408b-45c9-750b-08d90a541265,63e418f2-408b-45c9-750b-08d90a541265,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,1ec86e06-b3d3-432a-e9ce-08d90a54125d,1ec86e06-b3d3-432a-e9ce-08d90a54125d,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,8c2300d9-72bc-49ca-ed9e-08d90a5412c3,8c2300d9-72bc-49ca-ed9e-08d90a5412c3,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,ebbe74eb-4e9e-44a2-8691-08d90a541255,ebbe74eb-4e9e-44a2-8691-08d90a541255,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:05.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/salesandmarketing/siteassets/salesandmarketing.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,siteassets,siteassets,salesandmarketing.png,salesandmarketing.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 
PM",,,,,,,OfficeActivityManager,ae41ad25-b50d-4b39-946c-08d90a54128f,ae41ad25-b50d-4b39-946c-08d90a54128f,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,abf8d286-f125-400a-434c-08d90a541223,abf8d286-f125-400a-434c-08d90a541223,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,730efc8c-1424-499c-a8bf-08d90a5411c8,730efc8c-1424-499c-a8bf-08d90a5411c8,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e9742edd-302c-45fc-62b9-08d90a5411cf,e9742edd-302c-45fc-62b9-08d90a5411cf,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,68423f49-0574-4d5c-525e-08d90a5411dc,68423f49-0574-4d5c-525e-08d90a5411dc,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:04.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:53:20.000 PM",,,,,,,OfficeActivityManager,0f67a031-f4a7-4633-c5cc-08d90a541210,0f67a031-f4a7-4633-c5cc-08d90a541210,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/hr/siteassets/hr.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,siteassets,siteassets,hr.png,hr.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,977a227c-6321-4420-f5c2-08d90a5411ad,977a227c-6321-4420-f5c2-08d90a5411ad,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/siteassets/operations.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,../Operations/siteassets,../Operations/siteassets,operations.jpg,operations.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,930fe169-3168-4a86-2acc-08d90a5411a1,930fe169-3168-4a86-2acc-08d90a5411a1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:44:03.000 PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,,,Documents,Documents,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,e1ca2031-efca-4b37-ca62-08d90a541174,e1ca2031-efca-4b37-ca62-08d90a541174,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:02.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,eedd7ec5-3367-4c4e-8421-08d90a5410f1,eedd7ec5-3367-4c4e-8421-08d90a5410f1,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:44:01.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/_layouts/15/onedrive.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:53:20.000 PM",,,,,,,OfficeActivityManager,c3b6a4ad-c245-4161-139a-08d90a541026,c3b6a4ad-c245-4161-139a-08d90a541026,,,"4/28/2021, 2:53:20.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:38:20.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/b887b6b2-4dcf-34fc-98b1-d5a42c605755,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,0d31156c-d0f2-4cf0-d8dc-08d90a534509,0d31156c-d0f2-4cf0-d8dc-08d90a534509,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,36,"4/28/2021, 2:38:20.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,189e8ae5-b55f-4467-9da2-08d90a53450e,189e8ae5-b55f-4467-9da2-08d90a53450e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:38:20.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/617f8947-74b2-36bc-9f7e-21ded7029bb5,app@sharepoint,app@sharepoint,40.77.66.240,40.77.66.240,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,19a0527b-8b90-4a02-762b-08d90a534507,19a0527b-8b90-4a02-762b-08d90a534507,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordWRS,SharePointFileOperation,"4/28/2021, 2:36:07.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,104.146.232.173,104.146.232.173,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,af10cbdb-ce72-439b-8cf1-08d90a52f5a5,af10cbdb-ce72-439b-8cf1-08d90a52f5a5,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:06.000 
PM",FileDownloaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.184.242.64,52.184.242.64,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,61dc5a79-7d18-4abf-3ead-08d90a52f4d4,61dc5a79-7d18-4abf-3ead-08d90a52f4d4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:36:05.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,7e92f739-fcc3-4a9c-969a-08d90a52f48e,7e92f739-fcc3-4a9c-969a-08d90a52f48e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:04.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document - Copy.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.108.79.45,52.108.79.45,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document - Copy.docx,Document - Copy.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,7f562b2f-5160-4a93-bebb-08d90a52f3c7,7f562b2f-5160-4a93-bebb-08d90a52f3c7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:36:03.000 PM",FileModifiedExtended,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.108.79.45,52.108.79.45,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,78827ca2-7cb2-4203-9c44-19364e7fdafc,78827ca2-7cb2-4203-9c44-19364e7fdafc,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows 
NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:56.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0a3d02a4-3267-44ce-b358-08d90a52eedc,0a3d02a4-3267-44ce-b358-08d90a52eedc,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:35:51.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,104.45.184.177,104.45.184.177,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,41e78588-bebf-4d18-27d0-08d90a52ec34,41e78588-bebf-4d18-27d0-08d90a52ec34,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 
2:35:49.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,83374c4f-eaa0-459a-01ef-08d90a52eb02,83374c4f-eaa0-459a-01ef-08d90a52eb02,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:49.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,284a81e3-e8ed-426f-ce9b-08d90a52eae2,284a81e3-e8ed-426f-ce9b-08d90a52eae2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,74b7686d-8585-4ad1-c2a0-08d90a52e9a2,74b7686d-8585-4ad1-c2a0-08d90a52e9a2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f4171818-c9eb-4b31-9bfe-08d90a52e99b,f4171818-c9eb-4b31-9bfe-08d90a52e99b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 
2:35:47.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,41c1aff3-41f6-4122-382a-08d90a52e9b8,41c1aff3-41f6-4122-382a-08d90a52e9b8,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:35:45.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c1de6dfb-867c-46d5-1876-08d90a52e85f,c1de6dfb-867c-46d5-1876-08d90a52e85f,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:44.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Forms/AllItems.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,97c7e8a7-84a4-4980-ef0b-08d90a52e837,97c7e8a7-84a4-4980-ef0b-08d90a52e837,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:44.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_layouts/15/listhost.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9ec5c14c-a43f-441c-c670-08d90a52e7fa,9ec5c14c-a43f-441c-c670-08d90a52e7fa,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Annotated Litware Contract.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Annotated Litware Contract.docx,Annotated Litware Contract.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,35f1379d-1ffb-4acf-488c-08d90a52e2f1,35f1379d-1ffb-4acf-488c-08d90a52e2f1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Piggy-Bank.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Piggy-Bank.jpg,Piggy-Bank.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ec005006-0eac-46ce-7176-08d90a52e2f4,ec005006-0eac-46ce-7176-08d90a52e2f4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:36.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Computer Systems Information.pptx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Computer Systems Information.pptx,Computer Systems Information.pptx,pptx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,df8ba47d-8d80-4d6c-0ca9-08d90a52e300,df8ba47d-8d80-4d6c-0ca9-08d90a52e300,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HardwareUpdates.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HardwareUpdates.jpg,HardwareUpdates.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:43:18.000 PM",,,,,,,OfficeActivityManager,45f2f319-0c9b-4a8b-1b44-08d90a52e2a4,45f2f319-0c9b-4a8b-1b44-08d90a52e2a4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/Shared Documents/Denver Legislative Codes.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,Shared Documents,Shared Documents,Denver Legislative Codes.docx,Denver Legislative Codes.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,13250b83-2fe3-4342-30be-08d90a52e2c6,13250b83-2fe3-4342-30be-08d90a52e2c6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile 
Pictures/MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,MeganB_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,de265f0c-c147-4b38-b222-08d90a52e2b7,de265f0c-c147-4b38-b222-08d90a52e2b7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,d3752358-8b59-4d44-23d7-08d90a52e2ab,d3752358-8b59-4d44-23d7-08d90a52e2ab,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HR.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HR.png,HR.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0656d2ff-17d7-451a-1deb-08d90a52e264,0656d2ff-17d7-451a-1deb-08d90a52e264,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/legal.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,legal.jpg,legal.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,bf79bd1b-aee6-4923-cc92-08d90a52e26d,bf79bd1b-aee6-4923-cc92-08d90a52e26d,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/SurfaceDevices.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,SurfaceDevices.png,SurfaceDevices.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,7b819fde-84f0-4878-0d2c-08d90a52e2dd,7b819fde-84f0-4878-0d2c-08d90a52e2dd,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:35.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/downtown-denver.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,downtown-denver.jpg,downtown-denver.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,73769e6b-6a5d-4c39-fc34-08d90a52e2ca,73769e6b-6a5d-4c39-fc34-08d90a52e2ca,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:34.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/finance.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,finance.jpg,finance.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,e35ebb4b-bbf4-447b-9fd5-08d90a52e24c,e35ebb4b-bbf4-447b-9fd5-08d90a52e24c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:34.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/productsupport.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,productsupport.jpg,productsupport.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,523297d1-0bcf-4628-d7a7-08d90a52e24c,523297d1-0bcf-4628-d7a7-08d90a52e24c,,,"4/28/2021, 2:48:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,PradeepG_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8b9543e3-3101-4a7f-bf17-08d90a52e19d,8b9543e3-3101-4a7f-bf17-08d90a52e19d,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User 
Photos/Profile Pictures,User Photos/Profile Pictures,AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,AllanD_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,85d68a60-a017-4a9e-1658-08d90a52e15b,85d68a60-a017-4a9e-1658-08d90a52e15b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/SurfaceDevices.png,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,SurfaceDevices.png,SurfaceDevices.png,png,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,47ba6784-9fe9-4704-35bd-08d90a52e197,47ba6784-9fe9-4704-35bd-08d90a52e197,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/HardwareUpdates.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,HardwareUpdates.jpg,HardwareUpdates.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,2b3289b2-3368-401a-a8bf-08d90a52e1a6,2b3289b2-3368-401a-a8bf-08d90a52e1a6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/User-NestorW.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,User-NestorW.jpg,User-NestorW.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f7e79b8b-20dd-4c70-8aec-08d90a52e139,f7e79b8b-20dd-4c70-8aec-08d90a52e139,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,JoniS_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,be7f9269-95ad-4713-41a7-08d90a52e1a8,be7f9269-95ad-4713-41a7-08d90a52e1a8,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Expense-Notes.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Expense-Notes.jpg,Expense-Notes.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8449887f-5944-47c0-9798-08d90a52e199,8449887f-5944-47c0-9798-08d90a52e199,,,"4/28/2021, 
2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/User-AllanD.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,User-AllanD.jpg,User-AllanD.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,328dcb24-45a2-4dc9-821a-08d90a52e16e,328dcb24-45a2-4dc9-821a-08d90a52e16e,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/SiteAssets/Piggy-Bank.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,SiteAssets,SiteAssets,Piggy-Bank.jpg,Piggy-Bank.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,67b6d5f8-09d9-4d96-35b2-08d90a52e182,67b6d5f8-09d9-4d96-35b2-08d90a52e182,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:33.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,AlexW_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,1f4e50d7-65d7-4efc-cf61-08d90a52e19c,1f4e50d7-65d7-4efc-cf61-08d90a52e19c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:31.000 
PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9c2f87a8-9ff9-45cf-a7e2-08d90a52e010,9c2f87a8-9ff9-45cf-a7e2-08d90a52e010,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:31.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/operations/,https://m365x816222.sharepoint.com/sites/operations/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c2b25706-d1fb-4414-f6e5-08d90a52e018,c2b25706-d1fb-4414-f6e5-08d90a52e018,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 
2:35:31.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ec75c2be-72d3-424f-dfd0-08d90a52e082,ec75c2be-72d3-424f-dfd0-08d90a52e082,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:30.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/operations,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,868bc0a3-8f5e-4dda-9a7f-c79074ec9463,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0ba8ab86-1251-4db9-fb87-08d90a52dfd6,0ba8ab86-1251-4db9-fb87-08d90a52dfd6,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,NestorW_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,09b997ed-414f-40c8-414c-08d90a52dd34,09b997ed-414f-40c8-414c-08d90a52dd34,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,PattiF_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,91c8fcd4-6226-4219-1124-08d90a52dd61,91c8fcd4-6226-4219-1124-08d90a52dd61,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/adelev_m365x816222_onmicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,adelev_m365x816222_onmicrosoft_com_LThumb.jpg,adelev_m365x816222_onmicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,343cc3be-e70f-407f-0226-08d90a52dd33,343cc3be-e70f-407f-0226-08d90a52dd33,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:26.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile 
Pictures/DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,DiegoS_M365x816222_OnMicrosoft_com_LThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,6390286e-9a3d-4f19-98ee-08d90a52dd1c,6390286e-9a3d-4f19-98ee-08d90a52dd1c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:25.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/SiteAssets/How-to-design.jpeg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,SiteAssets,SiteAssets,How-to-design.jpeg,How-to-design.jpeg,jpeg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,982e3ca7-b7ae-4bf4-b4db-08d90a52dcdd,982e3ca7-b7ae-4bf4-b4db-08d90a52dcdd,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:35:25.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/SiteAssets/getpreview.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,SiteAssets,SiteAssets,getpreview.jpg,getpreview.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:48:18.000 PM",,,,,,,OfficeActivityManager,9c892b91-23be-4f73-c8a9-08d90a52dce7,9c892b91-23be-4f73-c8a9-08d90a52dce7,,,"4/28/2021, 2:48:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileVersionsAllDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,S-1-0-0,SharePoint,,,https://m365x816222.sharepoint.com/sites/Work/_catalogs/hubsite/a8529422-33db-4250-bece-f955b0d46788-1033.json,SHAREPOINT\system,SHAREPOINT\system,175.45.176.99,175.45.176.99,,a8529422-33db-4250-bece-f955b0d46788,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Work/,https://m365x816222.sharepoint.com/sites/Work/,_catalogs/hubsite,_catalogs/hubsite,a8529422-33db-4250-bece-f955b0d46788-1033.json,a8529422-33db-4250-bece-f955b0d46788-1033.json,json,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,fd359f60-40ca-41d0-2003-08d90a52dc1b,fd359f60-40ca-41d0-2003-08d90a52dc1b,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileVersionsAllDeleted,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,S-1-0-0,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_catalogs/hubsite/a8529422-33db-4250-bece-f955b0d46788-1033.json,SHAREPOINT\system,SHAREPOINT\system,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,_catalogs/hubsite,_catalogs/hubsite,a8529422-33db-4250-bece-f955b0d46788-1033.json,a8529422-33db-4250-bece-f955b0d46788-1033.json,json,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,1bd13ef0-061e-4e9f-0910-08d90a52dc46,1bd13ef0-061e-4e9f-0910-08d90a52dc46,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:24.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/HR/,https://m365x816222.sharepoint.com/sites/HR/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,088a9411-c18d-426d-f540-08d90a52dbc1,088a9411-c18d-426d-f540-08d90a52dbc1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:24.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,f5d0b284-bebb-4b22-267a-08d90a52dbf1,f5d0b284-bebb-4b22-267a-08d90a52dbf1,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:23.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,d8c31616-acab-460b-ea64-08d90a52db94,d8c31616-acab-460b-ea64-08d90a52db94,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:23.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/HR,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,5a7058ee-6173-4590-a0aa-f89c496608a6,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,6ec7f303-36bd-460c-80c9-08d90a52dbb2,6ec7f303-36bd-460c-80c9-08d90a52dbb2,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:22.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/admin_m365x816222_onmicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,admin_m365x816222_onmicrosoft_com_SThumb.jpg,admin_m365x816222_onmicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,22827908-7ec4-47ca-31f6-08d90a52db1e,22827908-7ec4-47ca-31f6-08d90a52db1e,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:22.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9aa6dc01-2536-4908-997d-08d90a52da92,9aa6dc01-2536-4908-997d-08d90a52da92,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:35:21.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,47a86431-56e6-4194-a440-08d90a52da5f,47a86431-56e6-4194-a440-08d90a52da5f,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Meeting.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Meeting.jpg,Meeting.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,60e0ede9-a9ec-4149-0080-08d90a52d9d3,60e0ede9-a9ec-4149-0080-08d90a52d9d3,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/breather.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,breather.jpg,breather.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,9f07a0c3-163b-44e0-3dd8-08d90a52d9c3,9f07a0c3-163b-44e0-3dd8-08d90a52d9c3,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:35:20.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/NewVPN.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,NewVPN.jpg,NewVPN.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,c7132cbe-0f0a-4bf2-3584-08d90a52d9d9,c7132cbe-0f0a-4bf2-3584-08d90a52d9d9,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:34:23.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,fb4f8817-f8a0-4a1d-e0a7-08d90a52b7d4,fb4f8817-f8a0-4a1d-e0a7-08d90a52b7d4,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:34:06.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/Documents/office_activity_inbox_rule.csv,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,40.126.35.152,40.126.35.152,,1ae92c12-26d9-4542-95cc-267570cb587e,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/adelev_m365x816222_onmicrosoft_com/,Documents,Documents,office_activity_inbox_rule.csv,office_activity_inbox_rule.csv,csv,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,e0d29b8f-e1d6-4d63-1287-08d90a52ad85,e0d29b8f-e1d6-4d63-1287-08d90a52ad85,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:40.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/tvwh58kk.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SitePages,SitePages,tvwh58kk.aspx,tvwh58kk.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,8112fc68-2aec-40ae-d77c-08d90a529e3c,8112fc68-2aec-40ae-d77c-08d90a529e3c,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 
PM",,,,,,,OfficeActivityManager,7f7ecfad-fc1c-4e32-10ad-08d90a529c32,7f7ecfad-fc1c-4e32-10ad-08d90a529c32,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ddcc1ded-ba79-46f5-fdaf-08d90a529c1e,ddcc1ded-ba79-46f5-fdaf-08d90a529c1e,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:33:37.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/02978ea5-6005-4b42-b97e-beb977001d59,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,b9a3de44-c0f3-4101-3561-08d90a529c58,b9a3de44-c0f3-4101-3561-08d90a529c58,,,"4/28/2021, 2:43:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:35.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/tvwh58kk.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SitePages,SitePages,tvwh58kk.aspx,tvwh58kk.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,a288a713-92cd-4d2d-44ca-08d90a529af0,a288a713-92cd-4d2d-44ca-08d90a529af0,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:32.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/adelev_m365x816222_onmicrosoft_com_MThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile 
Pictures,adelev_m365x816222_onmicrosoft_com_MThumb.jpg,adelev_m365x816222_onmicrosoft_com_MThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,0721b2af-329b-4f27-6896-08d90a529905,0721b2af-329b-4f27-6896-08d90a529905,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:33:29.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_layouts/15/sitepagepreview.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,794cd399-90a1-4124-09a4-08d90a529735,794cd399-90a1-4124-09a4-08d90a529735,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:33:26.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,ca2bb736-3a7a-4175-4cf7-08d90a5295b7,ca2bb736-3a7a-4175-4cf7-08d90a5295b7,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:33:25.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,31b4a077-277c-4b68-f22d-08d90a529500,31b4a077-277c-4b68-f22d-08d90a529500,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 
2:33:23.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_catalogs/theme/Themed/6D9736C8/theme.spcolor,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,_catalogs/theme/Themed/6D9736C8,_catalogs/theme/Themed/6D9736C8,theme.spcolor,theme.spcolor,spcolor,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,32dce92e-61b7-4cdc-0658-08d90a5293ab,32dce92e-61b7-4cdc-0658-08d90a5293ab,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:33:23.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:43:18.000 PM",,,,,,,OfficeActivityManager,224a7e99-2225-4b4f-779c-08d90a52941d,224a7e99-2225-4b4f-779c-08d90a52941d,,,"4/28/2021, 2:43:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 2:33:14.000 
PM",New-InboxRule,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,10032000C757D25F,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/M365x816222.onmicrosoft.com/AdeleV\junk,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99:17362,175.45.176.99:17362,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""AlwaysDeleteOutlookRulesBlob"", + ""Value"": ""False"" + }, + { + ""Name"": ""Force"", + ""Value"": ""False"" + }, + { + ""Name"": ""Name"", + ""Value"": ""junk"" + }, + { + ""Name"": ""SubjectContainsWords"", + ""Value"": ""legal"" + }, + { + ""Name"": ""PinMessage"", + ""Value"": ""True"" + }, + { + ""Name"": ""StopProcessingRules"", + ""Value"": ""True"" + } +]",FALSE,MWHPR06MB3440 (15.20.4065.028),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,5fe96415-d129-4e4b-64b7-08d90a528ec7,5fe96415-d129-4e4b-64b7-08d90a528ec7,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:32:47.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + } + ], + ""Id"": 
""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,82090d3a-0ed7-4bb6-8fc4-330415f4808d,82090d3a-0ed7-4bb6-8fc4-330415f4808d,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:32:47.000 PM",Update,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,,,"{ + ""Attachments"": ""Northwind CEO.jpg (834476b); Northwind Financials.xlsx (16711b); Northwind Acquisition Outline.pptx (842521b); Northwind Acquisition Proposal.docx (104356b)"", + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAA45WDUjdASSYqMiyC3ZEqOAAAAM0XUAAAJ"", + ""InternetMessageId"": """", + ""IsRecord"": false, + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""Northwind Acquisition Details"" +}","[ + ""AttachmentCollection"" +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,b4f857db-dc5e-4781-7557-08d90a527ebf,b4f857db-dc5e-4781-7557-08d90a527ebf,,,"4/28/2021, 2:41:58.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:32:44.000 PM",Send,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,,,"{ + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEPAAA45WDUjdASSYqMiyC3ZEqOAADT/RnWAAAJ"", + ""InternetMessageId"": """", + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEPAAAB"", + ""Path"": ""\\Drafts"" + }, + ""Subject"": ""email from HR"" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,c8b6ba59-89e6-43f7-8e10-08d90a527ca9,c8b6ba59-89e6-43f7-8e10-08d90a527ca9,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:30:58.000 PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Application,62b732f7-fc71-40bc-b27d-35efcb0509de,MicrosoftTeams,,,,Microsoft Teams Sync,Microsoft Teams Sync,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:37:21.000 PM",,,,,,,OfficeActivityManager,2c375d38-2410-5b98-81bf-c25d47d06855,2c375d38-2410-5b98-81bf-c25d47d06855,,,"4/28/2021, 2:37:21.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""JohnS"",""Role"":2,""UPN"":""JohnS@m365x816222.onmicrosoft.com""}]",Contoso,19:eedd8dfb45a54bd691d019e15ae19096@thread.tacv2,,,,[],,,,,,,Contoso,,,Team,6fa90788-d066-47c9-90e4-5ad27625d45f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:53.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,aad56edf-bda3-4c84-0c6e-08d90a523a69,aad56edf-bda3-4c84-0c6e-08d90a523a69,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,b933e9b5-9774-4772-d0cf-08d90a5237d6,b933e9b5-9774-4772-d0cf-08d90a5237d6,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,a372912e-bb3c-4ecb-53b2-08d90a52385c,a372912e-bb3c-4ecb-53b2-08d90a52385c,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/2020-Campus-remodel-updates.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,17833927-5988-4384-7847-08d90a5237f2,17833927-5988-4384-7847-08d90a5237f2,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PagePrefetched,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Retail,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,df982fae-217f-4cc3-9599-4516027e6db3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,9c00decc-aac6-4286-01d9-08d90a52385a,9c00decc-aac6-4286-01d9-08d90a52385a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SitePages/Consumer-drone-series-product-training.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,ac41d886-097d-4304-82e7-08d90a5237e7,ac41d886-097d-4304-82e7-08d90a5237e7,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:49.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,060797cd-4b54-476c-e594-08d90a523807,060797cd-4b54-476c-e594-08d90a523807,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:48.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,MiriamG_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f9cc8d43-344e-4cef-3857-08d90a52379a,f9cc8d43-344e-4cef-3857-08d90a52379a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:48.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,AllanD_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 
PM",,,,,,,OfficeActivityManager,e5e894cd-e37f-4b12-07f9-08d90a5237a0,e5e894cd-e37f-4b12-07f9-08d90a5237a0,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,PattiF_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f205f3da-b058-412c-42ca-08d90a52373d,f205f3da-b058-412c-42ca-08d90a52373d,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/flags.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,flags.jpg,flags.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,15d77064-d12a-414a-548b-08d90a5236d5,15d77064-d12a-414a-548b-08d90a5236d5,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,PradeepG_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,0bd50c6c-c3c5-4c77-8873-08d90a52372d,0bd50c6c-c3c5-4c77-8873-08d90a52372d,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:47.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/SiteAssets/NewVPN.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,99b8b27e-7485-40d0-a36a-3f092cdddda2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,https://m365x816222.sharepoint.com/sites/SalesAndMarketing/,SiteAssets,SiteAssets,NewVPN.jpg,NewVPN.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,03c5eb7d-4838-49b6-84c6-08d90a5236fb,03c5eb7d-4838-49b6-84c6-08d90a5236fb,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/breather.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,breather.jpg,breather.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 
2:38:19.000 PM",,,,,,,OfficeActivityManager,b6ad60a5-0c8c-4b2f-d7bd-08d90a523667,b6ad60a5-0c8c-4b2f-d7bd-08d90a523667,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/mentorship.jpeg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,mentorship.jpeg,mentorship.jpeg,jpeg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,1f03fdcd-29fb-4764-dffc-08d90a52369f,1f03fdcd-29fb-4764-dffc-08d90a52369f,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Drone.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Drone.jpg,Drone.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,44109e61-dcf4-456b-c106-08d90a52365a,44109e61-dcf4-456b-c106-08d90a52365a,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:46.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/SiteAssets/Meeting.jpg,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d4f13dd6-160e-4be9-8826-f7e29399d6d2,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,https://m365x816222.sharepoint.com/sites/ContosoWeb1/,SiteAssets,SiteAssets,Meeting.jpg,Meeting.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,ae3b851e-a3f8-4ca4-cdc5-08d90a52364f,ae3b851e-a3f8-4ca4-cdc5-08d90a52364f,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:39.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,75efa127-a286-4069-0e19-08d90a523263,75efa127-a286-4069-0e19-08d90a523263,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:30:38.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/sharepoint.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,0da0829c-5897-4773-a4b6-08d90a52318b,0da0829c-5897-4773-a4b6-08d90a52318b,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:18.000 
PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,8d2d88ac-12fd-4d62-b532-08d90a5225b3,8d2d88ac-12fd-4d62-b532-08d90a5225b3,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:30:16.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,da0c7a1b-506a-4f7a-0e10-08d90a5224ab,da0c7a1b-506a-4f7a-0e10-08d90a5224ab,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:30:15.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/first_day_in_org.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,52.114.128.197,52.114.128.197,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,first_day_in_org.docx,first_day_in_org.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,af2040ab-233a-4134-919c-08d90a5223cc,af2040ab-233a-4134-919c-08d90a5223cc,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:29:56.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,6fe14943-2149-440b-5fc0-08d90a52184a,6fe14943-2149-440b-5fc0-08d90a52184a,,,"4/28/2021, 2:38:19.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:29:56.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/Forms/AllItems.aspx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,9a32207a-90c7-4aba-ead3-08d90a521872,9a32207a-90c7-4aba-ead3-08d90a521872,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItemGroup,"4/28/2021, 2:29:22.000 PM",MoveToDeletedItems,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,175.45.176.99,175.45.176.99,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,"{ + ""Id"": 
""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" +}",,,,,,"{ + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEKAAAB"", + ""Path"": ""\\Deleted Items"" +}",,"[ + { + ""Attachments"": ""f339bfc4-d87d-4f3c-a7a1-d0d1a07d105d (3328b); 6329babb-2d4f-47d3-8a76-edcf5fc25644 (1805b); 7f8360ca-631b-4ca5-923c-72437006e5a0 (2242b); 405f2be0-ec95-41d3-95c4-4a21b8ef64b2 (5586b); e6eda73f-9b43-42b8-a6c0-c3d88a9cb412 (3838b)"", + ""Id"": ""RgAAAAC4lQ2Ye4hSS4if7gF6ji8JBwA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAA45WDUjdASSYqMiyC3ZEqOAADT/M9uAAAJ"", + ""InternetMessageId"": """", + ""ParentFolder"": { + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""JohnS shared \""Document\"" with you."" + } +]",,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,8ad5ae00-73a9-41e5-c35d-08d90a520461,8ad5ae00-73a9-41e5-c35d-08d90a520461,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,50,"4/28/2021, 2:29:15.000 PM",MailItemsAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,10032000C757D25F,Exchange,Succeeded,Succeeded,,AdeleV@M365x816222.OnMicrosoft.com,AdeleV@M365x816222.OnMicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,FALSE,"MWHPR06MB3440 (15.20.4065.028) +",M365x816222.onmicrosoft.com,Owner,0,1799af14-918d-4035-98f7-536ec791ef58,AdeleV@M365x816222.OnMicrosoft.com,S-1-5-21-430410588-604023349-2071471134-35151074,,S-1-5-21-430410588-604023349-2071471134-35151074,,"Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49;",175.45.176.99,,,,,,,,,,,"[ + { + ""FolderItems"": [ + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { 
+ ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + }, + { + ""InternetMessageId"": """" + } + ], + ""Id"": ""LgAAAAC4lQ2Ye4hSS4if7gF6ji8JAQA45WDUjdASSYqMiyC3ZEqOAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + } +]",,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:41:58.000 PM",,,,,,,OfficeActivityManager,987a6a22-4008-4682-bf04-fccf5e7e6d6c,987a6a22-4008-4682-bf04-fccf5e7e6d6c,,,"4/28/2021, 2:41:58.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{""Value"":""Bind"",""Name"":""MailAccessType""},{""Value"":""False"",""Name"":""IsThrottled""}]",00000002-0000-0ff1-ce00-000000000000,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordCA,SharePointFileOperation,"4/28/2021, 2:28:02.000 PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,77683faa-288c-4f3a-cc73-08d90a51d469,77683faa-288c-4f3a-cc73-08d90a51d469,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OneDriveMpc-Transform_Thumbnail/1.0,SharePointFileOperation,"4/28/2021, 2:28:01.000 
PM",FilePreviewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c757d25f@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,adelev@m365x816222.onmicrosoft.com,adelev@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:38:19.000 PM",,,,,,,OfficeActivityManager,f54d7c8b-9d8a-4bc4-17e5-08d90a51d407,f54d7c8b-9d8a-4bc4-17e5-08d90a51d407,,,"4/28/2021, 2:38:19.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:23:54.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/Windows Event Filtering Preview Document (1).pdf,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,Windows Event Filtering Preview Document (1).pdf,Windows Event Filtering Preview Document (1).pdf,pdf,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f0e5919a-5f47-48bd-6764-08d90a5140e9,f0e5919a-5f47-48bd-6764-08d90a5140e9,,,"4/28/2021, 2:33:18.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:23:48.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General/Windows Event Filtering Preview Document (1).pdf,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.193,52.114.159.193,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/General,Shared Documents/General,Windows Event Filtering Preview Document (1).pdf,Windows Event Filtering Preview Document (1).pdf,pdf,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,116819de-25f5-43ec-9d39-08d90a513d29,116819de-25f5-43ec-9d39-08d90a513d29,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:23:38.000 PM",TeamSettingChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Application,,MicrosoftTeams,,,,Application,Application,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,054bf48c-9728-4e32-b3ce-431d1707b35a,054bf48c-9728-4e32-b3ce-431d1707b35a,,,"4/28/2021, 2:32:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,,,,,Team description,,teams-public,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/0c5e0085-eb30-494b-9cdd-ece1d3c649a2,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,cdcaaf0a-f303-4f9a-e6da-08d90a512c18,cdcaaf0a-f303-4f9a-e6da-08d90a512c18,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/0c5e0085-eb30-494b-9cdd-ece1d3c649a2,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f4c92fc1-81a7-443a-fb05-08d90a512c0c,f4c92fc1-81a7-443a-fb05-08d90a512c0c,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/03e45e84-1992-4d42-9116-26f756012634,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,0a9856e7-f6d8-466b-bfab-08d90a512c11,0a9856e7-f6d8-466b-bfab-08d90a512c11,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/39360f11-34cf-4356-9945-25c44e68dade,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,b4070979-3493-4562-847e-08d90a512c16,b4070979-3493-4562-847e-08d90a512c16,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/39360f11-34cf-4356-9945-25c44e68dade,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,d8f6d8e0-ab02-4f24-0f4f-08d90a512c01,d8f6d8e0-ab02-4f24-0f4f-08d90a512c01,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,onenoteapi,56,"4/28/2021, 2:23:19.000 PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802/03e45e84-1992-4d42-9116-26f756012634,app@sharepoint,app@sharepoint,137.117.35.212,137.117.35.212,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,64c12ba5-1790-4e33-ac78-08d90a512c1d,64c12ba5-1790-4e33-ac78-08d90a512c1d,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:23:16.000 
PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,36637dd5-fc8a-4e1f-b60f-08d90a512a34,36637dd5-fc8a-4e1f-b60f-08d90a512a34,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:23:16.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,4575ae3b-b5eb-42b8-0284-08d90a512a62,4575ae3b-b5eb-42b8-0284-08d90a512a62,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,36,"4/28/2021, 2:23:15.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/67ed90ec-d55e-4a14-af0e-77f3b78f9802,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,474db61f-5a11-4e5e-c827-08d90a5129a4,474db61f-5a11-4e5e-c827-08d90a5129a4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,36,"4/28/2021, 2:23:15.000 PM",ListCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/SiteAssets,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,30d220fc-498b-4c53-1b7c-08d90a512956,30d220fc-498b-4c53-1b7c-08d90a512956,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,56,"4/28/2021, 2:23:13.000 
PM",ListColumnUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/858ecfba-5d1a-46d5-a450-db4e4759fd1c/28cf69c5-fa48-462a-b5cd-27b6f9d2bd5f,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,28249322-f441-4256-8e98-08d90a512849,28249322-f441-4256-8e98-08d90a512849,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,SkypeSpaces/1.0a$*+,SharePointFileOperation,"4/28/2021, 2:23:12.000 PM",FolderCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public/Shared Documents/General,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Folder,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public/,https://m365x816222.sharepoint.com/sites/teams-public/,Shared Documents,Shared Documents,General,General,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,28eed7ae-ebd4-44cd-aa31-08d90a5127a2,28eed7ae-ebd4-44cd-aa31-08d90a5127a2,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:23:12.000 
PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,52.114.159.193,52.114.159.193,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:37:21.000 PM",,,,,,,OfficeActivityManager,d8f1008f-25c5-5922-ab51-9da675ab9305,d8f1008f-25c5-5922-ab51-9da675ab9305,,,"4/28/2021, 2:37:21.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""Adele Vance"",""Role"":1,""UPN"":""AdeleV@M365x816222.OnMicrosoft.com""}]",teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,[],,,,,,,teams-public,,,Team,94c578e8-d0f4-41ef-83d2-be2a76a1400f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:06.000 PM",ModifyFolderPermissions,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""MemberRights"": ""ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed"", + ""MemberSid"": ""S-1-8-4046924902-1173936816-1952374663-64576300-0"", + ""MemberUpn"": ""Owner@local"", + ""Name"": ""Calendar"", + ""Path"": ""\\Calendar"" + } +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,16509af4-82ea-4c4f-0a65-08d90a512428,16509af4-82ea-4c4f-0a65-08d90a512428,,,"4/28/2021, 2:32:02.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:06.000 PM",ModifyFolderPermissions,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAENAAAC"", + ""MemberRights"": ""ReadAny, Create, EditOwned, DeleteOwned, EditAny, DeleteAny, Visible, FreeBusySimple, FreeBusyDetailed"", + ""MemberSid"": ""S-1-8-4046924902-1173936816-1952374663-64576300-1"", + ""MemberUpn"": ""Member@local"", + ""Name"": ""Calendar"", + ""Path"": ""\\Calendar"" + } +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,8e40642e-e06b-4eb5-0a65-08d90a512428,8e40642e-e06b-4eb5-0a65-08d90a512428,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeItem,"4/28/2021, 2:23:05.000 PM",Create,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Admin,S-1-5-18,Exchange,Succeeded,Succeeded,,S-1-5-18,S-1-5-18,::1,::1,,,,,,,,,,,,,,,,,,,,,,,,TRUE,"SJ0PR06MB6863 (15.20.4065.027) +",M365x816222.onmicrosoft.com,Admin,1,f1372c66-dab0-45f8-87df-5e742c5bd903,teams-public@M365x816222.onmicrosoft.com,S-1-5-21-430410588-604023349-2071471134-42767878,S-1-5-10,S-1-5-18,,Client=WebServices;Action=ConfigureGroupMailbox,::1,,,,,,,,,,,,,"{ + ""Attachments"": ""warming_email_03_2017_calendar.png (646b); 
warming_email_03_2017_conversation.png (661b); warming_email_03_2017_links.png (1450b); google_play_store_badge.png (4871b); apple_store_badge.png (4493b); windows_store_badge.png (3728b); warming_email_03_2017_files.png (856b); warming_email_03_2017_sharePoint.png (1479b)"", + ""Id"": ""RgAAAACRWujRwNJ9RKSKOkph68UvBwDQUEVAC21wS7ULV3upjkXiAAAAAAEMAADQUEVAC21wS7ULV3upjkXiAAAAAAk9AAAJ"", + ""InternetMessageId"": """", + ""IsRecord"": false, + ""ParentFolder"": { + ""Id"": ""LgAAAACRWujRwNJ9RKSKOkph68UvAQDQUEVAC21wS7ULV3upjkXiAAAAAAEMAAAB"", + ""Path"": ""\\Inbox"" + }, + ""Subject"": ""The new teams-public group is ready"" +}",,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,f4c49b0a-a982-434b-9901-08d90a512382,f4c49b0a-a982-434b-9901-08d90a512382,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:05.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Members,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,c927aff1-50c9-4ceb-a7e0-08d90a51234c,c927aff1-50c9-4ceb-a7e0-08d90a51234c,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,Everyone except external users,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Members,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,84e64a2a-9307-4cbd-e7bc-08d90a5122ea,84e64a2a-9307-4cbd-e7bc-08d90a5122ea,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Members,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,e0f6f4be-eb10-4d23-83fa-08d90a512307,e0f6f4be-eb10-4d23-83fa-08d90a512307,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,469553bf-6c4c-4a79-999d-08d90a5122dc,469553bf-6c4c-4a79-999d-08d90a5122dc,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:04.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f2e8e5d8-c81f-491e-712e-08d90a5122f4,f2e8e5d8-c81f-491e-712e-08d90a5122f4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Owners,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:23:03.000 
PM",SiteCollectionCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Site,SharePoint,,,,,,,,,,,,,,,,,TeamsServiceTrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,b73f4c1b-6f2b-4e01-c682-08d90a512267,b73f4c1b-6f2b-4e01-c682-08d90a512267,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:02.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,61fd91ef-a12d-4721-0613-08d90a512206,61fd91ef-a12d-4721-0613-08d90a512206,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,teams-public Owners,SecurityGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:23:02.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/teams-public,app@sharepoint,app@sharepoint,,,,a7d013ca-6c80-4f1b-a5cf-59bf7077af79,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/teams-public,https://m365x816222.sharepoint.com/sites/teams-public,,,,,,,,,,,,Site Owners,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,664786b1-701f-4420-46a6-08d90a5121a4,664786b1-701f-4420-46a6-08d90a5121a4,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:22:58.000 PM",TeamCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,0812be53-9eaf-4304-bcfe-4b81aeb9a367,0812be53-9eaf-4304-bcfe-4b81aeb9a367,,,"4/28/2021, 2:32:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,MicrosoftTeams,"4/28/2021, 2:22:58.000 PM",MemberAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,MicrosoftTeams,,,,JohnS@m365x816222.onmicrosoft.com,JohnS@m365x816222.onmicrosoft.com,52.114.159.198,52.114.159.198,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:22.000 PM",,,,,,,OfficeActivityManager,84dba6d5-0e56-5921-a92c-20878b528c38,84dba6d5-0e56-5921-a92c-20878b528c38,,,"4/28/2021, 2:32:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,"[{""DisplayName"":""JohnS"",""Role"":2,""UPN"":""JohnS@m365x816222.onmicrosoft.com""}]",teams-public,19:136aed63e2e74a68afea390ffb61e01f@thread.tacv2,,,,[],,,,,,,teams-public,,,Team,94c578e8-d0f4-41ef-83d2-be2a76a1400f,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:21:11.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/b887b6b2-4dcf-34fc-98b1-d5a42c605755,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,6f33ad8e-0af4-4c7b-9a10-08d90a50dfa5,6f33ad8e-0af4-4c7b-9a10-08d90a50dfa5,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,36,"4/28/2021, 2:21:11.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,01d9f43b-8260-4a94-fc4b-08d90a50dfa7,01d9f43b-8260-4a94-fc4b-08d90a50dfa7,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,ODMTADocCache/1.0,56,"4/28/2021, 2:21:11.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/617f8947-74b2-36bc-9f7e-21ded7029bb5,app@sharepoint,app@sharepoint,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,90ae59e0-ae77-4ea3-ae20-08d90a50df99,90ae59e0-ae77-4ea3-ae20-08d90a50df99,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:21:09.000 PM",FileDownloaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.241.63,52.184.241.63,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,50e65a09-be09-409c-a7b0-08d90a50de85,50e65a09-be09-409c-a7b0-08d90a50de85,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,OfficeWordWRS,SharePointFileOperation,"4/28/2021, 2:21:09.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared 
Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,104.146.232.168,104.146.232.168,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,42ef1ab8-a9ba-483d-97b5-08d90a50de92,42ef1ab8-a9ba-483d-97b5-08d90a50de92,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:21:08.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,464cb3cc-f3e1-4b23-6b39-08d90a50ddd8,464cb3cc-f3e1-4b23-6b39-08d90a50ddd8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:21:08.000 
PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/New-Hr.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.244.53,52.184.244.53,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,New-Hr.docx,New-Hr.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:33:18.000 PM",,,,,,,OfficeActivityManager,f8404e73-04e8-44e8-6188-08d90a50ddac,f8404e73-04e8-44e8-6188-08d90a50ddac,,,"4/28/2021, 2:33:18.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/4fd1640e-2988-4908-8a5e-d723068965ca,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eb0c8af7-35f9-49b6-84e1-08d90a50dabf,eb0c8af7-35f9-49b6-84e1-08d90a50dabf,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/5ccc8eb5-72e1-49c4-aa67-95298073a01e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,052ddcbe-8189-4898-362b-08d90a50dab1,052ddcbe-8189-4898-362b-08d90a50dab1,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/62a871a6-8aa7-4231-85ad-d7d49d9723be,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c46ace86-3d94-4a88-ab46-08d90a50dac6,c46ace86-3d94-4a88-ab46-08d90a50dac6,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:21:03.000 
PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com//personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,userActivityFeedHiddenListF4387007-BE61-432F-8BDB-85E6B9679E4B,userActivityFeedHiddenListF4387007-BE61-432F-8BDB-85E6B9679E4B,,,,,,,,,,FalseTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,021b4380-f558-4cdc-95c6-08d90a50daf1,021b4380-f558-4cdc-95c6-08d90a50daf1,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/c4fdb640-7a62-4dc3-a296-afd7f136c203,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,fa41f235-25af-49f5-c00a-08d90a50daba,fa41f235-25af-49f5-c00a-08d90a50daba,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 
2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/32e71079-0f25-48c7-8451-7e6b01a9156e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eb07b5aa-26fa-46aa-e52f-08d90a50dae0,eb07b5aa-26fa-46aa-e52f-08d90a50dae0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:21:03.000 PM",ListCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b92fb798-d8c9-4a27-37d9-08d90a50da92,b92fb798-d8c9-4a27-37d9-08d90a50da92,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:21:03.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,282e8810-50aa-425d-0cd7-08d90a50dae8,282e8810-50aa-425d-0cd7-08d90a50dae8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/d701a8fb-2a7c-4f58-90f9-43ff22a1f992,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1c08da14-f57f-4055-34ed-08d90a50dad0,1c08da14-f57f-4055-34ed-08d90a50dad0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/b8e37b3a-af31-4edb-b734-b3e868bc6458,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,a1bc15eb-dc71-4149-7001-08d90a50dacb,a1bc15eb-dc71-4149-7001-08d90a50dacb,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/d251efe5-08da-4434-8c87-5a6c7962c1e0,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,fb6ad07c-e3b4-4458-ab32-08d90a50dae5,fb6ad07c-e3b4-4458-ab32-08d90a50dae5,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointFileOperation,"4/28/2021, 2:21:03.000 
PM",FolderModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/userActivityFeedHiddenListF4387007BE61432F8BDB85E6,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Folder,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/,Lists,Lists,userActivityFeedHiddenListF4387007BE61432F8BDB85E6,userActivityFeedHiddenListF4387007BE61432F8BDB85E6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,18f90bab-f977-47f7-476b-08d90a50db02,18f90bab-f977-47f7-476b-08d90a50db02,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/51c44bb4-8390-4585-9a2c-1601d941627c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,60ad692c-9459-4ba4-5c1b-08d90a50dad7,60ad692c-9459-4ba4-5c1b-08d90a50dad7,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/610bb61a-21f3-4d80-8451-fca45a094b9e,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f9297936-3094-409a-20d3-08d90a50dadc,f9297936-3094-409a-20d3-08d90a50dadc,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/1b2d1c75-f84a-41be-9091-fa2a7af7959c,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,eca10cff-f076-43f1-4a79-08d90a50dac4,eca10cff-f076-43f1-4a79-08d90a50dac4,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:21:03.000 
PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com/Lists/02eb2a63-a513-4593-b1fc-84633ab01bba/2abfd0f0-38ca-4a1d-9d84-57d1a46ae03a,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,40.69.136.121,40.69.136.121,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,54e0e672-151c-494c-f99a-08d90a50dad4,54e0e672-151c-494c-f99a-08d90a50dad4,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:53.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/d3c9caf7-044c-4c71-ae64-092981e54b33,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,411a0fbe-10de-4249-9007-08d90a50d4be,411a0fbe-10de-4249-9007-08d90a50d4be,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:20:53.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d69ef225-3253-4be9-f243-08d90a50d4c0,d69ef225-3253-4be9-f243-08d90a50d4c0,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",SiteColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/00000000-0000-0000-0000-000000000000/ef991a83-108d-4407-8ee5-ccc0c3d836b9,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b44f37b0-e68c-45f4-e523-08d90a50d450,b44f37b0-e68c-45f4-e523-08d90a50d450,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 2:20:52.000 PM",Set-SyncUser,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,DcAdmin,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted 
Organizations/M365x816222.onmicrosoft.com/JohnS,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,SpoolsProvisioning-ApplicationAccount@namprd06.prod.outlook.com,52.179.168.21:53108,52.179.168.21:53108,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Identity"", + ""Value"": ""MmFkM2ZjNzktMTg1OS00MmZhLTkwMTEtNmY4ZGYyMjUxYjIyXDYxZjA4MjUwLTk5ZTUtNGQ4NS04MjEwLWNkOGY5NTcwYmIwZQ2"" + }, + { + ""Name"": ""EmailAddresses"", + ""Value"": ""SPO:SPO_2dab06c0-d0ca-4ce3-b75a-e036b7ce1290@SPO_2ad3fc79-1859-42fa-9011-6f8df2251b22"" + } +]",TRUE,BL0PR06MB4673 (15.20.4065.027),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:32:02.000 PM",,,,,,,OfficeActivityManager,116fce8b-21f6-464d-ba7e-08d90a50d497,116fce8b-21f6-464d-ba7e-08d90a50d497,,,"4/28/2021, 2:32:02.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,61109738-7d2b-4a0b-9fe3-660b1ff83505,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",SiteColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/00000000-0000-0000-0000-000000000000/d3c9caf7-044c-4c71-ae64-092981e54b33,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,8db688cb-522e-4d05-07e9-08d90a50d496,8db688cb-522e-4d05-07e9-08d90a50d496,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:20:52.000 
PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For List fb27c059-5c1f-48c4-b6bc-e0dbce67c947"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3c96632e-5c83-4405-2261-08d90a50d40e,3c96632e-5c83-4405-2261-08d90a50d40e,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePoint,"4/28/2021, 2:20:52.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""Limited Access System Group For Web d0c1b100-1414-49bf-a2f2-9d993d091b8d"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,9947076d-a5c2-4e91-4998-08d90a50d415,9947076d-a5c2-4e91-4998-08d90a50d415,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,Limited Access System Group For Web d0c1b100-1414-49bf-a2f2-9d993d091b8d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1dd2011b-fe5b-4f78-abbe-08d90a50d417,1dd2011b-fe5b-4f78-abbe-08d90a50d417,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,56,"4/28/2021, 2:20:52.000 PM",ListColumnCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947/ef991a83-108d-4407-8ee5-ccc0c3d836b9,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Field,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d417c472-18cc-4c70-f55b-08d90a50d482,d417c472-18cc-4c70-f55b-08d90a50d482,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 
PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,218e00e2-79cc-45a7-fc23-08d90a50d406,218e00e2-79cc-45a7-fc23-08d90a50d406,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,SharePointSharingOperation,"4/28/2021, 2:20:52.000 PM",AddedToGroup,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,,,,,,,,,,,,Limited Access System Group For List fb27c059-5c1f-48c4-b6bc-e0dbce67c947,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,71a4f3bb-bb06-4696-85d1-08d90a50d410,71a4f3bb-bb06-4696-85d1-08d90a50d410,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,adelev@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,36,"4/28/2021, 2:20:52.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,,,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,4e9514fd-616d-4222-58da-08d90a50d485,4e9514fd-616d-4222-58da-08d90a50d485,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:52.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,370ed3f6-2df2-48ee-c748-08d90a50d416,370ed3f6-2df2-48ee-c748-08d90a50d416,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:51.000 
PM",CompanyLinkCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,EditTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,82bf93dc-2f8a-4a1f-37cd-08d90a50d3e3,82bf93dc-2f8a-4a1f-37cd-08d90a50d3e3,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:51.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso//sites/Contoso/Sharing Links,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Sharing Links,Sharing Links,,,,,,,,,,FalseFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,034005dc-8afd-4d24-1299-08d90a50d3bd,034005dc-8afd-4d24-1299-08d90a50d3bd,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:50.000 PM",GroupAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Name"", + ""NewValue"": ""SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,bf703254-6652-4955-04b6-08d90a50d34d,bf703254-6652-4955-04b6-08d90a50d34d,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingSet,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,ContributeTrue,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,2a3675ff-f722-45fd-b4b6-08d90a50d35d,2a3675ff-f722-45fd-b4b6-08d90a50d35d,,,"4/28/2021, 2:28:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,SharingLinks.5dab2cdb-219b-4c2d-9da1-a31eed19c2e7.OrganizationEdit.08ac0b39-8bb1-47f4-9360-128ce3b44429,SharePointGroup,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Shared Documents/Document.docx,Shared Documents/Document.docx,Document.docx,Document.docx,docx,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,263ac451-693b-484e-8d9f-08d90a50d356,263ac451-693b-484e-8d9f-08d90a50d356,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:50.000 PM",SharingInheritanceBroken,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso//sites/Contoso/Shared 
Documents,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,DocumentLibrary,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso,https://m365x816222.sharepoint.com/sites/Contoso,Documents,Documents,,,,,,,,,,TrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,82db0f67-1b83-4916-c8de-08d90a50d351,82db0f67-1b83-4916-c8de-08d90a50d351,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:48.000 PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,AdeleV_M365x816222_OnMicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,cf6fbef6-ea2c-41ff-76e3-08d90a50d20e,cf6fbef6-ea2c-41ff-76e3-08d90a50d20e,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 
PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedViewViewListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c3765379-38bd-4a29-1047-08d90a50cc4f,c3765379-38bd-4a29-1047-08d90a50cc4f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"Restricted ViewViewListItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs, ViewItemsRequiresOpen",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c2831e4b-b2a8-4890-d542-08d90a50cc53,c2831e4b-b2a8-4890-d542-08d90a50cc53,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:39.000 PM",PermissionLevelAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Web,SharePoint,,,,,,,,,,,,,,,,,"System.LimitedEditViewListItems, AddListItems, EditListItems, OpenItems, ViewFormPages, Open, ViewPages, BrowseUserInfo, UseClientIntegration, UseRemoteAPIs",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d4990786-9ab8-4cd8-72f0-08d90a50cc51,d4990786-9ab8-4cd8-72f0-08d90a50cc51,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:38.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/sharedialog.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f9968a63-14af-4c49-fd46-08d90a50cbf2,f9968a63-14af-4c49-fd46-08d90a50cbf2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:20:36.000 
PM",FileModifiedExtended,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.246.81,52.184.246.81,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,1e6c39ad-46ed-4b5d-9b16-8ad94beaacb9,1e6c39ad-46ed-4b5d-9b16-8ad94beaacb9,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:31.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/OfficeExtensionManager.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,0dbdc667-f6fe-4830-738e-08d90a50c79d,0dbdc667-f6fe-4830-738e-08d90a50c79d,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:30.000 
PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,b0bde7e9-df19-4adc-d226-08d90a50c756,b0bde7e9-df19-4adc-d226-08d90a50c756,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:30.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,f7be2edb-b583-4164-9e9a-08d90a50c712,f7be2edb-b583-4164-9e9a-08d90a50c712,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:28.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/_layouts/15/IdleWarning.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,8fd7ff5c-115c-46de-af73-b9cdf4458bc3,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,85d6ea26-68df-4380-b4c6-08d90a50c603,85d6ea26-68df-4380-b4c6-08d90a50c603,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,MSWAC,SharePointFileOperation,"4/28/2021, 2:20:27.000 PM",FileModified,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,52.184.243.211,52.184.243.211,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,90580a19-45c1-4eec-9292-08d90a50c5f8,90580a19-45c1-4eec-9292-08d90a50c5f8,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:25.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,e8216e72-9aed-4625-e416-08d90a50c3ff,e8216e72-9aed-4625-e416-08d90a50c3ff,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:24.000 PM",FileUploaded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Document.docx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents,Shared Documents,Document.docx,Document.docx,docx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,511f3f5c-21a3-4856-8423-08d90a50c3de,511f3f5c-21a3-4856-8423-08d90a50c3de,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ac58679f-2b49-4f60-31b2-08d90a50c202,ac58679f-2b49-4f60-31b2-08d90a50c202,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,95a3cb0d-984d-4bcd-0a7f-08d90a50c1fb,95a3cb0d-984d-4bcd-0a7f-08d90a50c1fb,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:21.000 
PM",ListUpdated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,9220538d-0499-4823-a66f-08d90a50c217,9220538d-0499-4823-a66f-08d90a50c217,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:18.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ee43528f-085a-4133-cedd-08d90a50c047,ee43528f-085a-4133-cedd-08d90a50c047,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:17.000 
PM",ClientViewSignaled,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3bf4ef74-5c8a-4d65-3542-08d90a50bf2b,3bf4ef74-5c8a-4d65-3542-08d90a50bf2b,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:16.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,01bda5b8-6bac-4ab3-4c46-08d90a50beac,01bda5b8-6bac-4ab3-4c46-08d90a50beac,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:15.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222-my.sharepoint.com/User Photos/Profile Pictures/admin_m365x816222_onmicrosoft_com_SThumb.jpg,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,2c048610-040c-4327-a973-fc1fc6a3aadd,File,SharePoint,,,,https://m365x816222-my.sharepoint.com/,https://m365x816222-my.sharepoint.com/,User Photos/Profile Pictures,User Photos/Profile Pictures,admin_m365x816222_onmicrosoft_com_SThumb.jpg,admin_m365x816222_onmicrosoft_com_SThumb.jpg,jpg,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,c1609139-20c5-423f-845c-08d90a50be32,c1609139-20c5-423f-845c-08d90a50be32,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:13.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/listhost.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,5d819f12-7341-44fe-9570-08d90a50bd1b,5d819f12-7341-44fe-9570-08d90a50bd1b,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",36,"4/28/2021, 2:20:13.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,a772b0f7-69db-49ab-d706-08d90a50bd0f,a772b0f7-69db-49ab-d706-08d90a50bd0f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",36,"4/28/2021, 2:20:11.000 PM",ListViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/fb27c059-5c1f-48c4-b6bc-e0dbce67c947,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,List,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,aecd9a7c-3f57-4e70-8f95-08d90a50bbd2,aecd9a7c-3f57-4e70-8f95-08d90a50bbd2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointFileOperation,"4/28/2021, 2:20:11.000 
PM",FileAccessed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/Shared Documents/Forms/AllItems.aspx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,File,SharePoint,,,,https://m365x816222.sharepoint.com/sites/Contoso/,https://m365x816222.sharepoint.com/sites/Contoso/,Shared Documents/Forms,Shared Documents/Forms,AllItems.aspx,AllItems.aspx,aspx,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,681cfea7-290e-4167-5424-08d90a50bbf6,681cfea7-290e-4167-5424-08d90a50bbf6,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:09.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso/_layouts/15/online/handlers/SpoSuiteLinks.ashx,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ccfddcb0-7ac2-49b1-c2e3-08d90a50bac2,ccfddcb0-7ac2-49b1-c2e3-08d90a50bac2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:07.000 
PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,SharePoint,,,https://m365x816222.sharepoint.com/sites/Contoso,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,d0a3a060-a8b6-4ec4-9ecf-e414950ba509,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,42e1b87e-2a57-491e-8a3c-08d90a50b996,42e1b87e-2a57-491e-8a3c-08d90a50b996,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:02.000 PM",SharingPolicyChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""ShareUsingAnonymousLinks"", + ""NewValue"": ""Enabled"", + ""OldValue"": ""Disabled"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,ebaef089-bc0f-4f7e-4561-08d90a50b63f,ebaef089-bc0f-4f7e-4561-08d90a50b63f,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:01.000 
PM",SiteCollectionAdminRemoved,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""SiteAdmin"", + ""NewValue"": """", + ""OldValue"": """" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,51c422a3-539c-4fc5-67c4-08d90a50b5a2,51c422a3-539c-4fc5-67c4-08d90a50b5a2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,SHAREPOINT\system,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:01.000 PM",SiteCollectionCreated,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,APITrueFalse,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,394b0f40-24a7-4231-49ea-08d90a50b5e2,394b0f40-24a7-4231-49ea-08d90a50b5e2,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:20:00.000 PM",SharingPolicyChanged,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Site,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""ShareWithGuests"", + ""NewValue"": ""Enabled"", + ""OldValue"": ""Disabled"" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,3fbbc20b-6350-4147-a0e8-08d90a50b536,3fbbc20b-6350-4147-a0e8-08d90a50b536,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePointSharingOperation,"4/28/2021, 2:20:00.000 PM",SiteCollectionAdminAdded,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|1003200131f31800@live.com,OneDrive,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,johns@m365x816222.onmicrosoft.com,johns@m365x816222.onmicrosoft.com,20.190.163.29,20.190.163.29,,2dab06c0-d0ca-4ce3-b75a-e036b7ce1290,Web,SharePoint,,,,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,https://m365x816222-my.sharepoint.com/personal/johns_m365x816222_onmicrosoft_com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""SiteAdmin"", + ""NewValue"": ""JohnS@m365x816222.onmicrosoft.com"", + ""OldValue"": """" + } +]",,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 
PM",,,,,,,OfficeActivityManager,93fcbc97-2013-40e3-9c89-08d90a50b593,93fcbc97-2013-40e3-9c89-08d90a50b593,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,johns@m365x816222.onmicrosoft.com,Member,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:19:30.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/handlers/SpoSuiteLinks.ashx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,d7709296-8b97-4f33-4a81-08d90a50a334,d7709296-8b97-4f33-4a81-08d90a50a334,,,"4/28/2021, 2:28:22.000 PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",SharePoint,"4/28/2021, 2:19:28.000 PM",PageViewed,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,Regular,i:0h.f|membership|10032000c7584fec@live.com,SharePoint,,,https://m365x816222-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx,admin@m365x816222.onmicrosoft.com,admin@m365x816222.onmicrosoft.com,175.45.176.99,175.45.176.99,,6fecb81b-38cb-4ba7-a842-d529c504f4d9,Page,SharePoint,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 2:28:22.000 PM",,,,,,,OfficeActivityManager,2b4016e5-f2ce-4875-6596-08d90a50a230,2b4016e5-f2ce-4875-6596-08d90a50a230,,,"4/28/2021, 2:28:22.000 
PM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,,,,,ExchangeAdmin,"4/28/2021, 4:43:51.000 AM",New-Mailbox,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,DcAdmin,NT AUTHORITY\SYSTEM (w3wp),Exchange,TRUE,TRUE,NAMPR06A003.prod.outlook.com/Microsoft Exchange Hosted Organizations/M365x816222.onmicrosoft.com/SearchInsightsConnector01_33b68b23-a6c2-4684-99a0-fa3832792226,NT AUTHORITY\SYSTEM (w3wp),NT AUTHORITY\SYSTEM (w3wp),[2603:1036:4:3f::5]:1672,[2603:1036:4:3f::5]:1672,,,,,,,,,,,,,,,,,,,,,,,"[ + { + ""Name"": ""Arbitration"", + ""Value"": ""True"" + }, + { + ""Name"": ""OrgPartition"", + ""Value"": ""True"" + }, + { + ""Name"": ""OrgPartitionOwner"", + ""Value"": ""33b68b23-a6c2-4684-99a0-fa3832792226"" + }, + { + ""Name"": ""DomainController"", + ""Value"": ""BN6PR06A03DC004.NAMPR06A003.prod.outlook.com"" + }, + { + ""Name"": ""SkipEapForArbitration"", + ""Value"": ""True"" + }, + { + ""Name"": ""Organization"", + ""Value"": ""2ad3fc79-1859-42fa-9011-6f8df2251b22"" + } +]",TRUE,DM5PR06MB2489 (15.20.4065.026),M365x816222.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"4/28/2021, 4:51:57.000 AM",,,,,,,OfficeActivityManager,993271dd-415e-441f-cfe9-08d90a003866,993271dd-415e-441f-cfe9-08d90a003866,,,"4/28/2021, 4:51:57.000 AM",$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,33b68b23-a6c2-4684-99a0-fa3832792226,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity, diff --git a/src/SecurityInsights/test/sampleData/SecurityEvent.csv b/src/SecurityInsights/test/sampleData/SecurityEvent.csv new file mode 100644 index 000000000000..e351284bde89 --- /dev/null +++ b/src/SecurityInsights/test/sampleData/SecurityEvent.csv 
@@ -0,0 +1,76458 @@ +Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,SourceComputerId,EventOriginId,TimeCollected [UTC],AccessList,AccessMask,AdditionalInfo,AdditionalInfo2,AuthenticationPackageName,CallerProcessId,RelativeTargetName +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2afc94b0-5a4b-40e6-8542-bf5d5d26a141,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c121ccf-e504-46d5-8567-05f2260bc1ff,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35f834b1-df79-4044-ab1b-009992bd04e8,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cd803ef-2aa3-40dc-a938-e565b3c221a4,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4791ede3-61fe-4247-901e-249e2c390049,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client 
can be granted desired access.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:43.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21e6ec12-275e-4245-be9a-09c325d65b85,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a6db7a5-a2d0-4595-9dc0-b44fb7afc5bf,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client can be granted desired access.,f6638b82-98a5-4542-8bec-6bc0977f793f,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:42.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a319007-db4c-466b-a4cd-d5f7adb349d9,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6d8d965-a986-46e0-ab38-89b04a5a88fd,"4/16/2021, 9:09:00.730 AM",,,,,,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06b66dab-f97e-4c31-9c5a-72b007f63103,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ea28324-812c-483f-9533-43bb9fd05f49,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8af8e21-e459-4a24-8554-e2561f001dc4,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4793792-e5ab-44ed-b2ca-f440043ac112,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1198161-f8be-4d2f-8217-80dc3c9760da,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,487c4039-8108-4c55-aab6-e0ec00f23585,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b1f3ea4-d42f-413f-928b-426cb71271cb,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07afcff3-3e1a-49ae-92f3-f954932ba5aa,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec3e4f94-c07a-41d8-a57b-094f4ce2b0ce,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c18979c-fc2d-4ee7-9005-9e9a5b28caaa,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a28d3eb-ab69-46ba-bb35-9f5214897293,"4/16/2021, 9:09:00.730 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74a7c1e5-c11b-4eed-a53b-b5ea52ac224c,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,50922fc2-e327-4aa4-93d0-9253cc9e6bcd,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\HELPDESK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06ab4987-55ac-4647-a46a-52537e6bbf87,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\MIKE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c78102f7-2a19-42c8-9255-9a662eae56d7,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7131d2c1-286f-428b-9e83-83d2ec5c8729,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f1c70f04-0111-4620-9bee-127f7ae6014c,"4/16/2021, 9:11:13.620 
AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91095df4-0a32-4077-a592-64e793105d3b,"4/16/2021, 9:11:13.620 AM",,,,,,, +\PC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f1e835a-8003-4137-a40e-584a2fe1de31,"4/16/2021, 9:11:13.620 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7904 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af02b155-e5d4-480e-b570-3f551355730c,"4/16/2021, 9:11:13.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f49696-21dd-416c-8e01-5a15f5b265c4,"4/16/2021, 9:11:13.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," 
+ + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8108 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,598614d0-089b-4feb-a42c-58a0758f92a6,"4/16/2021, 9:11:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748ef16c-4f58-4e37-acdf-36cc2db7fa12,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2038142-efec-4f23-9e85-2d3b1e0d902f,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0840e1-375d-45e5-88ae-050d4a8f0e74,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8103eac-fccd-487e-9870-33168811fe3e,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b66b42-3303-4e02-9c70-9c1206cd3993,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f40fbc-6636-4244-aad7-0069d9ce9e51,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edd025da-19a6-4d40-a7ef-a509ddaec3cf,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa87e824-fbdc-4aca-8606-e4bff0e0ce71,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf928687-66b3-4189-9506-fc4dc48fa5aa,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e6f2b53-c28c-427f-a790-22766cedd83c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91643cdd-0f44-4dfa-92b2-ee53cedf25e5,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1e05a0c-6056-4abb-a29a-4eefb2006e39,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6198d064-d870-4cb1-98cc-5a3870391117,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bbef50f-c2bc-47ae-928d-a38b91d81c4c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220c9c13-cb24-4096-9781-e358e0854e03,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd7e3c0-ee95-44a9-bf42-25e86aae360a,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2e16e7e-b86a-4906-a28d-2c19387c070c,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289c4013-1a35-4459-9d42-5b10f63aab59,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa72c459-826e-43dc-bbde-ece9213c4324,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,577ac2b4-deb7-44a4-ac91-c1906d3f64d8,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd9a234-93f3-4151-a364-37fd8ad66a04,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4e73f31-2aad-4cc6-bf55-df2bde6e6be4,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51c4e864-b51f-4690-acc8-17eb10a07e98,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530f05e9-9bb3-4cb7-aed7-e168f84d9bf1,"4/16/2021, 9:11:56.124 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,42749d15-2708-43e1-8301-751e15314ad2,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6608 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b452d3b-da57-40ac-bb7a-a99773525d38,"4/16/2021, 9:15:55.623 AM",,,,,,, +CONTOSO\CLIENTPC$,Machine,ClientPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Security + File + 
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + 583da945-62af-10e8-4902-a8f205c72b2e + %%4418 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",5145,5145 - A network share object was checked to see whether client can be granted desired access.,f6638b82-98a5-4542-8bec-6bc0977f793f,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:42.862 AM","%%4418 ",0x10000,,,NTLM,,583da945-62af-10e8-4902-a8f205c72b2e +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7136 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,09fe1526-7583-4b2d-a6fb-110527cfd993,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba031d91-b7d5-4316-a91d-4e17a2e5653c,"4/16/2021, 9:15:55.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,385d6080-092d-4df3-8d4f-31e01274c8b7,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e8f8e0d-c463-4f58-b0ff-3014b1cbd01d,"4/16/2021, 9:15:55.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3272 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2f70b662-0576-4e8f-91c6-11da9cef9716,"4/16/2021, 9:17:09.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c658b483-b06e-4f90-9766-769fc6faec1a,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7f6904cd-84f1-4e83-8201-62e0b787042c,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bbd976fc-3fe1-45f3-928b-ee2b503c637a,"4/16/2021, 9:17:09.881 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b81d1c64-82bf-4a66-b43a-25a18d1c3c19,"4/16/2021, 9:17:09.881 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,adf9be15-46b7-47be-8371-a504bd42c5f4,"4/16/2021, 9:17:09.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6824 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,44ba7a56-fe2f-4dc4-8d91-c5b4689b3790,"4/16/2021, 9:17:09.881 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d0e5844-78a0-4c10-b57d-542f63ac2284,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a78d9fa6-9506-4156-bbac-f57de9753b12,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e61bd567-276d-400d-b13d-0b4557668df1,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b717bf9-01f1-4ebe-aa89-e9cd981cabef,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e670311d-c87f-46e5-bbf3-8eaff97d433e,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8f14b1-3ca6-4644-95fd-5c6ee5e5580a,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3dec98d-e1af-4bfe-b4e4-04c65917ca41,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371e9b90-1712-472a-a42c-48e152f3b43e,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\webadminuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee974d4a-27e7-478b-b6fb-36a0c0498491,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d42939-cd6f-49f5-a42a-5ab2364de2f4,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a7dcd60-8b05-4d5f-ba60-1ad6a585f238,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\marcelo,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b93ceb9-c3fe-48a5-a5bc-847208222a2c,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaff5596-56ed-476f-bd38-a1a963369b0c,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fbda712-1df3-4c49-8131-648bfe93f9d2,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa547ba-8469-4f71-8f2e-83b769ce1309,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bfdb86-1b8e-4de5-a338-71c079295009,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effdf36e-0b48-4381-830b-d5c1eaae56a7,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6212810-a75c-4533-a4b5-e59354a22b06,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2f62f7-e9f3-442f-9f43-ebd2843220aa,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a281a655-484b-4def-8e74-08c40e9ee3b7,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ba75a1b-4b95-4ffc-81ed-1f20edfab632,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\user18,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bdb2a5a-9b36-44f2-bba2-165a22896e46,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2f3cc54-0a33-4ced-abbd-02623a2f96ba,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f1e6188-d9d6-47ec-bc2c-a9af7f94ee9d,"4/16/2021, 9:18:58.129 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d49501ff-6972-42c4-99ab-46beb39519c9,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c80f327-7a79-4170-9c7c-66e31fe418bf,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fc7c07-d515-4219-8aa8-552ff7cd7190,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acc5f42f-25c9-4b0b-85b7-b2bf8ba3b3e0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b72faa8-f37f-4894-ae73-6143c7a6ceca,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a202a0f8-3176-4daa-84a3-48ce6b66ea9b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\VPN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8c37aa9-0ac3-4f8d-9949-af063b68c9e7,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,186849e0-1378-4435-95ad-ec62eaaab8dd,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,988ce9cd-a463-4ad3-b90e-e7b2a485ee6e,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4a67b73-bbbc-40aa-a76e-0d1c79b992c3,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a18dd436-9638-4573-96a3-6a81785cece0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e206dc3-4ef9-43be-a856-19d541085fc2,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,929fbd13-5c76-496e-bab5-67db856f3f42,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5bd7dfe-ceee-4491-b2d0-0cad3b8bde71,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52e70cf7-4fd2-478b-ab8b-e21790590738,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c1daf4a-e8cb-41e0-a4fb-2d02ae9f886b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,592c3258-30be-4fa9-8a36-45797d91dc62,"4/16/2021, 9:20:55.723 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f3a64f8-f2d0-42ce-be5e-48f3a76eb7f0,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95822958-e34a-4d81-9d86-b42636a06c36,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,deea6189-4bae-4055-a571-e39076e887c5,"4/16/2021, 9:20:55.723 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb4db752-bc7a-44a2-a848-8a1a848867aa,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10171458-e743-4cfd-80c7-c742c9a8dc57,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a84b8599-8a8e-46d5-ae7e-da9cc55793cc,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\CHRIS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4568cd9b-75b8-4e29-a37a-47294e38023b,"4/16/2021, 9:20:55.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a87080d-f922-4fda-bcb1-f43bad6ab6cd,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, 
+\SECURITY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f99cbc4c-2d77-4df3-a95f-fa69c39034c9,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba70a2d-bfbe-4f29-b953-36ccc6a8ff55,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\JJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e601f55-f9ec-44be-ac01-83a85ce9a350,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a21b36-488e-4f07-b052-4cca10b2c358,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1328f471-04ca-4799-b96d-0ef6a29f16e1,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ecdfee-14cc-418f-a9aa-c4b44ccd3e56,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf8a92f-c089-4432-a6cb-5de0483e3b7e,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90d39516-26f9-4098-af84-b01950a1ca69,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef3edf3-1d5e-4a5d-a7b5-5152b38f7549,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec1b74e-17e3-4913-b58d-e2c1580fa8a7,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ab3a174-f245-4e54-865a-2a845f72676e,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa5f50db-f638-4ed6-8837-ea292f73d6a2,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60bd652c-bfc7-4ac1-9f0f-cd7632bd36a6,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eead84f-b121-4531-af31-7199c381bfa0,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdf2c90-baef-4711-8f66-1d225d201de1,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c05ab43-71a3-4973-a0b9-c2d50b70763c,"4/16/2021, 9:27:21.152 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,377247c5-fc18-4457-99bf-41245b3c263d,"4/16/2021, 9:27:21.152 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,406e324d-bc2c-4faa-afa3-fd53720e7be9,"4/16/2021, 9:27:21.152 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6752 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d528969-e394-4079-8131-eede3a038e0b,"4/16/2021, 9:27:21.152 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3678371b-168f-4196-8a6e-da728a21922b,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e71220-d4de-498d-ad61-844ffcc68694,"4/16/2021, 9:27:21.152 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c88f909d-a0f4-41c0-92be-4e1c18afb237,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a68a5990-ea1c-439a-903f-3e7883696ab9,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0729c130-54e3-487d-8101-2bbd50dd991d,"4/16/2021, 9:27:21.152 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b23c987-7423-402b-96c8-0fd59d89af64,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0d35b9-df1c-411f-9490-7b5896aa5bc8,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec089bd9-deaa-4660-b033-c181e7117c79,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d4106d-f8d8-4656-9842-1c29c08a6ce4,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0b207ed-9ad8-409d-87fd-2d1d94887c54,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f00d68e0-39ae-492c-af71-e096f4676ea1,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,080e6e07-8fcf-43b1-9fe0-2509894d37a5,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63ca5565-d591-4bf1-b345-4cf96d44559f,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7af80eb8-948d-410a-b281-0d535fef5caf,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff32ea37-c46b-4aa7-94db-64b99a2f7ab7,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38235f00-0152-4df2-ba33-125f886f088d,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,908ba274-d612-401b-9431-8f891ab7a927,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dda9f06-5730-4868-b32c-e1c8dd370cac,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b86ae05f-1ce7-495c-a1ca-209cffe23fdb,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d07f04b-03c7-4c0d-a7cd-e5e01febbca3,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa838a5b-1b31-466d-83ad-03eaa34e51f4,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab5ee819-f85a-4b9d-aab5-70bea757f5dc,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf83348-3f6d-4eb9-855c-fb49ea341d02,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d03facaf-0bd1-4eb5-a819-9f23f9cdb2f6,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b4fdbd-6297-43ac-9523-13e1efabc679,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31b17381-9cc9-4b7b-b7bc-ec1fc5dc0b07,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbe5093e-0a47-4c29-aee2-e7f2a998e24f,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,408867fc-70ed-4387-80b7-7db2c88f3ab0,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e860d3d8-f876-4f69-809a-91ee360da2ce,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c727065a-75f9-4ced-8010-9413941ab423,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d69e4b5-4c63-468d-ba05-83ac1aa2333b,"4/16/2021, 9:27:52.134 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a0f93d0-b08d-4a24-8f5d-34c25ee73c11,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fbec15f-61e0-4c8a-88da-2dc1cac18640,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\JOKER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0f33521-411c-45a4-bcd7-40c8359e8e33,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6fdde4-b5e8-4f0e-8723-54d041510f99,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd1329f-b285-4280-a9b9-3147ca05fc2c,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\SQLSERVICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29861c41-c580-42b1-9c89-142f4336ba64,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f29a2cc4-97cf-4dd1-a929-e5779c02776d,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b72a22f0-3da8-40f4-94be-5dccdd5fd9f8,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c081d23-b7d7-4053-8021-ff81e2c5304d,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4758f83c-3a94-443b-a0bc-885dbc88e500,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,759a5dce-c36a-4a6a-8594-608820a6ee93,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc28ab5d-5343-42db-bdd0-d15b08997717,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c0b554c-0453-4f99-a6de-cf2bb1017cc4,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36316e0e-1015-402d-961c-5238f977c41e,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6656ec6-31dd-4245-8319-3658c6a3efc6,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4b16068-ea26-4e08-9b6f-eff6f4e34b98,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ee63892-105d-425f-9c7a-bac85b993644,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\TEST3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67c88dc6-a9a8-4625-aecf-b7bad61b1c92,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f214b44a-9ae3-43ba-84a0-941a52383f21,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46d4e6ea-ae1d-4750-9392-93e080f0ef4e,"4/16/2021, 9:28:21.748 
AM",,,,,NTLM,, +\STOMPYSTEVE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c0deae8-d951-41c3-b7e4-099375d00b88,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2887dc84-8b7c-44d8-985a-934c6885d2d7,"4/16/2021, 9:28:21.748 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2576 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,61641557-bad7-4477-b5b7-455560445897,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,05c0cc7e-2eb3-48a1-90c3-2273faec307b,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12772 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,18fed45a-7a7e-4eab-ac4b-790c40a0bedf,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,07952245-8247-45c5-8d08-22d2203074cc,"4/16/2021, 9:28:49.420 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6336 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,064a0d33-e648-45c3-9e34-2328153d0df5,"4/16/2021, 9:28:49.420 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7736b92a-905d-4ee4-8730-e56260459427,"4/16/2021, 9:28:49.420 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186b98b2-5c7a-41d7-acad-6a22171dc3e4,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10415b9a-5d7b-4098-bf09-6ee6821ca71c,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a857b92-80af-4ccf-9c96-88eca7cbe154,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27910d8f-d3d9-4844-9620-e1bfb1ce5181,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d133cbd8-4e17-42f2-8152-25638ce3754b,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,666e7394-573f-4cce-ad1c-889ab9cad8ed,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c8c0ecb-04fb-45e0-88a6-3d3517b025a6,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fbc264b-7a64-42be-b52a-96ad039216dc,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ca1bef6-d8ba-4ba9-953d-ba92aee8c982,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cc4985-39ca-466d-bd2c-8a58eb957868,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8560bbe-2d5c-4595-8d52-0f4b396a147a,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fca8ec70-083b-4f6b-b234-7f52300fb830,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b522af9-d730-4c1f-b328-98e01bdb4b99,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9717052-e0f8-4c5f-8816-b3c6e77c79aa,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61b0a096-9d92-435c-8361-4dc5265545de,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c4710db-94d6-45e5-940f-7046e7ee0616,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f75233d-f9dc-4e6a-839a-fbaebf566d69,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d70387ae-907c-40d5-93a7-a59b93781e36,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944f7bd4-861e-448d-828e-2ded5637cccc,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08b213a9-5f56-4470-8c7f-f5dda6ded2ab,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5975c529-5cd5-4fc3-9537-55e45963dfea,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28652eb3-f36b-4344-86e2-57e9cc465134,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b23e74-15f4-4940-a40d-726ff8ae3059,"4/16/2021, 9:29:14.138 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07f4b6e7-0719-4e25-8df3-7402fd28c7c6,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b173322f-bcd6-41c1-9582-ab49cbf0ea2a,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,d701ffda-3cb7-42b6-accd-8e4bcbeb9970,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8840829f-bced-4fc5-abdb-ea3167c33646,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2eefda3a-a6e2-4475-8f6e-a919621bad7d,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f17a3fb-6b60-42f7-a1f9-8aa654518377,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d460e2b-b764-4bca-8fce-01ff15e02c6c,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f7ba93f5-bc7b-4683-a081-4c3b585f4b6b,"4/16/2021, 9:29:16.106 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9de2c752-694a-4a43-87ef-914c2d169bb8,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9d76f56-4a57-4ad0-ba41-a33ccdb8ee1b,"4/16/2021, 9:29:16.106 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9de9a4b-0ca2-49f7-96d1-3824aff29f13,"4/16/2021, 9:29:16.106 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b3dc9f8-6c47-4e06-91d3-3e04be4fdcd9,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41fd5d5e-e7e5-451d-95e6-831439247c23,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9c87e7-64cc-452f-b771-16809ced1107,"4/16/2021, 9:29:20.760 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af18ab81-0e79-48cf-b3a7-932c46374627,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\EYF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36649dd8-1339-4404-9ddd-af7e36d642ef,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6431becb-062e-4316-96e7-e866b425781f,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41072343-a895-489f-a0b6-1798e89af178,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,238767e2-043c-4a8d-ba77-244c3d0f3703,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1509d6f8-bfb0-47d6-8f1e-ed97196f0846,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1447ec71-935a-4477-ad7a-ad24e2cca1db,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb3c1893-76e1-4db8-b7bf-5446df1b930c,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f4a1eed-3451-4488-9ddf-df8de70e9087,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a17e6ac2-33ea-4b42-b1bf-2bf80fce78f1,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\TESTUSER1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70037179-ec76-4826-8b7b-e682bad2b1f4,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee3e829b-8c10-4506-8ae8-5b465d27ee82,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6fe0c0c-00bb-4475-824d-56a585f8d0fe,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b07fc3e4-79e6-4898-9c19-e210fe177752,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f4a2708-713f-401a-bfb1-8d74c830c1ce,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c94ad00-08ee-40d0-9ed1-3e32063fe9ab,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,806d367e-eb34-494d-86aa-751b8eb0503b,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cff3d1e9-7017-443f-a5a4-3a1c5ca4f09c,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd12b61f-1dd6-453e-b17b-33e50f26f7e8,"4/16/2021, 9:29:20.760 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 13724 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,11e77326-5cc6-40d9-916a-1d2ec62f42ef,"4/16/2021, 9:29:30.876 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 13456 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,40b72e3c-9c24-4d92-add0-6ef9fdc7633f,"4/16/2021, 9:29:30.876 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1012935d-728a-403c-b095-2a7b3fbe2258,"4/16/2021, 9:29:30.876 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f756de01-8b02-4f49-853e-73208e3ae632,"4/16/2021, 9:29:30.876 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,8bed84e5-6ccd-4d6d-b836-f8fd6194f7a1,"4/16/2021, 9:29:30.876 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80be7a54-8d7a-4920-9f94-b691bc37c174,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b78a23-6f9e-4d73-829d-1d21455bb6a8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9faa1d22-3ad0-4354-b038-f197d9376a84,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f47f4f6-6b55-460b-9479-e5ea4039331b,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0967ddec-b475-4b82-938c-3d942fcd7523,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b34ebda-0949-4c5c-8ca1-d747db2d1b78,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1731f6f6-7640-47a9-8306-cd6c617d5965,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53ff7a4-f0f8-4d72-b6c5-8c06ed1fcdfe,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b0150a-67bc-455e-9d0b-dca38dc0e411,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f7fddf-e21d-4076-a79c-ebfe894ca948,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda498ff-7a97-41e9-ada4-641d54c917ff,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b726085d-cb69-4aa5-bd1b-4fde354f37ef,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0fb28e-1b0b-4f19-bf5f-9e5c44463779,"4/16/2021, 9:29:36.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,397b09e9-9bd7-4fb2-be98-a68a4f5ca8f8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5766bc-1aee-42f4-aca2-a7609949eddf,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7d6f8bd-fcb6-455c-a5f8-12b76571eee8,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aff446f2-a230-4f03-a086-d81a4d9ac07d,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28fab94-5579-442f-936f-004c17d0e939,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a13a15d-8091-4fe0-98fb-b20ab5b31250,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f09c95-142e-4aba-81b0-c02644929342,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e7a36cf-6dfd-4913-8c41-c7a195a93427,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbab25f1-0379-42f1-9727-24ced1884e2d,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31a57c16-9656-4135-b327-894b9924ca66,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4d3f4d-e1f2-40f6-8961-8e1c2c34b157,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdaac4fc-8c05-4cfa-bdec-54da2de02cca,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a2cc78f-20ee-4cf1-a201-448b3aed7cff,"4/16/2021, 9:29:36.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d87ddc-be2d-49b2-89e8-ee416dfb92ed,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,376549c5-d05a-461c-8e3a-19897aa7ba80,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca2f950c-302e-4fe5-b36b-72c410ee56e3,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15be7f46-ecfa-44f6-90ab-f3cf588a81aa,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2624b8e3-e706-48a5-b6c6-fe834c6eb364,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33a1bec-48a6-4e24-be97-23174edc0383,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c211ae-c1b7-48ee-a666-b9d4098e6488,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae85cb40-2fa2-40eb-a289-e2da415e8f8e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bfb1ccc-b7f4-42e7-840f-03cd737593b8,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6e0e794-46b9-4b63-befd-45109a3d2d1e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a32927a9-77d3-4ecf-b463-b1075b602ca4,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59ab155-78f6-41c7-bd0e-f32225180277,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a21d7e4a-0a1f-489d-83e8-a200075e799c,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2743d6c3-5174-4244-a793-04aa2e1b7e81,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fd05fb-5785-46b5-9c78-81b7a5797143,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ca37da-a612-43b9-80a6-fb8fa803da4c,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64261849-366b-43fa-b446-70fafc4a046e,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b3b7af6-88f4-4df3-a6ce-66ad344e3fd1,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5922d5a8-a71c-4157-b555-d3b97092350b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01aea61c-78ef-449b-8b1d-e9497be39aa2,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd526568-62ab-4a5e-b973-5500ed84d215,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb8fdc5a-18aa-4231-924a-c6779d1d70fb,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10b151c0-ea87-481a-9642-796b7d236d3b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c3780d-88e7-47d9-8f65-ed503d8c83e9,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b56145f6-2564-4a8f-9d94-1c4615ae054b,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8bbeee5-b1fa-47cd-a993-1379303a2453,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,063b6145-aa30-45ba-94b5-a5a2835ca120,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d749f16-2890-4162-8f73-cba4af484778,"4/16/2021, 9:29:51.186 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c54d103c-eb45-46fe-ab96-71b436dc3822,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cd3cae5-3acf-4b74-a4c4-45da5d600d3b,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c29976d7-0360-4298-9bc1-cfbd90812f36,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\ALAMB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02ff41a9-6edd-4e82-9533-c49d6f6803a9,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97a9352d-1df8-45fb-87a0-7e96f8648252,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a926b7f7-f555-4f33-b645-1e5fb1841e0b,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38d9240a-515a-405c-ad47-3854363941c9,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3910961-8865-4688-b5f6-3e4a3cf34fef,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a35f881c-9a77-4e7b-a843-120f501e835b,"4/16/2021, 9:30:02.771 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44fc5e0-9235-486f-8f6b-abd8f9d79f9f,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6622ac9-da61-4553-b2fe-e9d38ff052d5,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b90b793-a581-492b-9dcb-0c85d2671ddf,"4/16/2021, 9:30:02.771 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94902f0f-c1ae-4454-9ca6-8a6c3dba251d,"4/16/2021, 9:30:02.771 AM",,,,,,, +\KASSA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,723a252a-cd99-438b-9f61-26dad5ca960e,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16a535ef-8354-4ce3-948b-913ec801e437,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9d7744d-46fb-4a5a-8514-ea4a429e2732,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96edb98b-41b8-47c6-a62d-d49b216c3aad,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3098713a-6c19-454b-9e7d-ebf4e8d0587d,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c10d8e35-dac4-44fb-9737-b9992a10dbae,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46afb60f-e04d-4631-bc1d-2fc697a58a2f,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa7a5266-16d8-478f-8b48-b0e531eb834d,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b1e9a14-b16a-4bde-bd34-eb62977e00e2,"4/16/2021, 9:30:02.771 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d7973a7-fa56-457b-b76c-a1421086c894,"4/16/2021, 9:30:02.771 
AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef2c974-098e-4886-a31e-64052a09cd3d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd2e7c7-5b47-4b83-933e-4be45a673c63,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0607c3ee-614c-4606-bc0c-5fb2be1a45e8,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e513b19e-898c-43d5-bc9f-13e6d292cabd,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f8a517-b5e4-409f-ac08-10e9cc19a04d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bd122ca-aa48-4842-9584-f05d10e61c9e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54183ff1-117f-4b60-8f6b-40d8a09b90dc,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5d2f16f-9b31-45bc-b6eb-6a652b319274,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c311d0aa-fc26-4578-b7bf-77218ba056bb,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b3f0daa-b865-4270-b876-56c45d967187,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bf71b28-f675-4030-a6eb-9044ae220886,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31f6c32-0019-46d8-879e-784ee68af95f,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c24a39cd-7173-4b37-8ce7-60c6b7254d56,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e29e2fef-5162-4164-b3f3-0ff91f9fe508,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\CREST HILL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,867b4ffb-1ceb-4c4d-93be-374309fac2a8,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c185d2e-0c41-4dc7-82e2-85e9d6a714dd,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04c1b898-9ffd-446a-9bf3-5f634941928d,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d12209-3e63-47d9-997b-f6ba661122e4,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c9b506-9937-4ce0-b99c-ca5fc79f9383,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae8e1d77-6afe-4d8e-9bef-ae42e2eee253,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76353c95-b7cb-4fd4-bb66-cf3ec6f9a26e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2fe3a0d-d684-497e-833c-a920348da16e,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ed07ae-e5e1-4722-bce0-6fd72ec46614,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c02c8f-5109-4085-8f3c-4fafca2dfd67,"4/16/2021, 9:30:06.139 AM",,,,,NTLM,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ec3b14a-c58c-4e3a-b993-5a1ad0173949,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c4937b66-956a-4166-9d9d-62d686b639e0,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b113dbf8-07dd-4756-90fa-d461f5f615ff,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdb3bcf3-9c71-4ed7-84bc-ec932b099ed4,"4/16/2021, 9:30:06.647 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e34ea16-3747-4ddb-a56c-98a003afa00d,"4/16/2021, 9:30:06.647 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5781231-ddd9-48b8-b3af-a6183c2c8690,"4/16/2021, 9:30:06.647 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c7b3d2f2-5f6a-4d98-9ef9-34c8c9e0d859,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,a525dcf8-4221-4dce-8f8b-390a7a095744,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd3ba + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} 
%{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,ce346c6e-b616-4947-b365-dc282dbb76c4,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1864669-413d-40c2-898a-10b9647d8569,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd40f + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,53c37fd8-1af4-4778-84dc-171b66284ead,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9150960-3d1c-4c21-8fb4-971b054a2d0e,"4/16/2021, 9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd41f + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,6beec2c4-175e-4b65-957e-f1bbf564a482,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,e1ae52aa-161f-407b-912c-1dc757d51a38,"4/16/2021, 
9:30:06.647 AM",,,,,Kerberos,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x41fd434 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,019a4c11-b436-4055-a180-ca0d93055b2c,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,2a7f3582-511b-4b50-b040-750dea99ce4a,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,0dbc8eb5-a5d5-4ed0-a329-f9ff63cf0e02,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2646bde-e41f-4ee1-b5cc-29f90a5a8088,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO + 0x41fd3ba + 0x0 + - +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,4668191a-ddc7-476b-bd35-6116da85e17c,"4/16/2021, 9:30:06.647 AM",,,,,,0x0, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,eee8a3d4-a6ec-493e-96ec-b12781853dae,"4/16/2021, 9:30:06.647 AM",,,,,,, 
+CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8deb033-a50d-4cbe-9119-68f33d3e1d28,"4/16/2021, 9:30:06.647 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41fd270 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,06da85ac-c06b-426d-ac8a-90a5585a2a47,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,2aab6744-c156-4973-9ee4-02c8d14ca303,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,ffc7259e-eed1-4d29-9bd2-0486d7eff1d8,"4/16/2021, 9:30:06.647 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,afcafa10-9dc4-4fda-ad6f-da8f3da25de0,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,71b5756b-8a9f-4f06-94a8-d69b0d742c45,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon 
was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ff29c70c-9703-4afc-9ed2-cb2530be1b7e,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3ce625ae-f164-449d-a319-7db12c2dc1df,"4/16/2021, 9:30:10.916 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241bf090 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dc235730-08c5-4284-9e72-6a7171f248f5,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0be4bb2b-f747-402e-86d2-ee16304eaa72,"4/16/2021, 9:30:10.916 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c87e85e4-a7cc-4574-962b-3e3e5d25cc07,"4/16/2021, 9:30:10.916 AM",,,,,,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73edda84-64e9-403c-bf3c-84b744035502,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d39b434e-bc3e-4d40-8f54-3023f688465b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,551c6ef0-01d1-4775-b228-4f3d42d95039,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de7eacaf-37ad-4c2e-b890-51715a1fa59b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720eb0c0-9875-4521-88f7-85a91421ed06,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ada8633-873e-4d38-906e-34ae70fcd422,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad1bb554-a227-4d07-b017-13a60eecd64b,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49008419-1a25-412a-83f3-9a8165d8efbc,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a37bdb27-c921-4cca-bf53-05e6de7ef720,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a212b3c-2d1a-46d4-a73f-612409a5b075,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe01abb-5a01-4b17-8c02-69b84fb249ee,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb0e867-7cf4-4255-857f-40eab6943b92,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53df7fb4-00b3-4492-8848-f093f95e36a8,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50c02b63-d0ee-4771-a5a9-bfa84982bd65,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b39538-8dbc-4edf-9c34-c97cfd3d907f,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba7c8b5-ea9c-4bfd-aedb-3a5f771741a6,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd1b4893-96bf-498f-a7bd-5c92113dc94d,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18c674f-d393-4c91-bd51-cfbf564ea8f2,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,796aeb17-caf6-43b3-a912-acae0d410abb,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5925af93-5572-4d4b-b881-14c9d5a514cc,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1361b7ac-3203-4260-9d6c-f621906566b5,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,221001e8-73b2-4270-95a5-ce49d8c11ac4,"4/16/2021, 9:30:14.138 AM",,,,,NTLM,,
+\ANA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c0dc44f-cc30-4b23-9467-ee6221b27f7f,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,,
+\INTERNET,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc83453f-7132-4db7-9eb3-935ada8b72cf,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,,
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15fd5c29-5a8c-43d3-a5d9-31d339980f84,"4/16/2021, 9:30:19.411 AM",,,,,,,
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fa109d8b-6e28-4041-8e43-1dd54110c8d5,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 212 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ee790083-3fe3-412e-9180-5e0fa3b9570e,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,071e4143-a292-4e54-b241-31aa731723af,"4/16/2021, 9:30:19.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5cc691c-b512-48e8-b72e-482708387673,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\GUARD,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8965e8f9-2150-46e8-9c84-50caac0896a4,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8cadfe8a-0367-430b-8aa3-a08fa6f4edcd,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6ba0b10-621e-454e-b295-7ad2b26ab5dd,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,772811cf-f59e-43c1-8d1f-c3a3bd3646b4,"4/16/2021, 9:30:19.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,86f6c7d4-4039-41e6-98f5-1d06ff818a79,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4852 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1fa67fd5-1e28-4f33-9ad1-83875b08ff8c,"4/16/2021, 9:30:19.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1e5a9bf-61c3-41b8-9ebe-5610ab092014,"4/16/2021, 9:30:19.411 AM",,,,,,, +\PRAXIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf78993c-dd9d-497a-9036-165550d4c2a4,"4/16/2021, 9:30:19.411 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af3375d6-1c74-490a-be6d-a9ca1bf67284,"4/16/2021, 9:30:19.411 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f11b248-49ac-4556-bd93-0b33771f29ba,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10b6ed06-fb88-4be0-baeb-62363c18aba5,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8f11f8-626a-499d-a34e-574323e6c9d9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f34650d5-10ee-4e89-9869-fa302219e3ce,"4/16/2021, 9:30:20.766 
AM",,,,,NTLM,,
+\OFFICE2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad7b1ea-f7cc-48f9-adbe-2244411e1363,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26d09fd4-d169-45aa-852e-a57ccc9bd644,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0a20ef-24d4-41e2-a34a-b4a7c1be0f66,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e933cad-5043-4ddd-b5ec-29433b6c4ff9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,284561ef-87f4-4a81-8506-5b04b1fedc55,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65f3e2c1-cf34-461c-9708-888412627913,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5decbbb0-4aca-4395-aa9a-70ac272d7501,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37e614a5-d3c1-4df1-92a7-e701c4ec1f83,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c0cf37a-36c1-4ec1-aa9d-70cc0d71e554,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e66444-d93f-4aec-8c10-3b02d6338c16,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f9f3be-530f-4655-b5f8-b8f94c7338aa,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95622bef-bb20-439e-9291-7f0e29a623e9,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\FRONTDESK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50e22f44-a327-4e36-9f06-7673fe413de6,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,202bcbf6-51a0-4f93-9d4e-7b911f5e7472,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b33f228-6250-42cb-9acd-a77657b620a8,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,918ad498-60c8-4472-ba02-450e4d93fe0e,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc728b0d-1f17-47c6-9649-18031dcde604,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25a711aa-66ce-4841-a3de-45f98cdff51d,"4/16/2021, 9:30:20.766 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6368 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d85041-5c68-4f6f-91dc-d8296729b257,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e81cb28-57a6-4151-bd9d-d385d2932886,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\AATPService,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,567cc234-18d4-4589-bd65-7ddf7fd89754,"4/16/2021, 9:30:39.640 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b8dd2c60-25fd-4005-879f-96bc23ab91f0,"4/16/2021, 9:30:39.640 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3152 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,248dc0eb-afd5-42ee-884c-0c1322619835,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b3fc153-742b-414b-bf96-293468504803,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc0b1c15-fdb9-4ae3-89ab-e87f97bc0ab7,"4/16/2021, 9:30:39.640 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7c46be3a-3ef1-4c23-acdd-c478c7dda600,"4/16/2021, 9:30:39.640 
AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ab8147b-6199-4884-a6dc-2778e33acd7a,"4/16/2021, 9:30:39.640 AM","%%5649 ",0x2,-,-,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5f3c5748-5274-4566-862a-914c9410e18b,"4/16/2021, 9:30:39.809 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8187b6ba-b47b-49e3-b647-fe04a11b438d,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8422c491-72db-4f92-8a1d-6b18fde0c05a,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8223193-488f-4131-9989-734c15f5908f,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\OTTIS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f18820b1-092e-4bf3-b95f-1b45bbe59a0e,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4228501f-4ae8-46b6-97ff-e720245b95cc,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83d973b2-f521-43e8-af6b-f30bb51c3da2,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea82f0da-488f-4926-b553-ec6b31463450,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a6d6ad2-87f8-4d29-8748-8309eed2caeb,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fedf49ff-bada-4682-ab6a-8010bf20bdb1,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9291cb63-a730-4668-8699-e3186d18a8e6,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\USUARIO1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9953c5c7-f553-4281-92a0-b7e86dbdf7be,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71942d38-b363-43f4-9e17-abc18a3bf4dd,"4/16/2021, 9:30:56.757 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fbf8b22-dd0b-4b64-8272-64e4f35a636f,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bbdc78-be2b-4485-9383-d2ecf2a3c306,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ffee648-43b3-4019-afb6-04b205a4fe77,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be3432fe-6f55-4513-b141-c7fdc91b6ddb,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e84073d-339e-4d92-93cf-0d466f6529ea,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3a5c0ab-ec85-4217-bfb7-5e367df65e6f,"4/16/2021, 9:30:56.757 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d718c342-0be4-4cc6-a6b3-26a2f2e3051b,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01a9675f-7497-4f30-bd56-ce2c3532708c,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b35c2a8f-71b4-493b-a3e5-170681be55b5,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68cd3806-93af-44cd-92c2-b2e3b43b816c,"4/16/2021, 9:30:56.757 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,654c5be9-b6f2-487b-9ba5-c3ea7a5ab72e,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c066c4ce-c34b-4c9f-a57d-d14f0de73cec,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,872aa609-c8b9-4c16-a3fb-8e5878e9bbc1,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,44e7610a-2567-444d-a039-b97f8eafe059,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb989e40-3d9b-4afc-bc18-0cf457ff396d,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbf35d01-5d83-4c57-aee5-52ee17b3ef32,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,37183ea9-0166-442e-b9e7-1a67047187af,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1d5094b4-d19f-4492-aa4c-7224ccc12c75,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f1e1c408-3c18-4fd1-8ce2-9e9e7f3ae672,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b526773c-c205-412b-856f-da60844c4cf7,"4/16/2021, 9:31:03.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b00f8d3a-d7fd-4af8-b66a-72a6f12294af,"4/16/2021, 9:31:03.067 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,179d6394-15bc-4965-9083-611592d7ee99,"4/16/2021, 9:31:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e272afc-1e98-490a-b651-ad6db709e655,"4/16/2021, 9:31:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS 
SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,700653ca-5c41-4296-b337-8522e133878f,"4/16/2021, 9:31:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b99b26b7-d448-4370-95a5-c57f204bd674,"4/16/2021, 9:31:09.885 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3f12141-1382-4c11-8361-fe1dc4f9ea81,"4/16/2021, 9:31:09.885 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c9a85f1-80e3-44aa-b673-2da5f6d8a492,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cb9770c-772b-4c57-a531-f06a42a255a9,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\KEVIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a90ca108-2648-430a-8def-99a64e1b7625,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fed23cc9-36cd-4c24-951b-a4369af2f0ec,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d8cfbda-e98c-4efa-8e60-d3b7c816ce17,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdea8e84-a9bd-4894-bc0c-19258b76b0c3,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c69b3e8-8513-4b1b-a662-0d10c80b329d,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,380dd7fc-2d2d-47b6-9d62-b9279eed9280,"4/16/2021, 9:31:12.764 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9721bfe3-a0cb-41c0-a210-ae198bfdd011,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\GTTSPORTS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44ffbd49-d42f-47ea-9f43-d82bbaccf8af,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cd6fb5a-b94b-47eb-b06b-c6f6a2c1e314,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9cdda6-00bc-4b1c-b632-434b7f728a84,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7d89c16-fd5e-491e-9243-fb421c2da3bd,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cf0be55-9c33-4897-b8f7-7788e67fd2c0,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f9e47a9-7f8a-4f8d-b8fb-1d1154eeeaab,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75dd716f-ebd0-4bb1-8858-8828dff33afa,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\ORACLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1def9bb8-3908-4b89-9259-239a45a92e4b,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3479f164-3b9e-41f6-ab8c-c9a78f6558da,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2847ae93-be56-48a9-a38c-81f15235e959,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6e06398-8ae2-466c-850a-00634f354aa4,"4/16/2021, 
9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22819b57-b373-4abb-8cb4-588f84f0b723,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,769acfda-a22d-4985-b94e-6bedce4d378d,"4/16/2021, 9:31:12.764 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b9791f-e721-4277-8b07-9d871d21333b,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66c2833d-35d7-4e83-bbf7-3e109cf7028d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9c374b3-01f0-46ee-b093-a7be66364614,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12771a9-3d89-4920-b011-78dba77708c2,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0feffd19-1957-4774-b2fe-9d4e8446f1b2,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,349822d7-544a-4729-b934-d43caa72aff9,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,395f5445-d0ed-4d63-b36d-822ba5931ce0,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30193c0f-354e-4996-8324-5a090ca7632d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67234858-5301-414a-943c-46ad46dcfbd4,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c12ec80-3717-477e-b7c6-f8677ff3d53e,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2453ccb9-b589-40b8-8200-51f293dffff9,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac96ff6-f4aa-4fa8-9544-19e8dedd3464,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd91376a-e89b-44af-9538-c9c00405439c,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4896aad3-838e-4bc6-9a12-f832593aa650,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd077f3f-682f-4f6a-9ba5-0aecb299e363,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce715a6e-6d68-42d6-a4c7-2d8dffc43e2d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80dff4d-972e-49a8-ac3d-a3b0a23e286d,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d4d9357-8a72-48eb-9148-0ccc8f63ac18,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4d824d-8def-4c1f-825a-5eb6bb591d53,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcd6cfe-84c6-4b2e-9965-aea2883a1b66,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ab828af-5f16-4ed4-8b11-facf444df0dd,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82dcc8c-608c-47ab-80dc-d3ee42fba129,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f49cfc-5bc8-4c02-9b91-0b1b4bae4231,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\RDP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c79bd74-aa97-49c2-a04b-45b5bc22e64f,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14edbecb-acfb-4090-85a1-37328ca3bf6f,"4/16/2021, 9:31:18.144 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,428212a3-2595-43d1-9c37-1277047a2c66,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7c633b5-7c21-4fa6-b20e-cd4e881f1a69,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2716 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a7ace934-1342-4e52-94b9-ae46f5d32bce,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a3bd912-14fb-4553-89c5-0bd691ef2d6a,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,02d8139e-2051-4f4d-aea2-a28afdd4141e,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4076a238-f6de-4a94-b5bc-e04457f51d24,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b82cbea4-3ddd-4989-8750-80c5dac8b70e,"4/16/2021, 9:31:26.645 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9624 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d1a98f1-f103-44c4-8a9e-e34d50cbec48,"4/16/2021, 9:31:26.645 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,358e54fa-0966-482c-a3e3-94c83b09a552,"4/16/2021, 9:31:26.645 AM",,,,,,, +\TEST123,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a6baf04d-621b-496a-b489-9307cc9fe0e7,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93bd61b5-9d6d-48db-9eba-9936536439e3,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a01c05c-df64-4551-ba7d-50e56cf72486,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3232acae-05ee-4b20-bc0a-7b00bec3167f,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1ce02923-87a3-4f81-862d-812b4d462d6a,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\TESTING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15f7a2ad-6564-4dd2-87d6-5a6834f3ed1c,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9df4e6c3-80c2-4746-8e26-d602d46b1096,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c280147-3467-4552-b6da-7822679e7f33,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6120 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,20257f29-e759-4017-8049-595c7070b259,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0081ca02-2329-4bb5-a517-dc913addc68d,"4/16/2021, 9:31:26.412 AM",,,,,,, +\UTENTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,670e8be6-6deb-42ef-946c-b7db535f3abf,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8cac4724-db67-4513-87c0-80b6c2c1c428,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb1d3728-2a04-4cc9-8171-b93b257abab6,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e6a9ee6c-da47-4de0-ad61-5b3f8b29ac79,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6272 + 52 + %OSDRIVE%\WINDOWSAZURE\PACKAGES\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 45 + C:\WindowsAzure\Packages\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5720bd6d-0f39-4338-b95f-6fa7c2cb4007,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6cc340e-65ca-449f-827f-fbc097a026cc,"4/16/2021, 9:31:26.412 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4c46fc24-abc9-4baa-bdec-3867b801da8c,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +\ITADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dcb3ac47-b6fc-4afd-84fd-c37b382e92db,"4/16/2021, 9:31:26.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c69f2699-8427-4cd9-838b-1d146f267ff5,"4/16/2021, 9:31:26.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e82e235-eaa8-48c3-b576-51f39f8146fa,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\Windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76a8979e-b57a-4d69-b465-7c184ec582ba,"4/16/2021, 9:31:26.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9658e76-d14c-4643-ba64-df9b6d3b3138,"4/16/2021, 9:31:26.412 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aae07ce-d0ca-4616-a8f5-bcb88e6e9235,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05e74777-390c-4eab-a7c8-29e4e9780f25,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053163a0-dbcb-43d3-b912-52857c35b499,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f1d4b27-1aea-49e0-a61a-b2dd22030270,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a812768f-ef30-4664-b99f-090b3cd23215,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b9cb1fb-6693-407a-ac7c-a40f616b26ff,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ce057e-bf02-4818-9260-06a39bf8d7b9,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4ecc85-0a16-4095-9c8a-f5916762412f,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e687b0ec-0667-4b90-b604-d1fef2236ce3,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414aba70-74b4-4ae8-8f09-8539cfda70ae,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff54fd5a-780e-4568-9946-4a0f682d41fe,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39c27efb-e561-4abd-ad36-2972ffe6dbfb,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff95fe4f-a55a-4162-83c6-75e761346b27,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc79af41-9222-433d-8202-a316636f565e,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db730485-0594-4a6b-9e6d-accbecc6f066,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b1b260c-a31d-4b06-813f-7d39426d8809,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffee8c2d-e4b8-4e87-b5a7-ad03a04e6701,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46eaf6c6-72d2-4ae2-be85-42a9dce3fdc7,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6c525b-f1c4-4d6e-a1b8-0eaab4c8fd8a,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd929390-b676-4945-ad98-f16b67f40907,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1482d49-bffb-4092-b0c2-165198de4b4a,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c593a2-3bae-40a2-a811-eac8c25c2f38,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7092e5bc-ab33-4a13-a316-851e46f4d75b,"4/16/2021, 9:31:28.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3f0080e-05de-44a3-afca-2c183b66d189,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffee5728-c0cb-4918-a076-6ca17f58e5db,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2cd2e9b-68a2-45c8-b933-0fdbae616672,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a314589d-a616-4697-aa22-f2995f9e169c,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37cfa15f-c380-4fdc-8985-ad5b69f498c4,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6d3baf5-086a-42d3-9fd7-2e839bade2c6,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9f519b-f864-44ef-b374-3ec85f239f46,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2415496-c75d-4cce-bc46-466646c50aa4,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\MEDIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e28250b-1587-486f-971b-b0f31e52ae59,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f69f862a-7b78-4d34-91c7-77c72854f908,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\LIMITED,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51c1a619-b410-4829-bca7-ac30d1fe21d6,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03099462-749e-4605-88f8-825fda0cbf32,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50858b80-5af1-499d-ba93-de1c0c06dafd,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bc2dca6-f567-4cc4-b134-8862c1ef03b1,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ee21436-384f-4e2d-926e-b752e1299e44,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f291c49-4578-4aed-9c89-126eaf25cccc,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67265a94-69b8-4b75-8b39-8ea3d382ecc9,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a142ec8-2f80-4fce-8fec-9fcc8fdc5412,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2027afc6-84c9-44b9-97bb-fbfb9256ffbb,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7fdb435-6217-4a15-a985-80ff0a14d292,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41601a5b-0108-472f-9afb-7b2a8f2da4d3,"4/16/2021, 
9:31:28.763 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d982e6e-d84c-483c-b1e6-d55faa982442,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94c6e589-e2a3-43e4-bac6-24a137804f06,"4/16/2021, 9:31:28.763 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,533459f3-f4be-490a-a29b-2bc4a30dbe8e,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e0483df-14c4-4fd2-ab3b-8b1bd12667d8,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ae2262c-9382-4d21-9b99-870a6568aaf1,"4/16/2021, 9:31:36.088 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ad18c12-d9e5-4601-acff-f1b9cf71d156,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23ace130-6a81-4bad-9dcf-42cd7cf2e75e,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cca907c0-2c56-4a9d-ba94-79f2dab70c28,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4b71a63d-09f8-4b62-8cc2-47cda5ae7dee,"4/16/2021, 9:31:36.088 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9962c5e2-e5c2-4c09-8b73-9874d8c74dc3,"4/16/2021, 9:31:36.088 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d7ed01-0f08-45f6-8076-e57299505d0e,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b16206-e8db-472b-9466-59546d7cf60d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e74070-26db-40db-919d-0f5adbf40d03,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5135715-b11d-49f7-a5ee-09285f0eaec1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,bebc92d9-e0d9-43c6-9b38-9bed855b8831,"4/16/2021, 9:31:38.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5534a0-131a-4edd-ba33-eb0f453924a4,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3a6d9d-67b1-4d83-a1da-50d79fbbae17,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c95c3aae-f4e7-4c6d-883d-bee4ed8bf5b1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,243a5e2d-9457-4813-ad29-195e8859ca1b,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cae96ae-f74e-4471-a31c-2ed91dd80e3d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94aaef22-1693-4237-9f33-dfe41d7fe94d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9302b28-66dc-4cf6-824d-c4b2e301bff1,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,012f2c74-7c93-403f-9fe9-58f8c9bb71a9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9688911a-214d-4867-982a-f711251d7dd0,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771b64c6-5bf8-4d73-9809-305ac710e29d,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,304aa6dd-adad-4165-9658-704b85715400,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19637028-8373-4545-8982-d9c780784343,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f29777a-31e8-43ed-a3bc-ba30c922a103,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd1376b8-60f6-4c3f-bba7-fd9c84096e23,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b5b6366-bc74-4ae7-8709-05ec7cdd5516,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3319f2-7741-440c-b78a-486692e388b9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,282ed092-7563-40a6-97ac-7bb751f53d2a,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc9b6f40-9368-4c39-adfc-33c89b492ba9,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,409941d1-0df4-4602-9c91-b4e912a2ab4f,"4/16/2021, 9:31:38.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f6c58ef-fdad-4c23-b9f3-047fd6fdee4e,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ac6c500-4e1f-45d3-a357-32ceba3c2764,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\OPERATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b218cfa-ece0-43dc-97e2-26b646275ac9,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5a2980d-29dc-40f3-8cbe-04ea36435479,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52fce6e9-accc-4c49-8f31-5fb339628f52,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93f294a7-882e-42d7-aaa2-53a065dc3c56,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,796f273b-cfe8-478a-a86e-c70167335710,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\XJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8efd5a3-566a-44cf-bfce-04c45c2672ab,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d89f6899-b6cd-4116-ab56-58def68b1591,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88d61b54-84a1-42ef-8f07-7741fc8491f7,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9293eb35-7edc-401b-9674-7b0c4d82104f,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55f2463e-dacb-4e72-b680-aad02cbfabeb,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,685a993f-2a40-417f-855a-72d1f926af72,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027ce62d-e630-4978-a89d-f82f059ed349,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c84b505c-b590-4018-8a75-ce582726e2d4,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed016ea0-42f0-42b2-ae65-195124d0ade5,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, 
+\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1469932-ea9d-4edc-ad26-b48ae4a82330,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10a35ec9-bdb1-48cd-b1ce-cc351e8cef44,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a7dc71-c4b5-4679-9082-22bbcdc0613a,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0971eae-873e-4436-8cfe-49433d2e0eb1,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7429ecb5-fc37-4a1b-9f47-63885130034f,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a00147f-3186-4203-bce6-82c460fcad7c,"4/16/2021, 9:31:42.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,699012d7-082c-4afa-8880-733a92e89743,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71f30dc6-7248-4cc9-bc7d-82f512584a6a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a90ee6-1c1b-4c73-8d14-8943ef70cf6d,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58cc38d-35e6-4e4d-9ac1-e84a3e7621e3,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7a5eb0-eb01-4172-b6a3-495508113118,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8bb1cd-79ec-4a93-a65f-49e98e77988c,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3db4c08-1fb0-49c5-a1ea-8afce12ce198,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89150223-8a95-4f0c-b1f7-2ff9ea4c850d,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0457e3c0-bc90-4456-828d-35b2e7a3f38a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f757e955-da76-4620-b95b-5ceb0bbbffd3,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d97869d-7a64-4dcd-8c0f-eac581f82d35,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b50bdc8-5293-4caf-9e44-0723b0cf347c,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38d4d35-8989-4e72-a174-5deddaf4c656,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d57a27cc-0407-44db-bb66-90038c4ea2da,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03e20a0-363d-403a-8a39-8a42ddb7b73a,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a422087-ab7d-44fd-9bb4-c10938ec7214,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84a2dc0f-73c6-4fbb-ae9b-55c9af5768b2,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a807a0ba-2832-4901-9217-8cf5c14b65aa,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7786edf9-6aa1-46ca-9711-d2ea79f29b5e,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80dce79-f4a0-4497-9084-af5c644c2e45,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,085f5875-6e4a-4c92-b86f-3a330559389f,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d702831-40e7-49e7-8ec7-ffa015cbf5e7,"4/16/2021, 9:31:46.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2252 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0a4d5011-15e5-466a-a74f-e54c6b1174dd,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) 
+ S-1-5-18 + 3308 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1ce6773-3231-4ad7-a66e-a8253965e529,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b194c271-9885-4283-a90a-4cef7bc0ccd6,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf43b7e0-eea9-402a-a105-624c718d2dbf,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ce2a5b88-696d-414b-8049-c59b27e4cf0e,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b358ebe0-e900-44f2-9ba6-52b5e31a40eb,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 
31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6e566e19-b073-4eb9-9c32-a7ab3035ff98,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b2614903-c470-45e0-bd0d-83d187cb4507,"4/16/2021, 9:31:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,96d12a17-8551-424b-9f66-bf4431d84a53,"4/16/2021, 9:31:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,36d5d3f2-8e4c-4b2f-9934-9859529fee3d,"4/16/2021, 9:31:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,72c3a317-6368-431d-99a9-7625d39bf4b6,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5816 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,147dd9ad-cbf0-43a1-b603-8aba41bc696a,"4/16/2021, 9:31:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8b6e4198-e220-4f3a-a15b-1f6f607ce779,"4/16/2021, 9:31:50.276 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,452a38e4-78b1-4ef8-bf11-3914595bea64,"4/16/2021, 9:31:50.276 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf09aa68-65d3-4061-bbd3-3a40763efa4f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,583b26a9-e5f1-4020-9253-b5bbf44e39b0,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dabdc879-dc1c-478b-a20c-c42276df7f0a,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaff4f30-44a0-43c5-b848-fb922cb7d808,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07cb6cf0-e5bc-4570-99ad-8c04fc8b1b6e,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,911e9804-7fd7-4391-a02a-58bf055c9889,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,082500ae-b2a8-450e-9a34-8757fd43f486,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d53b718d-a71f-4914-af28-5463569b3633,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc4c2d49-879d-4e67-bb49-78da2548dce2,"4/16/2021, 
9:31:59.765 AM",,,,,NTLM,, +\ANGELA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45e94b44-8daa-462b-834a-ed057880b222,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5918d22f-c458-4a7c-963d-2b2948970c2e,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3bb7d34-62a4-49e1-a64d-c035367ea473,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89bf7664-fe83-4e7d-9a34-ecda350b235b,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07c1959a-d0b6-42f6-98ce-2a2ec1d66a3e,"4/16/2021, 9:31:59.765 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e4e3366-b981-4251-8b67-2795085b437c,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba31972e-0d93-4444-8225-7efa406e5f9d,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8a8c1ae-b148-40b5-81a2-f42383e068f1,"4/16/2021, 9:31:59.765 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b32b577-239f-4735-9f5a-7ac70a9ac982,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52f8ff1-4522-4954-84ad-71e098c56b39,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdee2413-29dd-4b68-b4a3-3ce009c5eb6f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bf3940c-6964-4ab2-b3ac-4d8530a7498f,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5297e9e-142e-4f9f-b419-42bff5643327,"4/16/2021, 9:31:59.765 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15624397-722b-48e5-9045-b34e5f648fd9,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef5c35c-2e74-42af-8e5d-aaa485fc2d40,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,478690a4-1c96-4e6f-aac0-54f295450f6f,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66f81ef0-5db8-43b7-b811-5d54e37d3e1a,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d0bf38-08fe-4ba9-ba5f-369e39aac48a,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c552627-238e-46c4-b6d7-06b2197d24fd,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,598162a3-0b51-4697-a3be-aed4f7a20bb5,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a8978d-986a-46ad-b715-eda1c05309d0,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c44ef16-6a0f-44fe-a8e3-cb7005a445eb,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,482a7cc0-a18d-4fca-a79e-e99122400caa,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c15fe5e-7eee-4283-a472-ff5cf390eb76,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5628bcf2-264a-49e7-8348-338a508b1d58,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\AAA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da2e6189-154f-498a-a33d-dcc987fc52ef,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1951652-afba-4dcf-a256-604dfe2210c4,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe570712-7c6b-42a1-973f-23432ba13f6e,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d03b33f-b326-4ea8-83bf-b72636f380df,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c4d4b9f-27e3-4bea-859c-91433f9e252e,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,523bd884-93b7-4346-afbc-aedc1fc92da1,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a2c7a9-c905-42ad-b560-ee696e42b781,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a78591-2eea-4b5b-8c3a-70363b298028,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15faef56-ec1f-423d-bec9-b46d5089204c,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea314fb6-c598-4f20-b144-43c795d89faa,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b209976-cf96-45a4-a635-1cec756b96c4,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a9c0922-bccf-4011-9417-b86faf2b3867,"4/16/2021, 9:31:59.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9684 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b6c3b6c-e478-4785-8080-9684d26f80e6,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15216 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,65bebe03-0280-4f81-8b64-9d9e1dca7181,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7276 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,353078e6-3b1d-4fe2-958d-cb42933ddfcd,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e1a6e82f-e99c-4f0c-af03-aa8c65d78952,"4/16/2021, 9:31:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4612 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\330\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\330\pmfexe.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de77105d-e114-4c67-b02f-e6953138400e,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a5073e4f-03d3-434b-b585-c5bfc6ff0424,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e2097b30-1439-4af0-abb4-d44ed4449119,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8ed6fd98-7ed5-4829-894e-0641ab13e183,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4660 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18e9e419-207a-46a2-9709-4aed40124df2,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,352fc978-4317-480e-b0ea-94aaf31e8e85,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5740 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,06fda63e-2dc9-438b-904a-ebdcf78b3d1a,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3680 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,54355f9b-83e6-4efe-8c98-9afdb2e505d7,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3692 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,478c33aa-c3c2-41a9-b22b-8bc2f06ee74a,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f779de95-3363-47bc-9a4a-72fbb8e10156,"4/16/2021, 9:32:05.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,be70600b-4173-49c6-9223-7058e77a7ca4,"4/16/2021, 9:32:05.896 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ca2e9e35-172c-4cf3-a450-1f7efb1bc08e,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf25fca0-5fd0-482b-8130-134a8a2f6742,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1e46e04-e664-4d3f-9563-cc59ebfb66bc,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,805484fe-cc9e-4e8c-a335-1bfa807ee256,"4/16/2021, 9:32:05.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a78c1f5-7647-4f91-91e1-c7ee9802c382,"4/16/2021, 9:32:05.896 AM",,,,,,, 
+,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9f70b9ee-04fe-4997-9e5b-a2b11d1c174a,"4/16/2021, 9:32:05.896 AM",,,,,,, +\CAMERAS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a9fd30a-ae63-4e57-b484-a065e51d7fce,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83fe7795-c26f-4ed9-9188-a39ece08a304,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\PONTO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ead00cf-9863-40b3-adba-2ade1821c284,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\RDP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca46196a-060e-4d7c-9985-2643f00519d1,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\SANDRA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d72b5fb0-0d73-4d60-b085-7fab6c462e3c,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3a8c1d4b-b8f2-49e1-ab7f-63d89c6c3372,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, +\VIDEO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,821da723-ff73-483c-a090-7ae3763f1d11,"4/16/2021, 9:32:04.406 AM",,,,,NTLM,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,dfb0b7c0-a474-456c-865d-97e03aeb3370,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1935b4c9-a52d-411f-825b-28096773137b,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dfe1e703-838a-4fa3-8737-f6bdff67ecf6,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0e5a4eb7-1a44-4bfa-8a8a-c6123f5865f1,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0450c75a-404b-44fd-919f-76051448f127,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68f5b5c6-b75e-45eb-b0a8-d474e5507a43,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc7f9136-f00a-4b42-b560-8668a109f8fd,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,afd7a040-c670-414c-85b2-bc7234a9a30f,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d54eb91-ae86-4123-a501-59366e4127bc,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,796b7d9a-098d-40d9-a3c3-b3741f69c22a,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54843e01-f736-4c58-bd24-f138fc39bf6d,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + UNKNOWN + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\bb1a46eca1f0af0f21a0f9b0c8a6d6b7_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7b6b16d-2c35-4844-9441-704c1d8074c1,"4/16/2021, 9:32:08.281 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff4177d1-5886-4d79-a9d1-6909c08055ba,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7649283a-f819-4dcf-9f13-ab91ed0db273,"4/16/2021, 9:32:08.281 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 31876 + 
2021-04-14T16:00:03.789305300Z + Microsoft Software Key Storage Provider + RSA + 35f63034-6119-4cd2-853d-c4e5105c8365 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4a1c0f92-b57a-4502-8ff8-7f4b3eb8b9a9,"4/16/2021, 9:32:08.281 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e30f133-4776-4a7d-8ee9-2492a10d2e70,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8affea-4a80-4180-80f9-cd481e32d930,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de62bdb4-3d2f-44e2-98cf-4aa08ea3f5fe,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f0cfb95-aaee-4bcf-976e-2791894e72ed,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04007b75-a668-48be-b491-bfc7129c3b03,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42abe27-02e7-4c90-a452-5e035cd67b81,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ee270e-55ef-4678-a6bf-9c0756fc16a1,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c04f15a-1496-48a1-9d9f-e40b455fd246,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e641d48-8ff7-403d-9229-b8e3a14b6ee8,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd28e8d-4191-4151-87f8-4aa908257850,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033f55e7-4f1e-45aa-b591-e3d2cbe2ad9f,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eae227d-6904-4c2a-abb2-2a499ecac3cd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba6e268-c06f-4968-addd-afb88572230c,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98453a0d-40db-46de-aedd-803a92156668,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26d1b5b0-1323-4b9e-8f9a-00b5b43927b5,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402541a8-688c-49e6-b70e-b520be3dbacd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bc20dc-f2fe-4aad-8b0d-2b5aa1a253d6,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e845e757-f74d-4d9a-95c5-cca374dff87e,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d2b9f2-b2f5-42f0-8400-ff10922f1ad9,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac45b385-933c-4243-aeb0-df813e277dd5,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed65a2bf-d9d3-4740-9e25-81a6f3098682,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8164ce3-9f04-4b23-89b8-e6bcd3f73afd,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b812219-f87b-4a2e-8f55-89ed5e837f26,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b1fc11-674e-4cb7-9610-d3a59ce6c351,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd73d2b4-d5f4-4e7b-8d11-61780bb7ecd2,"4/16/2021, 9:32:11.141 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe4e5814-16f2-437b-b130-83d97ab7f492,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3870942-a9b4-4f3e-9596-d91a6a3dca70,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dd65595-2bca-4eb4-9723-c181785ff3d7,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8206465d-8abc-49ac-a4c0-0ccb1070279b,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f347b737-366e-492f-89fb-2318ef637838,"4/16/2021, 9:32:14.753 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d380249f-bc56-4dd1-bfed-dc83ebdf3205,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e6c095a-c91f-4374-a895-1779b80aab53,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\TJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d354b25-94d8-41b0-b09e-7a07aa5b92bb,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcd3905e-4156-48dd-b7f4-a6d7fd482408,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ab1555-267c-4e1d-a72a-93688cdf5341,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,827e4a6a-820d-4d3c-a273-63041dcbb87f,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7bcddc0-b16c-44cb-b325-52edc89099c1,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,019e986c-da8c-4c5d-868a-5bf1a4afd7b6,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd31e2ad-376d-4b03-9e77-48a410915d77,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,068edccb-ae4e-4c1a-a515-17696e469979,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67768644-d89e-4b7a-8608-f1c982173146,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1036d21b-80c7-4964-81c8-b9b14a86d80e,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1aa0ff-ffdd-4c41-9f50-3b9bf99b4c4b,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6dc2273-45fb-4d44-a01b-bc677bdfb4fd,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ACCOUNTING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5db7e4a-dee9-4054-80c4-94881d0ade4a,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1f063f2-ea4a-48d0-a9a0-fd6e7980f86f,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42081583-a072-4314-aae0-bbc0b0267b73,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0bdce1b-60d2-46d1-a15d-44598fef6a58,"4/16/2021, 
9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96046fab-5f6d-4a9b-917e-c8543daad79d,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a75eb1a-6eb6-4209-9af6-9a99f65ac2f2,"4/16/2021, 9:32:14.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75030502-2d40-4d88-a98e-ca36aa555cd2,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,581ab9c2-40ee-4a85-87d8-b163e91bf879,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c70914f7-6dea-455f-9a72-a882129aed1e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d86bfb-e447-4459-b3cc-3e439efe83ee,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984218fa-15d4-4afe-8eda-048309adf24a,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b50b4034-0063-4b44-916e-8ac8fc412915,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97dd1cac-38e7-4012-886e-7a29fe64b8c1,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e3a93fa-7fcd-461f-ae5b-baacd270efaf,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a16364c-dc34-4dcd-b89b-4f8b012b0d53,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b01527ed-3181-4d76-851b-466d3d4ed0c7,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,995402f9-8a04-488a-ba1b-2138bc8f7fb3,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691a2178-6419-4793-b5fb-d47c3b367134,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e067ac8a-959a-4d44-a6a2-a4c9cf89f80e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,549980b7-a133-4bef-8b42-8a9928f5a7bc,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ce3f06c-4494-4e82-be07-b08f6009611d,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eb31824-f45d-4471-b354-4e9369e76af8,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914bb242-1c28-477e-a431-e82194ccd90b,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0e0939-20b3-49d1-9559-f1a952d50c2e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e0f73dd-45f7-4b6a-902b-cdf341f7ab9d,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2b65802-2421-4f87-857a-8711637b7ed5,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a76b79b-c447-4431-b95b-224d34cba9c1,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e1877b-9187-4394-bcc4-bf141cf35484,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3b8bf4-d9da-44cc-bcc9-ffd72fba9a5e,"4/16/2021, 9:32:16.139 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,75f9e12f-ef3a-4dfd-a21b-9ade338f052c,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10592 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0fb417f8-0269-41f1-9b41-39c628f32daa,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1f091ddc-5a5a-44b7-bb8b-0e82b96f89ee,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,663c0bf8-21d3-4e28-bb01-7e679a2f2094,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7912 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a971b169-07dc-493e-99cf-e42fe1579f5a,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3084 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,630f0f8b-ab48-452e-97d6-be68e1e882b8,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a393ea3b-28a4-4e9c-aa4f-f426e644c02e,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,765f9f9b-c880-4e39-bea0-648e5e445875,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,34742d31-84bf-4988-a0be-2b3eaf22ae33,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1bdc30a9-8765-4879-be35-424916f8189f,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9e66245-2f4f-4d0c-a63d-ee7d038b0551,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b751d72-b208-4e2d-9e31-ceda01b3a21d,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd665dbc-c674-4e1f-8ede-c978fb219610,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3902d68f-c896-4a73-a40f-96f1e7b83819,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b61b7fbb-8f97-40ee-aadd-b781020be008,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed52f7b0-c8d3-4d7a-818b-14e431559278,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5b97b0d0-ab8f-4684-963b-49a9bc5decca,"4/16/2021, 
9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a9f8d7d-5c8e-48bf-a231-d24b96262102,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb4dc4ff-785c-43b7-911b-23634a7f397e,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2681ccb2-241d-443c-9ac2-38b101fc9c2f,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9260ccd3-4fdb-45f6-910f-a76544b82b95,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,03f31966-2475-4896-bd57-2422ff9ab79e,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5a3e3cad-cc1f-4d6a-90c4-b236fc9bdb8d,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1de8f97b-12f7-4867-bc6b-700606ff2dbd,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4335e9c-c56d-42f7-86a1-8041583d45d3,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8225c970-16dd-4d9c-9b17-97cdeca43e1c,"4/16/2021, 9:32:21.655 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4783961b-4225-485d-b27e-a1f17bb4bc40,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdd71513-c393-4e79-9762-fb8503ae482c,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d20100ca-a316-4ae5-a165-00c5a28e6dd5,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ac5d8e5-69e9-49f6-ad18-2518b6155bd7,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4afba10e-a4cd-4d83-8eee-fc93f7bb1f88,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b358485c-fe63-4bd2-91d0-a14bafca938d,"4/16/2021, 9:32:21.655 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37cb0045-d242-4e5f-8827-031cf3f6b076,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdbb81c3-505f-4fd6-9ed2-0fe7396c2ad8,"4/16/2021, 9:32:21.655 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,968de064-b83c-4f49-8fba-78fc00321f52,"4/16/2021, 9:32:21.655 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6457d3f2-9f47-4aa9-8d0e-8f263cc59dbc,"4/16/2021, 9:32:21.655 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fcfcda53-49d5-495f-8ba0-a3b9a8a9fedc,"4/16/2021, 9:32:21.655 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d5ebc5-0309-49fc-a3ed-c9a299d3b165,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a86cf592-d1d8-4d25-a276-4d87097b5754,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd86b90d-f3db-44aa-ac29-bba8951a887d,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d63505-3ceb-474a-8910-7133cfaa82a4,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ad5087-f626-44a5-8a02-507bb210b272,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7140eab-333f-4db8-bbc4-62dfc3e6db79,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe49cea2-a01d-4fac-a913-faa69da1e6f1,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de5748f-23bd-4481-aefa-31ff6561f60e,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2954b0eb-e53f-4d1c-9fc9-6202656b39df,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4e927c6-e5eb-4203-98b9-bdaa5a930321,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96fbce07-ada5-48bc-bcde-66d70ead3db2,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b70acc38-aebc-477f-9a9f-eb4c0e2f5606,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a48e551f-52b2-4bf0-a7d8-b6724e477b7b,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a069020a-eb2b-4a2f-8205-59c999509c00,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,562e7ef7-0703-4d74-8ea9-456b769ddd84,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22c014cc-3010-4fa3-b366-4fe32a706b76,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ef70fb-e849-43f0-aef2-95ade9219b77,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2731be7-2c38-4a20-abad-fadfac4122ce,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5135f2-bdb8-45c9-b63c-53ae967d4676,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed0cfbc8-cb01-4275-b2f9-81dbfbec0be6,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a88899-c102-4740-8871-c92840aea211,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875d5ab2-9b6d-4c55-afb8-0c803bfcee17,"4/16/2021, 9:32:30.135 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5daf8cf9-2dda-422e-b207-4cd2dbdb8db4,"4/16/2021, 
9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2d3c732-e219-4a06-9081-3ed417176e8f,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b985337-491f-48c9-a268-a612e2bcf34e,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb58969b-8b46-44b1-90d1-3440e59e0976,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6979c82f-3d10-4757-aee4-046fadfbd81e,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e288fef-32df-4e04-8046-506ff39ffd9d,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a92c4791-0c44-41fe-8f5c-6b0bb8ce3fe2,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\MARK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b7b1f28-5421-4c2c-bcb4-5233ce4dd291,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1d8239b-c75c-41ab-b381-663a2287cc09,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533e35d6-657e-4bc5-b082-76663a502257,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,061a31e3-e3d7-42d5-9a54-6d9036a49b7a,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f24950c2-e818-4906-992d-6a3c2d4e8856,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,400f5166-c36b-42c2-8d27-0af0168964f7,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,150f1ca7-430e-43d1-ae83-50e39f7fe6b4,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc1034e4-1d27-4a10-8464-f711832e261d,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2362c07e-91cc-4c2e-a9a5-fcbf2a63f4d8,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cda6327-ef0d-48a3-89f6-6a052907865b,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0ff7cb-c3a4-4270-be4a-9e7b2d10740f,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53edc279-cd46-4047-bb5b-39f557d529b8,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e368ba79-03d8-4109-9fc9-4a20f4f7f660,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b309c9f1-e565-40f7-bdc7-f8a57006ccf3,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d85ce31-10cd-48a6-844d-d6e3a125c163,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7f91311-18e3-47c5-9dab-6a824de150f4,"4/16/2021, 9:32:31.776 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c07ba830-7636-4205-8922-10f92a21e9a5,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff4fe25-d011-4f6c-8c70-6bb475144722,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e4c19f-041a-4037-a1dc-f0d933d4bc80,"4/16/2021, 
9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26bc71dc-ba2a-456e-bed7-cf6ac5a50a02,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca7d4d6-6907-4808-9be7-699861a7e571,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,749744ca-ad3d-418d-a253-0fce3bc2a9f6,"4/16/2021, 9:32:38.145 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d548d1bc-efdb-4b63-a595-5e316d4499e9,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423b94a4-20c9-486a-b020-326b874f1029,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0a8c363-274f-4cf9-88d1-f779d7fe7a24,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b67ed26c-73ea-400b-8086-09be6bade4c3,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,661f1330-bca7-461d-8057-4e89532d9d5f,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76d209a-acbc-427e-8ded-3634a21745e8,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aae14c0-7842-4f6a-ab30-5529df08b925,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93498e8c-f12c-41fd-8581-8c49691dff05,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f84802d-1a0b-42cb-95de-7d04d92e9af0,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,046e0ebe-b739-44dc-bb82-f64ab4112ee3,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061967bc-79be-4fce-ad79-5042652ca83d,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7053a8c7-16b2-4f39-a4bd-4ff91bc20e69,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06e125c-8cb9-4b2b-97f8-5dc3501d23dc,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,793b5d61-1655-4c76-a2e2-d4e43c981083,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa0d4962-81cf-4127-9c0e-18946d07d359,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a89a79a-a721-4a4c-a189-5e20cb39af89,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8febd5c-3845-4903-8fa0-3bc928295ad0,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6fc4c2-7542-47d9-b891-abecc649e5c5,"4/16/2021, 9:32:38.145 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6941f787-9dbb-47a1-9e07-3777196aa731,"4/16/2021, 9:32:41.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ab133d0-fd42-4743-8a84-bb806bf2f7b4,"4/16/2021, 9:32:41.413 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12feccd4-8edb-404a-8bfa-861974eb2c66,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7640a5b1-f492-4481-81b1-74d4ce9d1462,"4/16/2021, 9:32:41.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a63f49b5-b61b-4439-b9e9-1786a0b9ec84,"4/16/2021, 9:32:41.413 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e4e9bd29-b661-468d-8e0f-593807fa2c28,"4/16/2021, 9:32:41.413 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4655114a-e2b9-425c-bb3d-580d5666050c,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\PC1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c843f36-84db-4aa1-a4b6-c7778823e7e2,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\TUSER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95b74469-7b50-4699-a218-963d58b74b13,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,276b690a-50f3-458a-8e0c-1ece9e541a53,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\OBQ,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6369cf4b-3703-42b6-9d15-6578e11a8c48,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +\PRAKTIKANT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0add7c9b-842e-4e83-973b-e85aed5168de,"4/16/2021, 9:32:41.413 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,29a7ad55-cfcd-474e-a4db-a9fb68c35100,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572ddcde-f201-4398-8f24-bcea92cf2a7c,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d548b0c5-c947-40b9-974b-e91903f8aaf9,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5bc2ee50-1819-4974-945a-6cf6e4c39f4a,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,707bf8cb-1768-407c-85a9-3bf028097e2e,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5411df3d-1a9f-443b-b720-60d659a46b1f,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 
0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13a08ff6-cca2-4620-a29f-f7456f34415c,"4/16/2021, 9:32:43.114 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d7a1546-3557-4f89-aebc-2cf4738a1cd8,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1c5bcdb9-f151-4b20-8d51-db684f6b6a72,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,32492ec3-3092-4322-890d-4326db7787ee,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cc26750c-0bc7-41cb-8ec6-c68f5a4e2efd,"4/16/2021, 9:32:43.114 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c685d2d7-1455-4f82-8ac1-44371982930b,"4/16/2021, 9:32:43.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c39015aa-fe85-4250-b662-16afa54cdb8a,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e15d3a42-92c5-4597-84ea-7de1d10d010e,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858b2e9b-e33b-4c92-9564-038ff43890f9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb44c996-f4b8-4321-a9b7-ec88df56d53a,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ddd888-46bb-4555-90a9-cb401cc16122,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35e5764f-dc12-4686-b073-65adac5b7939,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd63e633-9aba-4aca-86ef-ec0d2add5dd8,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a8ff79d-0b6d-4b70-95ac-dc53d09cf6af,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c654224b-80bd-4581-b963-a7591a574bfa,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca152ebc-106a-4ef9-8ffb-7209d9bf3d59,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,807b5781-ecd0-4a65-b97c-d4eed09fbec9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,655e41c9-34c9-4fd2-b3a0-32a179176b8c,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c25f20b4-d135-458e-bb29-aaaafd7d24f0,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9818aaa6-c827-4b67-8c2e-18ac29b81af9,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cb65fc-45fc-45b4-a9ea-c491142678d0,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,913f7154-319d-4c74-bd7d-c4031a95cf1f,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea69c435-49ac-40fe-a0af-00406d85cd04,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c082fa1-9c84-4bdf-ad3b-2d969dfb3da3,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6901d7c-73f2-4698-b69e-6aa2af30a2c2,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bd25b36-6563-4ef3-a0fc-b8b53cbc1620,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\TEST1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e6cef6-5e06-497d-94eb-6328e4862152,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5435434-32c5-4ffb-843d-2e28e9738464,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3070704-7ae7-4ca7-8732-2cc59c773231,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdbff877-184e-4e6f-b6a2-9cecb2c29c12,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5ebe68b-aa60-4dbe-bb9d-4139649d0e42,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098a4ad6-b4d6-493c-9835-39d94dc984e6,"4/16/2021, 9:32:48.140 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,56d1f7a3-c44e-42f2-9f33-0c876a17712d,"4/16/2021, 9:32:49.306 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,54761803-f894-4752-b579-ee33fee1ef9b,"4/16/2021, 9:32:49.306 AM",,,,,,, +\SMART,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf08a702-36de-4140-b6d3-f90554e78e9f,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,547c2049-7503-4832-aac3-b145aab10271,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fb9719f-222e-45a5-be2a-0a6ac69dc48e,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46fde760-00dd-461e-bf6e-efe2d66abdc6,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2745c0cd-6cc3-44b0-962a-ae7f0a0dfdf1,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dc24c40-b449-4601-ba48-28eedbcd7f77,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e04ca6-5375-4363-a85f-77bb9f52c4b1,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b87fe8a0-21e2-4692-a251-2fa42d3f1470,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc48e10e-6089-4de7-9712-3c86c1900007,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfec6632-22da-44a2-9af8-71e1b12cefb5,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6e37437-a2e7-4085-89aa-68c016015237,"4/16/2021, 9:32:48.796 
AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fb0a436-1b9e-478d-8b85-9c1d92eb15b9,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8915e87-4fb0-422c-b1f7-5b7cb952ee91,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d02b52d1-7014-42c9-99a2-d61790e73867,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\SCANUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30dd0292-1470-4e2c-a016-e7f62610bf67,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd141d91-2333-4b72-919a-f7f6648faaa6,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17731223-aa27-42c8-82c3-d6261e1842a5,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6edc385f-9e2b-440d-ba92-bc86a889d8d0,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,425a72f5-5bc7-4c2f-b186-c758c0e999c9,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d011ad8-c00f-4a96-9620-0195c2750c3a,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\STUDENT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0819979a-9602-4d66-a919-64b1bcd32141,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f8be24-7978-4855-b69d-312200d8bb58,"4/16/2021, 9:32:48.796 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1041abd1-14c2-45f3-9c84-eb4b1bd413a0,"4/16/2021, 9:32:52.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A 
process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ffd4aca2-880d-421b-9188-6168d6031957,"4/16/2021, 9:32:52.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b9983c65-7beb-4be9-82b8-20822a0bf53e,"4/16/2021, 9:32:52.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,509fd3e0-8638-415f-b0d0-8c18ffdcdb22,"4/16/2021, 9:32:52.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1550df7c-cccc-413b-805d-6d4b1010dd45,"4/16/2021, 9:32:52.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d3e9e951-361b-4d13-b2ec-3eac26ee1e3d,"4/16/2021, 9:32:52.725 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da39c4e9-1014-4b3a-869f-1598b03c61c8,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f21d35-ca73-484f-bafd-9f8070c62152,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51603d9d-5dbe-47ad-9af4-31efbc9de9cf,"4/16/2021, 
9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,107a9d13-93d5-4c2b-89c0-cd76b333b031,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,548263c5-29dd-403d-b821-61c494c566eb,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b2a09ca-e4f1-4c36-98ac-d4ec9363cdab,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6416e985-2494-42d3-a901-f826c599cb61,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8913bff2-b048-4122-8e75-aa33fba180f9,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70a8de5-0cac-4167-a566-75e632e14da3,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd526693-56b7-444d-bc06-c3c518f930d4,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2907053c-52b8-4f5b-a6e8-e2b735d82e1a,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, 
+\CAO1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7663dbeb-0f56-484f-afb5-ce56bff34b63,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b397c615-4e64-4aac-944d-65668825dec5,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f18832-9b6e-4087-80e4-d6421e921276,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419c751e-f332-4593-84ba-01ca77867489,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99429c33-909c-4445-82aa-a02635552b86,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3511587e-934e-4a32-96c2-492dc8460637,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\XJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d61dbf-303c-4582-a9a9-d2ef8877227a,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59331540-8677-499a-b3a9-ba332ae9334d,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f06be9-076d-417d-afa5-70630c2b12ac,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d5c96a-3c50-4549-9f9f-246a0390559c,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7494eea5-2d44-438d-990b-f6dd4868bbf0,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975c13da-9de9-4d30-aecb-969894366cda,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46ab8fca-4cb7-4238-93ee-db8cc9f46081,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d28b14e-331b-47c6-89b4-a8281534331e,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5feaba14-cc03-44d6-a506-57524deb83ad,"4/16/2021, 9:32:54.165 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e05ed18-ca52-4724-b8bc-d90035146c3d,"4/16/2021, 9:32:57.019 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f1e239f-d93b-4df4-afa2-dfa46d472a34,"4/16/2021, 9:32:57.019 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aa1adc5-b161-432f-aa2e-b34607a8f8bb,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c22eae83-d678-40e4-904d-3a3274551d23,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a7f9a5-b9f0-4f23-9edd-7dd26cb8749f,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da612b30-f0b6-4e51-b052-846305aa956e,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b2dc92-74ad-4dae-80f0-d7c41bf6134b,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fdacb34-a5f1-4db9-a32e-09648e68f26b,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ebd0f39-d29d-4269-94c1-0bc28e8f0039,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1784eeb-6dfb-4f2e-a60b-506afa219f06,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed11e6aa-313c-4c57-8446-78c7bacfb369,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61838f04-32f1-42ad-87f4-572ca9d1bedb,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,407f0c9d-9653-4ade-bcce-4ec0a43b6e87,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ce0b52-a4db-4917-8c77-b706da575a04,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4086056a-92bd-4741-8c77-b7b6f69433b7,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e568e5a9-7b6f-4d13-bb54-736bc4b0c49a,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cee93e2-d90e-4110-ae44-60498ed210e2,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb88c15f-2b47-4230-93ee-51a5cec2730c,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a0eed18-facb-43af-88cf-ed3f6b96a070,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc31c67-f6b3-4bb6-85a1-1e29c841c324,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693fc492-9687-42b3-9105-91c343376e83,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab56ecc-71bb-48f8-b626-26aa79730002,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,175ba6a3-5321-4fcb-84ca-971a6962885e,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9228c7a2-7752-4652-814c-c58f262033f0,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9212fc98-782e-4495-b88c-107fbf033de5,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a496b6a1-0f88-46b8-b890-765f99ecfbae,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,378568ac-5a7b-4ec2-ba18-b31e23f649ee,"4/16/2021, 9:32:59.140 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,852fc7d4-f6a2-4d26-97c3-290c87fb601f,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e36a08c-b736-4b33-8184-14f1023dc2cb,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e54a720-fc0f-450e-b157-aeb6e6a2c8fd,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af47d9c8-699b-41d3-a0f9-ae4d998d1c6a,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5790d879-a3b9-4c03-b169-9852c0d27be6,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abbe30d5-8594-4311-ad18-78a61c749480,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ba4b14-dc7e-4b12-b2fb-9200d6f0c92e,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\FINANCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae070f93-7e7b-4e71-9a65-b60ba6321f9e,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b230016d-5d31-430d-bfc3-e01b70cce792,"4/16/2021, 9:33:03.767 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cd2be89-663c-4f42-98bf-609474446f9c,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\OBQ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf57dca4-3297-415e-ba90-a24203d70a65,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32e9f9a9-5038-428a-a168-1220fff82d2a,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc5c8196-979a-4d6b-a8b6-d12144b99a98,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd85e3a5-7ffc-4b40-a19e-bdd9e79ee2b6,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46f5d283-8e90-44b7-bfec-7d5947704a2b,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,442f6080-ae6d-4195-939f-3f9925e10e08,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc77df39-2b2e-4f41-99b8-d89bf3e8f8ec,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5508f3cb-aef3-4202-a2e9-306102847724,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f25c1b9-68f5-4b88-9064-c198e4e4ca1b,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98127f55-354b-4e79-8de9-1792f68371f3,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98aa97e2-7a2f-4e18-9c25-f15d84235d24,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf843e3e-61c7-47b7-ae52-add5a6c9e0cf,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4410fcd4-7661-4c33-974a-04b979618f7b,"4/16/2021, 9:33:03.767 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10937e25-befc-465c-bb96-ad5eaa61fe3d,"4/16/2021, 9:33:03.767 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05346356-4f9c-4878-a999-d47a61f1134d,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ede273e1-6aa0-4831-802d-cf2abe5236b5,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,93973a35-3df3-43ad-8a3b-63b9ab4ce6eb,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 464 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84ba234b-9e07-4ba5-a047-058029652886,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6004 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1eb7443-b791-4674-a9c0-eeba36d42d9b,"4/16/2021, 9:33:07.889 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1d90703e-59dc-4a01-b1ec-e7288ba40791,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a82f70a9-00a6-402c-9da7-5ae7a0a81aab,"4/16/2021, 9:33:07.889 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7151750e-13cf-4d8e-9d40-16d00cd88107,"4/16/2021, 9:33:07.889 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,004a1ee9-eb36-4e4a-8db6-1dce13aec451,"4/16/2021, 9:33:07.889 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f851e50-dc07-4a69-bc1d-8bd0d1d111c1,"4/16/2021, 9:33:13.648 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5486fcd-ea4e-4ef4-95fd-cf05ec3a3cfe,"4/16/2021, 9:33:13.648 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,a25a34d2-7cc5-4be4-abf8-9673d18e88a1,"4/16/2021, 9:33:13.648 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,fdadfb24-2b09-44a3-bbcf-938de57504eb,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,bee820ba-be3b-4833-9979-14b20d303fe4,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2302c807-5a48-46ec-a8a1-9ce824b1430d,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,50851812-849d-4fe0-afc2-69f2ab82d4c9,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9913cf1-c8d2-4618-9e71-4f294d4ac91e,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42565043-a331-4250-9bb5-fae62533c3d9,"4/16/2021, 9:33:14.070 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,6f84c799-ae56-465f-b829-0da63a27278b,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,886e4e59-fa5a-4a34-8bc4-bb4c6878c8d0,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5e2d321d-d485-4c20-b6ba-b0a92d2b5f22,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x88fc + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,e61b9803-8bde-4568-bd43-277460efaf90,"4/16/2021, 9:33:14.070 AM",,,,,,0x88fc, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x88fc + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,9bc2aa09-18d7-48cf-a79f-e6c30a9b43e2,"4/16/2021, 9:33:14.070 AM",,,,,,0x88fc, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,50e618f5-a46a-4338-a530-1ebc74920a45,"4/16/2021, 9:33:14.070 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,29a693d0-56ef-4ea7-b1a9-bd7a1c8e5087,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,265a40b9-1012-40ce-88ba-2cd44ed4ee29,"4/16/2021, 9:33:14.070 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c01c8c33-1aee-4cd3-8303-c10e949a526f,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,10a6e81c-0731-4ce6-8f26-646c3001079a,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dc229e1e-d47e-4e8c-a0f4-245bbe0f20d5,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,96c98397-6653-4f56-975a-25d5d5c7c572,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,950848de-1a19-435a-860f-7a3e76ab7712,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26b22d57-7299-45f6-8337-a0d36cb448b1,"4/16/2021, 9:33:14.070 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3bc902cc-9c3f-4596-bc48-f67689d1b05b,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,563c0100-8dcb-4373-9a01-98d8a2197eab,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,782364a4-76f8-4937-ac8a-34422cf35d90,"4/16/2021, 9:33:14.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa3c9219-0735-4519-998a-834be0aaecbf,"4/16/2021, 9:33:14.070 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b38cb1b0-eaf9-45db-8fff-553f6a943459,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0b0179-d9b8-4761-bad6-c6018fc3a9dc,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe50554e-227a-4f0f-b494-8a4a737c2c47,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc56527c-4264-4121-b32f-af5a316f757e,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,212e77e8-a4c9-4f10-8232-f81afc82f8e3,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,780ea4e3-4aba-46a2-bbcd-01059b4e35be,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,949bd9dc-dd6b-4ced-a34a-556229644f57,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b9e47a-d48e-4748-8b58-5d17fb740598,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52511c7-c7a9-4f64-9b9c-0b974d2de6cd,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc333e6-eab8-4100-ae10-bef5e1251dec,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa8ac4fa-a6a8-4b0a-b2b2-adec12a1fc41,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447243bf-0ea7-491c-b8a4-22e2121efdc4,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c3fd7a4-9858-413a-abec-489bf24e35a9,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d8d99b0-2aac-4690-a261-88e82867ce9b,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6842b8be-8a3a-4d76-9b91-62f68e47b090,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43c4480a-e4d5-4c1e-83e9-af9832932dff,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d57075a-5d3a-419d-88f4-ff2955c27867,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c58ff95f-e03e-49ab-95d0-20719d39cdfe,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5247afef-e586-474c-9b04-dd4b5e318bd9,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9571bb69-2ad8-4803-99e6-3704f19b7595,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18523f2-64a0-4cc7-adde-1a0b7f6f1e8b,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a53c5d-155d-4305-b9c8-b0de5dfa3dda,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91c064b-d00c-4776-aed2-6c2450d3d342,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d0db620-0eea-407f-800e-8ad21e38bbad,"4/16/2021, 9:33:15.161 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,49c15afb-2ec0-4614-a954-f0342b22b558,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\BILLING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12b43a1b-54a4-4621-9312-f69ae53dc63d,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,766c3ce2-616d-42d3-8465-3eecf7b5a30a,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\CAP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d6cf9e0a-7153-4453-b32d-31a21789dca9,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\MAINTENANCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,953a81fa-782e-4146-8a20-5e787f164790,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,437d051a-959e-4383-a437-dc3da9fc0892,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c056e094-61ac-4c91-a509-824b8badc995,"4/16/2021, 9:33:15.422 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a821ed7f-5107-4279-9f17-84cf297aeeb4,"4/16/2021, 9:33:15.422 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a73973c-241a-4b19-b6e6-0ac9ea642f2a,"4/16/2021, 9:33:15.422 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6180 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ba277ede-7de0-41af-960f-86dd108d02dc,"4/16/2021, 9:33:15.422 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cbe5d1f2-f329-4f17-822b-f1cd0512934a,"4/16/2021, 9:33:15.422 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,397f2e93-abb7-4077-8e45-2d07e20d92e6,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5b61c7-1e8b-4c1b-b4d5-ff3aaf50bad6,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bfcc27c-ef28-44ae-8254-eeca3def2339,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615b6455-ded3-4491-b8ec-c2e6703887b4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc29114-384d-498f-adf8-897df68c38f3,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f7fcd3e-0f71-440e-bbcb-631d48256e93,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294ea6ba-32e5-4bad-81df-c6e0314e5819,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9af7324-54d5-48d4-8044-17a251cf3260,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6bad38-03cf-49c6-8d0b-caea83ee7ba7,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,887ac9c2-c5ab-4218-8f83-e1d0580839c4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01f4dedf-fbfd-4d78-b13d-8056da42bf4f,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee5c0883-f0b3-4fd6-8b83-30c9ec8b829d,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370c4d07-fd0d-44b2-bed6-2aa21916bfd4,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b33b97d5-e165-4656-bcde-4304f530f8cf,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2375714-4bb9-4465-9396-3d3666cc822f,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb1bdc0-aa2a-4e50-9fb0-eaeab5319cc8,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b018e7fa-598c-4779-980c-a517d81dcd71,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a2da6d7-4113-45eb-9e82-6bf0c69cbdd7,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56cc5866-9c19-4b9a-abed-2126edd991f3,"4/16/2021, 9:33:20.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,384283c4-3cc8-4131-85a6-c1fc4a95580b,"4/16/2021, 9:33:20.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3341a948-b4f7-4f5c-92de-e9f84c11fa1d,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bc42aeb-b985-49c8-bd99-e0210b5d593b,"4/16/2021, 9:33:20.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c8c3bf1-c7c0-4f29-ba06-b332cc741b00,"4/16/2021, 9:33:20.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,103ddd7c-3388-499d-8666-68e96c6e11a9,"4/16/2021, 9:33:20.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7aff4b7-9175-4885-bac0-5a1fc36ff2ec,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d54df2-dac3-444c-a747-50f29a69d33c,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b8ffa50-bc29-4b2c-8bfe-be0a1cdb1d38,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2042905b-5f4b-4ea5-bf5a-706d3caca301,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6bd3290-c4e5-48f1-9b1f-7f1124ba0094,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,351f9be4-3129-48fd-9807-3a95e77a6fe8,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5d05c7e-c264-4eff-a936-f93cbeb1d09a,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a96797b-d81e-47ad-8399-036ceaa2276b,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bbbcf3e-118d-4134-b3fd-7a74690cc660,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b64918-9b77-478c-87fa-045fa932ec6a,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb859ea4-9df4-40a6-95d6-e96e0a14bf55,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d4691fe-2aa8-47d9-8605-0758607e9d10,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dce3f50-b6d1-4a52-afa9-c820571593c0,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d44fd60f-5794-42ad-b3ae-917edb800024,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0486405-78ed-4627-8055-24ea688456b6,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9936ea4-7a3d-4689-8630-a88b3a45f19e,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c5a482b-6c25-46fc-ab08-37e8d1ca7846,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59906b48-f1f0-48c0-89aa-efc8ea6c50ca,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee37d680-4fa4-4e54-8aec-9b91933a5400,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d211d1f-2af8-4df0-b284-70e12cee3dfd,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8e33719-9713-4dfd-8f38-66bd29d8f5ad,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\TJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7fb45cd-b010-4687-9d54-aed5a690d727,"4/16/2021, 9:33:26.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bab47686-ff71-4cb6-9158-7c7cef2c8ae8,"4/16/2021, 
9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d252097-52a9-4a17-8746-726f03e5d82c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08bbc8be-1f3c-424d-9a7f-15e48ed163de,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e9a2c7-cd53-4df7-a63a-686c2fd29a24,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82674319-2874-41b4-8288-9272d79affe2,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfa45d0-51cd-4ee1-8829-dc19f1e29a9c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d893689-3ad1-446d-a365-3f3eccd2c243,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a5f88f-00f0-419b-b13d-07509e3e7241,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b542a99-2074-49c3-8f32-957bbf22244c,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, 
+\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,992585ab-f5da-4f6d-971a-8ab82dc27f84,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d49e73-e45d-4969-8fa6-19ce487e4b51,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3defa3e4-8552-4c42-bad7-ba5aca18860a,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ebb9a54-b41b-49df-994b-e4bbb0cddca4,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7861719-e965-4e16-9b78-debfa4c12045,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe80037-f0c8-475b-990a-976607b4b5e5,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,7c92fa70-fd7c-4fbe-ba2a-44ff56419e18,"4/16/2021, 9:33:33.139 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a3b09c-8e74-4601-8c23-637528bf187b,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0e447a0-898b-454d-a195-94fa47cef76b,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bbfd57-b030-446d-86b1-8ccb12216398,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2e87295-e180-4f0a-bedc-af745b7f7cf4,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22862313-8203-445c-b6db-fb96751dfd28,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4555b823-bc13-47e7-89b7-af315eb52559,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82483bee-d699-4e05-9b0a-27ecb2f71867,"4/16/2021, 9:33:33.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c799394-d9b8-45ac-b02f-3aebaa84c946,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec911179-a25e-4d2e-9003-3dd49747221e,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf8ffe6-ff00-4814-a153-70f030d365bb,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2bca72a-201f-4636-9219-2b62ff866cef,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcda2cc9-b39d-4170-a09d-8b6ae4c713ac,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9520be3-b232-4ce1-9998-6747eafea802,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ecbc1e7-d54b-4971-abad-51c3cb68a933,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98cebf08-0483-4ed5-aff3-c4e0fa9db587,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f16a1a-141f-4121-a490-b950c25cdae1,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c87e1d8f-5962-4c17-8e33-f944230355da,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,901ba064-c5c1-4091-af4f-1f60d48554c3,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3847e98-728f-4a7a-938b-7d48d86850fd,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d8000bc-e765-4502-b82a-31162f1d8c8d,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843e5c0c-3700-4f23-8eca-7cc156a341d1,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480915f1-cf5d-42f7-94a9-b10e42de4081,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e099f3-21e7-4ffc-9552-86a14f717348,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2300876-bbbb-462f-bbec-31a5933c55ff,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3176e962-5006-4e40-a7dd-bb93d4057100,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b278bdf-9013-4d76-9986-880a1c901dd6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,249cfa6d-3782-453c-9ffc-80cddd8307a6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9e5aeb-ed74-4a6a-b854-899d49f33c23,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe26107a-f03a-42a4-90bb-9d53a43b5483,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2c691e-2909-483e-a48c-6b3a25214d74,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a50d355-1970-43ee-852b-14f378025ff3,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bee952c4-ba06-4113-b560-147ca4cde4b6,"4/16/2021, 9:33:42.146 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,040905a8-10f2-480e-824c-8c4bf846ad1b,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4384 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9f4776cd-d3e3-40e5-89f0-a639b59d0bdc,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9664 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + 3942ED22D1D683E626E94ACCD9538E1999E488EE68D1DB541B383E35E4280E84 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.18362.1411 + 0x3e7 + 33 + C:\windows\system32\usoclient.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,40a2f6b8-509b-4277-be2f-07110859e53e,"4/16/2021, 9:08:13.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5580 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5050de5a-f5d3-466b-aae5-4de9015b4a6c,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04e8fab1-c0de-4443-84f4-17d2570979f3,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\Flighting\OneSettings\RefreshCache + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\wosc.dll,-602)</Source> <Author>$(@%systemroot%\system32\wosc.dll,-601)</Author> <Description>$(@%systemroot%\system32\wosc.dll,-603)</Description> <URI>\Microsoft\Windows\Flighting\OneSettings\RefreshCache</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT239M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-16T09:58:46.045Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1H</RandomDelay> </TimeTrigger> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7538BCA33A019502</StateName> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> 
<RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT5M</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <ComHandler> <ClassId>{E07647F7-AED2-48D9-9720-939BC24A8A3C}</ClassId> </ComHandler> </Actions> </Task> + 13510798882111596 + 3612 + 528 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,87f075ee-ff52-4e6b-8d6e-6db41eea21d6,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a653d5de-36ff-43b2-9e27-ba8100a0c833,"4/16/2021, 9:08:13.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,6cb56322-e35c-4a43-a948-97e86fcd8570,"4/16/2021, 9:08:13.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c0de5f4-d581-4fb6-9dde-be907e874e14,"4/16/2021, 9:08:13.636 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + 
%%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2e3231e6-9d59-414a-84bc-92570097b768,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8322ed3-5513-4979-bdb4-6cd225e9050e,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd38a019-063e-4d0c-b5cd-ebc0e1cdf1a0,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4746328-4a5a-4e02-ba1c-725f17b187e7,"4/16/2021, 9:08:43.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5a7e7356-8a60-4890-808e-1b3e3ac47312,"4/16/2021, 9:08:43.055 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,418d2392-6a6d-4f58-8486-879269ed69c8,"4/16/2021, 9:08:43.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,8f53b8fe-3391-4f18-8689-e601cda33c89,"4/16/2021, 9:08:43.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,21848aea-279f-46e5-9a5e-6c2ac379e4fa,"4/16/2021, 9:08:43.055 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,772e084c-a74a-4b3f-8eb1-6617349efab7,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,17d38657-9693-4b1b-97f0-ecef51bfdbb6,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 196 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1878529d-f3b5-4cb0-8100-d257fa46c78d,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11708 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3f70b3e0-b75c-4ccf-9b06-8191c94eb071,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8016 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST 
TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0a06cea9-63b4-4665-a3c0-de9d5e225731,"4/16/2021, 9:08:49.302 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4724 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,48a11fca-bbb0-4717-9bca-a00825035c59,"4/16/2021, 9:08:49.302 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f3dd61e6-d782-42bd-8474-a58cdb7885a7,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\PRINT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1dbdc13e-057d-4100-85a0-d3e0e3473b97,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,819675f1-2aa1-4197-9ff0-a65799fb77e5,"4/16/2021, 9:09:32.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH 
Contains ""*"")) + S-1-5-18 + 7256 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03451957-2d52-44b6-b055-5693be634ca7,"4/16/2021, 9:09:32.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6cc42a7-392c-40dc-890e-f4eeae9034b9,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7192 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,92acb77c-695b-4f8a-b39c-eaace92cb887,"4/16/2021, 9:09:32.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1164 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e595fe7f-26dc-4a9e-9f54-78a943a64034,"4/16/2021, 9:09:32.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed7314df-227a-4bc5-8cde-9673db39c801,"4/16/2021, 9:09:32.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,40d93ef9-9377-4025-be22-afdb2669a4ea,"4/16/2021, 9:09:32.408 AM",,,,,,, +\SCANS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,673c6e26-c50d-4a82-8987-7ce2cf4abdfa,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4ec8c63-021b-47cf-976e-b747ed0a7fda,"4/16/2021, 9:09:32.408 AM",,,,,,, +\TEST2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0a398882-b129-41d9-ae54-9872295ab4a1,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09a48bc1-4b3d-4cd4-9961-46377c419c41,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, +\SQLADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d92c3bf3-52e1-4a4f-baea-23b39fedb6f7,"4/16/2021, 9:09:32.408 AM",,,,,NTLM,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6d508a5-e3e2-4aaa-9db3-bd124e41a51a,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e824db3e-32cd-47ba-aed0-15d7e50dd371,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fa0ab5-2b63-4017-97a7-1cf3e010bff2,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c594cf7-6b61-4e55-bc1d-dc4bca5a836f,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c25e028-fb2f-419d-aa08-dbc3f036fc2c,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf2193a-c32f-4a53-becc-81edcbec1120,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64b654cb-2e41-4cb0-bd90-21575935caac,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,372bb7ff-b31f-4dd4-a72c-7d99b8834900,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53b803a3-072d-473d-ba50-57626c64bd51,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cac31b27-07fb-4578-a6c1-4bede8946749,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24fce3a4-1c85-4f55-a632-9349209b897f,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3d7b91-0f97-437d-b038-2a39553e0d83,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bfcab3-ee1f-48be-9258-2074877e422b,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4b5575-00b6-4856-8f58-1d510596412d,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16bba3c0-77fc-4248-b335-16b97c33ceeb,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1afbe84f-c0d6-4e34-9a0b-c720847110f9,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,520d9a89-a552-4e62-acbe-93f2d72e9523,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89d6f77e-ec89-460d-ad9d-cc5870446e28,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9643d7c9-b987-48f2-8d6e-1bb757626e28,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a6133e2-83d3-41ea-aa90-7ddb765c21ed,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e086bc0f-ac5a-4707-b306-127ea2ca7aa3,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa99ced6-ec26-44cf-b848-d48a5283a88c,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0744761a-c44c-455c-896f-d442d906c963,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f8beec1-71c3-4b89-9054-5feb0b4e4248,"4/16/2021, 9:09:41.131 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 
+ VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,45f73bb8-caea-4fa7-8c0d-158b6775aa6b,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95b47ec3-ab01-4f8f-ad7c-1e7ce343e825,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,370288bf-654a-4c6a-9970-a3f76865243f,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,636b0c77-da54-4b8e-9e03-d61c7ee1afdc,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ae909cd-be46-4c0a-a299-068d2f0aed9c,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d8518f8-7bbb-403a-969a-090b30457f93,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb8f6071-a7fb-49f1-9fff-8053da850642,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60e64e77-c8f1-47bc-b660-6e11d116f100,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd2dad27-31c8-4441-9e80-58b2613fce47,"4/16/2021, 9:10:24.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21beb027-e45a-4882-853c-310bd0733b13,"4/16/2021, 9:10:24.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fbfca30f-175d-4dc8-8fae-3d7729496d24,"4/16/2021, 9:10:24.056 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db96574c-8fbe-4d7e-a2c8-7c5ab7a276d8,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56a96d9c-d5b3-4689-8be1-6f5ec59a89ff,"4/16/2021, 9:10:24.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad7e741d-8859-4fc3-985f-bd8a85cd9901,"4/16/2021, 9:10:24.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ced41299-2c4f-4893-81b5-df2bc0802ac4,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acae88fd-9bfe-424a-963f-ef9dd77cb4b1,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4676 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fbd1dce-cf91-4de4-826d-c9203824f7a6,"4/16/2021, 9:10:24.128 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,39e19458-da0e-45a1-a5f7-9c00d3392f99,"4/16/2021, 9:10:24.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e819d3b-a296-4091-b4c1-9514737a477c,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5daa4c35-db3d-4355-807f-efc56af92449,"4/16/2021, 
9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6812ed57-d1d4-4d9d-8ae9-f4eeb48f45c3,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944d7d6f-4f60-48df-b71d-26cd82feca44,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,547fa3db-0190-4146-b313-a90b6ae8ab78,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5400e77-8dde-4b28-a04d-bef1fb610018,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10f82f62-886e-44d3-87b1-0891f3870a4c,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95299852-bd19-4aab-b372-413ff1b6233a,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2c4d6ee-691e-4cc3-a306-f88499073bbf,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d65b94-74b0-460b-bda6-67182be64dab,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798d901a-63cb-4642-b3cd-f5512cc6b3bf,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b8c64d-525a-46e3-8b53-ec2a1aa6cda8,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf6db27d-1bd3-40cf-b99e-5bde20960513,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19385eaf-9053-4908-9a0a-cf4bb8247307,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c211afc6-1688-400e-9725-91717772cc03,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea4ee37f-fb1d-4781-aebb-0e98518de4f2,"4/16/2021, 9:10:24.128 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24b615b6-7b3d-4dd7-a863-34cf489a8e38,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41347ac4-b671-4500-99d8-14d724aa7ba5,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4680b9dd-accb-4c05-848d-651dc081420a,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42574ecd-bc4b-48f7-a7f9-83e2e5c56d33,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b056a51a-4c3e-4261-84b5-617e386a9760,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b43a8965-f5d0-437b-9f2c-74ce686a174b,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e4d0df9-054d-46f1-b769-0060609b1a10,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0a6995-d615-4c4e-9fe7-2ba491a8a2c6,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc9bfb45-0387-4745-b760-a4be1000f226,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd29db08-d658-40af-ade5-f221500e17cd,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1931911f-6634-4fdb-bc71-8f760fcc4229,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e95c0491-dc17-4eb3-b1d7-0d00be2f8f58,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67fb8e7d-2603-49c5-95fc-2a47b35b39d1,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849d567e-ca9a-4354-a28c-00772c0de91e,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb8414b1-eab1-4803-b4c0-23248090bd7e,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,332401b0-16dd-4561-a73b-f42f32a2473c,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f23dee2-bdc1-41cf-b784-3224f6f64ef0,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec056d4b-ff3d-404f-bb5b-275897c502b4,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9840a2bc-b3be-41b5-adff-bc5649c223e7,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,964af361-3ee3-4575-bc89-cfd8f7f25eed,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,661a857b-9621-4650-a930-b42dda156ccf,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcac89dd-4dc4-4e55-ac22-86784ba68326,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05f6f1ca-e91d-4810-b509-c911667ca4bc,"4/16/2021, 9:10:29.687 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0735797d-7831-41de-a9b3-21ce305febc5,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3048c11e-f6b5-482c-bea5-34af66aa78e1,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5644bf-555b-4f5f-ab27-87c6d9f4ac67,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4bfb01e-d042-4c9e-9b45-663bf7ba7877,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34b02472-1e6d-4df3-8b6c-887620a7f160,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2b56ad9-8858-44c3-b0a2-e9e46118d133,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7993abf1-eaa8-4faa-bf97-619a180bb069,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4736467c-f086-4ec8-b1f7-9a3201cff429,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f11aa790-af77-4c78-8e18-308fd67538e8,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa576a08-53f6-4843-9e73-f43e2075024f,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78be4ee9-634e-4ec4-9e04-0eea7901bfac,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa335b5-5274-4013-990c-6092d53bdc4b,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f22974-4588-4690-9bab-8a68eb799ca7,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ded57f1-5162-4130-82ee-16a3e13f5339,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da22ff27-0d4e-44b5-a9e5-5c585ee85966,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6a91f4-15e0-49a7-948b-e010e0308786,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b056fd-b3c0-4f95-85c4-5258355c74e0,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12733aac-9ed6-458f-8994-13c0cf84a742,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98a5c50c-a8f9-485d-8221-a106acbef98e,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8980885b-a2d0-4ab4-b5ba-da5d761220bb,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dcee186-acd0-46d3-aee8-7eb0f39b0475,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43df10e9-db08-4980-af46-6ac1392a6c43,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,644ee7a4-2202-480a-bba4-b09f3c8a9e2e,"4/16/2021, 9:10:46.122 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7796 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9e344bf6-00f3-4ff6-ab50-2dfb4eda7737,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 14244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a87d8137-254c-4b27-bae5-d64bc3c00333,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12988 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b03f9516-c4c3-4342-bb00-9d5883cd8c76,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5068 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a212302a-bdd7-4ae7-bb9f-e563bccd3e7a,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12656 + 115 + 
%PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ab653b2c-5b8a-4910-b85f-c63b699cd6f9,"4/16/2021, 9:11:33.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6550fd15-d811-4789-b767-e7c6520f6d76,"4/16/2021, 9:11:33.999 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4088e653-9ea4-4acb-a600-5efe62a8bcc9,"4/16/2021, 9:12:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,edafa536-5a8d-4a1b-83f7-27c705e02139,"4/16/2021, 9:12:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c970927-791c-4620-900e-e2bd24bd7446,"4/16/2021, 9:12:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cfb20e38-11ca-41b0-b952-583174e34874,"4/16/2021, 9:12:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1565de65-5742-4122-a90f-d4b2536873a0,"4/16/2021, 9:12:09.882 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af13ca0f-4859-4863-afc3-7721711aaa54,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ac90e90-7045-489f-a569-e2c8b452e4fb,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0f7eda1-bf4d-40a2-8eab-cd95f77f4c75,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535406ae-d0c3-4c01-aacc-77d0ddd42982,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6d11950-e63e-451c-8e09-5ed941f1788c,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbc5cccc-959d-4337-b1f3-edefdb4bcf29,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b155dff9-e528-45de-a7d7-826dd1d72de3,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15f6490f-9df1-4f76-87be-ac55acd0781f,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d957495b-aacf-4843-9fb2-938c89103e5b,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2663d37f-1580-456d-9645-4e9750a69744,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82f1404-af2f-423d-af0b-6d8270605689,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb83ee3e-e8c6-4341-9fef-3f549d8d6bf1,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e509c4f0-83b8-4083-b4aa-edf4fe2136b9,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b77cbe1d-7f10-41ac-8aa5-a281b361bf23,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,684895ec-57b8-4825-b222-b3a1d744458f,"4/16/2021, 9:12:22.128 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1980 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7eebb1c-7ff0-40d4-937e-434dfb160ff0,"4/16/2021, 9:12:22.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55da67ee-afda-419d-ac4c-25ba799c3544,"4/16/2021, 9:12:22.128 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c78cceef-e738-4579-b94c-d287a4a21b22,"4/16/2021, 9:12:22.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb1ca08-8e3c-434c-b1e1-379cbfbacd5b,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b13d3611-f145-4b28-9bd2-ad224d57b6e3,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30057e02-40e5-436b-b96a-bb11f011a1f5,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56d8f744-c75c-4e47-88d6-f7c4f81d6b2a,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49552382-dbfd-4b5a-a221-5fe2e9dda457,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c529202a-bed6-4939-977c-0a6886ff98d4,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37998e2e-2c53-4f24-9785-2b9c716ef1e6,"4/16/2021, 9:12:22.128 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa71244b-4a54-4b0c-8a23-79d38c75a80e,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257b0917-2d32-41a6-83dd-c637483e341b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\RECEPTION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a81c65dd-b761-4fb6-a34a-dc8257717968,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb0234f3-a6bf-4c9e-955b-c94c2e7d639b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85083bbe-af03-454a-b151-c40f5aa83b12,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1987a5c1-6cfe-4a5c-aa17-8400e7afb2a9,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8bc6acb-5cda-4c75-8154-d985291886ca,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f4acc3a-77b8-4f6d-be7e-64cc935ee609,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a56fac6-af51-489f-a412-d22d05f56cf8,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c55001f9-d306-47f7-a43e-70d80adb43cd,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66745ff7-c5f0-410f-be4d-a1a9a81eb35c,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75f553fb-1f75-4e14-bf28-e65d525e3fdf,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9424fdcb-5f38-4012-8e27-33e8c165b6d6,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6866baf1-7581-4d9f-b66f-b789aa8ef17b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfcdf6a-8072-4f8b-94f0-46962b9de963,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3236f77-51e0-4ffd-ba04-c60b77054f3e,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\GAST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61e6947-37dd-440a-b023-c5bf76373a94,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4048cced-6de7-4050-92ae-49b48b07be8c,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,559d5c33-f3d9-4f02-a323-b3de54b1ca5b,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eca8e936-9b77-4783-bb10-8b29f1ea3dff,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,166b95d4-5d56-429a-91ad-df0e8d1e24eb,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ab8d093-8541-46cc-aeab-974c15c28688,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a80cd54-1c4e-48b2-9c97-e77c8294731f,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a964c9a-3411-4136-b225-ecb1a9ef4329,"4/16/2021, 9:13:52.708 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e842399-c420-4005-ac4d-30b753a860e0,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ddbe569-88a4-474c-973c-558a241c6949,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e45b72e-ca92-48e2-90d1-78d5b96af742,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c102ab-15e7-4055-a25c-a9194f7f6a74,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09bc1bb4-e6a0-4382-8ceb-3a4852c4e5d3,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983a0f7c-ac9b-4e13-9b61-c0939d01b177,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1a6f2d4-6e97-4485-a5e6-18edcb3f41cf,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f167b7c6-9b2d-4945-adc2-ae51431d15df,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa4872d-777e-4198-805e-58a03e092de0,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26dc02be-a47b-4ad6-9b34-8528d0a85d81,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d451140-aa8e-44f5-961a-27883fac6030,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0de90ae7-a80b-4b86-a95d-f5917f3b7ae2,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f77063-c164-47e6-a499-3a55d2c7ddc6,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22817d6b-6dcd-4d39-9931-1016927f8055,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ffdd71-b071-431d-b8d1-db779ded7424,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8020cef7-2b71-471f-9fd2-755a611e9927,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b6488c5-8606-4c7d-8a39-37a39a3a99cb,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a69332-8fab-4f59-a043-9106b95886d6,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40a290ee-afef-4613-ae2a-4ef4b606a844,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d3528c-f646-4899-bb24-19d3f9517261,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27d41e2-11c8-4de1-8b2e-0036cecbfbc4,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1d44383-768a-4c8d-8c47-f26e0986d527,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c4b892c-1900-43bc-a0c2-92bffeb9a903,"4/16/2021, 9:14:02.130 AM",,,,,NTLM,, +\OPERADOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d54929d-24b7-4f7a-8b99-0be8579b51f0,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56a23765-098d-4a77-b856-1d4707324345,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\TEMPADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,feee3a59-dce5-4f49-b0e9-436cc92f350f,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\POSTMASTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89907111-4dfb-4789-b997-f302d4804198,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,945a6149-859b-4486-aecb-04a1c94f4b22,"4/16/2021, 9:14:06.410 
AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7343937-b9b1-4bc2-8d43-5a3385bc92a3,"4/16/2021, 9:14:06.410 AM",,,,,,, +\OVN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aea2b5f1-2a00-4c3a-bf4f-bf9fa825dbe4,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83fd83df-118e-447f-960d-2d8cdcffef1a,"4/16/2021, 9:14:06.410 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aeeacc63-2cd0-4bb5-b173-db58764d9fce,"4/16/2021, 9:14:06.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a71aa6b-f5f3-4eff-b308-38e78110c001,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,92a1ccdc-ff94-4788-b906-9efd331c061d,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c401957-b566-444b-97da-69ff8242df32,"4/16/2021, 9:14:06.410 AM",,,,,,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:target=virtualapp/didlogical + 0 + 1 + %%8100 + 0 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14ff1282-6894-4332-aa91-e29d3181de21,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9d3202bd-32f3-447d-96f4-95afda2a1947,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f19b45e-6327-40a1-8130-1d3458040af7,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02qqkfsjkrsmszgz;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,625df995-21ce-4e59-a440-4709a29a7655,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c84c7dc-6f19-4b3f-a5ed-e2d755cbcf0e,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ca70e36-ef4f-4130-9ec5-db8d59c15db9,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76631edb-f277-4184-87bf-a764305de86f,"4/16/2021, 9:14:06.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + MicrosoftAccount:user=02qqkfsjkrsmszgz + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:13:58.899833800Z + 6768 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc9aeb2e-61c0-41e4-afdf-09e48c793671,"4/16/2021, 9:14:06.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6768 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1f69993-8ab9-4352-ab08-d95cf313f29c,"4/16/2021, 9:14:06.410 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fdb09cb0-e1a3-4716-bbcb-367ce837d76c,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, +\CANON,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c04eaa7-ff76-4e69-a5b7-96325372f75c,"4/16/2021, 9:14:06.410 AM",,,,,NTLM,, 
+\VJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e538ce3c-6ce6-4806-9dff-bd47c66b5b00,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af89dbb2-adfe-4114-9ed2-87ea2f901cfa,"4/16/2021, 9:14:08.709 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d358c3ea-121a-4896-8a8e-fc0e8dc26fb3,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd011556-2fb3-452a-a6a9-964bded11389,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94e03610-e52c-4285-af3c-5f8520c9465a,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,055ffcb1-0314-4f74-8447-171daa20c6f9,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c84a112-c342-4e0b-8754-a95db3785545,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,202e086b-d84e-4fbf-aa30-6e2e2e1c438b,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d9162fd-0555-49f2-8ede-3e96f86ef004,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6832bd75-62e9-4bdb-a11e-fd413d2e4dba,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e3ffd0-8792-4d22-8ef4-884e708b3b68,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bc64700-e85e-41ea-8549-28370cf1d071,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb44a730-283d-4461-b1b5-eada2b03a3d1,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13f9384f-8e1c-4785-84bf-427250cfa0a3,"4/16/2021, 9:14:08.709 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfdf833e-2ed2-424d-aff5-0d68b6707db8,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4e180cd-9e2d-4a41-9429-103e327e994e,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3101e1-57b9-4cd1-8668-9eb86bb555bc,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6497b40a-8e8a-4428-ae9e-c97ca0c35390,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a21c618-fd83-45e8-aeeb-abd1512adcd7,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b37a7b97-ea7d-45d2-aec1-63f6435c8b0d,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d3cb208-f946-4501-b109-545f7e49a1ea,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,199a77ff-6874-4c18-bee0-8a5bb26018e0,"4/16/2021, 9:14:08.709 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d97743a-16fb-4acb-88dd-6a4ba0bf4b64,"4/16/2021, 9:14:09.947 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,337c65a9-d629-4535-aa2a-fb291d2922e6,"4/16/2021, 9:14:09.947 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ef95c335-5c28-4194-8317-d0a5d7792ec9,"4/16/2021, 9:14:09.947 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,af6b1ef7-08ba-46eb-ab20-55d987cf06d7,"4/16/2021, 9:14:09.947 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0b698c86-a3ce-4a17-ab5e-1439e1f2baf0,"4/16/2021, 9:14:09.947 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20183f8b-3657-4a80-8491-d3e7b245b2df,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9df740c-7170-4752-8008-f22b5bebfcf6,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89363341-eeb0-4ed0-9ebb-9dfba8473adb,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a004112-5450-4c7b-874a-42c5218ba528,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc525a18-ec96-4888-8f28-e6fe0b235a41,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56128189-34c2-4d75-8bfb-9049b2110db5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30798ef-d743-49c8-8ef7-d542bf1f3aa5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30b674b-e56d-44cc-a41d-90f3ddf59dcc,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2f68f3-cc93-4334-87db-33b9b147a106,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b6ab4a-9ae9-408f-8e53-b809af71ccb1,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f75f461-a0d1-437f-bff4-5db13aaf83d0,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e904a64a-8df0-4066-9d3b-166b934deb25,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45f4594-658c-4d61-a217-ee251e7b978a,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0373903-8d52-4757-969e-a46c049229c0,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bae6a98-cd75-40ed-a21d-8a4be07056b3,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1fae265-e018-45b4-a210-97b024e8879b,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c715894-6f9d-4419-8c65-f2d2ddf8515e,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a5cf824-ca82-4240-a0fc-0d80b66c2734,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2352b0cb-c5d5-4b45-8e27-5be81b7e34d5,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b000757c-5d71-4970-91ce-525f35a2a8d7,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9435c12c-ee9d-4a55-845a-42095be6aa16,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552fd8ed-5cc1-4903-ab00-e374c4dcd793,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,460c9839-f9b1-4ad6-b103-15152ff1e3e2,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7da16b8-1ea1-4f48-80c5-0b8942221080,"4/16/2021, 9:14:14.196 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc902188-c65c-462b-9ff1-4e842bac2aee,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d493ea9-4183-43c2-9488-2d57f4982f29,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5643385-5e46-440b-88d0-622382aa06fb,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a3ac86f-e9b0-490e-97d9-6c0b8b619d12,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5831863-e7e1-45fe-a922-0a065747dd18,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a422b3-ac99-4f2e-9da2-a19ce1b7298c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4d514a-6be0-4668-9d51-ab9170e3cb97,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203f7aa1-d4d0-4c18-a13f-d5e456328eb6,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,064702eb-883f-442b-8919-eb5aa780f78e,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75c3ecc2-41bd-4ed4-9fde-d887d8952f57,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96faeeda-2b90-431c-80b3-79ed94acf49d,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49728e3c-628f-4f10-8873-02be81c4e2f4,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9dc31b6-2508-4b58-bd07-0bc6e2dfa093,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89855bd-f625-470e-900e-515e5a7a59b7,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f4901e4-1e3b-46ef-8b1a-4cb1721f272c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5625b32-c37d-4c33-8f3f-4ea34848126f,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb6361-6486-4da2-a44a-4d25d8c72f78,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e24d27e-b966-4b0f-bc63-41e6ae80dd27,"4/16/2021, 9:14:20.215 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d6335d-5175-42d6-941c-2431796087c8,"4/16/2021, 9:14:20.215 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,debca454-78d7-4d85-82e8-ca8278bedefc,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00cf4b2e-b721-4150-ade3-6de115b5c47c,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d55631-bb14-476c-ad4f-a5f0fe8b8916,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fb13602-9ded-4111-b416-846fd0acbcf0,"4/16/2021, 9:14:20.215 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b33f0e-763a-458a-82ec-e26b3eb6af73,"4/16/2021, 9:14:20.215 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,575eb4e1-81e7-4788-9e35-672ce35ba959,"4/16/2021, 9:14:20.215 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65963791-fda9-4347-a126-22d2f1a4b092,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28f331f-5c5e-47bd-877e-6afa2791ca9b,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,146801fc-c32e-412d-b5bd-9ef30a8c5699,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e9880a1-21d4-4d65-b369-b5cdbefb90ae,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2909d42-7bd3-4ff7-a46d-06f23b84ca84,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ab48cc5-3d00-40b2-b1cb-669607fe385d,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\INFO2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c001b0dc-1315-49a9-af40-445c040a2f9f,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d339c131-6beb-43ee-b06e-2237518cec87,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e00d77c-1257-4e1f-83d3-d8b0e6a201d1,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55e4931-314e-4852-9a8e-1e78a6aa6950,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6bd00d-cfc7-4c88-adfd-49382ab31c86,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022ec20a-b9ac-4bf4-94a4-23edde068e8d,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d7965fa-7d3b-4a78-b0e9-2b9d3e4b4b30,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,527b9027-97fe-452c-9e8d-9fb82b41d59f,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b79008be-9ea6-40cc-ba0b-c663482eb300,"4/16/2021, 9:14:33.130 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ed88ec-206e-4822-9108-21be9141f656,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,096a6993-a91d-40ae-97a5-c41ca46f5e53,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8808ac0c-1ee0-4204-9f52-4fa7c777c874,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24bdd7a4-ef0d-4b38-9ee6-eb8e70a7e4b2,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a05882a-8e86-483e-a3c3-33f17b2a3d02,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,541865dc-05f4-4165-9dff-39e416ac9fc2,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc41fa34-0adf-4b0a-b2e8-17b8e75a0150,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,707ba565-92c2-4092-9c8c-80f64699d686,"4/16/2021, 9:14:33.130 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d2e4d40-2d8b-43a8-9aee-7fd61566637e,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\USER3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8d80a4d-a102-48ad-869c-6d869f1caae1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebffa7fb-b7ae-43b8-b197-bdbb3266be96,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab5f7997-b2d9-4dd9-9640-6a3837bf443c,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4bda16d-0a3f-4918-8dcc-6c34a01da2ad,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3695acc-024a-43e9-aad1-5d822d7a872d,"4/16/2021, 
9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b93acc9-846d-4788-91d4-57517c4d07cd,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,513bb109-ddcc-4f3c-9d24-7ab2021f295b,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,980dc98d-fcd6-4e2a-a599-6ca1f34936ce,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dd68b73-193f-43a5-aa09-b5948c2162f1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdea8c3e-de94-46f6-afc1-3c18e3ecae5a,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3231c7db-f0ba-4327-afbc-601fc49ac2f2,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26aa5d86-6c53-4761-a063-a1950ff15c01,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1030a3d3-fdbc-49f7-92cd-339d602fc683,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c70c6174-49a1-49aa-bbb4-0fbedc5c711e,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72231977-e988-4f91-87ce-3ee5beba5f90,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\TEMP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2c2bce9-3dfe-4c22-b6f1-2b763992d80f,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce7c7e23-d07e-4847-8f05-4422082519b5,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16631159-bb7a-43f1-893d-3f33faadc6f1,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9bb2203-1a43-4690-832e-c739e4080f9c,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7390dc65-c24b-4f99-9e5d-734373038235,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,792c81f1-cd3a-45c6-8f83-a1c309defe36,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24564d0e-17ff-4fa8-bb11-4521e9c8976d,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b5527b-9a75-420c-be07-9d10d48b5027,"4/16/2021, 9:14:36.709 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1d5bf885-7294-42a5-9ad5-d03cd079c091,"4/16/2021, 9:14:45.867 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5628ad1-50fa-4c56-9065-974d6ee29d5d,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b40f67d8-825c-475a-9deb-09cd5af9df81,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d02b741-11f9-495b-afa0-fdd3670a3051,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86edddd8-655a-4408-ae44-db63a46a8621,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0f081a-c35a-47a8-aae3-b36af30f1b11,"4/16/2021, 
9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6daf24d2-a16b-47a1-a2a5-2b76dd3f2b0f,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dea35be4-3efb-487b-899e-9655ef0ac7e6,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129d1201-bf6a-4738-bd86-83d67c35a0d7,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a673919-a400-4bd6-bbcc-0789d49c5356,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ed54343-adf5-4838-aa52-7ca6b9c6fc84,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d83cc8-abe1-4f8c-b635-5bfbe416e4c1,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abec1129-a7bc-4fd6-b904-f026f5e96012,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64512bda-ce74-4606-8a41-ab7dc8868787,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e9f581-877d-4813-a2d4-12af20b2f874,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c55bb5-55a2-4eeb-b4b5-a63d1e018dea,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e19cd82-d575-4925-96c9-a94c59b611f1,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e5eb6dc-cebd-40b9-8ef1-3d3285f1d3db,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60768db-1001-45cc-9cfb-43f635a45a42,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e904729-5659-4a15-aa16-bbeb317d9b25,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06a080de-1c3e-4b89-a29d-aa4458f61ad7,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8a745b-2525-49ed-83d9-9e3c352efa31,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090b9f1b-c732-4c7e-a885-4e5429e82f45,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eed2d5b6-cd9a-4664-bf4e-8ee9aa210792,"4/16/2021, 9:14:49.155 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d210780-fdab-417d-b474-f9aaf76cef48,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,246997bf-16f0-43fe-a1b1-f9e4c815bc5b,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc7f044b-3ddc-44ab-8cb8-5efcdc158650,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2604 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9b1a1a5-065c-4a9c-ad15-3b790a544efc,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac2ef537-dfc7-4424-8a92-3bf5a031e166,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10564 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf41cb10-a831-4635-83f6-dbc0892c84b0,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9996 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,960ebbcb-e751-4288-98e2-339c56f01bdc,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8044 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,891ddce9-43fc-4f8a-8be0-129a4c22b83e,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e598d97-123e-4b4f-b8b3-c424dce783f5,"4/16/2021, 9:14:51.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae506a47-c1bf-49b5-a69f-f78e322fbdc9,"4/16/2021, 9:14:51.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9e4889ce-c134-44fa-a55d-b6ba77c4ccb1,"4/16/2021, 9:14:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5460 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f2419aec-d240-48fe-9a86-89631af0994c,"4/16/2021, 9:14:49.272 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d4a20a7-4535-4bcc-a005-8518d7f52217,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c433cf61-a921-4304-b890-7fddb77be458,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4c1d53-6232-49c0-9254-876062f14c14,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b5203d-0caa-423b-bdd9-6081e6deecd8,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2588653b-a874-4b42-902c-b1e8ab149c23,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29cc2c2-c296-499b-8150-dfb1ac9e79e1,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e1c5c9e-d28c-4274-a270-5d7fa94f17ec,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06833cc3-7256-4b7c-b4a6-0e0d19f09a8c,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142fc2d8-d9b8-47db-9e88-a0f54893dff7,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa37735-a62d-4c52-8fdc-630abf40a8b6,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48389e17-44e8-4986-bf7d-4a78592bc383,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,773ad2f0-ae46-4b6d-a585-7648cc2941ee,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2146d4aa-0d6f-4107-8922-332b710cbc90,"4/16/2021, 
9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0059a97c-b831-4d21-9f1b-23692f135094,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92a31ffb-8ce3-43eb-9a19-cc0429cd2bf3,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dd494aa-5254-41aa-864f-d4bb5a1ef940,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13defcb3-0271-4df3-8081-23e3b2fccfd5,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e561220-ed7d-4ab0-b5b5-e2b307d0ea04,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af7d99ea-d855-4aac-b9b5-dade5f2bd0d1,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b237096e-70af-4940-bce0-8e909c63e943,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25a5392-bef6-4a67-93e3-9fa639d66379,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,006f4c5f-9b6d-4744-b9e7-9ccbc6354155,"4/16/2021, 9:14:55.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bc4b8636-fc79-432d-a148-f9eca4dde9dc,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bcc7eb81-fb42-468d-9474-4b508df434d7,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5840 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,243bd508-7032-4a24-9992-b982727ebd8f,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11328 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,32725abd-c64f-4d71-a441-230ecc726d59,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2096 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1812_NONE_56B727F399423259\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1812_none_56b727f399423259\TiWorker.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,c53ba320-08b0-4710-9149-9963e6e005bb,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5848 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\490\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\490\pmfexe.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,752e67ed-b954-47d0-bc0a-5b78cd313748,"4/16/2021, 9:14:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a9324cce-9ad7-4d2f-a4ee-a3b95074e8a3,"4/16/2021, 9:14:57.007 AM",,,,,,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38950517-2e11-44d9-867e-8d382efff749,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e99bcf1-45a3-4220-b7b6-80055c7a96be,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29fd322-d660-474d-bd02-6b3a8f2b05d5,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7486f187-0a1f-4b9e-b53a-6f4ef88dda7e,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b820c3dd-5778-4d36-bae2-9295270436a5,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b014c78e-1cf4-4621-be50-aa47474a43e9,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e19ea5-727d-44a8-9de9-030d16909fb9,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6084d521-931a-4300-83a3-0c9afb94e64a,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b12bf86b-f41c-4d19-81eb-c06c92693eb8,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b7ac17-3ff7-463a-ab40-59b73bc3dd0d,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8588379e-98a2-46f9-befa-e8f35fb07489,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f75dd10-9143-495c-930b-8097c5b64390,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f2601f5-f41d-4d6d-b397-0888343344b0,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1925fb4-3f3d-4180-97b7-f3e34b7b7a82,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfaef545-58b0-4102-a5d5-67ce24624391,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\VJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,927fb63e-e834-459c-bfd6-eb09c6f41ecc,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7009c8-d907-4687-9191-262b6d315845,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,668cb099-0696-4393-b689-d3076a0db4d4,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce137959-7693-4b35-b36b-092e3f00bb0a,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f8deddb-2602-42cd-8504-17b9622a277f,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50b29359-3114-4174-a73f-9448fcf94221,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9da5ffd0-bc3a-446c-b44c-aac4e0728057,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1838179b-21a6-4dfa-8544-66f0796e9f0c,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c5725d-8300-4594-987e-913eaa7ba17c,"4/16/2021, 9:15:02.128 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72fc2a24-0ed2-4428-9525-b24a2a791e5e,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5002cc4f-2970-4b3c-9b6b-6a2fe2539cf6,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ee4127ae-99bf-4a7e-9b2e-c4d0ab4dd16b,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9637a4e6-2df5-460a-9fe5-90199c33ea5c,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,537578ec-1080-44f2-8125-211ab0de70df,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b3ec015-e5a2-4142-9117-272c2ffd1477,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dd6fd3f5-ec35-406f-97f0-d5c10f6c2776,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read 
(ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9ea716e-b15e-4802-bb90-a5f9161c6b8c,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d9c676-5fe8-47c8-82f7-9dcd238ff771,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74affa3e-7c87-41d1-8ac1-d7df543450e5,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03a2668d-7952-4392-ae91-c8ffa971ea22,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83c663f4-c16c-4907-a973-278630cfef47,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21e8747a-04b2-4866-90f8-7df7f275c279,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4ff8a29-b868-435e-bf08-645ee52e5f22,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53929899-8fb9-4535-b60f-e91391e2b9e6,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,849e8214-99af-4060-9ae7-ea8a8e46a460,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ea58205-3917-4e66-b546-ddf28a106d51,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,62b968b9-1bc8-4e3b-bcd2-293199469064,"4/16/2021, 9:15:06.417 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e119e02d-d535-48ae-b5d3-a9f830182121,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be96f2d6-abaa-4441-8079-3f358c9c3f54,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d85539b-6fa4-4fb0-a71f-482c3aabb43d,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,920b9779-d442-4ead-a1b5-9a6062208fb5,"4/16/2021, 9:15:06.417 
AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e70790d-c057-4ab1-b531-6c16076069e2,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af008f54-7520-472f-9ce3-2d8df4601091,"4/16/2021, 9:15:06.417 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\CYG_SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66d4d564-723c-45e4-a9f7-c49be37efeda,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,70c888cc-decd-48cf-998f-1eca7f39d998,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +\TRAINING1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d168b160-a6fb-4445-b37e-0ae0c8578e50,"4/16/2021, 9:15:06.417 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c78dc4a-1d2b-4b0c-920c-5db54449a2e6,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bb620cc4-33d2-46ce-a954-4b5b98247dcb,"4/16/2021, 9:15:06.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,069353f1-4adf-44a8-b1f8-f23743aa6f63,"4/16/2021, 9:15:06.417 AM",,,,,,, +\JESSICA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2e977666-047b-41b5-9243-12574a788172,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 692 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93e38552-0315-4515-9e14-6db23d75411e,"4/16/2021, 9:15:06.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6908 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1db62746-fc12-4ed8-b2a6-02c8df69d1ee,"4/16/2021, 9:15:06.417 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffe5aee1-4d50-4ff9-960f-b976ce9a57fb,"4/16/2021, 9:15:06.417 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fc430cec-f255-4367-9301-6748e0268cc7,"4/16/2021, 9:15:09.892 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8565510f-7a2a-401d-b6e5-644f3e256a4a,"4/16/2021, 9:15:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4136 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,42bf9906-ae63-454e-8eec-dc3084364dd7,"4/16/2021, 9:15:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3dc0c43d-c19e-46fb-8996-7250c2e6eb05,"4/16/2021, 9:15:09.892 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9192c45-3a3a-4b1b-ad65-108b1b03bb26,"4/16/2021, 9:15:09.892 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f807ae1-2d22-431c-a8b7-45bcb955195a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4f0b43-80ca-4a6b-8d8c-85038f755e8e,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d8a3a4d-415f-4b3e-a62b-a94d175e400a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7062361c-389a-4290-9bc2-4ba116c59a70,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a4791bc-d8c1-4d70-bb43-3975e3ba8b1d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,478de325-2e37-481e-aff0-6ef982c3d3d7,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71d44552-cfb8-4820-80f1-8bafa69974d5,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b435f00e-1d76-4bc6-8761-0bf62e402331,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dbbeb55-a0da-4600-805c-74094b7c381a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35c2eca8-41d5-4445-910d-1a642b43078d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,822569d7-a6c0-4c10-bec8-1a5381d08e6d,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\USER01,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f51ebd67-b348-4e75-b79a-d416eded8125,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76033931-0de0-4899-a8c6-e66deb5d1246,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cf2b0e1-3a91-442c-a7a0-7bc123393a8a,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,492bd954-23cb-489e-ba29-e49cd4e83e43,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e4992d7-5f4a-4081-a946-7e1cc8bd4f60,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b149f78-b96e-408a-8091-c3d5f29b1dc7,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d8d59de-2689-4b54-abda-3ebe2256612e,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab42a39b-ae17-4739-b3e0-bc15a8883fb1,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f862b75-2f99-4337-ae5b-f5a6d27ba058,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,794fc106-22ac-4717-bc14-91a5b4807fd3,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb8f771-45b8-49fd-8320-a719d970b1d9,"4/16/2021, 9:15:20.715 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb2f8e00-6bfe-409c-a0f2-d1e51c76f95f,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10796 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b428ea7d-2e23-4a8c-9944-ac17abf2a70d,"4/16/2021, 9:15:24.609 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,d66381a8-940e-42b7-8676-2c08543cb8a4,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f518b1fa-f10c-46d3-9336-a10d65b0bd4d,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd03830d-9fce-433c-b9bd-197a09d84881,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,81352a72-70e5-4417-97a9-696bb1c90ae7,"4/16/2021, 9:15:24.609 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6748 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,849c1547-31dc-48f6-bc1b-4751d828c760,"4/16/2021, 9:15:24.609 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit 
credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a3131519-f7c1-4846-aa67-2544a1cd26b4,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bfee6b13-d661-47c1-a372-f810db366173,"4/16/2021, 9:15:32.874 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24199fb5 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,421b9442-783c-4b18-8f0c-8ec87a9acbdd,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,692b52bc-3f01-43e2-9d84-1950b2e12b3e,"4/16/2021, 9:15:32.874 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3808ef6b-b7a3-47af-a785-d818c6e17f8d,"4/16/2021, 9:15:32.874 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e62607f8-695a-4176-9a10-ec68bee64aa8,"4/16/2021, 9:15:32.874 AM",,,,,,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed177c1f-96bc-419e-8fcf-afcfc3064ac7,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17ee450f-2983-4100-8d25-579691cd8f86,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,634d32b6-67c0-40ed-b8e5-9242ff4c7b20,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f13d7576-241a-4e54-9628-925665958bbe,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e864cc2-a841-4d70-9ae4-ff1f7b6c3b2d,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25b7e999-2d15-4e8b-b34e-0c26253c790f,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,720233f9-34ec-470c-8df5-76242b8b5809,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\TESTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f445a21-7a3e-442f-a5cf-ad8a833c5ea4,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc882357-bc1a-4063-b562-2fe52aeb8eb9,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beac9a25-8350-4f36-af51-440c487381c9,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a7a378e-0e6e-4ef3-afdc-b65499e0673c,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48f8da70-2786-423d-b616-91810ad2c90e,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84357f91-5f3d-40ec-8bd6-2b7d4233e48a,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4466a92d-954b-48ec-a2e8-638c319d6134,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\IJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efadc3bd-7cc2-4f2f-b672-03199e2fc3ae,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,401714d3-827a-4d51-914d-404bbfcbd5b5,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a34e595-bf7b-4fee-aed9-7178da16dce3,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab05451f-1115-432b-8fa8-f4ee549ab701,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384d9cd9-95d4-49ac-84c5-dd5f7abdd922,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4f7f62d-fe90-4cc3-8d51-19f52c46889b,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6028f03-4ba6-4b7c-9d9b-16aff7ee5a78,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41d77ada-1c08-42f2-9dee-d324291925af,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2db3bc5f-856d-417e-99f1-31d98d570644,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec1fe361-ddcc-4cc7-ba7e-2ea7fd3ee4f0,"4/16/2021, 9:15:35.738 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c85629a1-af4f-4396-9edd-c520c4ae87d8,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,62219800-d0be-457b-a99f-210a32a8be84,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eef18ad9-a754-4d1e-a1fb-1466bae8448e,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8d6bf39-2974-40e6-b251-c594e90c5c16,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c56583e7-4dae-40c0-9b59-86a9d58d1d14,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbda723c-4af7-4a67-80ea-5a54e5d38cc8,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ce6e459c-2141-4c04-a385-b4cccd41b49a,"4/16/2021, 9:15:36.072 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c150bda-e9ca-43d0-9988-04e03cd7ebfd,"4/16/2021, 9:15:36.072 AM",,,,,,, +\POSTGRES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e122b477-c343-4d31-9d13-7c45e6c0fa01,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0fe35e04-226d-42c6-91c2-3bbfa46c350f,"4/16/2021, 9:15:41.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21ac5958-386c-4b67-a704-37d650040aa8,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7b03eb5a-3034-4a7b-b894-1dcb2df77167,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1024d312-e72d-42a7-ac55-1b63ec15adff,"4/16/2021, 9:15:41.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e86c3115-1c85-4d9b-a07a-4e4c9b33012f,"4/16/2021, 9:15:41.414 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af609b2c-9c04-4625-9820-de4a3d196f8b,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\INFODBA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7fa8c86e-3ef4-421b-adb1-b3b4497add0d,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5238989-aab1-49ec-bc6a-d90aec75894f,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\PRUEBA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f59f2fab-19dc-4a06-9884-6a2adb33b39b,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7904 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2f31aeac-7946-48b0-8f86-772313828494,"4/16/2021, 9:15:41.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6697f12a-8f9c-4d6e-8ad3-1f27f45fe4c8,"4/16/2021, 9:15:41.414 
AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a1052f0-a934-447e-96f2-12b981537e50,"4/16/2021, 9:15:41.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2a957d0a-2cdf-42a4-8ac8-f2ed828158bd,"4/16/2021, 9:15:41.414 AM",,,,,,, +\STAGIAIRE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19477a4d-c7ec-41d0-96e1-4b01f40d4e39,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05157b80-257b-4307-a2b0-7f2fd686ac0e,"4/16/2021, 9:15:41.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238786a5-01b0-41f0-84d4-7d835032428c,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b386ebce-463a-4806-ba4d-1ec97b5ac1a6,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15edcb90-2b92-446e-8a60-faf005337609,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,978796e5-3abc-4bda-a943-50a912d62840,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f182a1-bfbb-454d-be56-16f971b94261,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8b0a164-638d-49cc-a9ae-cf02aa1d6148,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d486c8f-0660-44ee-925c-5ca906f1a55f,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f939806-75cd-4b02-95eb-217aa1c881be,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4314cb5a-1ff9-4b37-aea9-b599103a5704,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21622f51-62b8-40da-92ee-ebb79ef816e5,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34dd121f-2ede-4575-ac0f-44087b270a9b,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a96903-247b-4453-9434-ae10e25d49b7,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3b326e-3b9f-47bb-a88d-9c82b6e9e998,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8082d511-f629-46c5-8a9d-8b91c1edeeb1,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf1d09ad-e224-473b-9381-2a0e6214dfc4,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eda9d33-9352-47d4-8843-b9f245e28996,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333b7723-4c88-4d8f-a5fe-87de14c52314,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc88fea-72d2-4d03-9e4d-062df8b24c20,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38a293e-d3ca-4461-b55e-e663b6ba1869,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecfd1421-0708-42b9-b037-e1290632baa8,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a13d25bd-f2ba-4b5c-8c25-2cfbf7f87ee7,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce65831b-dfc8-4f45-a415-f56a7b675745,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9965b61-b740-44a8-897e-741c9583a05b,"4/16/2021, 9:15:45.125 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8824 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,02c81cbf-1fa7-4a1b-8708-c1c9ce25a0cc,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8989d5be-9b3d-4c40-a651-3c9fe7397e55,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9192 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,602a3c3d-5e32-4c7d-ac18-bc82e856d887,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5792 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cb892692-0709-466d-bb0f-cdf1cd69acdd,"4/16/2021, 9:15:49.273 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1512 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c25d4a36-ed60-46b5-83a3-44dfc90994f2,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10260 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5746580c-0322-4c10-bad1-9a1eb3e5c9c9,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6c3bd3f7-a8d5-4a40-99bf-60c8bb9e57b1,"4/16/2021, 9:15:46.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2672 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b1d50bdd-b530-462c-bb41-b551557ec10e,"4/16/2021, 9:15:46.999 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7997d1f-a81e-4a65-aef4-e11cffcde5c2,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18757fd3-1dce-40be-aae1-a2f453a560f5,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,147d7e68-6830-42a6-a10e-daf6d3efc464,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc1ec11-9943-4737-9dc2-947433f66504,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f03e70e0-9834-489a-b19d-4202899d8b4e,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53104bae-bebd-4406-af86-81379be61360,"4/16/2021, 9:15:52.712 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,182de4f8-0512-4f95-b22d-d939d8e360b3,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d6ed301-1136-4175-906a-79211cb47439,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bd7d5ab-20b3-4f0c-94fe-e9dde15bb725,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a06dcfc5-7041-4560-846e-d9541adbd1e5,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c473a87a-3343-4ab8-a88d-249960ff6f06,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7219a6ee-4caa-455f-ba61-07da267d39ec,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c89f032e-da2e-4aae-8c26-2422a94264a2,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ba667e2-8d99-46f5-97f3-8cb6d854abe7,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bf94799-d612-453e-807a-e5cb7adf8d1f,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\PRINT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c6c8fcd-dc25-4316-b747-8800e28d36e3,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fb7bdc6-9213-4f63-b002-f88820f1c197,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c11e2cd-0d51-4062-8bfb-4cbc58e21a60,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b859e6a5-1807-40cc-be73-5293f6759318,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed6e27d-117d-4abb-8633-dbec0458fec9,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efecd885-fb0f-47c5-8d61-42e0bb14d224,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bb5aeef-ca56-4943-b6e6-56a9f0385837,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96ceec55-2291-42fb-a993-e679729c9d9d,"4/16/2021, 9:15:52.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b471d7-6dfe-44e2-a173-7012a950d585,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed9c5a41-fec0-4d89-927e-86f29e0cf2af,"4/16/2021, 9:16:06.713 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79322a38-ecc1-4afa-b3e9-01b9d372f661,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39f6daf1-c8d5-4747-8f3b-b4b628a707e2,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ca818da-71fb-4e97-b00a-33757b36b6c5,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ba79623-553f-4ce4-9afa-b228802ec7ba,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71f3e686-46b6-4744-8e31-0367665ceacb,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37bfb583-64e8-4c11-9272-a7998e1c2d84,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,836e7946-0914-4e21-b008-59df42533889,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\SCANS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d1a88b-5889-458a-81c1-096f9e4358e9,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06e6bb63-e024-403d-8dc7-fefb5e2603ca,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8250a30c-0e20-4c61-8196-9bc32a91a4c0,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f331026c-999e-4289-b042-38f9e03429f8,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a290b28-371f-4810-93d0-339b212bfd73,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9662ae2e-eb66-42b2-99d4-72fec05fe8d9,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f93c012-bc50-461d-81ce-276f970f613b,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd230545-3e9d-465e-860f-ea6942c1b3ca,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,868a5585-d361-4e33-91f0-16a58d02adac,"4/16/2021, 9:16:06.713 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c34703f-dfb0-44f7-b33e-8d5d13dadd09,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6faea0-dd3e-479a-9e45-d5bc0a41fde8,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d5756c-2cd9-4c40-8fdc-e3ee28c6c302,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0c7db31-e6b5-48aa-849c-4f2e9b52268e,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d214c18c-e3c2-47a3-8f64-b5e887eafe71,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6f542c5-7a65-431c-83c5-6982b50b8b54,"4/16/2021, 9:16:06.713 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed2eb443-9528-4e58-abe8-dd95dd62891e,"4/16/2021, 9:16:06.713 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f51886c-0900-4504-94ff-b11ecf414e56,"4/16/2021, 9:16:06.713 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e5f5d040-9630-4c12-96af-c5e0052ba131,"4/16/2021, 9:16:08.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,79a87cb1-de18-4c2c-b5da-8d168c01639d,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae7b535a-b4dc-4b2a-b3e9-1e5cd8e7592e,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ccae8fe-1969-4344-9259-c9cf77523ec1,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7e38cdb2-c6d2-45e0-92d9-db4975ee04ed,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ee05460-068e-4fca-ab4e-add9f753f989,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6665bc6-55bb-4a36-a69f-99cff99caee1,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e949cb79-7900-4c42-8401-55ae91382a6a,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21351daa-bee6-4516-872c-e7dcbd935cad,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,01aa5f50-c7e8-4209-a0d0-9bd8811b482e,"4/16/2021, 9:16:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0fdc6de-06fa-48a3-b572-b1f7a6508378,"4/16/2021, 9:16:08.062 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01befa16-2b27-4521-bad0-2728682f269d,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\STAFF,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,444c2ab0-942f-492e-a946-2a4139bf1767,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\USER5,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca761d40-f756-4158-954a-7cf004565899,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37166b76-358b-4a2e-b890-fdc52728d1ed,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\TUSER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6a964a0-dcf1-4402-845c-c232e6026f23,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3900 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,174ccd0b-329f-4a64-8d19-915a53c5b9d4,"4/16/2021, 9:16:13.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7c4dfe80-afb9-4d39-8d9d-9924aa36ab55,"4/16/2021, 9:16:13.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09b2f5f1-38bf-41e1-a615-eecd6079f974,"4/16/2021, 9:16:13.410 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,28cba675-a875-411b-80fc-6fa3fe4d200d,"4/16/2021, 9:16:13.410 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ebb2be3-85a3-40bc-9f57-27bfeb8cd4eb,"4/16/2021, 9:16:13.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab14939-a17d-4c95-a40f-bd36e20a9957,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75194733-c50f-421e-bb52-3b1a050a35e6,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf9354f-de5a-4af1-9ec3-f683f5a4aed8,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6877b32a-9350-4e57-854e-f2fc77a0b271,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c83efa15-291f-4dfb-b2f8-7f774f4cd588,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef6721d-1145-48d6-a84b-bc4724d59fe7,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6839d13-c7aa-4b86-a9b0-2e567671e97b,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db612474-4432-4488-b324-8bff9689b3ae,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d2cb83-a0c5-483b-abd5-358ad84ed091,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6bce0f2-fd9a-4a62-8cae-2afb2c73d05a,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ec1726-cc84-4e37-bc64-1bda69e29d8a,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fdfc3d3-feb1-4358-9a3d-45e42bceabf8,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3376bf5-45a9-4d59-96a0-188ee400c025,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b70b19b2-7925-408d-9521-1670278699c6,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae5a0d2-989e-4882-a317-7b6ab2ac7adb,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe43e0f7-481b-435b-ae6f-0e37b6d2c7c1,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab896c94-2a6d-4ceb-8a52-4ce75d446bb4,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deda3532-7821-4a6f-b24a-a2f51f590d52,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d6d36f-b67d-4ced-9293-c39481f42024,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b3b86a-5ab5-4609-a89e-53788868804b,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5da1df4-6ac2-4d28-9f53-057167ebd1af,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7afa107a-19a4-4abd-a341-fd7356baaadf,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2682137f-dd6f-4255-a7ea-7c72a81173f4,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d65612c1-9a43-4d03-9c1e-ecc6a46033e1,"4/16/2021, 9:16:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f22adfad-fd1b-4aa2-a123-154f0bd36cae,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a601402-8e4e-4a54-87c9-153240d86c13,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,879402a9-62b4-440b-96cc-18d617bd8a90,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cf750d-f0bd-475c-b48c-b0ea9b675f3e,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2debfdeb-a541-40b4-bfc5-ca0a40f7176c,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4e2fd7-ebf2-4b62-96d7-2aa773d48229,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2983dc12-46ba-4747-b11c-53bc9f6e46e4,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2fdb5ab-bd3d-4173-b561-9f43343971bf,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd758552-c5fa-443a-879d-6e044e679d54,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e40f5a4a-ee1f-48cd-9659-bed7b82257aa,"4/16/2021, 9:16:24.129 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c13018-cde8-4299-86b6-d54b03d4da16,"4/16/2021, 9:16:24.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe85ca9e-0475-4f4b-a82e-8fb7eec4a738,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,737252c2-fa33-407c-aa84-84122e3f81ca,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 
32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc13d09-6a30-472d-9d24-d1711d67a87e,"4/16/2021, 9:16:24.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d41a65a-35bc-449b-8937-8ca620cf1def,"4/16/2021, 9:16:24.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7af39c80-a3f8-4043-9978-0215bd5ce688,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd412c02-2787-4cc5-9d47-7648764b3db6,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ca42674-e3fa-4401-a8ec-3708e24fbae8,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19d38ef-5e51-4eda-b7b1-b7357fd48d93,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5923709-04f7-479b-890f-596a3de3a695,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48760b65-e2e6-4dfc-91b1-da4aee5f27a0,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,253083f0-34d7-4c4b-8f3d-89c6bc626f4b,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf362dd-58a2-4df7-835b-43007ed143df,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e536f917-ec91-4f85-bb2c-072c503f5bff,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7914fe-decc-4ace-b7d9-77fff02e2e21,"4/16/2021, 9:16:24.129 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47921518-45de-45bb-9c55-beacee5ac875,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cadda89f-3da7-46a4-b308-9ea2e7d6a4a7,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9beaec2-5897-4df8-98d5-b948c13853a1,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\STAGIAIRE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69286549-b425-4aea-a797-621c0ab06eda,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\TEST2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fbc04d4-bfd8-4c1a-86dd-f4db0bffbeee,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b98a703-9347-43d2-b96e-ac53d45e3fda,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe1bc337-31d7-4a5b-a471-f97e31072569,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1a078e-345a-47ae-80f8-101c23a9e4a6,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65512e07-55db-4c08-86b5-2f54b32c78c7,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a253a22-84b1-4afa-a28e-b210a501bd0e,"4/16/2021, 9:16:20.705 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f0b9dc1-6263-44bb-a9ca-9e6be72c17e8,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3cebf78f-1eb2-4926-bf15-d59c393a9234,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,536f642f-05c2-491e-b688-90fb9185136c,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1d3af6-6a6c-4166-bdc9-00c5be2e67e2,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c83ef794-697a-4ca4-b55f-85ae10b25f76,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa34c5a5-3a8c-4be9-8165-81ad8a3f5f3f,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d404e9c-dbab-4543-9c5a-0c284e357869,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92f1788c-ab5b-43e3-aeb6-e9eafbc4487e,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, 
+\TERM1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28e9c809-7c7a-46f5-bd12-e44e5648271d,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07b00071-2722-418b-ac28-4b217c296df8,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\SQLADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a631cce-8491-4923-93a3-e1d2923bce5d,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6974ed59-faee-4cb6-849d-8fcaa44a1a45,"4/16/2021, 9:16:20.705 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ddc020d0-638e-416f-98eb-aa7e1659de04,"4/16/2021, 9:16:23.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11468 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9e86ce12-af12-48b9-864c-593fc573c4cf,"4/16/2021, 
9:16:23.870 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,b63129d0-8247-4822-a930-e57753d03bbf,"4/16/2021, 9:16:23.870 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fac80d25-5906-4612-bba1-77b41c099967,"4/16/2021, 9:16:26.627 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2db7b5dc-b07e-4ca8-84fd-b048f104dd61,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8400 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5ca25446-88be-4f04-b6ac-57395a036ec6,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aea431b1-9bb0-484d-b2e9-62eca174f8c8,"4/16/2021, 
9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,79aa0ad2-f3d8-45e3-8c79-69ebb146fb55,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9304 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5910298e-b1b7-43c9-900e-d86d278e702a,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3736 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,00d33245-cf0b-4fb1-b285-073b171b6026,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 
- A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e71b45b6-d4c6-410c-b649-8c03485e167e,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f1d7cf9-ac69-439b-bda8-283be2d72438,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bdc4632f-b249-4b0a-b2f0-f71a4c92565f,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5264 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e130702-06ae-4fa8-bcb1-752822db5d07,"4/16/2021, 9:16:26.627 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 2636 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e5f568aa-be60-40d7-9464-4222088a9b16,"4/16/2021, 9:16:26.627 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e36583e-d39f-4442-bba2-4b4025ce6408,"4/16/2021, 9:16:26.627 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d76bf4-d905-4361-a686-7b76182ef1dd,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71ce040e-069c-4156-b3a1-bd4670ff9f30,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,024d8ac2-6389-4fab-8a61-4e2f6bd59594,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bf65fb2-6ed4-4152-85b1-80753a405f08,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0b72c2-473c-47aa-ad96-b72a07c6dea2,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\DJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4343223e-be97-4fc2-ad97-f2f8a84fd78e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ecab7ca-cdad-48b0-80e7-a44867fa6be3,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0c3afe9-d934-4191-85ed-dba46d47b10a,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d206c8-427c-4858-a5c7-f8794e92c5cf,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,647080a7-1610-40a2-b42a-0ffdb403bdcf,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce198108-c707-41df-8e11-7d61f3db705e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d91dffbf-3895-4928-b6a0-034da31aaa24,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53001abd-a28f-459f-9298-642a9642261b,"4/16/2021, 
9:16:32.716 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34062aa2-b514-4f3c-9f6f-697a3efa953e,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2152d374-2fa6-4aeb-90e6-865e2e80fe0f,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a070ce4e-366f-4170-95e4-d17c2acf345f,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f89638-eb14-46f0-bbeb-e5d3fa35b5b2,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dbfa05d-1cf6-4a60-af80-9893511aaaf6,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\TRAINING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a105935-3685-4e37-8cf6-6499f98be047,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0b9ff02-dadf-46b6-bf42-e072c3f1750a,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea6ef2e8-3657-495d-a9f8-7313cb262d76,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99496125-d730-4789-833c-89f652df2862,"4/16/2021, 9:16:32.716 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49910c18-f9d9-4afd-b433-19b851ae44df,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d6ec3f-5f49-4dc7-b5f8-74d067443daa,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb284ce1-b3c6-401a-8682-75b6fdb00f69,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f95b505-e8e2-49a2-a2ab-32d27d53c1a3,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44983751-3417-4512-b9d7-af302e2086ac,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f3da76f-e158-49fe-8b0e-e6aea66be38d,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,334711e1-28b0-43ad-8ec9-f9d0ce7f8256,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, 
+\ABCD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b9515f4-e9e3-4f34-a509-4092e10c03a9,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aedacc90-b409-46e7-a54f-2ec90a48f8f5,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373b6bd7-e34c-430d-ac8f-b96d99220dcf,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,588c97b4-bf28-47a2-9aad-d106b33bdc8e,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1583c48c-c113-42c5-a2e4-18a2b4458a68,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1abfa24-a3d4-4251-87cd-f7967ef3420f,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a100c8-6e14-4b57-9aaf-576bc0ca1226,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67c84dcc-c586-4ffe-8ef5-2106c14f7e54,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5e985ba-db0b-43a8-8367-77a129c4091f,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9703d2c-15c8-4cc8-9e87-676adcd112e1,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd56cf09-2dd4-4985-8c16-b4d0525194be,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b6d2ef5-c4d9-41f3-ac8c-50072717c3f7,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1415d7fc-250b-4664-914b-ce37e07dce15,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c384f3-8978-47f6-9e99-8aa0cac833be,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,711b3646-661e-4cf7-98d5-5b02bfbbe590,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0beb329e-f435-43eb-bdcd-f0df8afb4ada,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e9b270-46ce-4a69-becc-c97f3d857dff,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,acf18694-40d6-4d31-8062-13fdb65795c9,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff30401f-034b-4c5d-a1bc-66cc74f927a0,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f699963-c30a-46ee-949f-73ba112ba894,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,45178845-3cea-4a63-a00e-9a2aca48f1d5,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,64f6395d-30f1-4cda-a667-0340a381a98b,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of 
{__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,70222c8c-1f90-4c8a-9e99-1244ef04522b,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eeadd3d-7cfd-4cbc-8640-fcd63a5fbee5,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d7b249-1543-49fc-8770-8af11f397e0e,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6f3b7f-b4fd-4ff0-978f-1abe4353e013,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,300a3ee4-5e36-4c90-b991-20abfeaf02f8,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b369c9-2013-4a3d-a519-ce6b9101b8b9,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ac0694-b293-4235-a8ab-e23cd67f6ca2,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ff13dc-8d03-4a49-a535-19ce0464dcac,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a28a811-f08f-4ec6-9dfe-7edd482fa257,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d76ef93-55ab-43b7-b528-24f604afc854,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0e2da4-c935-4f35-ae8a-e1208ae7bb17,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd84fc5-7ad7-404c-90e3-c0d369ca2bfe,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,388d451b-909a-461d-a54f-36b16a1ded27,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,28cac47b-4e72-4a05-8205-81264128935f,"4/16/2021, 9:16:40.133 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c513a394-6c67-4ad4-96c5-7988b081cb35,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,05707b6f-9dff-411b-986a-2d1d23a61ce7,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,395a4e5c-e12e-4f01-9161-2ea0c440619a,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b245fa70-f5fa-4e31-b267-b062df5e1f6b,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb059d1-0ef1-42f1-b503-f1b46d642dff,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,291d02a0-bd77-4ed4-9880-60dd1eb442c5,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b7f097-3fc5-4dfd-ae39-f75d38a13d9c,"4/16/2021, 9:16:40.133 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36761d8e-8987-47e9-9843-56226ce72bdb,"4/16/2021, 9:16:40.133 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7310fe6-7592-41cd-85af-e37a3e0f0e99,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,190cf2c4-e8b3-4c95-8a9e-b7f642c2b168,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f49fe399-77ca-437f-b407-4ed57915e5d5,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,564f3888-fe1b-4e97-9b50-1de5ec2178bb,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d452ab7-2da5-42fd-8763-c881a43076e7,"4/16/2021, 9:16:43.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9fea088b-e2e2-474d-b6e9-acadba8b2975,"4/16/2021, 9:16:43.058 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aa96a17b-00df-46fd-8bb0-1e3d950c1f60,"4/16/2021, 9:16:43.058 AM",,,,,,,
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2375b47d-40d6-40e4-a177-2c21e4a40c64,"4/16/2021, 9:16:43.058 AM",,,,,,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,804dd1c6-a206-49c4-81c4-e41e33eec1a5,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee085fed-0048-4d3a-a10f-a711ecba5770,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50095b21-63c1-43c0-8eba-c40e30c1d88b,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ebe78fa-1486-407c-ada7-99c0f03d563e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7975939a-79c3-465b-8646-9a6188873983,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de90e6c6-fd19-4886-a683-f5e23e884571,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4d278bd-81d7-4c75-bc7a-2363c46e4b62,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,703ecd31-2581-4c11-bc4a-97376a2493a4,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ed23bb-fd9c-407f-9be7-847e773bdf30,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5adcb861-29ab-451e-a662-0b1ff12cdf54,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,528456c6-6997-4a1b-8684-ffe61f0a3c48,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,838cfd9d-2847-4e07-ac1d-1ed8ee9de52e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a3c6e9d-e22a-4fc9-b908-9ea6c88997e6,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd59739-63fd-427b-a8de-d12dcaa24863,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d6749aa-5b02-4c1a-bdbc-af6ccf433f3d,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\INFO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fdf65a8-7ea4-445a-9651-52343a2e19a8,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16665701-382b-4384-accc-71aff92e2c93,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf74d87d-de59-4290-b3be-c7537bd16980,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c8862d4-be31-46ed-84cf-0e68ebfccba5,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,446c56dd-0901-43c8-a2c1-47929f9c851e,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56bb3609-f068-40c5-9130-87b0bfb454f6,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1d69384-258a-40e5-8a3d-5b18d91ea631,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73e5e3a-7bc0-43e2-8847-45630a1aed76,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6383aa6f-b687-40bd-a1fc-fc6d85c2dea0,"4/16/2021, 9:16:45.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b2fc78a-17cf-4150-adda-8d4de08aa84d,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,597913b9-1889-4aa8-afc7-0f9801a1628a,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf0e03fc-91ac-4c40-9353-cbe2b4631812,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06007359-6cd9-4757-a010-849a7afff610,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593beebb-63cc-468f-9733-9f28506ae1b2,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d300a71f-5172-495f-857b-b212fd38e655,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02507f5e-2503-4417-a363-d9acf2013bd4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb08da15-986c-485f-a76a-5bd2b8c9d13b,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce38fb1c-178a-49e2-b78a-131c943cf539,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99802637-7822-4b2d-999f-f0fe37163010,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddd43fb1-7197-4d1d-8050-dc5ea2eb3686,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d099d1c-6d7b-42d3-af23-fffac595c5e4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,506af2a0-2428-431e-8798-2961e4612548,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\IJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c57728d6-244c-4dd7-a84b-06fea7626447,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52abe594-0627-4a71-a4f1-7c9f9cec1196,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2628acbe-1d7b-4aff-a7f6-84439a01cbc4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2560af09-a478-4a65-a5bb-a3d513145f47,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3969ba6-b3fd-45cd-8260-f1ede791c08b,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18fd1c5-23de-443e-8623-55715d616e0d,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae15b9a-3e54-46b8-a1d2-17fb2806f361,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0096cd89-fb11-4797-9937-c8a86403fa6f,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ca37653-4f04-4906-8b11-f2064cfb8de5,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8479b38e-3888-4b0c-9515-dd669c604ad4,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a8848a4-a0bb-4f59-b615-9dc9f9bb9138,"4/16/2021, 9:16:46.129 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5898d452-cb92-4876-addb-74510ba9a1be,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37dcf962-e96b-4469-a536-1d3893c035a1,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5424 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f4eb94ac-0613-4914-a676-9149b4fd9001,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f8a00c70-25db-46ae-ad16-61dde6a5af11,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c17042bc-4a77-442b-b0d8-161effd41c6f,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42f2bdde-a954-47f0-83e1-b07b3ca836ed,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5320 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3caf9368-b16b-4a20-8df8-bf72ca46b607,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,09805d63-0cc2-4930-8004-d51c655c2874,"4/16/2021, 9:16:46.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b97af5b4-3254-4d1d-ba18-e5769784aba2,"4/16/2021, 9:16:46.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f144cf83-2686-4556-9e34-6b5ee8e71f81,"4/16/2021, 9:16:46.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2b0a982e-a7bd-4687-ade4-7346435648e5,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1056 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,235722c0-9b61-424b-b767-47e9220812bf,"4/16/2021, 9:16:46.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b155ce72-e076-4fc9-917a-9fefaf14a7af,"4/16/2021, 9:16:49.282 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ed5cf947-bf12-4ad5-b741-c48be1e40cbc,"4/16/2021, 9:16:49.282 AM",,,,,,, +\IT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,54912d90-342f-4483-a701-a673f19435e5,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0732dbfa-ff15-4784-8165-49ee49512f2c,"4/16/2021, 9:16:48.551 
AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9911e264-6e29-4d84-973f-3e82d78c603b,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\REMOTO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cedb851e-234d-4c8c-9a1e-96fdc4b70f74,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c090ba61-1d26-421f-b3bd-f4aafea5139c,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7d20cd16-d8f6-46e6-b6e1-ab91a4306fce,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c79d7791-e11c-4883-acc0-62f13b113581,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\MARKETING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c681e3a0-2e3c-444a-ab74-3bbdc6335883,"4/16/2021, 9:16:48.551 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4e5c908-9e42-4632-bf9f-7c307511cccb,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6baae6ea-36c2-41cc-981f-c73b07572ae7,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba9a353b-9802-4ae9-b5ad-688580c8792e,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a6bb050-09ec-44df-aa9e-12b47391d73f,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54231d16-46ef-404c-8ac6-7b0992869b0c,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d001d66c-f4f3-43aa-ac66-14b579db06c8,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62911359-0b5a-4b99-9809-733da6fae510,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a70fb6d1-80c9-4012-b506-91b28bc7b413,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb88b5e-6031-4bcc-addb-e152ede22c3d,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa06ddb-0319-478d-b61d-966c3c2b4c24,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493336be-e387-4c92-a0ea-9ec110b95ebe,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6c7585-fdd7-4c43-bd2b-6816b10c9271,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544c07f2-fc61-43e4-9fa7-0525953b3411,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91a9fbf-fad4-4260-b479-6ce60632f2fb,"4/16/2021, 9:16:51.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a7a2f14-494b-44d8-adc8-20cd0529a33a,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a9ca40-0ab5-428e-ba7b-e765607e48fb,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13530f6e-bad1-44c4-a480-7c890ccd8cf5,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1428 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,bedf4470-94d2-4e89-9a7b-28452f56395b,"4/16/2021, 9:16:51.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcc6d0e-d4b6-4bd6-bedc-ec89f5f0ab37,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29269d66-f529-488d-9047-c89239263b93,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7065da8a-f145-410c-a975-353d7422380e,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29e0eb76-0111-4155-ac60-8525e48c10ff,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3602244-89f3-4a67-9c8a-cb08c729e9c1,"4/16/2021, 9:16:51.129 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f5d94aea-8472-4c56-863d-19a38b482d65,"4/16/2021, 9:16:57.610 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8984 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,26ad7ddb-93cd-42d7-928a-d92f9f6eae24,"4/16/2021, 9:16:57.610 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,cbdeefbb-2955-448e-9e9d-42a640cffd7c,"4/16/2021, 9:16:57.610 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c6fa695-02d6-431a-a466-29abf6817a7f,"4/16/2021, 9:16:55.878 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4420 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f1f50dec-d1cb-4a99-bbfd-8998c8e7b2e8,"4/16/2021, 9:16:55.878 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b1dc59a-1ded-4961-982a-ef31de1a0b3f,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5574870f-b6b8-49da-9bd3-2d528fceb284,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef630e6a-d465-467d-b985-78da0374bb6c,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed39b0e1-4d8d-4bf6-a344-5a36ba032c03,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1511bfc-00ed-47ea-9c1a-ae53d19d86e1,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3edfc8b-3472-499c-b06f-3cbf0d082685,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\USUARIO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c81cfcd-bc57-4f38-9527-cac29a5898cb,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,591f0dc8-f41e-45d1-9ee1-02c9a3eede06,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e76b6fc-3685-4854-9610-b3ea3ebd3da1,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5637ede5-4345-4a0b-b139-9f5548618dd5,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81d5a049-809c-48a5-b854-29f9032d5b55,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24963b91-6cdc-4cbd-9f06-c292baa24f83,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a52ba0cb-a041-4cad-b714-37105e19adec,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23a43d82-1ea2-46fa-a02f-be5775421fdd,"4/16/2021, 9:16:59.706 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,042f98db-612a-43a2-b5c2-a5c2fbf9e6cd,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,871273bd-0a81-400f-8522-dc1c345084cd,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0925c371-9783-4bf5-bb01-c609c23b440a,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66a14d80-491e-48ae-bf13-c821622cf2d2,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7581199b-cea8-4e36-a9b9-1898f6e71ba0,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d4d8b23-1334-4a9a-a390-8b088551d126,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95ae5254-54ec-42fb-963a-cfae902ccd98,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a16f0f88-1d67-4897-a93f-4ec55454e687,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f322e82d-bc22-441e-a9f1-914905323aff,"4/16/2021, 9:16:59.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17adca3c-e4fe-4e6d-9f7f-75dcc68d1ff8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9737c6d2-9ce4-4a92-b4eb-593d9d403014,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40d5a7a9-59ac-49b7-b64b-d3e67f472f48,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a0142f2-fb22-461d-b116-d64351bbb175,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b5ab254-cafa-4262-a7ba-abed8b1a15e8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\TESTTEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,316de0d7-9b87-4871-a9b0-8d085ec27a6d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0103df9c-b2c1-4e59-8fbe-692c06c76a92,"4/16/2021, 9:17:12.717 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4003ea0-0ee1-4c7d-83c6-ff068724e1ff,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0273dcfc-e699-4880-92e1-5e680046f153,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e064b77e-7d21-4dd6-9e0f-2f9aa9a7b2f8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28d1ebe4-342c-4c55-9e66-a0e2c227497d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39620b44-7755-4b54-891a-731d59d668c7,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,925a6549-853c-431b-8969-bedd2fb838a4,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73ec5e53-219f-4bea-8eaa-b7fd44d21c0d,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac0269a0-ec97-46af-acc6-5d2ad4051e8b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8df9367f-100c-438a-9d63-714edf57b425,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95c70115-ca9d-4ab6-b926-261e61fef8a8,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7e489d5-96e1-4953-9945-aa83fdabb19b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,429106ff-10df-4d39-b749-e1239de7eee3,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01282718-68f8-451c-93ae-b5695755b771,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e31c4e1-fe55-45e9-93c6-e56c5cbb348c,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0b7ae5c-d78a-4a45-8f13-b37de00ced2e,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1852a39-aca0-4678-ab16-fa33d3f0a30f,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2e2acdb-6d20-45ca-b852-f78f86bf9670,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acfe49e8-b900-41eb-b239-e5626e109f9b,"4/16/2021, 9:17:12.717 
AM",,,,,NTLM,, +\XEROX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b01e223a-88d9-40ad-ba05-829a3d1de74b,"4/16/2021, 9:17:12.717 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0240f077-b749-40cd-9c79-3866ecce3885,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cde7119a-30da-41b4-8f09-e256117ca8a8,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ab7623e2-ea55-4524-ae0a-567824759ccd,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9cb3cd47-dfac-475a-9631-93e46d5cfc60,"4/16/2021, 9:17:16.122 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cadf9ef7-8ca4-42a4-aa13-6b775bee0668,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,322f442c-90ff-4a9c-8aa7-3582c8303e73,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,27a219ac-0e40-4577-a381-152db023f680,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,55672be8-8908-4d75-8305-4f19d05c23fb,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8fc380ff-b110-43e5-8313-1a515d23a7b5,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eff7e7da-fefd-42ba-bc44-95502e395c99,"4/16/2021, 9:17:16.122 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8c2133ca-d4de-44ba-88d4-51d720706687,"4/16/2021, 9:17:16.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67f74d5b-fd07-4286-b7d3-542cd4def0c5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbddb3a0-d22d-413e-a83d-16c0f1ac99d7,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7283aa15-ebd3-4648-8e5d-ce4d7576f6ac,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83db2614-e52f-4f33-a3eb-e939a08fddc2,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e66d319b-040e-4439-90cf-60a9d211a01a,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea44a87-9e39-40b9-ba3d-ed0090011c33,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4893a5c-fbfe-4cfa-b77b-c7e7d8f63a6f,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55e4cfaa-8946-4849-8869-5c023783df44,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ff5331-90a4-4a22-aee5-e51ac468ccc2,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59e6a108-8954-4e48-b6ea-dd3ef604db8b,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18be614-8572-468d-a8db-ce250eebc982,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b01b779-20b7-4bf0-b842-7d4d07beedc8,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d676e34-beb8-4a20-879d-12c5baac847d,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,52f39d23-1a44-4453-a82b-46203280f2f4,"4/16/2021, 9:17:21.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c45b79-c9bd-4b35-bd93-3df0752ae6ee,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f385b6d-e1c5-4760-b7e0-e97fa26f7632,"4/16/2021, 9:17:21.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2792 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03462bc-c8eb-457e-968a-2127b18cec5c,"4/16/2021, 9:17:21.129 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c769ebf-d759-44a4-ac75-623d8820cb22,"4/16/2021, 9:17:21.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187f11f7-ae8b-4f97-bff8-359c183343e5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e1ba140-3f46-4017-a543-5ba647b02c7f,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c0cabda-83b5-4bbe-b206-d2b254e7e249,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d45009-e42a-461b-9233-8bc94dc743a5,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2b3587a-ff73-49ab-95d7-8880f1c7a5c9,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b097043d-ae53-4f93-a1f4-adcda158bd1e,"4/16/2021, 9:17:21.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08805ba4-df9c-4c42-8779-d71154d53ef6,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975d5ec2-366c-4195-a198-c089c48d10d7,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30cfa161-1472-45f8-b432-31114da5bc16,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b186c1-acb1-4d65-85d2-254f39c657fc,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb51e140-68f0-49f6-bca0-5091d08bbbfa,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c72360-83bc-4ca5-bc11-03496b03f8fb,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5bc9a8-7400-4864-ba83-7aa279ffa98a,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,571c998e-f073-4e74-ab87-8165208083db,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5478ad76-8c56-44da-b34f-c3117bb23305,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41d9760f-46f8-4a0d-8610-70fae00017a3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add4508f-3f8f-4d67-a626-0036f75a46b3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40058061-3497-48c6-a63e-a5917247a7ae,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9abb857-6662-41fa-a215-7d538e4276b4,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba1545e8-a28b-4335-8026-1cbd08b7859f,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e396bbd9-ef14-4fba-888b-83147fe4235d,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2edcccdc-d508-4792-b64a-80c69687b186,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0de06ce-e4b2-4d2c-93c7-793ee090237b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6995c32a-2293-4f28-8632-732a07012a88,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f040fbc8-3c3c-42d6-b7e0-7a517265568b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94af08a8-529d-4989-98b0-badf9561ee77,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477effba-4f60-4be2-ba5b-61be5531970b,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84a3ce2e-a55d-4dc3-bdbc-85c54274eadf,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a39f711-b8ca-40bc-a59d-5a3e122d1fd4,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,207ab2b6-49f7-4649-9b0a-9fe00af377dd,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b2d3533-7830-4575-a60d-5d8660416ab3,"4/16/2021, 9:17:26.287 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c487c15-3b2a-458a-8872-60167b2b1c73,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1772 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,894c0b30-c185-4180-81fb-3928d24bdff1,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a3bcdc35-b224-4cbb-ada4-e4757881b8d7,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1888 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + 
C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b03afcb5-b04f-4801-bf24-32f6bce53de1,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,26dd4ad6-89cf-4209-9600-b20de1fd4ae2,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9090e6bf-ba8b-4fa0-84ea-544964e66e67,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8736 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a1582304-44b6-4198-ac0c-c63bee5301b1,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - 
A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cf4845fd-ebc8-4698-af08-3c8281660ce2,"4/16/2021, 9:17:28.707 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2a01ce7b-313a-4148-9ea4-957c4b18eee4,"4/16/2021, 9:17:28.707 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4716 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9990db00-c72f-4afc-88f6-b52fe1bbe85d,"4/16/2021, 9:17:28.707 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36fdfa42-03f8-4e7d-86ac-7385047d7c2f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fe2edf-b121-4404-87fa-45be31c594a8,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0461eae-3aa4-40c4-8eb4-2163d19288e6,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb469e82-f71c-41b2-957a-6d735f984459,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b48a949-5368-44da-a494-92aab4aa330f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8e0d88b-8675-46cf-9f30-75980ab60884,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2bb5eec-4640-4766-84e3-41ce6a09c735,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4118ba3-be88-4879-9a0b-362643f64a74,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03899869-ef0f-467a-80e3-31eab15a5e84,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8b60102-3a33-432e-89ae-8240f5ff66b8,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4dff8c5-df1d-4aed-b5d8-de7c65f90734,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c6db13-2b0c-40a7-94cb-4b29cbf83e7d,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\DEMO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26dd68a6-e539-42b3-aac7-4d604de0cd44,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7cb811f-d8f7-4528-9fcb-a779dcd90706,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f52a06e-0fca-4573-a516-af480a5b376d,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a188ce2-f34e-48b9-82aa-b27cada2e75f,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\SIGLABOO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2f3081b-0020-4f4b-847e-87ea71fc9a14,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13acd710-6847-467a-b8d9-a75bdf13e615,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,821d5d5f-06cf-42e3-877f-e6a9765eb82b,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bf636e9-f361-4e9e-b39f-ded8442d2808,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cdb1cd7-762b-47e8-999b-fabeee0f2315,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c044673-4360-41a7-8b91-197d5a7e12b3,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,101359ca-ae12-4d2f-a3fe-2c6135f9bb33,"4/16/2021, 9:17:30.723 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,eb4702d7-ac73-4385-a8c9-94d44daaa2d0,"4/16/2021, 9:17:45.881 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c02f0833-f827-40b3-9af8-ca73b8b9ad3b,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,718cdb5b-b92d-4bf9-8f88-ad5f7653303f,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,928c842b-5509-4d22-9078-eb17a2eeef87,"4/16/2021, 
9:17:46.723 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8d448c-2b99-4f0b-a3ff-7f7c5c0f7617,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,debca76d-b848-4536-8d48-1f5d62e162a4,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\OFFICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a1269a-cd76-40cc-bb6f-bee997235d68,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a424d4e2-1180-4063-80de-005460ebbbf8,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2203d959-e72b-432f-bbfe-683a996679e2,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\ALDEBRA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a8e9620-6658-46fc-b2dd-e439cd60640a,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeb491a4-86c7-4325-9992-683ec17ef217,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f966f37e-06fd-43d3-b7e7-e2dc5725b700,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0dd50a7-418c-472c-87f0-e4231e137ec2,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a13c16a-e6c0-4844-89bb-127a60eec795,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301ba37e-fda9-44e2-8c04-12d8c8b272e4,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f28ce0c-84ae-4f31-8946-1e76b584d665,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,605514b0-fdf5-47d6-ba2d-00874757c91e,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533afc0b-a3aa-4f12-bb8e-95110c78ef34,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9b8472-09e1-4b39-be9e-87f60ce4c041,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2a35434-afe1-4edd-aca2-8ff536298180,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,866ab78f-56b5-45a2-bbe2-42e46a1482c7,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d141a8a-d04b-416b-b46b-f965e9d180b0,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92d6aaf1-2d38-412b-903e-b2b325baeafa,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d1dfd6-6fed-4fb7-a3d8-88097bfa0c18,"4/16/2021, 9:17:46.723 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a4f5dda-3881-4b86-bd3d-8db1c0ed0016,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ae29e17-3464-4f13-b4bf-8cb70266dafd,"4/16/2021, 9:17:50.412 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,88caeffd-2683-449f-ae34-5420154aabec,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfd69428-b2a5-4d9f-a06a-d4ea9091504f,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9cb4c1ac-13b7-4fe3-adbf-692f9875db8f,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4872 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,605cdca5-44bf-4934-bbb2-ca7301d1011d,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8072 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89cd6122-2a8f-4577-a91d-e10b42d673eb,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2376 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 
7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5f52ad2-1fe2-47fa-9c77-08b6eda4c576,"4/16/2021, 9:17:50.412 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b0ccca56-009a-4e9d-b952-7ea5ce255090,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\DANIEL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ecb4c086-14e7-49b5-b2ef-b71ae82b4f30,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3340 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48a15a80-f78c-4891-93b4-bb31c9ff80fc,"4/16/2021, 9:17:50.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6dae5a35-7545-4dd2-86f1-ed674391b5e6,"4/16/2021, 9:17:50.412 AM",,,,,Negotiate,, +NT 
AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c958d32-f438-49d6-a7eb-3a90651a2cbb,"4/16/2021, 9:17:50.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,43bf0f94-5461-496d-99a5-1c75308a604b,"4/16/2021, 9:17:50.412 AM",,,,,,, +\COPIER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,111c30c8-2df6-4649-88a1-b417fd112a58,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71532545-67ff-4021-afe6-ef899c17cccb,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +\123,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdfae17b-39e8-429a-9fea-459ac859af91,"4/16/2021, 9:17:50.412 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6cdea24b-e033-4588-8436-e222b6e535ba,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,bdb94e0c-6136-4132-affb-3c7b2dc90181,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4735270f-44b2-43e9-9ef0-042adfc8399e,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ca8917fa-4ba1-4a73-945d-5f907ebc989d,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,74785bd9-d5fa-4554-be74-c48fba5587b3,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,09fad265-c2b1-4d6c-8a2a-85b030a5fff4,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,be45bf41-acf3-4e5a-bac7-69f3d9b54611,"4/16/2021, 9:17:52.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,f99ccc77-24f8-4b9a-b22c-8778702e75c3,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,15cac7e9-bf41-4f18-a54d-6e0d87265e84,"4/16/2021, 9:17:52.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c905584-b2c3-4e4f-a7d1-59e415c628ed,"4/16/2021, 9:17:52.071 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 372 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0623a679-6fbc-4305-b78c-9f07d0146873,"4/16/2021, 9:17:52.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6904 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4558ca18-7838-4aac-92d9-6b7686bdca42,"4/16/2021, 9:17:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9bdc47a7-b387-4b3b-9775-ee4a6b6d307a,"4/16/2021, 9:17:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7efad8b0-7191-4f87-a436-617a6af623ca,"4/16/2021, 9:17:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dc830f2e-0bfb-4cd0-b6d1-4e0f46ecf4d9,"4/16/2021, 9:17:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6b855a9c-1b66-406f-bd2e-708785c04223,"4/16/2021, 9:17:52.729 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2253497-839c-4a3b-9cb2-63172b7f8e27,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74b82f2d-a92e-460f-9e67-78da494ff72c,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0eac4c8-4aa1-47fc-90c2-a569675ea7dd,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa3fc36-543c-4a7a-bcda-6882f6ffb5b1,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da2826d2-e858-4e84-8412-c439a539e005,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77becdf8-b8c0-4c47-b8c3-afcc0b1f73eb,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\AAJZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467780c4-d4a6-4570-b1c7-107aabecfdb7,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eefc75d-0c21-4944-982e-a785eb4b17ea,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d52b3f8-6a50-41e0-bdcb-d3d57fa1bbf5,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf3a319-a3f8-44e1-91cd-d5f41da70c19,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78618e42-b12f-4c0e-9928-fc93535b4720,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7eedbdae-1a7d-4039-8202-01d0954b8937,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31653abf-e513-456c-8a6a-c8b42555e1fe,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,982ef87a-3739-420c-8ec5-e7dd112e02f0,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b705bc5-5847-4adf-9fc5-ac7de43d774a,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3320f6f3-d1bf-4ee6-8205-9058528478ee,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecbbfa45-ae80-41a9-9d8c-d718f0a9c4b3,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4593a4fd-4133-4b38-917a-999ed4f79eab,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477a9aa0-4b4a-4f97-8c64-fd27d5fe45ff,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2421b746-09ad-42b1-bf4f-4ee91861d8b1,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4f99a1-0606-4b0d-9d4b-c3bbe764cd0f,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c0f3fe-1c25-4136-aaf9-9c3f99b11f5c,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b707bf9b-6223-41b3-a568-2648ccdbc4a6,"4/16/2021, 9:17:55.144 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,68d87d0f-6ca8-4a64-966b-0a68e01787d8,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c39a2081-2143-4a89-b707-491b9da70001,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM 
Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,068e2054-c56f-4e93-a980-3558cd142f47,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c2b37ad-6959-4833-94ee-bafb6bfe4c59,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,71a4fdf3-04d8-4337-be2e-7db4f1f30841,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,222c62f8-d582-4728-b7d1-0d5bcb218f6c,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fdee43d7-4754-49a4-aa8c-69fbfb8f5a28,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0724ecf4-1009-4c5f-8af8-774caf484e0e,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3bfe316a-d3d9-4a6c-84c9-e871cccffdb4,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,08f5251c-4dc8-456a-a7db-a1295dc5bd0a,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4af53ee-8e76-4a54-8157-38c5fd69922e,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7f79fab8-bc9a-4bb6-a40b-04a808c4ff9d,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b2ad5134-3732-4cb0-8611-51b8fb719daf,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7dd02b9c-b96e-45b0-8892-1074f708b435,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,35481254-cc66-45f7-ad60-9268bdf80c62,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9170a9d9-36aa-4572-9fcd-12b60f53af94,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4068172b-06ab-42e5-b1ca-bffd32a1694c,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,61314406-d08d-4660-b988-5aba3e03d666,"4/16/2021, 9:18:03.881 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1dad5dc0-79ce-4cf1-8a6c-45aa9c85bd5a,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e9d9cbf1-0bbc-4ab1-ac1b-25d14a439f23,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,49c47c9e-f299-4691-8d6e-ae96566a4a72,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cafb407f-dbf0-4044-af53-3d184ba20d21,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9185b4d7-3df3-4a5b-9cde-e99ec91866c5,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,21ebb0b2-ed33-4d24-9fb2-67a683517819,"4/16/2021, 9:18:03.881 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,31c4bbe6-e5fb-4268-bbbd-3b87ac9dd739,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4bfb4990-9e5e-4593-afce-a67dc1d429a0,"4/16/2021, 9:18:03.881 AM",,,,,Negotiate,, 
+,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4275e87e-50a6-40bd-bc45-0bda034bc2f1,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,54b5b9a3-28dc-405a-a330-bd9c1ddfd911,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a0fa9539-cf22-46cd-8af9-cdd62282c9ea,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5712 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,badbb887-d4f3-400b-a663-31d095e69663,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12308 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 
4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dbc3e646-fd5b-41ca-963b-90bd2769d1ef,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4d4232a2-b70c-4bfa-ac55-b737cf79719f,"4/16/2021, 9:18:03.881 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e897ed56-c48d-4c62-879c-3dfe439323a3,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3752 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f5998efc-0dab-4082-a5b8-276f03cfe79b,"4/16/2021, 9:18:03.881 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 4360 + 23 + %SYSTEM32%\SGRMLPAC.EXE + 32 + 884A078F302053019A3FE11B1C2BAE826C6B1600D3542A8C0FA4511FE88C0320 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SGRMLPAC.EXE\10.0.18362.01 + 0x3e7 + 32 + C:\windows\system32\SgrmLpac.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0a52d545-3d93-4dd6-b041-105a8c759749,"4/16/2021, 9:18:03.881 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9288fa-b5d5-4adc-b805-be38b7c791e2,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed1273fd-5bde-44dc-ae39-420d17480d86,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83bc991a-fb20-4c69-a238-c42a9a6bdad9,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1a789b-64d8-4bc1-ad7c-b99af01b1408,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,540482ce-9072-4e7a-b729-70fc7ec9a306,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28fa6332-cbfd-4586-abb8-5c96f7eaf8a5,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ed7f3a5-de32-4df6-985f-af44fef43599,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97847baa-3a8b-428a-9498-1dc2f3a38e29,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f83d35d-5566-4441-b6b4-2a75cdfac950,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391406ec-faa2-4443-b902-a23ec3bc4adf,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e6fb829-c8fb-425a-914e-bc1a21f7e8db,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3eeac91-aff0-4d3d-9be0-869c9b865f03,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a02ba8e-7ef0-447d-a8c6-38d24f04ca4e,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a4f34dd-84cf-428b-98a6-44ffe3467ee5,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df92f39e-beae-487a-885a-160767d32988,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e88ff95-153c-497e-8d23-442dc3488133,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fef74b3-1e25-4b50-8def-630c27b004a9,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c53f42e-0339-436b-b958-6121eaa8c3eb,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f657094e-d6bb-4b67-99bd-8337a63dcde8,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec15a08a-da13-4a4d-9221-7662c12cea5e,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef060bc5-68d5-4110-bc32-75ff2eda390f,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b40988-0689-4981-ad4c-8fbe65aff3ef,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b5cebb-4c63-46dd-9ea8-0eb691568c48,"4/16/2021, 9:18:04.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1fd581-5e87-4edd-832f-921a348c3274,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c98458-d378-4d64-8af9-5340b48f5721,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f196fce1-396e-410b-a8e8-08bda761ed4d,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f45344-cc5d-4ddd-9193-900c0dde1d7d,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef8d0b7-742f-4d37-b2d1-e2bb4b649b37,"4/16/2021, 9:18:15.182 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed62c9d-7eec-4374-967e-24fccd924ceb,"4/16/2021, 9:18:15.182 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a8d900-4036-4ccf-8685-8d5d92bf881f,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b35362-9a05-4bf5-8863-78bf5917ed26,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71388a2a-928b-4079-99b7-cf06cb68838a,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a62a4797-5bf1-4c80-bc52-d7cec6e133dc,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2938f64b-89f0-4035-90e2-a29816fd5a3f,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc8d3b2-de2e-4167-a053-67aa618cc5f3,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae4fe89-f543-4203-abd2-c2e4a393b8bb,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c72d6aa5-70d5-4081-bb74-ef6822785fbf,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8520 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,232e3239-4ff5-468b-a0d9-d794d1c1f5e1,"4/16/2021, 9:18:15.182 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6072 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4764ef6-a7f6-4db5-b8b1-ffed6daf6357,"4/16/2021, 9:18:15.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,170acbd5-7d35-4afd-8a55-5d9f5e53dbc2,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f7fc04-bc6d-4166-89b5-b938565172d2,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248c2cce-bde3-4b83-9fdb-8f027dbfca82,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20c02b95-8b72-4683-acfe-ee86916c5ec4,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7e8023-252f-4e29-85a8-c8cceb4ccda0,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e0f24b-1da3-4b26-8384-6c1427462ce7,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fab238d-febd-4faf-b984-88060c160de8,"4/16/2021, 9:18:15.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d229228-a7c4-47bd-a1cc-d5e0759f0602,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c42cec2c-8ad6-47ba-81d7-5c1fb1c1ba00,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1285ea8-7299-4a89-8883-8d56561db3ca,"4/16/2021, 9:18:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4488 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + 
C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e0c154-6a73-444a-b613-14e237d341e2,"4/16/2021, 9:18:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,690e845b-a2f2-4c82-8fa8-bf06ea55a2de,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b639ab-2ea8-470e-a941-bcd1ced81233,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b6b01f-09dd-473e-b990-8885c8c56526,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c0a972-82c4-4e0e-b201-6a5cc31afaaf,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12eb176d-7d5a-4948-81f4-c8af6e0acde1,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4251ba00-40e2-4f60-887f-9a67ab0ebfde,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bb6a8e3-fb7a-4400-bcba-e2887e494208,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2e4aaed-5ac5-4d2d-a1c1-ce4b198130ff,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9c0b6c-ab93-4675-b5d5-4b6970534bf4,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03db7b41-c576-47e5-95bf-6d1c3d9ffd4b,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89efb4eb-e4ff-4a04-ae4d-7f36d57b7338,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa37080-1214-4389-b8d6-7e7feed9ba6c,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e19134e-fa8c-4962-a85a-3f1e12276972,"4/16/2021, 9:18:20.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f768cdf2-dc48-4aab-b5fa-de37a5112bc8,"4/16/2021, 9:18:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87ac6ac1-d36d-4206-8732-37634358cd44,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,445426e1-a553-41fb-9436-f38da697e830,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d59e8124-3ef9-475e-90a5-c03690636287,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e95fc4d-e0c9-42ff-a0aa-f2635bd6eb8c,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +\herman,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847e7bbf-5872-4c47-be9a-fed7656f5a91,"4/16/2021, 9:18:20.140 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24926d1-e5f2-421d-a7dd-4a03a2f23c35,"4/16/2021, 9:18:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3860 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5df6855-abb4-4bd8-bb43-9866cc592f82,"4/16/2021, 9:18:20.140 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0083b858-5a45-4019-a650-912cbb240a44,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d965a77-65c6-4a76-8253-a3f91975c168,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0df0d530-4106-4ff3-aa34-aaa24e2440d8,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9c3d28e-f784-4c4a-99ae-df3b8cb8bfad,"4/16/2021, 9:18:24.070 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ab6f2808-0755-4170-ab1d-94190bd31754,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d97308bf-b57e-4c51-94f8-409d97d6a55d,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f2508c46-f6a0-4038-834f-c57ca05bb565,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,33412b6c-4360-471f-8591-bef5d1feee40,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,724a04d0-59f9-4c37-a449-ea8630e93600,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,011e484a-63f0-4f99-ac70-66cfecd96523,"4/16/2021, 9:18:24.070 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,37fdb470-f766-4085-bd96-2383b37e966d,"4/16/2021, 9:18:24.070 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11828 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,dc07613b-f1a8-4b5b-955a-b6c625c544ad,"4/16/2021, 9:18:25.271 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} 
+ 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d1e37ed9-f8e9-4c16-8ad9-aa74ad372723,"4/16/2021, 9:18:25.271 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,97ca52ae-d700-4b92-bd93-d2d0e5c957a9,"4/16/2021, 9:18:25.271 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a592ad06-b6d1-4957-a21c-a6af5aceda81,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5ec3a8-4513-4660-a643-f54fbfa8ffaa,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7829cb29-c9a0-4155-9488-22be0a024930,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61058a8b-df7b-4a07-8dca-9e7952c409c1,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f7a563-9058-4332-b6bc-59164e9c0e9f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400e75e0-98c0-49ce-bbf4-358acb4559d9,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ff102aa-74cf-4114-840a-c3d98aaaaf00,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\remoto3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a033a4-e582-4eb1-a87e-5ac7b54934f3,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b5e268-48a5-4532-b22c-ca29f08cece8,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61d34458-d0a6-47f7-93f7-9cb3f25f73e5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ba273e8-c045-4637-8e0e-b5e959720968,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352f3b17-918b-4ca6-864f-f3b088c4b71f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b63b5b-7f6f-426c-940b-5f0f94e7678f,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\secretariadireccion,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea14796d-8b64-47c2-8ece-921c95ab2582,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a887681-e7b1-4308-a9ed-0af41baac279,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\PDV3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d669fb17-46d7-41b6-b616-9920502b70e5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e90296d-46b6-4612-bc6e-6fca9bf56dc5,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6673d5c8-106e-4655-b9c4-94502db4ceaa,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed6603c-99ae-4c0d-a2e2-767e135872fe,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a2b89e6-149b-42f5-ac32-0ced2b0a130c,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05045534-97e7-46e8-9907-3879599589b9,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9d1db8-b84a-4f2b-8748-124eb985a327,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a302621-5ac8-4b9a-a5d6-8c71e74e0845,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187616c3-96f2-490f-90a6-cf4d59bd5a41,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\carolyn,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77fc5192-08d4-4c48-acd7-d8c8a34be257,"4/16/2021, 9:18:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,107b13ff-687e-4ee7-beeb-a1d675168ebe,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a216e7-e923-4865-9df6-b8d631dffe87,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e81bbb-3f3f-435d-b62b-84f500c901d3,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18453e12-a2da-4cd7-ba0a-916731c85c9b,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1054eb0-202f-4cf9-bb53-2c200e605ed5,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c49c20d5-08d5-4f88-b1dc-d18e326872d5,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\fep,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c00820-54a8-4696-8c31-6eae3c13e221,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6499af52-c3e3-4d40-87c6-141fe83cf8db,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99687c23-8fe5-4cc3-983f-726991853555,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,defe4392-0f0e-4549-88eb-8f1d242181d3,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d642f24c-5d43-4ed2-b209-71d57e12c95a,"4/16/2021, 9:18:33.127 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a16e2871-fd5d-472d-8577-ac404d9334b4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fab184-54a1-49b9-91a8-26d06cb11b24,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b842837f-4eee-40f9-bdf4-9b76ee4a146d,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,436d20ac-9ab9-4bfe-9c64-280b8b5f40d8,"4/16/2021, 9:18:33.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f0e2f91-71ea-48ce-993f-a2315b41ad01,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17dcc807-16ef-497f-807e-ac80f60cc4e0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41775590-89c7-4c7d-b212-a7fb97589bf0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\user2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c173633-0a08-4080-afaf-723db443cbb0,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da531564-ed82-415b-bd6c-99eee8da98a1,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30f1b0b-d6f6-459e-8552-dbb19d1cf035,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4728f43-a66f-457d-8704-9da59e6ca9a4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ee53e0-9e14-4b88-8ba9-eac6d067f4ee,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfa10f8-ef44-4053-8ebe-c656f663cfa4,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bdc245a-dc5b-4dce-844c-8bd80aeb1fea,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d08f8cc-edb9-492d-a822-301aebd55b02,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,920642d4-cdc6-4f6c-a10d-f0b87581e0b2,"4/16/2021, 9:18:33.127 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91b47f08-7892-4976-86c8-4c1b424d6ac7,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1be3ce1b-9c5d-4ada-b310-242384899ea4,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6751321e-b16b-43ce-b5ed-5b8b13d6113d,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d6ac35b-d695-4dba-9c26-bac183e00992,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f75d6636-6a00-4066-b3df-3f82ff2e652d,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1369c982-8821-438f-96cf-f6924cefae11,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fce817-df32-4124-b98c-c98d9b11aae9,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95406ba6-5e10-4400-8d8e-66a8a26832fe,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abc2ee15-da44-4de1-b6aa-530ccbca7a85,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\MIKE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d249781c-9d1f-4629-a152-4327e144e1ca,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3747450-1db6-4e04-9093-adb5453d2d6b,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61af6976-08ac-441a-8de4-c977a484c75e,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc2f5c74-eccf-4465-a3b8-e99495475115,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb4891f-15b3-4855-9372-f2ad8e13c89a,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08019dde-4063-4734-83f8-3d13939cd990,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f018ebea-b00d-4a1e-9b1e-58671c5b3e7f,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,856389af-65ea-4655-8dc2-d0384e2f41c5,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c076e78c-8cd7-490f-8192-5091e767b863,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b6a8d0a-ab80-4e76-961f-170ce30695b6,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc3ecb99-0917-450c-8819-7dcf80dbe0b5,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,393cf3cf-a094-457e-b7a2-a06f590f8090,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043d95ed-44d0-472b-8051-9e2b6c7e14c3,"4/16/2021, 9:18:36.713 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,97d9dc92-2303-4770-bb47-f5d6921950fd,"4/16/2021, 9:18:36.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,593a4fdd-dd19-4929-825a-d191171e9c60,"4/16/2021, 9:18:36.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6276 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f06230c0-976a-4c12-bc37-f90ee80e17ee,"4/16/2021, 9:18:36.870 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6244e4da-628d-4823-83a4-cec16cdb2937,"4/16/2021, 9:18:36.870 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,abed8bbc-7563-4cd2-aa69-52688d0d9372,"4/16/2021, 9:18:36.870 AM",,,,,,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9482ff60-90cd-4c54-9eea-269a63a334cb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f09716-3f71-4917-86b9-0befb8c6abc9,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba49fd25-e3cc-4200-adb8-46fe51efc535,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bffb37c2-6f27-4dca-a89f-152265d63502,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ABUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,349208ee-7cdf-4279-9c22-f6e15824a19c,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4ac177e-08dd-4af1-a7a0-d8ec8b005dbb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04efd068-c3a6-4fe6-95bb-b3c9349c8f29,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59a06ed-0ac8-47ba-b506-7a0e1387d2bb,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b412a66-726b-4f8d-8483-219e285cfe63,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bc9c2bf-c097-42a4-a261-11c79ca44185,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faad942a-5e7b-4293-bbc5-19f90e09739b,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ed1518-f1f2-4d3c-b987-281e0cbab73d,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fec5765d-4f7f-480e-b44c-34ea5e8879a0,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9ba6f65-09ae-4874-9be1-dd51b45c5eac,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e41114-e193-4c9d-8cf5-af60aa19d2f6,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eef7c67-d09a-4293-8e79-603d76802f5d,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbb687e-adbb-4ac3-ac03-f5450f8852d5,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d53fbf1-ff8c-4cda-8fb0-732f55fe9d38,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22de707d-fbcd-45f1-b25b-6087826162c8,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2a4ef1-62a1-4d09-b4d8-a04b31ee1c2e,"4/16/2021, 9:19:04.138 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0705dbaf-a7c2-43c8-8856-266d14edc9ec,"4/16/2021, 9:19:04.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7264 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,423b1676-651f-4c6a-a879-af7230c69414,"4/16/2021, 9:19:04.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e7a476-0349-4fbb-b1c6-d3bf4d36fb72,"4/16/2021, 9:19:04.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f9427ca-6fa9-47d3-9fe8-b5a7683d6d40,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\dental,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a7da52-5735-48d8-99db-8b477ccb8735,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82fdb94c-303a-44d8-8033-5f25dc6cd245,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76b50249-1cb0-46be-a206-a7639678c9d9,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5876a0aa-09c4-4d38-a1e1-72c2248f1dc2,"4/16/2021, 9:19:04.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef366811-f7e0-47db-b6df-1308eaf610fe,"4/16/2021, 
9:19:04.138 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e23627-cc07-4ecd-858a-9819823753df,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e4d6c5d-3e40-43c0-99b4-fab49cb563b7,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b8e3a5d-32f8-48aa-b754-3b69153fc838,"4/16/2021, 9:19:08.715 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde82964-edae-4b49-89e6-b2b47e9a749d,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a8f352-4fd0-4959-8f90-2fb0d7c26025,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6231924d-9b5a-40cc-9ea1-f087ad09df51,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2c5a741-3a1b-40d8-adbd-905f6229278b,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,354b0e04-d52f-43f6-90f4-705891139abb,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a6a0912-1dda-4e6e-9b50-7a5b655b5b0f,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\RICOH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3aa4ee6-170f-4d09-94ad-20240d1a2eac,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0928e16b-341a-495d-bb3d-98e3afc629e0,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8960af-ef76-4c2b-a82d-a3a82e78b647,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,971ba7e8-72e4-4674-bd30-b714ea8e2b98,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2affc6a5-4062-4b50-9b8c-ce655e70309e,"4/16/2021, 9:19:08.715 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c47a26cc-2ab4-4377-9223-69ea5a841285,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c604b8f-261e-4185-b467-a79f8fb39f28,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb5cd7b-6e88-46ca-bdc7-c2457e37b959,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3d49e9b-29a8-49b5-8d48-d8417f15d743,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f69f388-f267-4ae6-acfd-94d343b5d6c9,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53dae543-f013-4dd7-b72a-83ce43b927d4,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37e4ce79-80cf-4cd0-848b-b280624e93f3,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecedad22-a156-4ca0-8da8-7bc0c2e5088b,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b959eddb-c2e6-4660-9aef-41cca4769f09,"4/16/2021, 9:19:08.715 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d06bf6d-a9a0-4795-8664-fa8183e12025,"4/16/2021, 9:19:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8777da3b-7319-40d7-812e-c2c239356b1e,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05910937-7dc7-43a0-ae06-799a7381249f,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6922bb03-8a39-49d6-acfe-5af97f062736,"4/16/2021, 9:19:09.880 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,43b57241-6a64-48e1-8471-10dbc852266f,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1588 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39d59d48-df1f-4230-a14f-2b11a233f43c,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5444 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2684c21c-6dff-4f4b-8b6b-fd3b06726233,"4/16/2021, 9:19:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,19d2ddfc-553f-4485-8f5b-fdf62ee18589,"4/16/2021, 9:19:09.880 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f11be8a1-3e16-4456-afd3-bef074cd6d48,"4/16/2021, 9:19:09.880 AM",,,,,,, +\USER4,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d33d769-72bb-4488-8c95-da13b2b056fb,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b37bea93-c4bd-4ba1-b6e1-3e969df4980e,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56acac7f-7c4e-41e2-b212-8cc1edc30856,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9abaf164-16b2-416d-aff7-2404c17221d3,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3695c5df-14b9-42ab-a348-883fba1ea48b,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93d8c487-3f95-4a0f-a7de-95192d0d9f1f,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51569da2-0da0-4afa-a730-52a7e9a43bf0,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\CEMPTING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d47b4668-f588-4861-a711-9a7d887f7b6b,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d5bcea-58fe-4a3f-bcec-7df2e435cf04,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d89b32c-d9e7-4f9a-9571-6c84502b340d,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5726465-23cd-4f3c-9542-cb7f78b49961,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b0e962c-f82b-4cc8-a89d-cc84d975b651,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,583c6af7-8915-4698-a4fd-65ce112b6f6c,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1897fd97-bf67-464c-9595-4e0de32a84b8,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,573ac9e5-f91a-429e-b950-bc426e77e527,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8ce747d-3096-45d9-ac46-a2a71efff32a,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aa87f28-c209-4982-8c21-bb9634e63c36,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de611358-df0b-4c68-a2cb-4f3a4339e3de,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bcbae36-e8d8-46c5-b246-849f7d5008b7,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\ACCOUNTS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41e53380-be75-4d12-9aea-438e1f9c86bb,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba6ca284-557a-431d-92f5-fd9452de9340,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3460a10c-b642-4eb9-b6dd-c82da9bf493e,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66373227-e802-4462-9d0c-6284e8600126,"4/16/2021, 9:19:22.723 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6632 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dd21cfdc-f1ea-4b61-9b47-0b27802c3382,"4/16/2021, 9:20:09.886 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6844 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e49a9289-5e7a-468f-98c1-022b2e93e853,"4/16/2021, 9:20:09.886 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e998afb1-ef2e-4207-ba53-9f61568c073a,"4/16/2021, 9:20:09.886 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea15bbc1-c983-4a59-9298-e921e360af18,"4/16/2021, 9:20:09.886 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c7e20256-53a8-4f16-a677-4c061da4b01e,"4/16/2021, 9:20:09.886 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10220 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-03_031925\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,65479a9e-2b6b-41a4-8c84-5d79ac72abcb,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d6c6d57f-bb94-4b10-bcab-526dd0aea5eb,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d9beed41-d0cf-487c-8cfc-ef01b14a66b7,"4/16/2021, 9:20:40.623 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7dee2d91-ac74-44a8-acb1-e5d262f93243,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,afb9f090-6ea0-468f-8a06-2647a6cc504d,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a44f81a6-2f36-470b-83fa-d83320ba5407,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9288 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-03_031925\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d23ecd3-bd36-439c-896a-ed67aa034dd5,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d08e1ee4-e259-41e7-ba24-b4c6cf4f7df3,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,04bbe6b6-8b48-4e67-8b35-3c474035bf48,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fa4562e2-6780-4bc8-b68e-59e88802f1fa,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b47f4d55-2c2c-47ea-bb3e-fd1011d74e2c,"4/16/2021, 9:20:40.623 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0412d452-e0fa-4b74-8faa-36105c41804a,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,edcf9251-b1d1-4a2d-88bc-430f7e8720a9,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbfaa11e-a8da-47e7-81ed-f2aa2b0a3f4a,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5464 + 18 + %SYSTEM32%\CMD.EXE + 32 + 25D4CAE189AA05EF5AC50A92649774E9527603140F67BACC08CB5B59E4C33B26 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.18362.1316 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,78453c18-2275-4433-8eed-bbb4e62a92fb,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 
32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e0685d3f-d8f4-4279-9ff2-eb85655424bd,"4/16/2021, 9:20:40.623 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7ab3055-65ae-4817-b532-e7f6bba12754,"4/16/2021, 9:20:40.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9492 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5109655-d0d2-40a1-808c-208ac564b46a,"4/16/2021, 9:20:40.623 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7625ba2-3c65-4e79-aa10-aae4cb90e99b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdc100ca-8199-4d57-b65f-aab9520f1135,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ab8a61-f3f2-4216-a1d0-86cf0859a9e2,"4/16/2021, 9:20:41.155 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e4ad820-3a58-4c6c-bb39-8521ed9fec2e,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\testuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7f33b94-94d4-463a-9a9c-d405fbec8581,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a05a6d1f-f6cc-481d-b103-e7b753f9d70b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad8c77c1-9587-4c72-983f-76aaa4766c1e,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d15254f-bc2a-4faa-974d-c74e83dc3d67,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cec7cf6b-74a4-423c-947c-01ccb6d2d551,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\reception,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06a40a31-1d25-47aa-9774-a8bb25379b5b,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6745da17-a356-41dd-91bb-2bfac60722a6,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318a2265-be5a-4265-a26d-46dd19eee8b7,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\dance,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad76fcc5-87e1-4ab5-9e8a-5a401b2551c0,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1580ef-0bbf-439a-840f-608d65bc4a2d,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8f6e81-da6b-4165-9f38-09d10d484cc5,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d32f6cb7-d718-440f-8c34-4ff6b07acef8,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f36ae0-aff5-4ece-ae71-e4ca4b13e1ba,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\wf7610,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0094dd9b-9bf2-4ef7-a70f-553a93e3213a,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72c17d68-9be9-4e8d-8539-0711784dd616,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b2b910-1eda-4f0b-83e9-1f1564340482,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75caa653-2db5-4b6d-97aa-b36c8cc2858c,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,406e4360-e192-465a-80f1-d9dea811dc6a,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,818bc62b-42f1-43e0-bb19-b97f838d4ac0,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1de4fa7-b23c-4a25-ba6e-dc8607ffc881,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6934f2d0-e839-4f95-97b5-9d2abe3096a8,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967397d0-2744-460f-9642-7e0170495222,"4/16/2021, 9:20:41.155 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0712f34a-41de-4b80-abfd-488836a8b26f,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\INFORMATICA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b19ba8db-1b23-4c86-be8f-414d57ac3ac4,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b17a128-95f3-46b8-9370-02a80b328969,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\ADMIN1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ebe7bc6-764e-4043-89b2-e7ba38fc5340,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13e6881c-3deb-4cb3-b0ba-e83b3ebf2496,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de1ec4e0-acef-462b-88ef-12d1d89cb665,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60f293fd-a670-4117-a0b4-309306735f99,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e64d2b2a-365b-4999-b9a8-63df1b6de0e8,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410942d6-9f23-4a2a-96b3-2a1a6ac9e706,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af14c933-f138-487c-9600-4346d7cc1a4d,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31d66abc-e672-4e8c-af47-d1ce8d8af001,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9455262-2364-4961-b465-6e045898f0e8,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db073a10-9ea0-46a4-b010-e44122e2a919,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ed0e2f6-0d7b-4284-ae3b-bccfeb7317a7,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\ADM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a5383cd-e4b7-4f50-bad6-02a6877608d9,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b4bd06-5125-43da-96c1-37c8da7e22bb,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffe84939-7545-4230-a962-5ba4dbfb6ffc,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,243f24c1-ef25-47d0-8c56-90c37a5433d9,"4/16/2021, 9:22:20.738 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ebc5092-b97a-4820-b330-22543ab25b3d,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\LAPTOP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b84817f9-87a3-4304-81c0-a83ad498ba0f,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7df92f7-c7e1-494e-b595-21bf72c11326,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfce5e2a-64da-48ca-b370-ce90ada8b4a6,"4/16/2021, 9:22:20.738 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8328 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,23692789-c9b6-4776-a106-2155834d0325,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5924 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,53a55323-acbe-45a7-86e1-7c6996700b89,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5048 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,764b5fb3-f657-4eab-8e28-a58609c493d6,"4/16/2021, 9:25:42.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ec0a81f8-4db4-4b50-ae9d-d83aa6c75d87,"4/16/2021, 9:25:42.002 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e007f2b7-8882-4c2c-b0b8-0421e3333e1a,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b32ef470-f0c9-41e2-8258-9f6ebf627aa8,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b08afc1-15f6-484c-9545-46dfcff2d32b,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b42481b7-f6f6-4dc8-9de3-281e6a9b5289,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80030417-2e18-4e7a-8c76-535f210fa107,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58c18216-f24c-4b56-9bc5-0dd114092d04,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72531110-61d5-4a57-8632-89e024cb23d3,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\SHIPPING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1eea8782-eb1c-4206-9f3a-e0998dde83dc,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\EJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55d64c0a-e61d-449f-8bb4-6994742741d0,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b76b7104-0d0c-48d1-a9b4-bfcb0aec71f4,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,117ef1e0-6447-411c-b426-00bc2bf35155,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55380dd4-b958-44fb-80c2-4bcf3fe5a002,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4554151b-6e25-4e6f-a06b-3b0604bc8d88,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f1c0bc5-757c-43e9-a0c3-a1dbfd6cb018,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a4e305d-fb5c-45a9-8bc1-d80bb981e771,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed19ae9-7523-415a-a9fb-da62e0038f80,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\MMAZZOLA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bd55415-0fb0-4453-a255-0d4fc23c76de,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5d6954b-d3a4-4658-a6ec-d53aad3a4608,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,793edaa1-ca18-4d6b-9e1d-51b5f8b95395,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3667a1cc-adc3-4e9b-a6c2-81149bd1bab9,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ec86c1-a52f-43d4-b3e4-d9b9dee5a851,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,932eb54c-8936-4269-a326-59532e60b3db,"4/16/2021, 9:27:22.745 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6884 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 
2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d626e7e5-1112-4586-b8fb-6e9c455563f6,"4/16/2021, 9:27:32.158 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f51f1f-c53d-4c1e-9a77-5c9c2ca4a321,"4/16/2021, 9:27:32.158 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2d2b12c-12e0-4e9b-8043-b8503972979f,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,306a390c-d180-479f-a3ec-86dc97f843ed,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c65f00-ffa7-4941-a4ac-bbb591de248d,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21956de-8692-4789-97e0-5ed27745f0c3,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39533936-899f-421f-918b-5393c1a37c9d,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2297c15-5f49-48e3-bb34-0c8e8789312c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9672bfe7-e2d4-4258-9d28-db06c4af7d54,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533dea62-d399-48c7-9b65-172c82f57fce,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b8b3bd0-c73e-4d63-88d4-67ce1c2d00eb,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efad12ab-cc7a-49b7-889a-1da015833a3c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c434433-7f00-4ba3-8ef9-d1b465805f91,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef148f71-6b09-4ed5-a21c-298413238a74,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69a51c27-6d62-47e1-a6e3-efd248e5462c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053fe717-47a3-4892-9b07-ba242a553f65,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e959cd7f-9e3c-4f5b-bff7-b5b8611772ef,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c1ec5e5-5011-4c07-9aef-14c2678b160c,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ce26665-91f5-40d2-ba6f-09f96693520b,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,ec15ab3c-81d5-4da3-9e3c-8c1794be8d65,"4/16/2021, 9:27:32.158 AM",,,,,,, +\PDV4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2d45f50-2e32-47be-9ae3-228742388dd4,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf17973-19f5-4fb5-933d-ed26bfdf87e5,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e0c0df8-88e7-408d-a31f-5a4432f326db,"4/16/2021, 9:27:32.158 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,7a28ff36-ca21-4a35-bbee-05f9bb63ae45,"4/16/2021, 9:28:45.879 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4987228c-8ee8-4119-8823-ae2cb4883a2a,"4/16/2021, 9:28:45.879 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bb817882-224d-4ed0-85f2-458b4de3cee0,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cd51c019-13b8-48e3-8d59-ef5f87ea38b1,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3668 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,11795f49-8266-4b28-9a18-8299dd9ed674,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6376 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08a885e2-53db-4f01-b61f-f2f0bf197799,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1656 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,25cb018f-289a-4105-80eb-02419cef80fa,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a209e560-467e-4991-be2e-384b78856388,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3540 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bc403e75-3fe0-40c2-9b97-710bf0a4c162,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,32a462f9-e446-40cb-884a-7d86f673437c,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95ef75dd-544b-4b9a-a4f4-8286ad1872bb,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,964cb01b-1354-4cbb-a1e7-24358c17bc7f,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,81e477fb-e1f3-4876-b4dd-e53969e30cd9,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26e11238-ad2a-44d2-abff-d4d3208662cd,"4/16/2021, 9:29:02.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2037c96-6022-43b8-8d24-5a98ce028a6f,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3784 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\Windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,972583e3-82d8-4e86-bc55-c7a426af23b1,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1e253fa3-7fb8-42d6-a89f-d2bfc6c89756,"4/16/2021, 9:29:02.896 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,912917cb-2706-44a8-b90d-18abd004dc32,"4/16/2021, 9:29:02.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0fe8cac9-009a-4da2-8ebb-a728a8ed7e08,"4/16/2021, 9:29:02.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 144 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8913d27b-b1d4-4a9f-9360-175d36108722,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process 
was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a2abb0a5-a80a-47a9-bad4-4b3bbba2030b,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9792 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,aca7ee28-c7d1-41a5-8dab-1db5b98c6587,"4/16/2021, 9:30:49.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7804 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e1888086-23aa-4d19-88ce-4b36bcd7fcba,"4/16/2021, 9:30:49.280 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95015134-4254-47bf-b3fb-d046e022e78c,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adf32be0-4292-43b5-bbd8-b93ea6e6313f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbdf06a5-4ca7-41b1-adf2-e2ad148262bc,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4520ae0-edbd-424b-83b5-81f01317e66b,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a11fa78-2533-489a-89e3-c0cee2fff507,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d466ce28-2057-4b2d-91dd-62da6aef6288,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733bc346-79c2-4b07-9c34-ffc2f8401f6a,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\SAGEHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71d7d73-f520-43a6-9a13-ba34f17d4d2f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0728fa59-c365-47e7-98e7-5d972c7cb679,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb10cfc0-a605-4506-b3bc-57b858ffff19,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c445a5ca-09fe-4805-bbc5-93638ecb01e1,"4/16/2021, 9:31:22.148 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3638bdb9-c243-4e4d-8304-e46618360586,"4/16/2021, 9:31:22.148 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e13ecc-ed64-497d-911b-544b25e01870,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104e0808-2e26-4d61-b2af-ec1bb48a44cd,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,943dd5c1-7270-45bd-9065-2957ee424e70,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18f13a5-52db-4247-915d-49fa294a8a55,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c6ba3fd-ff6c-4752-b04e-ff3ce3435f69,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b290a112-8bf7-4e37-8984-f3366dff1ece,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65af24f-e12f-4575-9e02-a874906c535e,"4/16/2021, 9:31:22.148 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed3e85f9-7745-4d66-83b1-215c645f470c,"4/16/2021, 9:31:22.148 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a139d83-0d34-434d-a702-731aa8bf24ee,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c205d5a-b97a-41a6-af42-48ac431473f7,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34afab50-6514-4965-9422-ff779a3340f1,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c99f0f10-4e6d-4067-b0c6-6d6ff8e60e6f,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc406f88-06a6-40a1-9621-ae868f3794f4,"4/16/2021, 9:31:22.148 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,aa610425-ff55-4057-8e9b-b95047607bbe,"4/16/2021, 9:31:45.879 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 13444 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ad56111e-c8d3-4ad7-a143-bd0c773edbba,"4/16/2021, 9:31:45.879 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,73941774-71b4-41c3-97b2-c765e6a3f945,"4/16/2021, 9:31:45.879 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6ea1c64-d681-4f58-a415-51b4d11abf62,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8f3a7c-915f-4c56-baec-275da740bd29,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12cfb29b-bd18-44b5-af8c-1c65d50c088f,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f3f599c-0665-4881-8a2c-8f8f9a00bb57,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd456227-26cb-474f-8eb7-e972556ae315,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae193637-e48c-4f07-b2ff-ac1beb6cf9d8,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20b35612-ebcd-4ed1-b9c9-1593348487c3,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab393de8-ad5c-4165-929f-52320a675d62,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fd7fa5b-d9db-4459-bfcd-382eb87420c0,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,736baaee-22c6-4667-9a41-deedc18f813e,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3f1cf6e-2fc8-40c2-b88f-c8ea2bfaefca,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e191b9-9169-41e2-a0a3-99c8b7bce807,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,48783d72-1fc5-4c96-a870-bb2abd195d28,"4/16/2021, 9:32:23.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5b19c2d-80ee-460c-9de1-6c9a55c7f9ef,"4/16/2021, 9:32:23.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d6264f2-87e2-4700-9e4d-9da732a332d4,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,753c3adc-89d9-48bc-8e25-1ffa12821451,"4/16/2021, 9:32:23.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ae6ede-a5c7-4bf9-8322-ba39bfc1a382,"4/16/2021, 9:32:23.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,708c290a-be3c-429e-8116-6f54bfc1092a,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebe484c-3170-4e22-b325-f1d404aafb2a,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61a67def-40f0-46d4-88c0-82d06acbd620,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1de0e38-e142-457c-b573-4c17ac5b5976,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08aa55fb-1fa8-4f1d-95a4-6d4e52b0ddde,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c5e752-f417-4cc7-9e1c-679ad90e3864,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,699ff0c4-c176-44f8-8799-af41e2b3fdbd,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bf8ac31-f01a-4f33-ba61-d8b7f55c4906,"4/16/2021, 9:32:23.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f41b0243-c865-4fb0-8628-1782c8fcda3a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c5e577-c2fa-486a-b09b-a9d638e57d7c,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,583a9ab5-5469-4536-94f1-cfaad172c58d,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,009ec6f3-9834-4b8f-a379-2e53db83d2c6,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23975399-df04-4f93-bde5-6a3e3e04b7ae,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,750df3d9-d6bb-4c9d-945f-db78f69ffea8,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eadffed4-2b21-4a4f-ae15-675562c21e3a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bfaa4a3-3b67-4aa6-a3b7-c95403d3075a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3780d3bc-b2f5-4a01-b2bd-502491b0b03d,"4/16/2021, 8:41:24.101 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f9f1d5-037f-4b92-a401-759717da276c,"4/16/2021, 8:41:24.101 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07c21897-ed14-482b-970c-8d720b968249,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b971d7fa-3d68-4598-b10d-c3f974daccf0,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09fac73-e066-43ee-8f30-54508d71df6a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab0e0c7c-eaa7-402a-9f04-dd347ce8983f,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8456b906-46d9-4177-8331-37e41f5a5542,"4/16/2021, 8:41:24.101 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaeb4d77-b536-4450-85ba-bec7f2f3b468,"4/16/2021, 8:41:24.101 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8ea025-d7d2-48d8-834c-22ebe83ffde9,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfbda5ea-baab-4015-87bc-2ec9698ade1a,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bc0b308-7ac6-4991-99fd-ea7879221dc6,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41fef5e1-21e6-4cdc-a197-5e07bd32df8c,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7953e5bd-497f-4752-96f0-3b450a0242d7,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53ff5f5c-3fdd-4811-83a9-2264bccd7a54,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8d737a2-a7f6-4a41-8fe5-6a9620655399,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4596c3c2-a659-4952-9cd4-a2c1ea5fb09f,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,204b1ae5-8d97-47ba-b329-315dc258eb6e,"4/16/2021, 8:41:24.101 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,de2c7070-de3c-48da-9eeb-1d070b903109,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60577089-189e-49f7-9a00-3bd0ae224781,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd4c6ba6-efb1-4633-9a18-830200ced555,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82ed5afd-902a-4710-a53f-50581c0acac9,"4/16/2021, 8:41:26.527 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bba919c0-f579-4a28-a6d3-809d546f5db9,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10076 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7bda87db-3acc-4a15-88ce-2e9d58828356,"4/16/2021, 8:41:26.527 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10112 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d74ebdd9-0c31-44cf-9582-24162e5ed6ad,"4/16/2021, 8:41:26.527 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ad76f399-4297-4ae5-a098-23313bd752a3,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4507c7bb-d985-47e9-b57e-9adda56c4a92,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c954bb6-3d56-4c37-bc37-a5c5da9f7318,"4/16/2021, 8:41:30.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93f3231f-3133-4d5b-a517-23df410a95d1,"4/16/2021, 8:41:30.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7636dddb-c529-4d9a-b0d2-259dc1bf99dd,"4/16/2021, 8:41:30.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6912 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72414e6b-ee86-4ab0-82e1-8c830f3f6471,"4/16/2021, 8:41:30.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a7863a1-825b-4e49-bbc5-c5d0cdead848,"4/16/2021, 8:41:30.412 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f4fc2de6-99e1-4cbd-9228-e56e454216a9,"4/16/2021, 8:41:30.412 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8699adc9-8978-417b-96cf-08b1217e2a3d,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a296bff-7bf5-4210-9660-607ba6ea260e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ca50e6-2b5b-4122-90e3-c18eacd4348b,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5feb42e2-aa51-4dbc-9870-170d0397cec8,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f62d167-2adf-4fb5-a336-1bded9fc3b38,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487cd937-6958-476b-a32f-660ef77d1d2f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aad35ef-7619-48b2-9a43-092b3ae81f75,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9a81c13-0396-4eed-a725-bd263ff2346e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05daf40d-ed8c-4a1d-a5cd-5d16f2ce5d17,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fa36777-76a9-43c3-9c6c-f39fb9fdbdbb,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af9a696a-5be2-4286-8c8b-a86bfc019eaa,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8743c125-ae87-4012-a849-b8fabd3ccbea,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea79bea6-0cad-4641-9d67-2560700a8378,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09cc54cb-204d-4937-939e-31572c0e2733,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b75ff30-4ae2-421b-9914-bc7c6ded184f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd86aea-2b27-4c55-914b-04c8fa74da50,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e8ba9d-ac5c-4237-985e-0a1d6e6f94cb,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1e237f-3eac-467a-a6c2-0b864fe0c05f,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e39c7d-b4b5-48ef-bf24-f0b132f849ca,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a26943-5da2-46b9-8864-8589b36e5f93,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7172bd73-70e4-43f8-a3ea-7f48ee9ae28e,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,d58011df-141c-4390-8b0a-42d308e7ba91,"4/16/2021, 8:41:31.165 AM",,,,,,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,918fcc14-11c6-4e72-9300-7715ea9b0b80,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b740962-4130-4925-a609-f2c1d20f37e4,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a6c65f1-4aa9-43a0-8882-9f9b17264649,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7b3022-8f58-4f2a-bdd6-b4160c7a4919,"4/16/2021, 8:41:31.165 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0116d9b1-6090-4df0-a054-c68e118df206,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc8dabba-7bbb-4d69-ba1c-89185610b360,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cda51b6e-f921-44b5-8e0b-f410d0e195ac,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f890f20-ff5a-49d6-ad05-f138d4d123fb,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a87c43e7-b741-4422-9a79-8b6a3f4dd32e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59ef9dd8-adb9-4577-8477-a83905bae587,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56d2a063-2d6f-4746-a031-21b298f245e0,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9256c5-ba4b-493c-885c-54bdc7859952,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,859aace8-cbde-40a4-bad0-fddfbf8da169,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0212477b-ef08-4836-b9df-c3b0cc463a31,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301a516d-aac4-42ce-a9ca-9089e73f8dd2,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7ae96f0-be0b-485d-8d97-ee400f9eb4af,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c798a595-1da6-4ad8-a543-f0580b31b005,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33ec0a09-8fd3-4b55-ab10-e106228116e8,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27af5ded-3854-4fd1-b6ed-6953f296df4f,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b79bbc-98c2-4017-86e0-d10a657c5313,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f10af08a-d276-41e5-9986-72ca3d1c153e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84b4109b-39ff-47c5-a55a-889ebbd78e9e,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70316477-9137-46c0-8fcf-8f0a3294c0ae,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d70635e0-45fb-442a-ba57-7a34c3ef1eaa,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2efc2af6-90ca-4a19-b21b-4ecbcf329b86,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c3b8d29-b05f-4712-b6b6-c5d1774733ce,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3054e0-68b5-491a-9260-f5e5a4837916,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccfc37fa-8de6-4a29-84e7-6022855aacff,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd1421e-9862-4da6-8873-fd0549a3af01,"4/16/2021, 8:41:31.605 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5112 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1299\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,76b49315-be9a-44c7-9b71-067e00a469ef,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,855a5365-bbd5-436a-b0e3-55a74a5e46e8,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4268 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f83d1384-c1ff-4bda-86fb-398848fbce0d,"4/16/2021, 8:41:34.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12096 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + 
+",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,66d64f34-cb6d-4baa-a0fc-d833dfcbcae8,"4/16/2021, 8:41:34.257 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b996e81d-96d1-4b33-88d0-232fa541a7be,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,198888f7-e4b4-41ae-9785-b488835e5e00,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1b3f3f-88ad-4046-85a0-74ab2606e0d0,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ef994fa-0d98-4ee1-8eeb-f4024240f19b,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad057552-2312-4626-9fb6-b8411c02ca29,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f65fa620-8c1b-443d-8821-848f4c9b9cda,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82400a3f-cc9b-4566-b8f7-1f61fc1f9363,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2b8f6f9-df2d-4a9c-b6c1-ba19736f00b2,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5ab82db-18f2-40f8-b3b7-35f8d5ef3d5d,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7625f6ba-cbb2-44b5-a675-570c5b30cfe1,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f71fd00d-33b3-455a-b63d-41724d1ec0a4,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf340c7-af1c-4ad8-b33c-1488bb0e3920,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b054bd46-f75e-4032-8be5-cc3c69779e74,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce06b272-97b0-4dec-888d-626679b63200,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed3b81d5-d9f9-4605-abe6-2d1eea397f86,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2878451a-6cf9-4b39-a7b1-b90f6b5055b1,"4/16/2021, 8:41:42.600 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7b0525c-5cbb-4012-8af7-a9109df8a625,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dbf0ad9-8e66-4a15-8fe1-172d07f9da3a,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a0180a2-2cb6-4308-a292-9fcbe5895007,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde7a676-9740-44e1-acf5-c91ca6a44af3,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00d19b7b-d0c4-4d18-add2-5f9c114cc287,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f15d158b-e7ad-4f5e-a41c-80291e49ec41,"4/16/2021, 8:41:42.600 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3d5e3902-b13f-4768-9aab-24845173e47e,"4/16/2021, 8:41:44.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07240afb-edf6-464b-89e9-1faf092e9ed8,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ad87f63-4715-43be-ac5a-ad7159138541,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38a9571-540e-45e2-9142-c0b579302cf0,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dab5080f-3451-476d-9d70-d386c8216942,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d54a87bb-3146-4ef3-9142-cb673ef86a82,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2efdde7-2538-478f-bde7-c1077c413ff3,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e466b52-8280-40ea-b26c-70910e1673d9,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc8c5798-e071-46bb-866d-27337e322868,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd3fd23-5cff-4150-b25f-d73d6221feed,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,936333b4-9c69-4108-a9fe-20be26f8a77b,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32aea48e-7153-47f4-b2fe-990fc1347117,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18187706-fd65-45c9-8e11-24ce5486e5d9,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8123f449-3347-4bea-bcdf-caaf031fbb4a,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c4689b9-ee6a-47e4-abde-b16ca4a6e598,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ee1f839-c9a7-450a-95d9-58bd98f093ab,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b1b73a-3d17-47f7-9095-3b61899d1244,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0fc10db-e68f-46a6-a42c-a6de20fde353,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3909d747-5e71-417e-b945-385e3ba8b85f,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1777046a-41f5-479c-ba7f-8063388e5148,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,839ba95f-1cd1-4011-b701-e330fc06afda,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467ea384-32c0-4a1e-bd1f-9dcd92531709,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46cf42a8-37eb-4280-80ed-004a8b08d70b,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,392b5dce-285a-4851-829e-8d25b35ca717,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5dd98d-31e2-442c-9c6f-acbec6bc643c,"4/16/2021, 8:41:47.134 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f1165524-d0b6-4045-86a9-ef3f09ec58e6,"4/16/2021, 
8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8596 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bc26350d-9f05-4e41-b4c8-6cb70f53226a,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,43189fdc-00bb-4f4b-9a72-b2ab87127d51,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6d756249-fb34-4785-b88e-7a8baa754697,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2cac5085-6db6-4a31-9421-0ea876242451,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a161bb94-31e2-42d0-b24e-9bf1c908ca34,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2140 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9bb7c552-c134-4dbe-8a1e-787c091d8604,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,52ef3313-7818-41ff-bde0-206706b95272,"4/16/2021, 8:43:26.534 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0e7d87a-3393-4a70-83a6-fa3090a30a67,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8409e171-1ab8-4ac6-9a0a-63c26d78a85f,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f46ada4e-e3b3-48ad-82c3-3fcc84685825,"4/16/2021, 8:43:26.534 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02996683-06f1-47d1-9d76-c43d344bbaae,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cf85d882-8c4e-4255-9368-b6f20a39d35c,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 7116 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,429e8d0d-ea37-41ce-8358-ddb1c9cd85e0,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3908 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0daa8c5c-4299-4cf0-b533-cfc3679ab3cd,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a770e149-5fb6-407c-8837-3f00487732e0,"4/16/2021, 8:41:46.740 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dde684aa-fc26-438d-b889-f61b0a786e6f,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2e27efe-0eff-40b8-a29f-1d571b939761,"4/16/2021, 8:41:46.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4937c1c-ca8d-4ed3-bc0d-26ece936fad5,"4/16/2021, 8:41:46.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da02359b-0309-4205-b7d0-077c889089fb,"4/16/2021, 8:41:46.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0a809339-6d85-4cef-abf0-b305566c6ddb,"4/16/2021, 8:41:46.740 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3fe312-e996-47bf-b1ad-8d9147f22a07,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2668057-a0b9-4776-a42d-bc0643ad224a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58002fbc-eb9a-4a82-882d-2507df4ed690,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c9664e8-c8a0-4d4f-b02e-556f50433577,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b7031a-6064-46f1-837c-a9e8e34a027a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,538b07d3-8d5e-4124-911d-c119a167d38e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e9a69b-4f45-4b35-a4f6-5f01eac2fd49,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf6b49dd-0d9a-44eb-ab1b-cfb77d27142e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6d78836-3eb8-4ba6-aaba-3392ed5dd57a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6128ad8a-e4d4-48a9-a552-4474fd5b1ff3,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daf0b5eb-14f2-4b48-9b10-60137f46ea03,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c237986-d2a2-43ad-aaeb-3e8ec614cd47,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49901728-cca6-445f-b4e0-bf41a507faa2,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9aa5a32-007e-4d0b-b292-7d2e9986c78a,"4/16/2021, 8:43:57.599 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e57e91b-b8d9-49c0-9947-baa97fa45664,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f877d994-1508-447d-9013-b24f0ad10870,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8120eaa5-44ee-4884-9914-f9a8a82e066a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d11fae8-c56f-493c-8aea-ea59dde4e79a,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f1041dd-5d18-4d67-9d60-756cf348a39e,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fe2589c-a043-4012-9355-f7b4cced03d6,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17bf6e14-754a-4fb0-a4ac-5418d78eb6f9,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,927a32ea-873e-447f-968f-826e13150c17,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73f1f811-681e-48da-91c4-7e000f8fc017,"4/16/2021, 8:43:57.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b70d473-aeac-4df3-893b-7cc79c9c9fda,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8f0ff7f-cd33-47a0-bbb0-44dbe5bf81b3,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1453932a-0be9-4157-a226-45f22a692297,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d24a52ee-f730-4137-bee5-265a3805dad0,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e51a24c7-4de7-4aef-97a3-6d8b49379b7d,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1936d1de-dd0c-436f-8fcf-e27ba8b89f3c,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c5a0145-d905-4e7a-a204-a92deb553f45,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acd8d2d7-31dc-4f0d-b20c-7cd5f7e36d7a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a486669-e7b1-4167-9bfe-4e51deb7973f,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21f53b6e-f130-487a-bac0-be3f122c4d06,"4/16/2021, 
8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3d3a175-b888-4f8f-8d80-110b0353bf61,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96995f76-48bb-46e3-8452-5288d9ef932a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e955a34c-12a5-419d-889e-294540b5abf4,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28eb572a-c7fd-4af4-9989-b277a43016c9,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e11454-18eb-43b3-9221-5ad98507acc4,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71b01df9-3a63-4d07-b592-2364fb620f8a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,879c4062-1308-4f82-a245-c4f17aa39ff1,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18ebe6c1-6423-4711-8794-3aa90f691789,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2234d7f9-36f6-4f54-a890-fddb8ffe6b90,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\PLUTOS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b134018-d241-4c5b-8e7d-66cabdca8525,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ed3c876-a4ea-4c04-81c6-0833aa8ee3ac,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b0dcebf-ce60-4b6c-be4c-70479d8a3c4d,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,789bbb15-0dc7-49c3-82c6-917a961bfc1a,"4/16/2021, 8:41:52.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,616074d0-85a4-45d7-ab1f-cca8b50bbe5a,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15181b21-b64a-4915-a0c8-278090f90ee8,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ba6acd-fce4-47d5-8567-8088d2ec3d42,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df30d2f1-e17a-44f5-b043-80eaa21b7483,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4c8661-bce3-4d2c-841f-09ea88f405d4,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c75ece2-7670-4254-9cb6-49184c5609f9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0fd07d-7a3b-4b25-bad0-206c7b28af5b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ea1dd25-3743-4210-aeb4-ff652f4837ad,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05340f77-261d-4b77-afad-31b54d28ef70,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61421d80-bc3e-4e65-adb1-4dd878521d5d,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cc990c8-99bc-4795-992b-9aabed40520b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96377107-7e72-4adb-b975-2c97a3092061,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91dfa193-f182-43e2-a75f-b5a3b4cd9ef9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5f255ca-a9ae-439e-b76b-cbd833062e66,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317eaa35-d8f6-4f9b-a41e-a13140f1978d,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33064ae1-0285-4034-a07f-1e554c995694,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a769178-25af-49ce-b0e9-753dd17fc915,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d9acb84-03aa-4f12-99f6-78e36bc28a1b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ce0d902-f57e-49c8-9dfc-d4ffaff5451b,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22d4a5de-8467-4a7a-8d84-31ce4adf610a,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,39546c06-cbd3-4691-a887-824af677a472,"4/16/2021, 8:44:03.102 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,96407840-0f35-4d2e-be8f-b8b58434114d,"4/16/2021, 8:44:03.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df112b16-5471-4866-8af1-9ba2778118f9,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c9a568-035c-4e5b-af26-897f1ec62df1,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56577f36-ab2c-47f5-a677-7cbc99fb91fc,"4/16/2021, 8:44:03.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be72ed72-4279-4382-be66-83ab475ebb8a,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eac20b04-ef03-4d99-b141-e639a20d0487,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16904d6a-92c4-4a9d-8311-fe0e617f31c1,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ab5c55-0dc8-43c1-b106-4a1a0476cd6f,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05ca6827-608b-48a9-a7b4-83655295dcfa,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ae7dbf-4d3d-4fe1-b391-505a71a4bfab,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977cab78-fea8-412e-abfc-81a0b2568247,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52e9da79-ab7a-4484-949d-26a0651b26a1,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02b26ee9-06f2-4abc-ad10-7110573b305b,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6257f60-98ff-43ff-b273-51a930ab6ae5,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3cc7428-583b-4d12-91e4-30a358afd066,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,978934bb-1d9e-47d2-9b73-63e8846ba88e,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90717d6e-6dd4-4f69-b81e-f41669faf221,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c3fae29-63e6-444c-b96c-727378c9c31c,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1abf6fbe-fceb-4665-b36a-d18672584556,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fde35bff-78ae-44a6-96da-a2233d45fb47,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f5b205-0b7a-4bab-8c25-5fc5fb58e0ce,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a51fbcb-3492-4ab6-bf8b-1c4f9f2daa29,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e08222fe-9b00-4bbd-90bf-6d1b65a358e4,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e559e1ab-8ce0-49dc-bc97-44cecc20cd67,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,257b25e4-6153-4d8f-bf40-dbf972105fa3,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28ebd8f4-4f8e-4c77-ab2d-f64ee6c92055,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a64d8ef-9e8d-4a63-b56c-6b92c501dbc7,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac35b61f-06da-4e4d-a7e2-cc2364d5fa5a,"4/16/2021, 8:41:40.102 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a41a6bcc-e80c-4d7a-a7a0-ea2716f99794,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10392 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9858dc59-a710-48d3-971a-2f9b1f1a6680,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,038743f0-cd1b-45f5-b413-f85c24e3ecb3,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbb8d953-e692-4cf7-bd4f-497e3078e1e8,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b2b04af4-0d40-4f55-94ea-a5bc71540bbe,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0efb889c-f2de-42ed-81af-348161f57b15,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10156 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2538703a-981c-4cf4-a4f8-17a2f6f05ce8,"4/16/2021, 8:44:45.540 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,04d11709-c61e-4b44-8d9f-cc2e6f9f89c1,"4/16/2021, 8:44:45.540 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df00ed12-de02-460f-ab89-b9abce20d9af,"4/16/2021, 8:44:45.540 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9aab58ef-90d3-4464-9347-22333f0488bf,"4/16/2021, 8:44:45.540 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,09881c63-2a97-4e59-ac41-cd31a334f802,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8553d675-5d3e-4cb4-922e-0584f1c67795,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97c83361-a131-4ff3-8be0-f71ff6d632a2,"4/16/2021, 8:41:53.052 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf1f5721-589d-4c88-8ea8-55b3be9b46c8,"4/16/2021, 8:41:53.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,8e225a2c-b343-483d-9d2a-873e6031cff6,"4/16/2021, 8:41:53.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fbbc5cd9-576d-4b57-9220-daeee7d204f8,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ed2539d-7d80-4bd8-8506-d59b8d4c33f1,"4/16/2021, 8:41:53.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13180a6f-24c3-481a-ac75-468ebc86731a,"4/16/2021, 8:41:53.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,587301ee-2e81-459b-a5dc-d41197dc885d,"4/16/2021, 
8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eef6fabe-0bdb-475a-93ad-d68d57144214,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d36901b-0e09-4395-8add-a4cf971fc497,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,482f097f-0a8d-499b-abaa-2e9564939d06,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd91db20-2b00-4afa-a233-792bc72d9b67,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89d88c71-99c6-4681-a44a-c9212087eca6,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb2721b5-7644-4ab2-b54e-b431856cf706,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43b17e7-8a0c-4e01-8732-414cdefd807d,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2875d2-a555-46d5-b2af-8521032a05ce,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ca9cb1f-9001-4cc9-8c3a-388e498d5d87,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2555132c-83da-4401-aa9b-3338577ff2a0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270d1da3-b318-4313-9764-0ed8cf4214fa,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4c9e3b-7744-4e6b-bd2f-ee63e026132c,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bbdb490-3e9b-4c1b-addf-000b23056ba3,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e875046-9b24-42bc-9148-61bb2539b4e2,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9d5d86-9a22-4337-ae03-5d4775ddccef,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba1d71d-5d91-4023-bca3-4cc51c51f655,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb91449-29cf-404c-8da0-afb6036aafb0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e250a56b-a2b5-4606-9581-3b11d099eaea,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5270f476-6cee-4cdb-af20-6c1bf4d4fa48,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee3a50a-a226-4c94-a33d-7fe690632091,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,698009ec-d581-4c04-977c-b9ee91683a29,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de94016-f033-47f1-87e5-678e52db5441,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,854aaed8-fd87-4b98-8aae-33e0e46e79ed,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23830434-2b8d-4395-b48c-33517cbaf248,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff3a00a-83f8-4f21-89a8-8fdcba31f0d0,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebcee10-167d-46d4-a6a9-2de893e79e67,"4/16/2021, 8:46:03.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea481651-4faa-442c-a222-acb9d990c2d3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e31d857-db41-4217-811a-fa93039fa006,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ae37e8-a16a-49ae-b241-9f20a9d093c7,"4/16/2021, 8:41:53.167 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,38020053-3670-4cc5-bbb9-db0bcecaff28,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1ea86ae-9b72-4bf3-ac8d-89fdeabb8d2c,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,763b3519-29bc-41a8-aba6-8205fa2f4a2c,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6596 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc5716ad-7c87-4b5c-a683-dfef38c981d1,"4/16/2021, 8:41:53.167 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7784 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ac8e45f-9194-4de4-ab4e-5bea00faed53,"4/16/2021, 8:41:53.167 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6296 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,59756055-5432-4f11-a2b6-d7c3e40d4185,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c680ba-83b1-47a9-af47-b3dddf3e49e3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,32bf7be6-b18f-4ef6-8df1-a75ae0e5077f,"4/16/2021, 8:41:53.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09862994-ce52-4eee-8303-2fd9f320c1c3,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3b2249-84ff-4346-9c16-73fbb8107f87,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea862a97-5c0b-49da-b76b-dc99efdc0a90,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da4b4f69-0611-4964-ad27-953771cc9e38,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4508e173-a3f8-441e-8949-9783fbdaabc4,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e838437d-88ba-4757-8bd0-8a0d12f6e3be,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b832b038-d81c-4279-9662-ea3a83ec5629,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4f57caf-9871-4f72-b41e-d9eb09ad1294,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c2ba07-bc42-4f41-aad7-9ecd8ac52a44,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faf38be4-8db1-4555-996a-61e58972a119,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bb05e68-191a-4e40-8d26-a735484f17de,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e152be2-bf4e-46b2-aa91-a9b854f68509,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59d5bb2-6507-4b73-9a9f-931f7a305696,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5edbe3-a754-4449-b7c6-bc3bd329079d,"4/16/2021, 8:41:53.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d644c0a-d15a-4b4d-a199-b8a589087992,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5865621f-23ff-40f9-be52-a36600b55451,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729f86db-91eb-4da0-8f48-ae4c4f14ba42,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52341dc3-85ee-40c6-8a8c-fd26094a83e4,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd833c2a-3110-4408-b1eb-83b3aa9ab9d1,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20ee6e65-2279-44b6-b1e1-a14b20d0a376,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea0a0b30-d67d-4ff0-8d49-5e465718bfce,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26f27932-4648-40db-a557-3ea03180380b,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7150bc0-c083-4c86-83a4-39c2d0aefe1d,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6823dc5-0e31-4075-9aac-83790c7cffb5,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfcffce6-5518-47d8-82e0-55ef2c811ae8,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10bbb4f2-46c4-4c0c-85c9-c296ef9813bf,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,328f9a65-802b-406b-9b53-07f7ad1098ef,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83c50c05-b7fb-495c-b0b2-7758e0c81111,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e83494ee-9b2f-4c05-b5f4-6b10f309081a,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aca7107-875b-4150-8444-1c1986680fa3,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c6934d9-89f9-4d40-bdb5-cc067c14d2b6,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07460ac0-8392-47be-8810-489d06fdf5d9,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1198445-44d5-4cc8-90b3-0a991336ae7c,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,034b4b79-65b5-4470-8c3a-57ca97151fb5,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f716a9b0-288a-4326-a9d9-9143a9e85017,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0516f38d-865e-4d2a-afff-87e413702454,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4ca3c3f-2391-48cf-801e-ade40bc1fc01,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c02634d-1c31-4911-a27f-cb0b5f94bf5e,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c03aa4-7fe0-4646-8563-8ebb0c5096a7,"4/16/2021, 8:41:58.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7639648-a643-466b-93a9-f0c8b02d7dcb,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2779fd64-1a41-4ae7-8963-70258429259d,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a5cf9d-ab61-41b3-84ad-8072546fe109,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1938c5c-6502-4926-812e-3504e1457681,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,696a6c69-71e9-442f-98e6-99bdc8bad5aa,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf376c3-c9a2-4372-98a8-dd421be68f42,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c1c5f0a-69b0-4c8d-b82a-c0a6937bb4a3,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06be9da-927a-4c2c-8307-fffcc3ba5a89,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ee4f242-8e2b-46c9-881e-c8d9f8465db1,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b81f7fe7-c427-47a4-bffa-ebdfba0b38bb,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fdee5e-d2cb-4643-b7f0-3b5366f6d67e,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f98c476-c479-462d-8244-5daeb520b61d,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fb99e52-7f3e-40f3-81c5-be6a9bce0b05,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a183ff-dc99-4943-b70e-a9d7ba687fd2,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693ffa2d-4ecf-44a2-b2dd-47a1a30a3173,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1af015-7aaa-4253-b3ee-18bd4ecc0c04,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de810de2-c489-4d9c-8cfa-29f5c087d76f,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61374246-bc9b-4f06-a176-50a7f9055de3,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93293108-0206-4f65-b7e3-93eb963726b7,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3139b3f0-09b5-410d-baa9-644a0a616507,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0747a2f-7ace-4a6e-b6ac-67f7cf8370aa,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e3c242-c864-4e5f-8361-63169cfe6216,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5e3c34-d0a6-4a6b-a9c6-f41fcd9caae7,"4/16/2021, 8:46:48.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0aea507-5a20-43c3-b564-15bc8ea3d91d,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e938bedb-b561-4509-859b-6de8c6a50478,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4859ba4-8696-4d90-8d8b-0bd66f4e87ca,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85d7d242-c0da-406e-8d82-0834a1c0cb26,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5481a453-4fa0-48de-8f26-8f7aaf2016ed,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ce404c-cff9-4617-ab8f-22ed66d9edb5,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba40dc0-accc-45a1-b760-513de5b09a85,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,744e643c-d1f9-4f2d-99c6-8de7aaaea608,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835b4bcc-f4e9-4145-a3b7-bfada889e2ca,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fccae4f-380d-4105-80fe-18cdc1f09398,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a77c5b1-1d0c-4401-bb09-64ee57605a39,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8d1ef9-1d93-4045-af78-80bbaa83c077,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca80e82-f214-462e-a65a-3b3a5173afaa,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b89eef7-1996-4f79-b936-43b6187e4bb1,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8f252ad-5aad-4359-a1d8-26d3f1daea71,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,612d99c5-b527-4b66-b9c7-5573ca072d3f,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86342f11-4f3e-4091-a063-0455935e79f0,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2fce074-4702-4ced-b3c4-7e2c58d4b0af,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,932c1ddd-b53f-4524-9b7a-a5af99ecbd33,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77bf150a-907c-4f0e-a7af-b00a0ece9e35,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf5ec10-cd43-4370-8d8a-313f714a941c,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18525f0b-a785-437e-974a-6981d98dd39e,"4/16/2021, 8:42:04.098 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1536b37-275e-4a87-a030-85a930498fa0,"4/16/2021, 8:43:19.415 
AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b230f328-edbe-4af4-9aa6-e43940986c53,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6b838dd-6836-4517-8497-e18f948fb79f,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31d1fdd5-c188-490b-96b8-58e23f2fae4c,"4/16/2021, 8:43:19.415 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,958afe3c-2afb-44d3-82b3-0d2e0d06484f,"4/16/2021, 8:43:19.415 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3344 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5b76e9e-921f-46e7-a340-842245ca725e,"4/16/2021, 8:43:19.415 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 788 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,04b8e963-3752-4bc1-bfbf-0503e8c41c16,"4/16/2021, 8:43:19.415 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,44c53f1a-f056-4972-9e26-ce9978478471,"4/16/2021, 8:43:19.415 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b79eaa79-1646-4540-be3c-13d345aff623,"4/16/2021, 8:43:19.415 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54ccfe68-c65d-4de7-be76-18466ceab217,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\WRADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ce70b0-7161-4a4d-8cc6-15945eea3266,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b845d613-3bde-4f27-be15-22ad5b40d6be,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66b1051-8bd1-4196-aba7-50b17844b171,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6747db2a-8933-4c16-bbf8-77cd5a5fbc52,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb3e0b54-e671-40db-a8a8-b5ba39363655,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93a3fa03-8c27-4207-9757-5b14619f3e68,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fabaa51-1fa9-41a7-9f76-bb1b75fcac3a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1da7953-9609-46ed-8e99-61b36171cf54,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127c28d7-9096-43ba-9b41-8df1469161fc,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b05b301-cfef-4beb-986d-fa36d4f5836a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a885c3f9-5948-4bf4-bfdf-95597e57d349,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a7c7a9f-55b2-4985-9bd0-621b2a27e9d6,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd0e8c8-f918-4e04-978c-3bc7ac39eea6,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff8db6b-b3db-4208-8892-c9ccf2b64728,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de2cd49-129f-487e-8ec8-5b9323e6e685,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb37d770-c2b6-4aa3-ac91-e66ff04cc884,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d47baf-d935-4a57-9e3c-fd123053bc99,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bffbe9f-76be-4b0a-9946-06049a585459,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7206191b-78f9-4040-9038-068f8bf7b469,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,554b16e3-76ea-4bb3-8607-7313afe0094f,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353836b5-a7a0-4a71-9198-c1dedf3f7998,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f25f3e50-a61a-4c21-af28-112f4344e06a,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857bcf9e-6aa0-4dc2-857a-cc06b0555515,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f6852d-5d7e-48ee-bc87-6e599926ce1e,"4/16/2021, 8:47:03.194 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3288 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,81ed2aa5-2b6f-4600-a970-38080d648890,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1596 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,acf1f94a-ba63-4b2b-907d-3b3543892eac,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11888 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1fd12977-791b-4be7-afa6-646bc8d68d91,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11844 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,3854416e-3eb2-494e-ac4f-9cb54840c16d,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11040 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,06c26ddc-bc75-4f84-8b5a-70bdc079cdcf,"4/16/2021, 8:41:57.078 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a58491d9-ef8a-4515-9277-6de9881725eb,"4/16/2021, 8:41:57.078 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fb90d0d-0cbb-4493-81e6-63ca1b8bb2f1,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db211e03-6c06-41d7-9dd7-27c991781d1d,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ef1c05-4daf-46f1-89ec-d952968f5cf9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6464917f-5309-468c-89a4-7fb6dfd87675,"4/16/2021, 8:42:02.600 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,615f387b-f329-48d3-92af-44d65daaeacc,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b73389-6592-4974-a512-be412d589937,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f8aaaa0-52e2-4457-8d4b-6e2a82c9dcd3,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1571021-d337-4cd0-9eda-a643a1398456,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68c6cd39-8b25-474e-8f6a-35dee299a2a9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e095e28b-d925-4776-8501-830d77bac8c6,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e04f2c4-5416-41dc-a8e4-ddc24c0275f5,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a27c0a5e-a9d3-4eb4-9bde-a2392ffd1730,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d964d87-dcce-4b40-944e-3040f2b859d0,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fab2b406-9373-4e13-9acd-2dfd7b7e3f3b,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f38cffd-be2e-49c6-9a88-7d111e39c245,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fe3cf3-85e6-423c-88d5-815e0e67a62b,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebabc5c7-10d9-403c-9567-576c9fdfff5a,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+\CUSTOMERSERVICE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e1a0c1-e847-4b32-b2e9-3acbc4e5a154,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35065ac3-9311-44db-b5e0-b84d9d4698e9,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af3a9f7f-2e75-41de-bdb2-fd4736483320,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\ACC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f49c992e-2099-43b1-b0ce-f9f8549b4b41,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7752861f-f656-45df-be51-5109dc01f04a,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e48fa2f0-f810-4e00-a3f4-7350eb5ecdce,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56785a86-b27e-42c7-b52f-5b37396facbe,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e34bf02-bd8e-4363-b093-1ec946abd8fe,"4/16/2021, 8:42:02.600 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee967845-cad1-4da0-81d4-8ba5ddd4f6b1,"4/16/2021, 8:42:02.600 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c5c50d1-0580-4b11-93a1-52131124a436,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4073946-1ec6-48ca-b5ac-c79cefc2321b,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd8da57a-bd07-4e24-9f53-335bf9e2401b,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d29c69e-d14b-452d-a54f-c1e8bd2cce98,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41dcda9e-58b0-4588-a3bd-d58d780e75d8,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c6149040-c1cf-4a8a-9054-d1065b00cc5d,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d605c2e3-c33b-4701-a6f0-471ba0c0ff4c,"4/16/2021, 8:43:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ab2c1ae0-6ca0-4f99-9947-93351538efc7,"4/16/2021, 8:43:36.052 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098d57da-2848-4892-bf46-0bb52de53724,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,374d62ab-f571-4227-9037-ce23505a175b,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1716f3b-a3eb-461d-9ca0-30c089406766,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60284fe-8cb7-4bf6-b93d-fed0b6243b7f,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,877350df-f530-48f3-8b43-9f836b519958,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba7f385-0aee-4ea7-ae14-e21bf684f100,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,473bc8cf-4068-4e86-b428-2723f587d18a,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eecdfd0-dc7a-4ff6-b1b7-6f9fa0ad8294,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d8924d-959a-47ca-8930-ff9812c8fa46,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20aa8278-7f6c-4387-8595-71f9b3d95af7,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be2375ee-6b87-4165-9d36-3452ed9cb43e,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77d08740-415a-4a99-bc2c-f76178735553,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88feb7b-6594-4539-9975-fc9dd0af3c24,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c5bd14-ae63-4b0b-8e3e-4241019eb414,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cec883-4606-4c4d-9293-ea06f834aea3,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f50143-c5f4-442e-92fe-916bb8ffb4a2,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97c4960-244a-494f-9cb3-3835870c5ae2,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e05b5500-1262-4523-b4f8-ba5ef0f81d54,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05c1cf67-f2c7-4673-88e8-4bbd4a52e682,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a52e390-f879-40ba-9361-63509521b999,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7681752-2ac8-46d4-809b-ec3ff482dfce,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4de372a5-da33-49cd-ba6e-216f2080550b,"4/16/2021, 8:49:39.108 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f50835a-0e3a-46e0-a4b7-0b1061196f97,"4/16/2021, 8:43:03.052 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d643ca6-4add-4fe8-a494-2c62cd8c49c7,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,63ef03da-d4f7-4c42-80e8-eed1157644b1,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0fc39054-6335-4c5a-b9f4-980dc3746960,"4/16/2021, 8:43:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\WindowsUpdate\Scheduled Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>Microsoft Corporation.</Source> <Author>Microsoft Corporation.</Author> <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description> <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI> <SecurityDescriptor>D:(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T18:39:04Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1M</RandomDelay> </TimeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>ConsoleDisconnect</StateChange> </SessionStateChangeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>RemoteDisconnect</StateChange> </SessionStateChangeTrigger> 
<WnfStateChangeTrigger> <Enabled>false</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <RunLevel>LeastPrivilege</RunLevel> <UserId>NT AUTHORITY\SYSTEM</UserId> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <Exec> <Command>C:\WINDOWS\system32\sc.exe</Command> <Arguments>start wuauserv</Arguments> </Exec> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,794e2b45-393f-4eb8-98e2-86fc9872562b,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c090c74-e640-4448-8035-1a0a12ff8745,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3421c599-6b81-4996-acd9-238de7aeb8de,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b1b39702-15b8-4f90-9bab-1af8d23abedc,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14012868-03d3-4c94-9c92-ea1739b2f287,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,384e6b1a-af4f-4016-98c2-9534adfef188,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e60d2b43-ec69-4995-b6e1-69dec8860187,"4/16/2021, 8:43:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60b65e37-cc6f-4c90-8586-8053ffa1bb76,"4/16/2021, 8:43:03.052 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81f3e88a-124b-4ea3-b99d-f23c119c10c9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc4cdb69-1ffc-40f0-b3e2-b9c9631ddc64,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88030631-8821-4d4c-8540-4f6bedf30ee8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,57dedfa2-4ea1-46e2-9d04-2b4b964de0f6,"4/16/2021, 8:44:22.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a97f8a-1094-4c7f-b4e5-170047aa284b,"4/16/2021, 8:44:22.104 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dc6e8fa-fa82-4d0f-8a12-0fceb6230d15,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06671137-d22c-4e7b-beba-52cf02d5eb48,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3002beb7-b1c6-401e-bde5-1c7cac574944,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a95af2-1cf3-4230-99f4-7a5b844278af,"4/16/2021, 8:44:22.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4748 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,33da8809-050f-4284-8153-2b8705266d77,"4/16/2021, 8:44:22.104 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55892456-852d-478e-b766-596be40812ce,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b76eff4-3d04-44e1-8110-636b2f5fa8f8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c240a54e-1439-4b5e-8ce0-d774c26a3be9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d65e32-ebf0-4bfc-9305-35c56b26b731,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57fd173d-8b9f-4ded-855b-00683a264efd,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104ed79e-a45d-42ed-806d-97b1fa871ccb,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d5550b6-1e4c-4d9a-9e77-e3795312cb7f,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15e8ea1b-5b35-48ef-af7d-03274a4209b8,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bac65d63-09ad-4ae2-a3cf-c4f237874484,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce486a59-9046-4cc0-89b4-1c4468a91584,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6284cf6f-842b-43ed-b326-82bc3c5e2a9d,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17615b83-fd47-4837-af25-a8f69706d802,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,907841c6-50db-498e-ab8b-4d3091e5ae4c,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62fd76b9-897d-422a-b812-4d3b49f177c9,"4/16/2021, 8:44:22.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a7ea80b8-636d-45fd-a398-c50cda8f4dea,"4/16/2021, 8:42:09.852 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1776 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,20270f98-e0a6-4f4c-82f4-230b4de67fed,"4/16/2021, 8:42:09.852 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,541b1937-0982-441f-821e-1d4d367555bd,"4/16/2021, 8:42:09.852 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,efd99710-5b30-4000-a7d3-5210a84ffd38,"4/16/2021, 8:42:09.852 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2943ab24-b818-4a5e-a201-8dff66d2ce4e,"4/16/2021, 8:42:09.852 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,29084632-1968-4bdd-8cb2-88c65c12135c,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6560 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2918b68a-1cb6-4884-a79c-54565aa80a57,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7c019483-968c-4424-ae52-dc53e01bda32,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,563cace2-c2dd-4371-92ae-f86e5e292fed,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1ed4bd8-9524-444c-bd58-0316e628edb4,"4/16/2021, 8:50:27.414 AM",,,,,,, 
+\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3992bbe-341f-469c-a33c-e141ff8336b5,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f7240761-7316-4b3a-8936-ba1e574a51e6,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71806d5e-3239-4f52-b6bc-8763727e348b,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a2798a24-2bd2-4c34-b616-43715f04d5cd,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b879add5-b7bc-4b87-83f8-62c895b3e367,"4/16/2021, 8:50:27.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b8c0c916-c73c-4a29-aacb-dfdd5631ffe2,"4/16/2021, 8:50:27.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2f241feb-4731-4da2-a57e-32f554aaa257,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05af7800-661a-4f36-8347-bdb1023b990c,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 752 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fba7bbd0-c862-4dc8-9b11-105b8e098c24,"4/16/2021, 8:50:27.414 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3352 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c78717f8-5bd3-4637-9217-22fd4de52ece,"4/16/2021, 8:50:27.414 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c495cd14-fefb-4914-bd95-7b14b5eefcd9,"4/16/2021, 8:50:27.414 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7685f8d-d768-4796-8046-1202694b166a,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d00c535-50e4-48c7-b953-5604d6994e68,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a38ca990-b1dd-44ef-95b3-f4bb78652a91,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e9ab3b9-5647-4a84-ac21-b67f5af4986f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b8d800c-14c7-44b3-ac85-caeed1faff5f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,426e3cea-d3e6-4e44-ade0-5ab6b2128396,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e8035f-3c24-4536-8d10-08d9ab233874,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c995e9f-92a7-4922-9d17-8c2cff46891c,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4baaf3-2214-4bd0-83d6-3a1a2bca0f32,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d52e270e-eeb0-4cd4-9e5b-0b064bdf08f4,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecb2e9ff-aad9-4b0d-849a-e87c17183cc6,"4/16/2021, 8:43:00.599 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a2ffb7-6abb-4b1b-8f44-0458f6706ffc,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,990b213f-5ce1-442c-b76d-d90c4463e7be,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f145f3ee-3254-403e-823d-0e78d9dd3189,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bab927df-eec9-4b9e-8178-8bec73b7fe71,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de01a33b-cdfd-44d4-a601-e41c83ca320a,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8dffbd4-9a6b-4ff8-b91a-54b085c61e91,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc4b87fe-d455-49e3-bdd6-e9366d262f4d,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fa601c3-e982-4ae1-892e-33e650e8597b,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3c33a68-65df-4e02-963f-24a24ed57300,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e4aa19-dd73-4776-a212-43d10142af79,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410892f2-a2a2-434b-9ea1-04d7e03c274c,"4/16/2021, 8:43:00.599 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca0f60c-8201-4e40-80d9-1088fc38ca9f,"4/16/2021, 8:43:00.599 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,488a34e7-38ab-4ecb-b95c-bdedaac93901,"4/16/2021, 8:42:11.538 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb72b9c6-34c5-47f4-9c45-2e0eb097f98b,"4/16/2021, 8:42:11.538 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b8329bdb-2752-4923-afa7-9fd42ee23be6,"4/16/2021, 8:42:11.538 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4bce80d4-e2a2-4790-b3f3-c198e93a8252,"4/16/2021, 8:42:11.538 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df0c96f8-6189-4081-8888-0da540f9cfc9,"4/16/2021, 8:42:11.538 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6161ba09-97a9-4665-9e7c-d3b198134ed8,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974c8dcd-ef28-4095-bdb6-09cf7655a54e,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852872bc-888e-4011-b8d7-e88aba1c1b10,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64ef818-4bc8-4394-8459-44520b860fc0,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe55429e-e5ce-4fdb-ab96-e9ebf73a3ff0,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8b5599f-a801-4e2b-82d4-b435f19c57eb,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b6941f6-0749-4a5a-bbb4-20964010c128,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,365b9409-a22d-41df-9636-a16c449bac02,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115f48fb-a36d-4535-b212-a44b27039093,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46316c3e-af94-46f5-a797-d0a42ea4349f,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70235bd5-aad3-4778-9695-f49b85e71ee3,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8269b621-9abd-4446-a26f-5fc614503b3e,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98878809-7985-4a19-8765-c89a4f3c638c,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9caf86-9d95-40a6-b660-7ef6ed04bfbc,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a320c1-ca72-4517-b5cc-c87dd16e6239,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce660012-1cd2-4fe6-bba8-4803d661bbe7,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f2dde4-8178-4429-9893-bc4eb11a1e66,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\CONTADOR2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9057728b-00e5-4b19-bc1e-5753d6db64a8,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b970f3d-9396-4425-b96a-d03b58677625,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a70a0dc-5751-47b6-a2b9-0ae543a9d7ca,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9a9dce-d247-4f5b-9d11-d592345d6cad,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d862dd2-a31b-46c6-9543-4a8058f7be67,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5381cfb4-443a-43cc-8324-dc32a568c7e9,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a76075-15d5-43d7-8550-27c24abe2418,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98947387-83a5-459e-8261-dedfbf002cb2,"4/16/2021, 8:43:28.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eec89c9-2952-4909-920c-c057a9c90d36,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d220f4b8-a12c-47ac-94ee-32fc51f2ee53,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba828f5c-918e-4636-84ee-3b79de605eff,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a13f22c-aa0e-40f7-b876-4fd1550f2e33,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fd794cc-f2d0-48eb-ae14-965228ea34e2,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a1885c-7cfc-4f0c-8a01-3e9ae24079ac,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ececac89-a31d-45af-bebc-b4e4afb4d547,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48969665-f96e-4948-a378-aec8495a0725,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7808f5-8e8d-497f-9b7d-19c6328c9562,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca771b8-eaf2-407e-bd18-5750dade938e,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c0d2e0d-a0ba-4bb1-8423-9da8cb9a6a87,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbddc0ac-b012-48b5-bd08-d2366278267f,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13223f50-82b3-4470-b5c7-be4157f25df9,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebf4f377-81b5-41bc-aa76-9f8b38b2541b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08f7210c-dd3b-41cc-af0b-ec9596b67e4b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa3d14f-7862-40ac-8e96-d66a179e18e6,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0878b2b5-080f-4c5a-bb78-b7422210b4d6,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee21c2e3-184e-409e-abf4-5a1249c066a4,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be3a9aaa-8397-4a6a-9c40-a04d44c74b38,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4c72b8f-cc57-4c3a-aeba-b08678441d3b,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df6ab38d-a87d-4b09-9d87-b3098afcebbe,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2db089e-9560-4786-b88e-e5b4b66031a2,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5e517d-fcfb-422f-99d8-6ab1ef72dd03,"4/16/2021, 8:50:30.119 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f217fa6-b82d-4d80-a695-8781e3aabd43,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\AGUSTROM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e6832c6-b3a7-43a1-9931-901939fac3dd,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7617322e-d383-4d63-b262-f5968fde8cac,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e964828a-be04-4937-a9d4-6993f0fbdcdf,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,006441cf-7094-46ab-96c4-c933eca4b258,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49274841-7115-474b-bf5e-788f7c1fbc23,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ceb561-32ed-4870-bc4e-00f69d204731,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e1b5467-8c18-4620-807d-4deb061ed881,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d823849-dd54-4cfc-b0b4-27a1f2f1086e,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd95708c-eed2-4064-b07a-6d528399f65c,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd564d26-8d41-4cad-8e69-54be7db67bae,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e5d6a37-d9b6-47f8-b683-17a2301e68ca,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,039c0a67-f208-4b73-aa59-1bba0ee21f9a,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,237a8146-fa0e-420d-9a51-3f3abc0183d5,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2250c355-02d9-4bbe-9d85-7eb5241e30cd,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d64155e-592a-4eb3-9cf9-7251a38811fd,"4/16/2021, 
8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bbda385-58b2-4155-9e56-7b1779ee37d3,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d204ff3-4ce9-405a-aa1a-4cf03395f145,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3e205f0-7bbb-4359-a324-ff4c6ce75184,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfc0fe58-f99b-42e1-afa0-9af735a91a74,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03e4fb09-ba03-4c9a-b6fc-aca2ad173d5f,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d487dad-e2fb-424d-bb0c-c18151998996,"4/16/2021, 8:47:33.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20cabcb7-91cc-4b5c-9e27-095d6f2b94a0,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcac6206-3d96-46f0-b2e0-f2c5b755b8de,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8215c9bc-60c2-4e7a-b8b9-214433bad5d4,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453ccad0-85b4-402b-a26e-73e6702af10c,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f36d816-e18a-491c-8f0f-f094544b1af0,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a276ea3-51a5-4c5f-bdb3-6b130eba1483,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1b73638-c1bc-485b-ab40-04ee50b9b681,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553c5471-4ec7-409b-88a6-cce9283da5ae,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a63644a5-ed89-4910-bcad-607dd9922334,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e08ccd-b69b-4148-97a4-1b0c25cb90dd,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b90b5ff-3b31-4e56-8f89-9bca2bd334d4,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fdfd8af-963a-4b63-83ba-aadfcb88c91f,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e655822b-6e4e-444a-9d45-c85fff1f6399,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ba204e-4e16-4629-8ee9-a2c279577704,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7135213-e861-43f7-8704-4b7f4f755f2a,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6300dccb-71a2-48ad-8a53-7caa2fdc0b0d,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e91450c6-f82d-4c5c-ba5e-d09d4d7f8994,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60b8ceef-f568-4d3e-8d18-0a343c209c4c,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d49fe07-5912-4fa3-9d56-43669c0c1ed6,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0979d7d6-f029-4b84-a420-b218e13618f2,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,deeb4adf-9e7f-4128-bd9e-43d9587b8653,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38f0747b-8bde-4c08-a88a-dfba542b463e,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,279fd04a-e387-44a4-bd11-7fd62025f890,"4/16/2021, 8:42:14.596 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f4b4f85-3cd1-4739-a579-955188760d8c,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47a71ff-18e5-4368-ab81-87a88d9ec51a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b92f44b-90d1-4901-976e-1111ee0d6781,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413008f2-db6e-4d74-bd21-ee3357e67be6,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e26a46d-6be0-4e66-8e63-e96c448ce338,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8a9afa-e110-418c-9ec5-f10db20d0819,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e153fbad-8748-4f46-b55d-9e855e1f6b52,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9250ed-1ad7-401a-881d-63a950c614ac,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7caeda1-4956-4808-ba85-6a4aefb5e226,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aebdb2fc-8fef-4c3f-beb7-867339a7ea5f,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,537f3021-7ad6-4eba-bacc-e2170a8357f1,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c430596-6552-48dc-8c30-56b1484280ed,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46513e30-2293-45c1-bbd1-27b961cc15d7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee39ab3c-c418-4784-a917-b0e0e35523f9,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5616b31-d61f-417c-9b3a-f2cd072eab40,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd25fbd-c69b-4a3e-a5c2-4013aa290cf7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f33072b-7e11-428b-af14-ca00996c8416,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ace8ed97-7974-4921-94fe-9c70934e07b7,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3325d402-ce75-44f1-8d74-3375303eced5,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,665def06-99b5-4996-a30c-eed6c0b5d398,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba3b7b3-6234-4827-b385-02073e9271c9,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f68c264d-7f1e-442f-9482-c5f599cdfa24,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78de1b8-7ed5-499b-a1e6-4cf7cd93d92a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8e55272-5e00-4ac3-a481-544006310122,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7bc6238-ec9a-45d7-8c2c-931985f2d557,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98a43bc2-b78a-4efd-a964-390b7f74f48a,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,257bfead-b1b8-4376-828c-4d1a7a982936,"4/16/2021, 8:42:12.156 AM",,,,,NTLM,, 
+\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f147fda6-cae0-4c37-845e-3867d18c0e4a,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c5919e2-3354-4987-b088-0e675d8f768c,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,277a63ca-fd71-4ae7-b10c-55915afefe68,"4/16/2021, 8:42:17.444 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9ba428df-f14b-46a1-b20d-6f6d49d1de3d,"4/16/2021, 8:42:17.444 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f0a73981-b6c0-4a6b-8e7b-f6e4c5dcc8e2,"4/16/2021, 8:42:17.444 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c534bf82-1caf-4c32-9ecc-defc225496d1,"4/16/2021, 8:42:17.444 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 
+ EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ab397089-5e17-4849-bf38-4908e9436c7b,"4/16/2021, 8:42:17.444 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9559721-7051-402a-9176-f9b3bdb77656,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2786128b-5cc6-4e93-b5cd-b513398cc6ce,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3cdb10-ed75-46c7-a315-bd1698408883,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5fab10e-7838-41fe-92ce-228abcffb52a,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1d4d52-c125-467e-a8a1-a51b8ee21188,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea822ed5-a4cd-4da6-bfde-c37aee5d08e1,"4/16/2021, 
8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1251210-f590-4dd4-8fa3-6d3b4ab7dfb8,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64124b4-2223-4b76-a1a5-c29d1e52a98d,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e18134ee-0d03-4e7a-84c0-c415835eb38b,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21def242-37e5-47ce-aead-744808e791d2,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066b02c5-70b9-4a29-b2e5-db63589c1b27,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e5e45f-39f1-4d25-99fa-ed8b745e6a6b,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f172d1-6774-495b-ae2c-2ea4912f12a1,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ae413f6-3476-4d70-b04c-a7b58d49e1d2,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4b2cc1-0641-4cf8-8d7a-406a8cb502ae,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b594c078-b24c-4a28-a5bc-02b0f4652a7d,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcbcd51f-fb71-4830-ae5d-6e3ef58d91d3,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28aa7208-1d38-4b26-9a26-ebcbd83e000e,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ebfe1c1-82c3-408d-8f3b-7de8ab5ebabd,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f303dcf7-f730-4297-a7b5-976126da4802,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fc44ce7-fa6a-46bb-b898-df67f024aca6,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,252658c3-53ac-449e-a117-ea16f472c82e,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4772c7dc-0598-4a3b-bb97-3ae7c46b76e0,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da444c41-eb37-4ea7-b4a3-04769b7a6114,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,332ce0c3-802d-4d2f-915c-eac370668303,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cae4240b-df21-4faa-9499-396f6d35a695,"4/16/2021, 8:42:18.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a962f096-8e94-416c-bcc9-64d53afb5189,"4/16/2021, 8:49:44.875 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9a720c6-d436-4e33-9def-8af1ea6da617,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,732d4885-af3c-4de8-b470-ba44a0844adf,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d51ce78-7944-4b45-995c-e007dd44091a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,373208f1-2210-4b47-85d9-15cfc2c7d5a3,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b3a6e1d-d9b2-46af-9869-dfb4ab87ab02,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06afdb5b-0842-4b56-b5d7-149781cd2e91,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f91a8ebe-85e8-4038-b803-e7b4e790d079,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,498dcd8a-ce81-438c-b969-21d522da2adb,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ccc907b-9ebb-4bf8-83ce-dee604e2541b,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7820116e-a4f4-4370-bb16-ca84fb908876,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee409e2-5827-4326-b346-00107856849f,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2776bed-d3d6-49ae-b93b-884b94686de7,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5c34f6e-ecfd-47d3-89bc-a711c23b75d0,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64f85e11-ee5e-4e7b-9dfc-8785256adb76,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,999a5598-59f3-42fa-af59-6835b0fd149a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1ab1f1c-d140-46bc-b3e4-b7434b7547dc,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,858f7303-d173-4721-a306-81dfb049dc8a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0562585-1a41-4905-8bb6-46f216df001a,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f993c1a9-e594-4c86-bccd-11927873d77e,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fab3b39-1268-47cb-8a36-784dc8906e19,"4/16/2021, 8:50:43.622 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68b89cd5-5387-4584-9c16-6446670e1c9e,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b022d81-9790-4ae2-8f94-56a034023abd,"4/16/2021, 8:50:43.622 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59cb1392-f8e7-433a-a169-80b7138028b7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,103b073d-623c-4500-9100-6358a2540ae7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5849792-1dbe-4a48-a6c2-49348fb3c5e2,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21655437-c08a-4bf1-9423-621edfdf7fdc,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fb8da3-107f-4206-8311-1c03efb851f3,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93c44e05-7946-47f9-94b7-5525e72e9ad1,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae52c7d-d0f9-46b5-bb4f-6d3933ae6e72,"4/16/2021, 8:43:34.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22e982fd-7136-4749-8aa4-f8ca5699d6e7,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fc35033-749d-492d-bea6-81795e5f4a6c,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6536b229-dcfb-4766-befb-5d06ae1218bf,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,758ea8ee-9ffd-451f-9d47-c0c19343e7f8,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcfcd688-89ed-414c-bd06-eaa8f129d097,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc673d65-d1e9-4269-8276-a14ceb86675c,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed49e5ea-8a53-4497-815f-328978278465,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa7522d4-42f1-410e-8239-c80463f39198,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9482de8d-239e-498a-bd1d-01c703c248b6,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,634f83a5-7231-4449-a25a-da06b7ea4916,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5418e2e-97a3-4155-913e-abf8d246e73a,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c39951a2-7c3e-493c-87b9-d02fd5ce2dcf,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4d2cab-d30a-4f90-8c9a-4fe4df15b5e8,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394b78dd-faff-41a3-bd99-5fbf9c549dab,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3262f404-fb8f-4db8-83cf-7e92e44ac04d,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0eca4d8-e6eb-4433-bad5-e0be656c02c1,"4/16/2021, 8:43:34.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4b66e6cc-6e10-4f03-9527-537e65ffd773,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,523c336c-94fd-4c01-90f6-105c80565c88,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10876 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ddecf2e-8cc3-49fb-96da-026cf40d13d7,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7172 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ea3a9b01-17d7-4b2a-bd99-4366c16ecaf0,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5644 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb94b530-34ec-49f1-bc73-1c785fc6e792,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,171c0744-a497-4326-8091-6be0a123fc56,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,f6638b82-98a5-4542-8bec-6bc0977f793f,5424437e-94ef-42e6-96c3-2962430f6653,"4/16/2021, 8:42:19.551 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,e0056852-c6bf-491f-830f-0161d604e725,"4/16/2021, 8:42:19.551 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b9b10a6-288c-4c49-8300-668e5963141b,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,df1cb61f-0845-487d-b532-c3eabaae4e7e,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bfb9d6de-aff1-47bc-b7f8-9f99dd05a92f,"4/16/2021, 8:42:19.551 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0765255b-1d83-4aba-98fa-eb55c7022696,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba373feb-c9e8-409f-bcd6-f65b2065d953,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ee8bbb8-0b11-40e4-9e7a-84bb5cd7c365,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f382a4d7-ae73-4a73-9a11-2b7fe6cb642c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f532b1b-c157-4a73-9329-c35f043bf293,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d04ea79c-73c9-4f84-9b94-aff88125acba,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,481f0868-db77-48f3-b64f-7cfaaf31a59d,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,994e4aa3-322d-43d1-a9af-2de968d1ac0b,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7212243a-6dc0-490b-934d-8c7147a7b6ff,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6e497b7a-7813-4c12-a13f-90f70265975d,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6f3b40f6-e8f8-42cd-ab91-af6bb5d10f27,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f7e91ed9-39eb-4a20-97f8-86bc758ade60,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,37c76442-a4e9-457b-93ac-7dfd8ffb4d6c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a089efc0-498f-4809-94d0-4ac8f8e1e33c,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f5733a3-7bc1-4afc-a470-23d17cd36825,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c35647d-5c50-4cd2-9cca-21a0d9ec2c3e,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2abe5792-b49f-4166-8517-2146ea7329c4,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation 
was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,fc4362b6-b6aa-4856-8a81-f89a1a64d840,"4/16/2021, 8:42:19.551 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,69270f9e-95f5-4a3e-a4bf-c50bc7a123df,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a5e9396-4f6b-4a61-81c0-8769d1cf68a1,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,59758ece-0450-4e6e-aa79-951ec3cd8c68,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e16370de-e88b-4402-bf3a-a0462dfe2897,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3fc5b1d8-4d67-47fd-98e4-6351a2211092,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,af881bcc-ee70-46d3-846b-ecd03fc9d895,"4/16/2021, 8:42:19.551 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b4b8f24d-0fac-4f8e-96b3-179d4c03ca33,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e600303a-675b-4d9b-9dff-4e57d974b36c,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,baf19e6d-1864-46c3-b442-24165e6eac06,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86fa3004-2fa6-4edf-b89e-eb9e2b0171ba,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,127f7656-9eab-4054-8270-cb9734aa2596,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2aa737bf-872f-4d79-aa6c-c4201e140ecc,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0510c3fb-6ae3-4ee3-8d99-e7d075a3c394,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,275f0675-771d-425c-97ba-02709e483558,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,937d9430-8b45-4cbb-9f95-6f270d2ef2ab,"4/16/2021, 8:42:24.052 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,38a1850e-8255-4571-9821-80aa5757c424,"4/16/2021, 8:42:24.052 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ed53b59c-6ce1-40d9-82a7-0f479ed55ca8,"4/16/2021, 8:42:24.052 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a6d1e5ab-4473-4f99-a33d-4b7cb19118a1,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x783c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,53c5bd42-724c-48fc-9f54-20a16ea81d75,"4/16/2021, 8:42:24.052 AM",,,,,,0x783c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x783c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,598bee00-7968-4bcd-8c6b-d1611641908c,"4/16/2021, 8:42:24.052 AM",,,,,,0x783c, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c35d3ce2-64dc-4f0c-8f10-bef39d59d59a,"4/16/2021, 8:42:24.052 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,a366efc7-1818-4146-b8c5-25bf671f0b6c,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c04fb119-6c94-4694-bcd3-c9d4afb37557,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,88f04ad8-875d-4132-aed3-70288205b85e,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,338d2b02-0c6d-4370-afbd-dee405d6f123,"4/16/2021, 8:42:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,76b80efd-2782-42aa-99e6-e1cbb11e502a,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7d339b2-255d-4e45-88ab-cc31d6ad5a3d,"4/16/2021, 8:42:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5962e200-9906-4da3-94d6-4c3fe30f9465,"4/16/2021, 8:42:24.052 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f881984c-7b0f-4235-8282-3305889cd095,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,806be3e5-138d-4d77-bc21-7e8989c3a182,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,377d400e-e96d-4510-96c3-e0606734e0d3,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00f2ae44-c2d1-4e1f-89c7-d069a51537ae,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f762fe83-1b80-4cfc-ac58-1bd5c54c3b0e,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04348875-70e5-4b17-89f5-1a74bdbffd97,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6090ea5-6dbd-424f-a91b-e1098f42d6a0,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,623bb6e7-9d29-4f10-a0fa-6e71e157851f,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f186e708-176f-49f7-b051-c729e0c986c9,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbefdb75-2568-4a56-bb5a-452795eef533,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d63751ec-52db-4d85-a61c-f9cf6ae99d69,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d2c3f51-738a-4515-84c3-d16e631c5030,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,842db297-4aaa-4abd-9bc7-1161256cd8b9,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9cfe4a2-e081-4882-bc8d-0e22857102df,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ad9e07-debc-41c8-b766-c23297773211,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d0d7e05-b11f-4f84-bd5b-bb3f89e94571,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8edeabd-501f-468e-8898-c00698accb64,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0759dab9-cc25-49fd-bc49-e527514fba16,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0dba440-f46f-4397-bc2f-aeef5868c871,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09b14511-f2a6-4e21-9f19-9a57ac5f0171,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15ed94a0-d1cc-4219-acd3-ebaf9fdf545e,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e2e9ad-7e7c-4fe4-a03c-36f8ca297cd7,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85303d9d-7b22-4062-a1c8-5d5157c69706,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6326542f-02ec-4fbe-8199-cfce5cb8b2a8,"4/16/2021, 8:42:26.610 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8152c059-ef8a-479d-88a5-edb6ddea771b,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\FISCAL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c0362e-b1ec-47f7-8fb3-f590e73088ac,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a01168-65c2-42b8-9649-51853e67a4c6,"4/16/2021, 8:42:28.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,da98e473-cd3a-4ae2-94b2-cf95a9af83fa,"4/16/2021, 8:42:28.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4476 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad7392e7-45a9-40d6-a6ce-3df23614923a,"4/16/2021, 8:42:28.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbb46f7-0543-4c0a-a6d1-e0ead5ab7832,"4/16/2021, 8:42:28.104 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63068eec-57ae-41ef-87a7-c5ba4654e263,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aacf49d-0724-44fa-adda-59fce8056ad2,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955909e9-0cd1-41cd-bd85-fe209060a7ba,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83bc7b6-7695-401a-955c-0f7025ccf3e8,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09e09488-db61-40be-97f5-896804262e96,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef4e71c1-2888-4f03-b320-9d9e40647dbb,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8302171a-4d46-42fc-8420-6bc49a8cda3f,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f778f5-23b9-4a01-993a-3f85c924a79a,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24f5f336-c752-4f7f-8b57-5e9722a57043,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11978764-5b94-4040-9222-3d4d52b8126f,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91f0406b-6eac-4065-820a-196b9fb6d672,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c18fd52-ff16-44f1-b1f0-5b061551222e,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423d4923-97eb-4fa9-8a85-3bf209bee0cf,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f540b01e-1899-4341-95e8-5da7578fddaf,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d175e76-8217-42e5-9c67-3e063ae7e2b0,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f320572d-336f-4192-803a-d2ca3a12a106,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3451f428-52fe-427b-8467-89b4fec92eca,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed70946-3b68-4cfe-89c9-ff40ca17caf9,"4/16/2021, 8:42:28.104 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c1b7526-fff8-491e-9548-a82aa19d4669,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5b63447-8c6f-472c-9c3a-a3260f21e731,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ddbc92-b198-4a90-a73d-ef7ac3e227c8,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3baeb852-6299-407d-a9de-887327e9c6d1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd63da02-bae2-4b06-b886-d315fa002dfc,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9e0546e-005f-4012-8de9-4a871dd411e1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fa00372-73ad-4918-a21b-99fb41000682,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca98649f-e2c1-4f6a-927b-b3aaf3a7f741,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c44dd601-7148-49ba-b0ba-5fe8279c1565,"4/16/2021, 8:42:36.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5885a3c-2c07-4762-990c-cb25873f5933,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29552348-3b65-4f40-ab62-cac374faf2d9,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5b405e3-c914-4035-92ac-06051ca09304,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c55057-1e9a-430b-9dc9-87010c607156,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f6baace-5e08-44a9-a316-355781b2238d,"4/16/2021, 8:42:36.102 
AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1e68b9-3faa-4e0b-8fec-f369ae47d9dc,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,538d6883-f188-4efc-9275-af8371511593,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6ac3487-8d15-49f0-964b-fa9a4b45445f,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98793deb-9b41-4268-ae6b-7d3b8b23e5f6,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b883e40-11d1-4757-976e-d303822db022,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba0d057f-7cb5-4a6d-bde6-f9d223b489ff,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6f54c5-be5a-4c49-b358-4cdb7ffb34b9,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5e93d1-6ad5-4b48-bba1-f58fd80cff6f,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa23ff38-2411-4541-b345-b306a4e066f1,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9129e8dc-0332-4ef2-871f-5cf82df8d42c,"4/16/2021, 8:42:36.102 AM",,,,,NTLM,, +\OVC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06b76f10-0a3d-4d77-a395-a2588495475e,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e50e7b9f-d724-480c-9941-3dca43925975,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95cc09a5-633b-4d39-9d4a-247f193b09ca,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +\MANAGER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,16bbbce1-2263-488e-83c8-8dc01245840f,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d52c93a-d742-4bc3-9979-b00775e36249,"4/16/2021, 8:46:21.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ff17c10d-b887-4151-95b9-c81afe22b1b6,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 
+ EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4528 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bde11ebd-78f6-42e7-af17-b7daf11b0f52,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4488a4e-2b5b-4eea-8f42-801d4c6fabb2,"4/16/2021, 8:46:21.409 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5b1f3212-9631-4998-95b5-be8a7242e1ce,"4/16/2021, 8:46:21.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f8c6e658-2873-4f9a-ab12-1b6891f62488,"4/16/2021, 8:46:21.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4560 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b612af60-6f32-4106-99cd-845c6c17e2b6,"4/16/2021, 8:50:49.258 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,77786095-65fe-49b5-b49c-1001d9c03023,"4/16/2021, 8:50:49.258 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3c818d-e4b8-444f-81ab-4ad399de113b,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcc38f30-a8dc-45a5-a63b-99354d1b079d,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826fdb56-afba-4a4a-ba3c-89a876337da6,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c55525-0890-4b05-aab0-69acb8e7784c,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8870732-efc8-49de-b4c8-12622c4530b9,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09805081-68c6-4456-8b2f-a5e2e8cd273a,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d44736-f4fc-4c72-ab64-0aba745b2834,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d324d6dc-2e41-4418-a85b-8709b723c208,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371f3adc-b827-4b3c-8117-fc0173a4c1e8,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bc1aadf-f81f-4dcc-b389-f4fa83f7874f,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40cbc00a-c5c2-47f9-8641-29f55eb8c7aa,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8ec0fb2-ea7b-48c3-81c6-b65c52000ae3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9afab2e0-1021-4da1-b452-e2f3c330bbf1,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748ce352-a3cd-459d-b37a-3fecd7b7ce5e,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc923449-9996-4843-af4f-7c242a6f3fc7,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6e878a4-c796-4e08-84ab-be933f5cd8c7,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66fd5d2-d944-4874-836c-cb46b74175dc,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eb82329-a3d3-4606-81cc-e95bc499dbb3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac82504-85a2-430f-a1fc-28753010b4e3,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,773f82f2-4084-4e78-b305-c3a71b9983ab,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfe53e26-24fa-4a71-9c89-ba26183f6550,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e4b1902-8a62-455a-9462-fc8bafb17560,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26487670-6f69-4349-8116-81ab1663d33f,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a784219b-8871-4751-804c-f6d0a38d1dd0,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eabd00e-e246-423d-85c3-06a7c6f8a432,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2fd8b7d-441a-4d04-83c7-c257333b4f49,"4/16/2021, 8:50:17.106 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b88f40-33c0-42cb-9ded-259dab7028ec,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66edf482-c3a3-4bb3-b3c0-995586e766ce,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cbbbf37-83fc-4d61-a9f6-90e92a0cc1b0,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1347da28-65e2-407c-8612-9ccc4722ae39,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af27f73-6522-4885-930b-a95701c80d3d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0b4c330-3f78-4cfd-bb12-f1b0565b9ece,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f60dbe4d-bb11-4de3-8228-194dc7cdb565,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b03dd918-b558-4a94-9537-9261146dc450,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e50259b0-8cf4-4f5a-a6e8-aaf37a4509c3,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eb3b953-db74-41d5-9048-1e19a6387b36,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d903324-4687-4cc6-be31-891d5c3e6343,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25b3d43c-76bc-416f-823e-32a806d8aa29,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\CHEF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,887471d5-75a8-4e56-a16d-bbabcd34ce2b,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20094e86-ef93-4302-a76f-3fa6e38e2751,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fb50a1d-6e64-4acb-873c-2816a648d768,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df8efda1-456d-48ff-b62c-701b21afaf7b,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6d38e3f-c6f8-4c45-bff2-06f996e89234,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16fa5d5f-0ade-448d-b975-3ba4f6ece43d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb755ab5-e748-4ecf-b3e1-f310ae28789d,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a5b6f5a-5140-41b1-b4b7-a4d503d74666,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ade6d19-3227-4532-83ad-9c71c5ea6ab7,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e95ebcfc-d77e-448d-8d1b-68caeaff316f,"4/16/2021, 8:42:38.604 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86727df-2ae0-4a40-82c2-dca022eb296e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fd88758-114a-41c9-997d-7e120284092e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcfdaf5a-9bde-4e18-9bf9-5f6e844ce0c8,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee5f0d4-a144-45dc-9f8b-3a986cff521c,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31d0a72-240e-4e95-ab80-67479d3d4a40,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91c54edc-d0af-45fc-a07b-ebf267908266,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b063e9-61b3-4f0b-b282-6bd4881563a7,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23f86ebd-61b8-48f0-a1c8-ee2548e1ae9e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21944a7d-9f03-450e-b2e0-8706f4ceb8fb,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0320acd1-ed09-4157-9f12-d84c716bae8f,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20c2842a-5813-49a0-9943-9ca9a4623851,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0ee99e-5ed7-4fe1-8e4c-304a76f9e9b2,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7a8d53-fd22-4746-a613-2c5ac0c30de5,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be1a6a3b-9c62-44ad-ae88-0f07667bab37,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d631ef0-65f8-48ac-a6b1-9816a3aaa434,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75099efc-e323-494f-93cf-7a2ec12e7ad1,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd6fe07-ab9a-4e12-b7e5-2c1ffc1eb215,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6abc57ae-c3bd-4ee2-9748-9721a179c0c1,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9fdc7df-162f-4f5d-adeb-ef7343ae4fdc,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d963822f-449e-4a77-8421-6867badd094a,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c690ad5e-0779-4c2c-bba0-a3eb42ebf04e,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a2a2867-fd69-466b-abfb-627d3ee0588d,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a58600-626e-483b-a7eb-c549dea4a66d,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f89dd044-da2c-492a-b049-2645cba1e2e4,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3f93c1-f78a-4c47-962e-f3f1ebd78848,"4/16/2021, 8:42:43.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,6333af83-2db8-4e83-bfa6-cbff3ea31eba,"4/16/2021, 8:42:44.854 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46052041-5bf5-4b62-9549-2ead57011d17,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220bdc49-d937-4f9b-ba8f-0f8622449e78,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee98589-4118-4e71-8ca4-5e1d7efcccae,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2a8beb-49b2-4cd5-a8d0-f1005bc5d1f3,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e01d27bb-33af-49d8-9852-4a4d6bbf20bd,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bb1af95-21b3-4f3a-86e6-2585baa67eeb,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b84292-0529-4840-89c7-2bdc3ca18b3e,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dbc347e-3fb0-4789-aead-30088a75bf87,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2368f81b-c939-4deb-a286-b32c014a4d49,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3907c56-e39e-4456-8ec9-810f5e29046b,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9704c79c-06a9-4d91-af84-c0d12cd8d44d,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041c5519-c282-49ba-8f56-0c00524f66b5,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abe5ef23-823b-4087-90a6-dee14cd121f9,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e9ab397-dd90-49db-af5a-8cb2ecad3b97,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370a5d5c-dde8-4920-b1bb-9110f85a4dc3,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3a1a494-1411-4658-8e40-c2e114bfc262,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39e37eca-465e-4415-bee7-c0be7824f5ac,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7607a0b2-393b-4403-ba5a-13026bd97605,"4/16/2021, 
8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e021e988-fe6c-4922-8ff0-89ffd6f3fc0e,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce03d01b-3df1-4056-bff3-ae94dfc06c86,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1890392-d0c5-4616-8f19-2a29bd9a80fb,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65770fb2-ed28-4fab-874a-f971bf238694,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d3d657-9e7e-4658-9779-09944a5822db,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b90bfd3b-5880-41da-a494-8f77c8f81507,"4/16/2021, 8:42:48.101 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c67ee9b-9012-4311-a2e7-5277075b974e,"4/16/2021, 8:42:48.411 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0783755-8246-43f2-8744-3c91e811a046,"4/16/2021, 8:42:48.411 
AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3608 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,81ce7db8-6c14-4a16-8125-7a5888af034d,"4/16/2021, 8:47:09.855 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6448 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2690a14-399f-4104-a516-353276405de9,"4/16/2021, 8:47:09.855 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e70425af-6d14-4f94-a686-0cdcf089473b,"4/16/2021, 8:47:09.855 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c844427-70bb-48bb-b17f-1934cb43f111,"4/16/2021, 8:47:09.855 AM",,,,,,, 
+,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d341c260-20be-4e41-b81c-8eee7a69d2f1,"4/16/2021, 8:47:09.855 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc4c3b2-585d-4401-a1e5-ddcac82689fd,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d01a56ba-9cd8-4cbd-b8d6-38294f524ef3,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b68a60a-619b-4801-aa65-a357ef410bc0,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8b766d-5c7e-4031-9a5a-926362221df7,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\SAGEHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd63743-733e-4267-923b-233f58b2c742,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3e0ebcf-9c1f-4437-8fa4-e4ce667edc87,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ded08ed5-8fee-4966-9989-70a6281f8882,"4/16/2021, 8:50:52.110 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd2a99ac-5bba-4b42-a0da-534c38a243d8,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30631ee9-103c-4c9a-a29b-2246e9a1b668,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc2c823-c8d2-4a48-b33b-1f358817c17d,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,321b1484-4942-4206-b6aa-c54382f80840,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7667e4ce-de59-4f76-9d72-95ce1347ddd4,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c63677-4f57-45ff-8fb4-d26cec786e6c,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a7bc09-6cbc-443a-87ac-bd53d7a11a45,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fb57e5-7c2b-4e0e-bbbe-4ea0c0ac5c67,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e662945-0362-4e08-8bb5-fc3e9ab2a4f2,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,769101e1-4036-4a11-a606-12d87cebf52f,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5975d18e-8b44-4003-8768-a39c578b3901,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\CRESCENT CITY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b163762f-fa44-449a-9c88-217a4f20600f,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5e3ff7e-5f89-4b3f-9cb1-96442424aa1b,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f603e9-94ea-4476-b319-a8d911d0af01,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a683ab00-b2f4-495c-8687-97acd06f7463,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11528cfc-d527-4426-9b7f-1e18bba8d3f6,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae4d697-bfcb-486e-9233-4e17d07fafc3,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42ddda18-65c3-40de-a9e0-fd15028f7b7b,"4/16/2021, 8:50:52.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e64b4833-d85b-4cea-bb8d-908b6f59abde,"4/16/2021, 8:42:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10008 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,dbac8c72-c908-4c36-973d-2071bbdc46cf,"4/16/2021, 8:42:49.278 AM",,,,,,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c98b18a3-7ef3-45cc-8f9c-ee0988d3fc72,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efd55951-181b-4eaf-8401-4d8c68ad103b,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73b84d78-effc-457e-81bb-21fd66e2753d,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47f3b2a6-93b5-4591-9895-727d591fbc21,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14d8a9c6-6178-4d9d-a9c9-9dfc9714ba14,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b0e424f-a752-47c4-b6b5-32adfd50ff78,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16c34012-0ce6-444b-b997-182cc09108da,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\WINNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b71d57f9-ba85-4c1d-b328-5b9f2993f0a7,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\BOSS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582a1525-0690-4e77-b31b-e6f1da10bca6,"4/16/2021, 8:42:48.600 
AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde94077-fda4-4e10-84c4-9ad05eab8446,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5f33149-50b5-47d1-b722-7f2d0a8da528,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04420d6c-3896-456a-ad43-f8afdf63ad5b,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,580ef6dd-bb33-457d-a72e-7645dfa76137,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0d1742a-b73c-421c-a886-8a9f2db38062,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5358452-614a-4e74-bf12-dc49b1180d69,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcab576-96f6-4b79-9e8a-f3e2998696d0,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5714e02-f371-43ab-9fc1-86c57fc950f9,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7e6254-bec8-407d-b82b-8fc2b12cdc3d,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12cd97c5-b52a-43ee-92cd-e96e63db050c,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a577a2af-c7ce-4550-8852-b4833ed4e004,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e204d206-658a-4102-b60e-46e739bcdc67,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c1a6608-af24-4af6-a22f-69f43d7f74bf,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b746e834-b504-471b-96fb-c3ecdd1e701a,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a772410-e882-4e80-bf8f-306cc0a4d310,"4/16/2021, 8:42:48.600 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9d9bf0fe-2dfc-451f-90b1-0814e24ec15b,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1756 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4f860a1c-c54f-4992-93af-e63030cbdfd8,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4664 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,32f6224a-79ec-4a65-9b6e-09f11ed5bdf1,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9ea42e37-a8f0-4918-b02e-72d1ebb046b6,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11252 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4d850f79-c186-4bcb-b809-a3d1680e08de,"4/16/2021, 8:51:49.360 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9961b39-1781-438b-8ea9-40bc0b497eaf,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4ec5b64b-2497-4d40-aebe-3e45d6fc8ab8,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5379718b-da65-4907-9504-5da38d3ae0f7,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd390f65-a51c-473b-aa51-aace1c181d3a,"4/16/2021, 8:42:51.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,565c5625-b701-4a35-9a4d-21e2bfcde496,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed1faab5-5e40-4c52-8d99-81c9f3ccba20,"4/16/2021, 8:42:51.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1428 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,87fd73e7-bcec-4726-880e-5ac2e72c1fe8,"4/16/2021, 8:42:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6992 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,91e444c3-5d9b-494c-a376-09c322d3ae56,"4/16/2021, 8:42:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,69df85d8-2b14-4c9f-8672-9045eb5e74dc,"4/16/2021, 8:42:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fa2a1358-050f-4523-a901-0d9e5a972628,"4/16/2021, 8:42:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ea7712b2-ed81-419b-b9e8-62520ecc5886,"4/16/2021, 8:42:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b7b4b909-2cc5-463d-ab5d-411f180dfa6f,"4/16/2021, 8:42:52.740 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e1cda49-365f-4be2-b92c-d31d84b3578c,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b64dd7-2a20-444e-a55b-54d3893dfc8b,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06abfcd7-48a7-48fd-9069-15cfdc51dd9d,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c08843-8a3b-47cf-8226-fbcccf1947ed,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dac0633-9209-473e-b26f-df9a7fe751d6,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f133eea-50a3-41d0-883c-79305727e073,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8a0911a-5b4e-49e0-aaaf-de19713deeb8,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc8f1a2c-c53a-437d-aac4-1ae588fe86f9,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d1c30c-e30e-4885-8e1a-1981cdbad4b9,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46821dcd-3238-4af4-b601-d5f76ced2aed,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94a88f87-e0dc-4c90-b5fc-09e0a25f7c9e,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8530ed-f273-4992-b964-6d5d3cddba69,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6bcce37-0ebd-4c10-9990-2852a7aff39e,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b17fa32-69e5-4a2b-92eb-b01e32200fcf,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058fd389-9b45-4cbf-9530-3b2aead505eb,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32735667-f136-4e8a-aceb-e584e12ec158,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59fa5e4e-a086-4679-b77e-3d2491b486fa,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d5883b-f745-4d7b-931c-671767676300,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,225d4598-23b1-4104-93fc-15fa6b285879,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,348aac2a-18bb-4787-85b2-6db80f65d952,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70dbec17-4f0f-4311-af87-425d896145d6,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a24ff925-5f7e-411b-ba77-341c9e455f31,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72cc7c5b-09e9-45b3-8413-c5c63d97be48,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e21157-c770-4d6e-a2a8-f86b5dedadc5,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef6c797-af1f-4272-81b5-7d6477254368,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49cbd5a1-d54a-4e48-92f5-eb761de70470,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20f8122-58b6-4951-bdc4-7d1a797003eb,"4/16/2021, 8:42:55.100 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d9b65c-3e14-4aa4-83f2-6afb6e7e0db6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,010c512a-17bd-4f87-9efc-b936a7ab19bb,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36c77fea-8a98-4845-b922-d9ab0c038717,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f732fc-3e7e-40f6-976f-5204e5e73e9f,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710170fa-a9ae-4f3a-bf70-34c490345238,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e039c0e-9c4e-4a04-bb62-b2f885c84eac,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef4cd6a1-b750-4d19-a051-fe6e34b96798,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6cfcdc6-0b8c-4a0b-b8c6-6d17acfd4441,"4/16/2021, 8:51:15.634 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,174095a5-c1e7-49c2-b790-0fa63ffb92d0,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,785d46ee-8f04-40fc-bad1-b26dbd1b8030,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f518017c-b038-47c2-a49a-4034108d9c10,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dc348ed-698b-41b3-b346-d3f5e8c82040,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027540e5-0f14-4f9e-a114-afba1de7834a,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93a2b15a-22da-48c3-a464-f006e2d0c8f6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bef39287-f9a0-4f78-833e-49d581f5a6e6,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c1df5a9-10cb-430f-9894-4035f4d446ee,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5259a76-55cb-4e05-8c4b-563bb59d511f,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fd0135b-135a-4bee-9fe3-afa1f4c2aeef,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64190d0d-fc85-4d8b-9627-40b2b05d89c9,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0fde6e2-f368-4904-96ef-7099979c00ec,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd2811a8-08e7-431c-b95a-31775f197607,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,109403c2-cca2-4fbf-9cf5-506d3e0119e0,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fd29d86-d3f1-41a1-8ac1-660c76d06d03,"4/16/2021, 8:51:15.634 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1276 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cf1ca46b-006c-47ad-b25c-78210ac8c95f,"4/16/2021, 8:42:55.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b237b63-3b37-47fa-8a0a-8b6e53557afb,"4/16/2021, 8:42:55.986 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ea20e1-a3cc-4594-9fec-34bc7932516a,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc961adf-cfa3-419d-b34f-0f4530e40007,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f840daa1-1ec4-49bd-bd97-5a897558fa79,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157b3296-65d8-4d62-ad53-e888da988ed0,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b072b1-6589-4731-88a0-36e306ef467e,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a484638-959b-49ae-8ca3-202b05fc8edc,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d10801-105e-4602-b557-360f2f00112e,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c60ae13-61dc-481b-8a52-c602c7412159,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5abd3ca-f77e-41f9-afad-a667566eda33,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf51b92a-a7b8-4b6c-86d2-37393f7bd955,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3199d3-8353-4d11-b867-5981480be94a,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5223c0-1606-440d-869b-5b6f29a2518c,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9cac82d-11ee-4d39-9d10-ccd111207669,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbdb298-a44f-4447-bbfb-dc055db61fce,"4/16/2021, 8:52:21.192 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf871e81-6e2f-41a3-a33a-6e11b8b302a0,"4/16/2021, 8:52:21.192 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b30ca5a-b380-4e04-821f-6fae7fa3d404,"4/16/2021, 8:52:21.192 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db14a1a-c89e-4f6e-96bb-a188b85fea14,"4/16/2021, 8:52:21.192 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e391b48-81ef-4ce8-8f78-2281064b1f46,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68a83e66-5326-4253-bdc3-d246a312b603,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49b1f9eb-547e-46f3-8b72-a60d8632ea89,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49acc1d2-5085-4baf-9b4a-e55a6e4490c4,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235aeaa7-a5ca-45d5-85f3-a4b1aa730931,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0408094b-0335-4ffe-820b-39b95a55fec1,"4/16/2021, 8:52:21.192 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5186cb1-d76b-47c3-8af5-67abf0e02a9a,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + UNKNOWN + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\ecc84254804e00c8a407d222b20947e8_2c28d2a6-9a4f-493a-825b-4dd06262f38f + %%2458 + 0x0 +",5058,5058 - Key file operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,809be781-600f-4cff-a92c-8a98503848f4,"4/16/2021, 8:51:01.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider 
+ RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81bea5fe-c358-4d6a-8a51-5a21ab8b6b8c,"4/16/2021, 8:51:01.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c2bfdf1-c965-4c99-919e-010aca53f134,"4/16/2021, 8:51:01.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 3024 + 2021-04-15T01:13:28.220444600Z + Microsoft Software Key Storage Provider + RSA + 9af6eb98-f039-4b69-b4af-16bce622fb2d + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76f0aa93-0a1b-4162-98a3-5ffe4e2a1d96,"4/16/2021, 8:51:01.414 AM",,,,,,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,159c21b3-036a-4536-88a9-4314b922b2e7,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,829cca74-47ff-4c5d-928e-0097408034b3,"4/16/2021, 8:51:01.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce219848-3054-4dae-a508-af4b8e16b89c,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575a2cf9-7f31-42a9-83b7-6cd19b491dfd,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7644ef0a-e615-4edb-8f66-bdf996d5c87b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a472bd-8de1-4bf4-b42f-1f33f15c3d90,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a090ce2-0a67-4524-9d0e-1111a2df252a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee84a49b-8375-4e2e-8f2f-21ace192190f,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a729b3e7-f005-4c00-b908-571c8eff3b4b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fdfad49-9ab8-4183-86d2-089823015c06,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45a4c72-6873-4440-b8b1-ce77b205f5d3,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d9a17fe-0259-44c3-9678-a02aca520b8a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f8a0423-512f-4bcf-a51a-d73793f51080,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813ae4b3-50d7-43a8-a28a-1aa0dc56593d,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e724c97b-7100-4d7d-aa38-802af8e82fa5,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e95cdf-bab0-49a2-8210-86ce7db1bce4,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd67318-d56b-4ca8-ad53-af1eb3f49862,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,902ec3c9-c5c0-4076-a999-d6c07a2bad7a,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28858ddf-a73b-4bfc-b4ae-9aa19ee83341,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14186fe8-56fd-4464-b2db-7f6a60ebf106,"4/16/2021, 
8:43:02.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27cfd0ba-5b50-4309-baa6-8ed4f34080a7,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82da0645-6c98-4d11-bea9-6962600fbd00,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5237068f-21a6-4bc8-a000-d7e5e1defc82,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a98f42d3-f629-4416-8b78-1ce61e6d0e2b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b45402-62df-42ac-9d33-c0c81492e005,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7bc20f7-9d7a-4ae3-b9df-f5bb9ecba32b,"4/16/2021, 8:43:02.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + 
C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,65618be7-0f48-432a-a9a3-481d530d270d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5764 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0c267027-fede-4b90-b52b-9c1f635c768d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6468 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,48e1db24-6033-4750-b667-f799ddf97d9f,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eefc10b7-495e-46d4-980e-41a2f90cfe3a,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ddc5856f-5175-4894-8a1c-3e5ac04a28dd,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ee477f01-1e0e-44fb-8fd2-0f9b71005766,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e035a890-2b87-4bec-bdcf-8e4e643d59d8,"4/16/2021, 8:43:07.851 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,353a36f8-5512-4bcf-b206-2477375f6d0d,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c55b01f-d4df-4a7c-bbe6-e3248f29bc5c,"4/16/2021, 8:43:07.851 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c011bd5-bc12-4697-af44-46dbf2d9486f,"4/16/2021, 8:43:07.851 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,29d0004e-2e62-4a2a-9bd7-eb2835339aa6,"4/16/2021, 8:43:07.851 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32c1e709-9b4b-4467-a5c1-c7b82c6b4e75,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e549aa9e-da7c-4576-bd70-f894a7de0156,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bcc44d-a56f-4037-95b3-83a6a2b14031,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cacfcc06-1e67-49da-b7ea-fa0dd5927d0d,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,609c55c8-c3a2-4761-a1c2-ccc5d54b52aa,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0c6e74-5550-4039-9b96-77669c457194,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb89455-ca6d-41fb-88d8-3644dbfc141e,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f1c61e-f656-4f15-9491-84b747b5cdcd,"4/16/2021, 8:43:10.605 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f49a6717-6d7e-4419-bc13-b57225f87861,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b8a08dc-eedd-469c-b6cd-577848008469,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1567a02d-37bd-4991-b950-f8c92a0e8154,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de909014-5586-40c9-b048-542e033d8034,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ea5852-1e35-4b7d-b1fe-a37a963b05f2,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a493fe02-6330-457b-a8f5-95516ed589fe,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c633bcc4-b675-48ef-9469-2e616efc21f3,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c0ccf99-07c2-48d4-a968-b54775f483ef,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd7209c3-9969-41c2-9f88-528d76642990,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195babf5-8b4b-4d25-9a4a-f751e6212377,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd7d8b9a-c7f1-44e8-9c93-84e009035eb5,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,706387fc-d68e-43a2-8487-f5ccc47ea982,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,741e2a79-180e-4f79-bcf4-019560559627,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2511e2b7-13e6-4c12-b58f-ceef8260b24a,"4/16/2021, 8:43:10.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,750e0653-beea-4593-83fe-1517b3e24634,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9cd8927-a448-4ffa-bb85-d3dd40b5a2b7,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fcf899-8972-4d54-806b-e564b11236d3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61bff960-a313-4785-ba2c-98b55e94fba3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1466aeb3-1cd3-428e-868c-92e0f8a2fe58,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af73514f-438e-4eb5-8413-dc7ee7c5ef7d,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba464a8-2d85-4106-97eb-4ffc92f6e1ff,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77de9a64-d99b-4b8a-b11f-808abed0822d,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235508b0-a38d-49dd-b7e8-12a46b33f432,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,649022df-f1f9-40ba-9472-75f33f56544a,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89937670-ef34-4647-8045-38b69709bf50,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b888c753-e737-4d7c-b799-3e216a2cc171,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e17bdb-bc44-4fab-9302-17197aa75138,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f2fef60-75ad-4f4d-9b80-c5e9ca5aa34f,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ce9a705-4c7f-4a44-9bf3-14d605157262,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b22528-c4d1-49cd-b9e9-778e5568a841,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4815bb41-944c-4e86-8d7b-c6e6886fc846,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2365f325-e731-4990-aebc-bececeebf984,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6a3aa8-709f-46a2-998f-a07aba5f1aae,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1608de51-4ed4-4458-94a5-8f53a1033031,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c75bc69-b4ad-44e6-84b0-acec63d0a8fd,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1379ca-c87b-420e-b656-1dfcd940f3dc,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb069cfb-8d0c-49eb-96a1-585f4ae1acc3,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff2450a-a3eb-422f-b00d-4e4acfb560f1,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ef94a41-1f7b-4597-9f0c-188876a24d3f,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c403a3-6fa4-48e8-8876-b5914d43c786,"4/16/2021, 8:43:11.101 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5304 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,67e68432-cd30-49bf-9ce1-d7edbb65b049,"4/16/2021, 8:51:41.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8604db8-2794-4e6d-a86b-46fa2c0c154b,"4/16/2021, 8:51:41.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea437671-9806-4df0-825e-7693d74b80f0,"4/16/2021, 8:51:41.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3addf799-c88c-4e14-afaa-3ecdc0a4d170,"4/16/2021, 8:51:41.408 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e38d6fc9-d996-41de-80ac-418df3c3be81,"4/16/2021, 8:51:41.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,49977df3-d138-48e7-826e-44200943dcd3,"4/16/2021, 8:51:41.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a6f6e5b-583f-4bcd-b6c0-54b75f75806d,"4/16/2021, 8:51:41.408 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,288bef1f-a1b6-457a-a394-ac93d78ba635,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49fb9a39-eb98-46fc-9a7a-0e632869decf,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b480318-4168-47de-ba54-f01d188a4213,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c706046f-15a9-4590-9b9c-6801e1acf6d1,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e844f136-c4d7-47df-b30f-b9b1f1bfc4dc,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6106014-fb5b-4a15-bbfe-f224d497caa6,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3be4f3ac-4956-4259-92e6-76229cb1b078,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e294a436-f870-4f9d-abbe-dbe5ce53201f,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acce0df5-fb5d-41d3-933b-2a6674abed9d,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a86754-63ff-4164-b1bc-46dc8e3a3481,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438c8537-8616-42ec-9d91-f7e0a51a3cde,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e13d4c-d79a-410c-a949-0be7462c46d5,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,036d5b16-1b62-47c9-89c2-bc821f3fa094,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfc7c05e-311a-4ee6-aefa-5d5e93b8d34c,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\JOKER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24c3b103-7b0e-4727-a638-8ae9e9fb8281,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,579da6cd-b0e6-4eec-865d-c5c0af229596,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,654830a3-7636-477c-a85e-b714cf915253,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc396cb2-54fa-4284-93fa-3dfb2ff47769,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5633f546-27fb-49c7-9268-7b6971b49655,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,642f9003-fe85-4d01-b743-f680830c7fb1,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b6a209d-799b-4054-8930-a08a1d354899,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1a73da-29a5-4fe1-85a6-2e06aad93668,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79caa4b1-4d73-4097-b381-2ed6e5a5b178,"4/16/2021, 8:43:21.599 AM",,,,,NTLM,, +\CHRISTOPHE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75863261-867c-4e75-8fda-d3f2b2da2fd8,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813c67d1-24f0-4751-9bdd-cf907ce38edd,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c248f17a-c951-4f4b-a495-1b902a674f23,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,481e90c3-ee58-4a49-abda-a105d7932ecb,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8896ddbb-a2c7-4950-b202-c7a705f913e9,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019a511b-79ce-4251-98ec-88cc0592e30e,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf3097c5-5f1c-488a-99d5-73190c7f9629,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9898268e-1e26-4b5b-b5ba-2c9f15c34f7d,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeb25d6d-12db-4d1b-9853-885e975cd3ae,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a4f3a02-a56b-4ba2-adf1-a305bed35923,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3a4123-53d7-4f4a-bbeb-3acd7608049d,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bdc7f3b-fcf4-4897-ab9e-7b9e86242aea,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cffdf3a-7e26-4c6e-a932-e1f818424249,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45b3d51b-6785-4adc-9e3b-aa47d3c675b7,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,474b4608-9c7f-4e41-98a0-36a1722edce5,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d5f8a0b-2012-4123-ba26-e2f3829c6514,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e883e683-7475-44af-88b1-3524b48ba970,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3af04ba-4982-4ba3-a999-2aafe0d138eb,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73f414a1-e6e6-4bca-b15b-4d2cc690d3f6,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4b1b5a4-4251-440a-8536-fffe38c0ea70,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a3034a-43e5-43e5-8616-5ff06da00470,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f93b9063-3d23-4f31-bae4-6fd8b5088774,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c6a77f-c5c1-4308-9793-33884270d4d2,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e962c999-82e8-42ca-8977-29f837568f54,"4/16/2021, 8:53:26.106 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,71406a45-43fe-4a3e-9a46-dd5339dbdfd9,"4/16/2021, 8:51:44.857 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a2f396c-2be7-478c-8ccb-582439e6e4bc,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c29544a0-f4d9-4ce1-8280-5bd031342938,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24257684-39df-42c4-a4ba-c39117514ecf,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ac3464-81df-4db9-a9fc-52e78ea09370,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8eee5ec-c10b-4602-9682-5e2cdce034e6,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac021cbb-ad35-47d1-80ec-7a343b1d0d6b,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe504f8-358a-4938-8e38-63a9aa66f465,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41debe2e-f77f-49c6-91c1-d0d2f673f02c,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,190d715d-98ac-40c4-8eed-96b3d6c818a7,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2725048c-314d-4b05-b01c-fa410d179ab2,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b07efb3c-a9ca-4425-aa38-9fc5c02f89f9,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ce4b9a4-829e-48e7-9c02-2964ee863867,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d96dd3-da0e-4632-8fb1-76863788a681,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ab27a8-14e1-4cec-b96b-80deeea223ed,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f342516-ef2a-4da1-be46-6a1b5b4b6967,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e91e9a4-8be5-4878-9fc0-47ada19148e9,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ff53782-2ec2-4315-aec7-28498390e235,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c546ff-cc6f-496e-912e-40f135de847e,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a896f35-389f-4d22-a427-c218e663e0b5,"4/16/2021, 8:43:20.110 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fbe8733-2bf2-4888-8cd9-fb4a2cb4ef60,"4/16/2021, 8:43:20.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,110aea2c-0d1c-4877-a0ac-a0ff4b403d55,"4/16/2021, 8:43:20.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,86128bd3-2bb4-4bee-9f14-27fd8ed32016,"4/16/2021, 8:43:20.110 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ce99fa-570f-4cf2-887f-b91fc0c8fc8a,"4/16/2021, 8:43:20.110 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f29e6a29-bee8-46ef-ac05-447f88ac5918,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a57f2de4-2ba4-4be4-b666-73bb1eb09289,"4/16/2021, 8:43:32.973 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9bf65537-a683-498a-b596-3502df7cbbc2,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b6736f67-4feb-4b31-96fb-044c11d8188b,"4/16/2021, 8:43:32.973 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9de8db5d-dc70-461f-a6fe-f970fad9c9b8,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10372 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a8cd24fd-bcfb-4548-a408-9886e0b8262d,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9412 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b1c24baa-d6e2-42f9-9b0d-8beff7935aaa,"4/16/2021, 8:43:32.973 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4acc0c6f-91ac-46f6-9f7c-7b273e9b604b,"4/16/2021, 8:43:32.973 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7068 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ed61a7bc-2ecb-4614-b994-33c5496cd25c,"4/16/2021, 8:43:32.973 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1fce392a-7b69-4910-b57b-e9ab70d78367,"4/16/2021, 8:43:32.973 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e28503c1-607b-4764-9c40-2984c5f15030,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,533ed9b7-5664-4339-a060-2e91245173ce,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed2281b8-a450-44a0-a852-35cca7dba717,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5980ae4c-775b-4bc1-bfe0-7d792d7ba218,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4ddc647-e876-4175-812a-ed650d5110b1,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e8dc10d-3786-4589-b97b-2812c61017d0,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027787ef-75f9-41e1-bf21-a5147afcda13,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60363280-2fdb-411e-9d85-09e7f0ffed30,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa553ea-64b8-43c3-b349-f6a2b4da8f62,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b47374c-ac23-43d6-9252-d5fc8603b053,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1821f205-01c7-46dc-a689-39defd9db17b,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8566b171-7e31-470d-8f7f-4bdb0132b391,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e9f8642-2804-4d7d-8f98-d82155b37717,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85cbc98a-26c5-4fc2-a9b6-be6cd6355ff4,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,072c1044-d4b2-46ac-96fe-e6b0851717a1,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e715e4d-2b0b-43b9-9639-3cb5b1107f1a,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529e727f-9ded-49a9-b3b9-185662f5534b,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7b40127-c65a-48ed-b0ee-6ffdde126cad,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ab13602-8315-48ae-926c-312a57c884df,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3020d8fd-aac5-46ef-9352-6bf62ae1c1dd,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de807406-7822-4705-9e02-56b87e31f979,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,869cfec8-01d2-404a-9277-ba7fc54a3e12,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\KJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f07e2d6-e224-41f3-9d3d-975b6377679a,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3185332-694f-4869-88a2-05c248a68dc0,"4/16/2021, 8:43:34.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d349cd1-5b84-466d-bcba-e558f0c4ee50,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75f750d4-0354-41a2-a077-cbfc97d6cd85,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8771094-62db-45ea-9f11-38b2d2ba434a,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370eb69d-d7b1-4ad2-a4c2-1e0c54a73ec8,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312fa1a5-e255-4125-9dfa-8354a0f1d876,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a0aaa32-d51d-4480-a267-d535071ed86f,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22410178-8f53-4f5c-9e0d-b5516b3d9af8,"4/16/2021, 
8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ad7509-f9e2-464a-924b-0c1e771ce6f7,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,492ee693-212c-4fe1-8b7c-b51f86cf5f70,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb1c1bd-e920-41da-8e9d-3272fa8a4b52,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2554f4c6-915c-42df-a14e-65b1c4ce9ded,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf736cb-9fa5-4fb7-ae2b-f5e810d7dd44,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f48b7616-57fa-4487-a9f7-14db0cd462db,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ec6ddc6-2172-4420-8ecd-38d74bb416b4,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,673c2168-c9b0-436a-92b9-3a7bca11ce7a,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7e9305c-fbe3-4d18-bc6f-ae1d4e7ec382,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ceca7ee-1557-4f56-9757-825ac3bc260d,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40a3a29b-8a3c-4a8b-b985-e4459bebeda2,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cba0a02-f4ba-454a-aafc-d19852d94322,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2399b31d-1b20-4ea7-836d-cc58ccc8aea4,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc40f47b-5d91-4764-8ae7-6b02eb3fd0de,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bed67d4-6c0c-4759-b06a-47a7f1dc8f5e,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d39cf131-4508-40ef-847b-2c8b72f79d8c,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aab491ad-dfc5-4dd0-ad50-6a3c5a2c63f1,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b05cd42c-81d4-4d07-9cc2-3e00fc7c19bf,"4/16/2021, 8:43:41.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b48caf36-8ae5-4182-bfd8-d702baa64938,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9db7605e-d9f5-4e30-90f1-f4c301a7dd08,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c18f7f50-3248-4d53-908c-5738aed3766c,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f39ccfe-fa26-4b74-b55b-99113b9eeca1,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ac63d30-2651-41a0-9fdb-cd7beeb901e2,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,656dd64e-9798-418b-b5ef-50625feaaf61,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e99c616-c6a0-4fcc-bca0-edbd0935bf85,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61eb13f4-182f-4175-9645-44732f5dc23c,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec530aa2-bf6c-4e28-9048-3fd7638a004b,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,104451cd-ff2b-42f3-9986-c965eac0b615,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fc74bb-d062-4167-8e00-ccf2359ed9f8,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,121ffbd4-372e-4ef5-8bda-22e43256d20a,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be1ef088-ba06-4646-ab2c-8430a1492968,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d2d26ec-c754-4a77-9d8e-9b2c58a4358f,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,768e93d6-1afa-4826-9175-092ea6ed0502,"4/16/2021, 
8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b380e94b-d28c-4516-bfaf-2c703582002d,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c0bb5c-eaf2-455a-8d77-66f03cd1e155,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,445fd3fa-5ed9-4e57-998c-ff8bd70b9bc2,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,660316eb-2d6f-4ba7-bd47-da33d836ac15,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d04169-06b7-41da-8bbb-94f434108cd0,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,942f60a3-f5e6-4f58-aade-8393031a0b25,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eff5af8-f021-425a-84c0-e209f1672242,"4/16/2021, 8:56:51.655 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869dcd89-8271-4e06-80e5-8dc88200a20d,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35985eb5-ff7a-4498-be53-3ae25edc20a0,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d09c818-9e92-4482-9b37-962bbf00b91d,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,052eb06c-08ec-48e1-9157-216e78e3e907,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef237d57-b46b-475f-bb0d-400b3bc23e96,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba1a2e7-8f20-4ae8-a5fd-2f368881a2bb,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c96ba27b-f625-4e0f-8c4d-7d8b67fd0f31,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f8feaa-ae49-48ac-a3d0-4acaf4ed9e0a,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d136193b-7158-4f1e-8cfe-aad23272d241,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78af005d-6a56-4acb-a61c-f87b77ef7c97,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f720e69-a4a9-4b7f-b0db-24eed7cbe9ec,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80e8aef-973e-4dfa-a380-b977d4d91a45,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0e81eee-2c31-44b3-bfd0-bac44180ba2f,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2430535b-f1ff-49e4-b8fb-fa0b4092a1a2,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1717983f-ddf5-4e7a-b66e-4dc543c91242,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b80c908-4148-487b-b557-bb8256471036,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3020832-1af3-4a7a-9de2-de6947f433fc,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ea34cb-d373-4003-8851-20145e997883,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99053e7b-224c-4cc0-aaea-60bb2043d9d0,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b83840-ac84-40ca-8a61-c811d0293b47,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75d2e454-0f42-4110-b039-c2a60c8f92f5,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216e03cd-ebc1-43c1-82f7-a5638baab4b2,"4/16/2021, 8:53:43.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c0d256b-a89c-403a-817d-1122fb498304,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ece7b3-4164-474a-9cc0-65a526d75dca,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbd19e1-1c3f-4db5-873f-e2dc3e4b726c,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26310224-bba8-4c96-ab5f-c2b177f4dc2d,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e160b7-c92e-424d-a719-291a2ced7471,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdc62095-1da6-441b-bcf0-6c1022f0e9a6,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be2062c1-ca51-4def-946b-0c3b3b6a2836,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bc0cc81-dd99-49a7-a77d-8e0e8a001635,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22b75703-9c92-401d-a8ba-b3521c03d8b8,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e450a1-faa3-4fbd-b1da-2bd93b3b3c06,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26ebb291-f6bd-4d24-b113-09929f121c25,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f87cbe4-b5fa-4351-8179-a997b7b41d46,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba5606b-8644-4fae-a364-cb1099b83b12,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b891a5-4892-4051-a42e-c8e524b9b3da,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a823520c-4172-494e-8c3b-a4cc9572c165,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5297b195-6c98-48fe-b93b-10d4752a3ac6,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3eab533-4d7c-4626-934b-18856af27789,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,970cb64b-2172-4905-8181-d9159a9886b4,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,817fbe66-a302-4f7e-a869-ed7536e97427,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5beb91d8-f333-467c-8a03-0a2533d0af6a,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07eba22-0bc0-4b33-98d1-0e28ca0833ce,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d75d9a-b3e8-4753-88d5-e931805beb93,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff811107-a533-4e16-ba4c-691c4d2b3ba5,"4/16/2021, 8:51:44.104 AM",,,,,NTLM,, +\MULETTO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d86c269d-8c42-4da2-a04c-37927a23687e,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ce7bfd-2880-4f6d-a02a-e2840dfcd393,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9589952c-2dfa-41ce-bf72-59f2abe9bef6,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\DATA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcbd8eaf-9b2d-49c3-81a7-4fa32d4ef7e6,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3de97a19-001d-4700-b42b-69ecbaee2200,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b00b570-4eeb-44cc-b6c2-9edc8fb9c297,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fe31743-1e8b-46b2-9ada-c055470e8b49,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,404409dc-c4a7-4eb9-9bb7-eae4c7c6130d,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd4c9fee-41ea-4a34-97f1-e78af4a1b4a5,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9565dd7-4dd2-48a8-8abf-719d9dd1cb5b,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5621a918-764e-4a6d-ab6e-090f0bcb79a2,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\EYY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee44ac3-79fa-44e7-8764-ed062bdc5828,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba88a2a8-9937-447f-ad49-742011473475,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7740b2b2-2891-4bbd-94ae-23b5515c2adc,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,857537bc-85b1-4da7-9c7b-383c4b72bbc8,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0261625-bfd9-4667-bf5a-2e9a6531c057,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f9b0461-dea3-4f6c-a9a0-43cab4928caf,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf4aa3eb-5fed-459d-a54a-c6776585f913,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6355241b-9998-472e-8d8d-9b49c770972d,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44ca7e5-2d6d-431d-837c-445ca9f75a7e,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ad97758-34cd-4636-ae51-e67b64f353c4,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73ef332a-b9c8-4771-90bf-dab318afdc3b,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd31bf9-5aa5-48e2-9d00-401a289406e7,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da624d2d-82fc-4be3-993d-dd4aaff857be,"4/16/2021, 8:43:46.608 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ecf4ed8-8ce5-436a-ac45-7063704a9097,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bdb8caa-a090-407e-99a9-bbc1596aa1a2,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9857acc6-1cdb-4b36-87bb-1496a8249474,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af7132aa-9e0e-431d-b843-d28da3b59c47,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eec41e7-864d-4139-a900-368db151a995,"4/16/2021, 8:43:49.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fb35dc2-eef9-4d50-80c6-4d8d419542be,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8260 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f48e39f-bd8e-4f33-9223-05781fc5e29c,"4/16/2021, 8:43:49.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02c8f99-9549-4b5d-a33d-5554155a80d8,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92df5a88-bc8a-4977-8b74-7fc2a2876355,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d25103eb-7c54-497a-9f53-172e52be1e01,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f3424a-c6cf-4fe6-8040-cbd38bffdea3,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be6e12c-42ce-4ac9-a073-f08518d124b7,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a049373b-e0b1-41fe-9b58-abe07bad591b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a81fabe7-ef2e-4fa3-8326-6eaa1efeb355,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539f4785-850d-4bf1-8c84-ce28c7233f68,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a90ef961-4067-4130-957c-25e2e3364d40,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,438b2a76-d82e-435b-9ecb-c3a334ebd5ab,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd114cfc-18ff-424e-b358-2e35ba48e964,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff451f74-8756-42e8-813b-63438259aeed,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b3f5039-904c-407a-a146-2b4484b4a4e5,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4431b13a-b509-419e-8201-534d0b93c01c,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5affc4d8-88db-4da2-b027-b7b4d6cd23e8,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041f49ac-c1df-476f-bdb4-36e8d6452f4b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b79098a5-891e-4fc0-b7a4-eb2d6e2ac7f0,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d8d917-23a7-49c9-a143-66a32e40737b,"4/16/2021, 8:43:49.103 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b10df299-698e-41d1-b326-a39e02b30882,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1f82302c-1f2a-4fab-9ecb-86e76dbee482,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,565be31b-82dd-4e3e-ba79-73c9dc641c48,"4/16/2021, 8:43:49.321 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7828 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4686d62f-dc85-4f6a-ad28-abac0a5aa006,"4/16/2021, 8:43:49.321 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c304ac-358a-4d8a-b0db-5faaac59a6fa,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d919c3ac-fa2b-4eaf-99eb-9dd3657ee375,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4362bd1d-f9b9-4f61-a0d2-bdfea71491e3,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP 
+ 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d84f0bc6-c5b5-4306-946e-40d7cbb9c86d,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-503 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,559f434a-176d-4dd2-ab6e-ab93ae4e8232,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-501 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f65a999-dad5-4319-8985-4b1a9f053320,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-504 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c21bcbb-f82e-439a-8bf2-2c2e8698570c,"4/16/2021, 8:43:51.863 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0xe50 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\WaAppAgent.exe +",4798,4798 - A user's local group membership was 
enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1853aa25-c11f-4568-ab56-0a1224eb5ebd,"4/16/2021, 8:43:51.863 AM",,,,,,0xe50, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9fe1dd25-524c-480f-8334-b2405a0eace4,"4/16/2021, 8:43:51.863 AM",,,,,,0x0, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c73ad341-4d6b-4ad4-95e3-1cff9330e157,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2988 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e7c710d8-1d2c-4e4e-ac46-936fb3ff8f7d,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8f0279d2-5a4a-4990-8b5d-66df3631f0c3,"4/16/2021, 8:43:51.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,46a4da64-3caf-4ce4-8775-22768bdf844d,"4/16/2021, 8:43:51.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf4da72f-55b4-4768-9f53-72fc389716ad,"4/16/2021, 8:43:51.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6e717a18-2cfa-44b9-a389-06d99b837b87,"4/16/2021, 8:43:51.863 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3c6b2ef-f68f-48fe-b4f8-5592b92a97fe,"4/16/2021, 8:43:51.863 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216d056e-2980-4da1-8474-68158d169b02,"4/16/2021, 
8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5991ad8d-8644-416d-9b2b-61dd83fdc34a,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8df09221-b5ac-4a6b-9201-3267869d836e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,811fd72d-ddf3-4449-9f7c-639c44e44fe2,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,addf483e-5cdd-439d-a68d-23b685c30f31,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b836d370-1008-4957-8e39-204084cb7242,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc2c0db-487f-4ef8-87f2-97ac75e15d5b,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03959060-fa4f-4fa5-8a1b-21aff7c507c8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28a611b4-75ab-49a1-9645-0a5bcce062e0,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8941c829-ea25-43b6-aaca-8d8b5c36f908,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,730efac7-b434-48f7-b2fc-f21c2cf83a57,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca2d0b7-d086-4b39-9bfb-4107b30b50da,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db5dfa96-df5c-4f79-a448-3950bfd0085e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee476dbf-7861-478a-95ef-227205a6ebff,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4f64d8b-43ee-4610-89ef-d8dd79ae5f7e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ed8b4e-c75a-4e02-9ff1-0f94f568a220,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd58a618-5ec9-4c8b-9036-1a1b25516a47,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edf8ed26-5d34-459b-ab7c-88accc4fa62d,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4e8c0d3-dbb2-4522-94a5-e96b14c8aed8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2fceaa7-2061-43bf-b5c8-542b6812c192,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b2bfec-8378-4e47-b3e9-761591d94dcf,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48779e43-6e09-4955-a14d-ea3e6d676668,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3278d9db-2b43-4e52-8254-27735bcf7d8b,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1003a96a-4cf6-44bd-bbdb-9017603ed13e,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42790f3-0ac8-475a-a7b1-fe3097afeae8,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824ac432-5f0e-40ca-973b-6ec9f21f8b39,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,288f212a-aac9-4631-a745-259cd1e10823,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9f498d-d4b0-4d2f-9c78-6b365d9e5a9c,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a08a99ab-a2b2-4768-b89b-fbb094e8167c,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce982485-4767-4fc9-afae-4774e30bc530,"4/16/2021, 8:43:55.103 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,540af7b0-5e8a-465e-a948-1fdfbaf95c2a,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,05a9111b-9edd-49a5-8651-da269afcfd47,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 
7084 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4fa7d2c7-7763-464b-afdb-98151681a77c,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1d4f282-670c-463d-a589-40eb205caaff,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a7989b64-5a9e-4833-9a12-5a8e4ce04f51,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2896 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42c97bd6-2665-47b9-937a-b54abb02fcad,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,783414c9-5659-41db-bfb2-1859215f212a,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39052360-6b2b-49db-b6f0-57c1c42d47f4,"4/16/2021, 8:51:46.761 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a8e64bbd-9a2e-4caa-b0bc-396168f29a92,"4/16/2021, 8:51:46.761 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5cb383ca-c903-4458-855d-c5822b5697bb,"4/16/2021, 8:51:46.761 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,450f2795-d12a-403e-89b0-129f1b074b76,"4/16/2021, 8:51:46.761 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ea816216-ceeb-4c3f-a4af-eef5ba031d70,"4/16/2021, 8:51:46.761 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0771d4f6-25a0-4065-8ffd-e2623c20cf47,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cce72214-58d2-4c7a-9253-3523ca89027a,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d07c1ad-e6cf-4dfc-920d-661d13e3fdb2,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,335e367f-8152-4b49-8c98-0224ca5f1fef,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0cf9c6-2bd6-40d4-8240-5d0deb407642,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e5d2115-eac6-45a8-bfbc-7dca37893bcf,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,391ef2bb-9190-448c-9637-4e297f382833,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3fe039d-4259-44ea-988c-77ef5948a035,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1905c32-a709-4190-9016-4d8c4a23e8bb,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\TPV1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a3af64a-c7fa-4f9e-98cf-f5ab1c4124ef,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6169bf2-e363-4bd3-b4c0-2803849573a6,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ae6ef0b-9e13-4392-b776-2b2b0c8c60d0,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d600c536-e431-4d3d-9636-042b90a5ad07,"4/16/2021, 8:57:20.653 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,725638c4-5697-4b23-a061-a72a4928f6f3,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49721529-a377-4a0f-b65a-5d623f1a4a96,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb5c063f-85a5-4558-b987-d0f6952f861b,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b52f3d93-15ac-4c1c-802a-bbdd42ae8d8f,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4282a29c-0f94-4a20-b51a-506f77cda137,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a540aae8-7f17-4b63-a370-7b8438febf30,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfd2988a-0e8e-40e3-9a57-66a7a678fb06,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,680f06ce-5239-4af4-97e9-4adcc5eb0da4,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1927a8-5821-4a83-8389-1fbe0910ad7d,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab7709af-0463-4b39-9701-c86965dcbee7,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d3720de-dc3e-4b9c-b486-ec33a97d0f74,"4/16/2021, 8:57:20.653 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ec9372ce-597c-4106-a080-3d373a19a65a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,067cf272-afda-4866-a850-bae32efd2616,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ff7bcec-7b9e-4f14-b289-92139d0781a6,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d5faa8e-5c3d-4e37-a6f7-bac15ae7886a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,425127b1-6004-460b-a4ac-fb29c9031309,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f83c587c-1ccc-4b43-a0be-509bb10fb17e,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fa8baf16-6a8b-4410-abd2-44725af86b0a,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8271b490-83eb-4620-9c62-55648c17cbd5,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,814305f0-478d-4619-b0dc-ae8a2f4583f5,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a0f43217-868b-4f53-ac72-74ed4c96d2e2,"4/16/2021, 8:54:24.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6e0d4811-affb-43b1-ae49-a6c0225ac19e,"4/16/2021, 8:54:24.054 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c0a5b56e-7a59-4e1e-9aa3-b0d877bc6652,"4/16/2021, 8:43:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d986e69b-58b5-4bb5-a5f5-a8551eec0a01,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a984ac0a-0fe2-4882-886d-b575ac7e5653,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2c38652f-dcf4-4aa2-96c4-0d03017fb99e,"4/16/2021, 8:43:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0ac2656f-a2cb-44ed-8542-7ac3af6ac8ca,"4/16/2021, 8:43:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1e4f376b-6ea4-4a06-a893-512be80e9e29,"4/16/2021, 8:43:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9984 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a2a08b20-e33b-4df3-9555-d8e12896a9e8,"4/16/2021, 8:43:56.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2180 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f87a221f-257d-4af2-becd-acbaf23433c5,"4/16/2021, 8:43:56.992 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f44f052-1f18-4472-9714-c56026dc8a45,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0667b819-374d-4c58-ab4a-977a49becae4,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5a457203-97fe-40b7-bd39-4428ac74a25d,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51bddcd0-79c9-42d2-bb8e-bdff906ae6d4,"4/16/2021, 8:43:59.418 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,350bd875-780d-48bd-9c84-49fb37a5b5ae,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2fcf3e4a-aac9-452d-8014-85c4fa69ebda,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f27f5f96-aa71-48fc-b60c-bf3d78b414be,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5514f6db-de80-4bc3-9577-098c6b06d59c,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d96ca81-0774-4287-825c-377084111e69,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,217cabfd-8ed8-4a60-bfcc-235b0f671b05,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d18229f-313a-40f9-925a-079a1d063959,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0714acfb-6015-496f-a6d7-f11a7193404e,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d2064102-d615-4324-a7b0-98834eb93488,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e11b873b-4a8d-4052-81de-d3cf433c82f1,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31f97c86-36d6-4eca-93bd-1587a6ad6b82,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0fd4597c-5c6e-4efb-9faa-4213b83f0a34,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0820655c-9b27-4e7a-9f47-1cfaebe8244f,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12934b44-1387-4a4b-b9eb-12f3d8f2cc65,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,87e9d2b7-53c3-47e5-a51a-7d214fe7af2e,"4/16/2021, 8:43:59.418 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4c4f31eb-0b20-4de3-a1e5-92961b67ea55,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfa80f43-44a0-487d-9d13-a9a9861fa7a2,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1ae1b303-54f5-4e59-9de2-3bf9a9d60bf4,"4/16/2021, 8:43:59.418 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b3d8ab8-ca5c-45b2-95c9-5b56b4546903,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d00e12b-6b02-4a4d-80c0-4152ca984cc6,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8730a731-04c7-4e81-8c0c-a37c8fadf95c,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,988915c8-ae89-4b05-b6ca-226b52cdd72b,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,332605fe-0aaa-4674-a561-441bc3d6cef8,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a9c2bde-825e-40d1-a26a-855c42bc7f94,"4/16/2021, 8:43:59.418 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cc313ad-deed-431a-926c-ea8cdcaeccce,"4/16/2021, 8:43:59.418 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7224 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eb941370-2d97-421a-b2f6-6e0b213a2179,"4/16/2021, 8:43:59.418 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cb384fde-d8c5-4125-9dee-d6964a92977b,"4/16/2021, 8:44:08.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cb7a0c8f-f415-402e-a9b1-9e26cc66a801,"4/16/2021, 8:44:08.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78619ce7-4929-46e6-9989-0b748cfc296c,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e0b9aa8d-b4cb-4baa-9c7f-15b585bf02b1,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3005e81e-3a31-410f-9e7b-e641565995b2,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e2a7b494-8562-4746-973f-ec27e22ce08f,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e97e5d1e-e274-4ace-9634-8cae5e8fb78d,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd108b69-c119-4fae-b290-687b21830672,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,beb013d6-ee8f-487c-bf47-8b9335ac5185,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c372869-bfae-41a7-9fbc-30c4ae1828dd,"4/16/2021, 8:44:08.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,074a2b16-bef2-46ee-abd7-e55677117879,"4/16/2021, 8:44:08.048 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8936 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5bc03843-1bbe-4816-b417-60db36a86171,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ab58512-03d4-44c3-953d-9033bf1e0c0a,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f53cab1-d488-4c81-8340-c4c3c01cd85c,"4/16/2021, 8:44:08.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10556 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebd7914f-7dbb-4cdd-a541-ad1028fc370a,"4/16/2021, 8:44:08.534 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 21 + %SYSTEM32%\WERMGR.EXE + 32 + A755A5ACC9A49F7587EBF7F27E60D1D61F3ACBA2C7556A72D74F329073408C7D + 114 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WERMGR\10.0.18362.1474 + 0x3e7 + 30 + C:\windows\system32\wermgr.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4aef179e-b1ce-4016-b9bb-a3d5854995b1,"4/16/2021, 8:44:08.534 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,609720aa-09a5-4d01-8357-fdd4155a938f,"4/16/2021, 8:44:08.534 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,746cabaa-4e23-4bd0-916f-d004f0944f48,"4/16/2021, 8:44:08.534 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9c04ebf-2207-4ae9-80ad-f7692a51c290,"4/16/2021, 8:55:03.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8612ab0-6557-44c0-b07d-0d79eba37f44,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,75e6b891-a811-48db-8bb2-0c2d5a4ad3a0,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5d269483-b613-4555-ad18-f0ac4657519c,"4/16/2021, 8:55:03.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,45a4cfae-9773-41fa-92e3-6e7b793dba44,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b242b2cd-a972-4e7b-aeb0-0e8236bb3878,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14edfd26-ce8b-4262-b96d-d0e1639561df,"4/16/2021, 
8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0dfea799-78b4-4359-a4b8-63ebacf2bb5f,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9920dcb-5cf6-480a-8c93-2420f3fb683c,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4eeaad39-e27f-411a-b058-c3b48b0705a4,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2df87c1a-b67f-4b31-a7c6-8ed45907c586,"4/16/2021, 8:55:03.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 
+ 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83dffb21-707b-4909-ac43-22fe9287ccb7,"4/16/2021, 8:55:03.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,04603982-e4ea-44f1-9fbc-e4240c62119a,"4/16/2021, 8:58:09.938 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f1f876c-c066-4aee-b7ca-c17b5b444620,"4/16/2021, 8:58:09.938 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB 
+ 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2f5f0644-6870-4584-9588-f280993978b6,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,865f76eb-241b-4617-accd-cff854e35ae8,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,68c35f3c-4521-4650-92ce-78f8e57b3554,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8fee0628-a328-41c9-b615-f2511d161ee3,"4/16/2021, 8:58:09.938 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56ee519a-a57c-4ea6-a6cf-8c986ab1c46b,"4/16/2021, 8:58:09.938 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a8499790-54c6-418c-968f-11abcf9ae027,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,351b3fd2-4303-499b-98c7-a8cfb41b4c7f,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d12a0e8-207a-4d4a-a8ec-e3198855cdd3,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,174fd110-ecc2-49f4-a6bd-2c75482411be,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d20b6666-f8c9-4a3d-ab6d-ef3fbf4e82de,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a75eca5-f3a4-44bd-962f-ce47e478493b,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0eec8eca-94c1-4b30-999c-5c731adb44c2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local 
Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a44d596a-b0d3-4842-89f0-2ea1c3960135,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3a0a2413-1550-4712-a5b4-1f8f5d9d1ee2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea33a65f-b11a-4bfe-a5bb-c8a7e194aa51,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ec901f0d-db26-43d6-8e49-202701593517,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1aa68e84-23fb-4db3-935c-aaa0b8af3135,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,76400ea6-0663-4c08-bfff-7e7d1ca303f1,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c98d2c2b-ae63-45b7-8faa-977b1ebadb84,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,07b2af58-24a5-4a4c-b23e-3ba9e31eaaba,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8bfc9473-877d-4df4-8371-ee6928b7a6f1,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,915b1ee5-afba-434d-8f9d-ac50ea9b16f2,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c58cafd-2af9-4895-be7a-fd7db9cc9c07,"4/16/2021, 8:58:09.938 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cb1ad798-518c-4f90-99ab-888c291069ed,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56de3180-8073-46a7-a235-5514cf82e03b,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1946bc80-f389-4490-a007-f6ff45255f65,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eca0ed25-cf61-4a8f-89b7-bbef86b47172,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7d666e6e-402e-4a64-aa70-84a8ecc5bcdd,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c35c3835-4909-49dd-b32b-cfcb17af9e1d,"4/16/2021, 8:58:09.938 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df14ca82-039e-46e9-a6cc-90ae14aa4c0f,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acddd2aa-ff41-436c-86ae-79877ed5f364,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e64f799-729f-4aff-bd0f-42c0d1a56e6b,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c701bc8b-7065-4a5a-bccb-a8187bff0671,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cb84519-9271-492f-aa72-ea15737ad645,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eff92bc-d0fa-4027-9373-b6f0150f3859,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac82275-9787-4118-8611-615145d28efb,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15f16051-3d2a-4d17-a672-d324ea0261db,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02e23de7-3d71-45e5-a756-cc816414b3af,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e217273c-2c05-4439-82ce-6c39b4e2ff4e,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7314f99b-3aec-4c07-8e43-9f8e0543e77b,"4/16/2021, 8:44:09.604 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30cd9557-66ba-4681-ae43-ef4dc62389e8,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd03f36b-b96d-492b-9117-6f3c9a94a49c,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c89cc35-0250-4aa5-8d0e-de9bc3b47446,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92fc482b-28ed-430b-9867-a3eb886592b4,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b57325ea-4bf5-4864-b773-0e2301de7b38,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af7bb817-e000-4860-b286-c7635acc84d7,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceb52bd1-c5ea-42fd-b93c-f8c8454b04a4,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34932ca-05b0-4143-94b0-5b74062c629b,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b61e0c81-dd0b-4952-99a6-02d09a162f12,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dcb0861-4da0-4c74-9ec9-b2ef1b080187,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ce5b6d-651d-4a36-b193-55244308be0a,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ecba86-8ef4-4f31-b161-92616ecf4486,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adcce357-22f7-44d1-9159-adcec3d074f7,"4/16/2021, 8:44:09.604 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e4ff92fe-f2bf-40b0-90f3-834fd2aa3512,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4616 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d1aeda-b95e-4b54-b9a4-232c29590a2e,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,425f54d1-7ed2-43be-ac9f-db257ce770ba,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,fb14e28a-cff0-4ea8-8e5e-50793b6ae1f1,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1299\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS 
INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\1299\pmfexe.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3111c9bb-1d6a-462b-aca9-6c2d0b055674,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,525f136c-d0e5-4c52-b1e9-885040ad6b98,"4/16/2021, 8:51:57.658 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c816ccdd-65c5-4520-951c-4e095eebbff1,"4/16/2021, 8:51:57.658 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,34a0f1ff-e9e3-433d-8512-feba00e6c166,"4/16/2021, 8:51:57.658 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7032 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,054487c0-0aaa-47f7-90f2-5cccd22febee,"4/16/2021, 8:44:12.103 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7728 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc6181cd-676a-420f-9e12-60e11f918bb2,"4/16/2021, 8:44:12.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d216e68-03fd-4cbd-8c47-0a8fb5dcdcea,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,572bceb2-d8c9-459f-9b08-3d087d29e435,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b682ac0e-1ec3-421c-b310-151af902d51e,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbcabbe3-c0b1-49a0-8b98-54ac7eff536f,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a60d177e-4a52-4bf7-ba10-f95532da1821,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4229ee43-8438-431a-86f3-f8515ff0f31c,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c2a2b28-8320-4fb6-8c7b-a97b37b3c593,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c50261d-63bd-43ed-8ab2-652c17294693,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b764bf-8bd1-4ded-99ee-663106da2ee3,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5fbddb-0b36-4436-9c7e-b706780fa1f0,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15244616-bb37-4f8f-8e16-7dab1a37be75,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e6a5238-c491-48c3-9959-729d2da89a29,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0aeda75-b0b7-4623-b6df-defaeacf3f37,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd0d6c8c-b11b-43be-bcdb-88603333b9bc,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9a888b2-ed76-4c8d-8fae-768ef5bb79c1,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f808f0c-707e-4a0e-af74-35e41a206b54,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45250490-ddc4-4987-8217-2fff67a79f34,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626bcb8e-40ad-43c6-891c-a848989f83f5,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b321395a-ad65-4d85-a55e-0cb43d438432,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78cd6999-4b80-4b59-9654-8ada32dda02e,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35829ed0-5b71-4aff-b6cf-9a6300d1dbc4,"4/16/2021, 8:44:12.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f43ae9f-2cf4-483c-a415-25ec9ebdd54c,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b6ca8c-0bd3-4402-ab6a-88d009a6099a,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1652d169-0b51-498e-9a6d-cc88f5a35131,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2379fd-56e2-450f-9181-2d954dbe9a76,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81cc4095-e0fd-4e40-9883-aab983e9a4cf,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87198ab8-fef4-4785-a622-8aae6658aa0b,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca24c7d7-f2a2-4d80-a918-ced27025176e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94a0348-22db-48f4-a610-91b5616d8b06,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b22004-971e-48c3-a9e2-193075e61e04,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ee73ef-6c6a-4b98-9a46-78a72d184bdd,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6da4c831-9ae2-43e8-9db6-6077172dc3b0,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b4870bd-71ac-4e45-a7f6-cc966e825694,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bd6c538-9b96-4436-b656-9ea957912542,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5f84332-6d15-4556-aa95-f9f05c63844e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17faaacc-435d-4825-b1ea-a9fdf72efa6e,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bfac935-8384-4134-adf4-68ff616c4ee2,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8ad862d-d34c-43f9-9090-a5185cf45a81,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\KEVIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c5f6db-44f6-4ac0-ba4b-dbf7bc83db29,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e13b6721-4484-409d-af1e-06f5231ad0ee,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318319da-dc2b-49f8-bc4d-2fb36db0dacf,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fd1ad94-6966-4da3-846d-a87610d9cfb9,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7032defc-23de-41ba-8946-2e183b5ef15d,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f29d6c8d-f0c7-48be-9224-9e07bad0c666,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6764c21-91c3-44d6-90b3-c01624316eef,"4/16/2021, 8:44:19.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fac9412-532c-4930-a628-69dffd86bd27,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72e47cf1-352e-4ef9-a0c9-3c727c5a34f1,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7870b61-2773-492f-b719-661682df959e,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd064285-d45c-4200-a151-f4a333434e76,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3c629c-cd7f-41b1-8b81-67d2fb040359,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91ab3283-dd20-44a2-92a2-23adba85917c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0662c3ba-b814-451a-b057-0cd4ec970429,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,982113c0-656b-46b6-b6c9-565d802e62f6,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ff9d8d-ecc9-4489-b922-6f5bff7718ca,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f51a350-958e-4921-9201-1d4b4a6660d9,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c73f63e-2917-4e6e-aa40-5dbd76a2e2af,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\VBHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e67ded1-c90f-4a2b-a37f-ad3b4646c10c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1cc9f1-227b-47cc-863f-47699dd8c30c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fef0f741-ad14-40d8-a3c4-a944db4adc15,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e970e2bb-9e80-4fc9-8c0d-f5875126e81f,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5304212a-c13c-4144-8e4d-f21e5ed9ed1c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,178f32ac-2ee4-4e41-9519-7255c25a7ad7,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,851a1ee3-dcd2-4966-a0dd-d6e3e4b71206,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01b6b1f5-2ac0-45d8-9a73-c8bd9366074a,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c84df7d-552f-4572-b277-de0e5200e072,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,841b185e-cc3a-41c7-a41e-c64a4f9cc601,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c97f661-a77e-4c43-aa76-36c5fa6cb90c,"4/16/2021, 8:44:20.606 AM",,,,,NTLM,, +\AJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5de029ab-6227-4557-89b6-ae1788f7e597,"4/16/2021, 
8:44:20.606 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b3968c6e-57fa-4cb8-a3eb-84dd13bfc8fd,"4/16/2021, 8:44:26.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2612 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4ac1ec74-6cf1-4ee4-9e90-9f6ee0a10300,"4/16/2021, 8:44:26.856 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0ff370af-7d4d-4396-95e7-dfdcaddb7711,"4/16/2021, 8:44:26.856 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,244fdff8-eec1-4b77-ab4d-07919f18b8b8,"4/16/2021, 8:44:26.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7772 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 
433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,61969c54-45a1-4c6c-a9c7-269e270df387,"4/16/2021, 8:44:26.856 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48c66a25-5e85-477f-8a9b-d31e51fe599d,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3348f62-3478-4bcd-82db-61214c560e89,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a5aa6ca-836c-4fc9-87ef-2d0c3f7a7ee7,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd80b639-2356-4b98-95a6-2f53d6821448,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,151aa36b-57db-41d3-bc64-2a47049de093,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,985f6f7a-0e3e-4efc-b2aa-ebda8dde8ff0,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32111d45-6990-4b9f-abe8-be457dab92b4,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7ede1f3-e8e6-4ec8-9c7a-787640fd335b,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ec65431-318a-49bd-8be9-f73316361d70,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa5afe12-e48a-4e63-a5e8-08a7326f0bce,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4892868d-b1aa-4725-b2ce-facfee06b1a1,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,037c1e58-c381-4a3b-adc6-48e792e26bb4,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47ae8279-7573-48e5-a6bb-cf8d29e12db6,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f61c0b29-1f81-43ad-922a-cb0a01d5a5f1,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a91bc5f-cab4-4c01-a835-a8421b8db5fb,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72b9d40f-ee62-42fc-9d50-affedc2ab229,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7be25b5-ec50-495d-96a0-5ecf96521b01,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f033a108-b9ef-4eb6-9134-0d5239bd00ed,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fdd9f96-636f-478f-992d-2c37c4d2abdb,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34ca4fd9-0253-417e-83c0-70d0bcfde62f,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,176181c8-c1d7-42b5-86ae-83df9fa3f9bc,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b67adc32-f895-43de-a0c5-68a3c1aaae5f,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e35f996-b534-4bd9-a601-19fb33576aff,"4/16/2021, 
9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91d16db0-da78-45c8-b53e-61d5142d51ea,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e01af0ff-63cf-4860-9392-5bb0135ee9ee,"4/16/2021, 9:02:50.657 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c706b341-ec32-4955-8e8c-be3a4deef772,"4/16/2021, 8:55:09.858 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a880d369-8dd4-40d4-82bc-8c17a97762e5,"4/16/2021, 8:55:09.858 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5488 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,67424163-2491-4a80-a314-2ed9bf7b72f8,"4/16/2021, 8:55:09.858 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 548 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d90a73b0-fd90-4ffe-8cd1-b96a8e32956c,"4/16/2021, 8:55:09.858 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,833fedef-7161-4f58-9c36-b324164256fc,"4/16/2021, 8:55:09.858 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80638046-dec5-43bd-8f80-b6cc3e75b2f0,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eced67b-1853-4aba-97c6-e4c49815a21d,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec079d7-82fe-4f07-a35e-b70dbd4955f5,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82b244e-d343-4909-92e9-4bddabf341af,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9de9d8-4726-4dbb-9d4e-36b4427c54b5,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80d68ce-3e02-4f1a-ab34-e1f5ff5746b3,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a759dd22-34ba-4af1-820b-74418b91b716,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec0c5cf7-6ed9-4439-8f70-369aa92cb794,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47aadc12-e596-4ad1-a02f-3e7e02065900,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80171d85-efaa-4002-b0b5-406f70deeacd,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4bdf95-fe4b-49b1-a21a-a604acd9d3fb,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f678db0-d9b2-4c9b-877d-fd09dde8bc9d,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c9d282-d9ec-449b-a028-42b03754f513,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b47e8f32-1f5d-4cc8-975c-01f9a8e1e55b,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,695e2bd4-cf99-416d-8280-fa28eeed8caf,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45711359-6367-4ece-8020-1a907843a928,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b2ffc0-ac9d-4751-ab52-c5eb744ae837,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d68da32-c913-4174-8d2a-a40eb224601e,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,462c6b1a-53c3-4d6b-85fe-863fc668a9b9,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,481ee658-5d90-4162-bc4c-de3bafba78dd,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,110ade64-3d06-4ed8-8d45-e2c0a2d55923,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + 
SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e0016d2a-d852-4368-aa39-bffeefb7944e,"4/16/2021, 8:44:32.103 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82b30e6-60f6-488c-b1e9-68b992fde343,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a06dc75-afd7-4a47-9df9-622f02b7cf24,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23f0dd76-217e-4e79-8cbf-5499362905fe,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d07e8b-5104-475b-824d-b12abdc34607,"4/16/2021, 8:44:32.103 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + TrustedVMDemo$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> 
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-18T16:11:58Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 844424930140027 + 2988 + 740 + 0 + TrustedVMDemo +",4702,4702 - A scheduled task was updated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db861031-1d7b-4c95-81de-08b1b1286406,"4/16/2021, 8:44:29.848 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbe7372-0357-42c9-b9ed-7e0ec7ca6320,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d64aa65-80b5-47e7-8f46-4a8e0c40a18d,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b3df6ff-5919-42d0-8118-ddaecee9c9ad,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed77931-cc97-47ec-afd9-ae4e366e26c3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fad2b039-d18f-434d-871b-d6bb5c8b164f,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bf40d6-ec8f-4a27-8de2-52072c90b6f4,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e14e507-c7ec-42ba-a1ad-452e4dd22bd3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7a9794b-13ee-4e80-8b07-aa528af1e3e5,"4/16/2021, 8:52:02.788 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9027b5ce-13cc-4b13-a81c-8580ffa0cb52,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7782fe9-141d-47d3-a1ee-aadfb6e31a88,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,881898a0-8b30-4825-b50c-1f8708c7b7a3,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b108739-7f3a-4a58-913d-37667ead2a0f,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77c9a909-7c4a-42ec-b8df-1b8673f365dd,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aa60687-58c0-4ccd-a816-8c7d38c8cdae,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,002d44fb-b853-4804-976d-0a0b45ad03b7,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e3f40e1-f723-435e-a65f-132714184c33,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70db8479-486e-48cb-9510-fc10cbfec4e0,"4/16/2021, 
8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81b47800-6925-4f78-b8a1-cc2faeb23dda,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e129bd-f860-45bf-8232-b7f48f5b6b9a,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29875784-c505-4a13-bcd7-2c5ea53838b7,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2965674-0c7c-4b70-b742-d8d381b74b1b,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64d743f5-4fff-45fb-9a92-265c8e71983c,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a291e4d9-bdab-4d49-aa78-b5af57d9bf73,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b457fae-173a-4f75-968a-8c0751626a97,"4/16/2021, 8:52:02.788 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ce571cf-dbc3-48f7-bcf1-5ef61a815f08,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c4028d0-8a7e-4392-8078-7991e52f8abb,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\FJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e428ed0-6514-437a-9ba5-7e9d315cd1ea,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83001843-65de-46d5-8a60-692f7cb94780,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1489c49-402e-4d0c-8372-472766fa0407,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8d96b4-46c5-4b9a-a7c6-b580cc8d641e,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78dcbc7-f118-4a29-93ed-11c0f03e693d,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e858fd14-e394-4ba0-b3e6-9ed4a5a23d46,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a09f93e1-9043-4c8f-919a-06e19901c00e,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13c9af4f-ca83-48ad-80bb-8ef1015d7180,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa468564-c2fb-4211-924b-ff0b96f52f8a,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f15bdd35-69ea-452d-b775-fa5f5b776f3f,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e204a3b-d2c1-4ac9-8a89-1aec09c1eaa6,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453b6788-df38-4974-98e3-0e0b3375d168,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,326b35bf-895d-40ed-92cf-59ce4135f798,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ddffe75-05ae-47a6-a28d-185defff4aea,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7590c262-8bbb-4537-ba2b-1cbeef4c3e7b,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,427332b3-78d3-43da-9daf-2808cf1de257,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e8febca-a85b-44e0-a99b-2eb04fbc9c0c,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff96a5fb-e8fe-4978-801e-6a38b0cdbbef,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25bb2ed0-723e-406b-a42b-e999379f2192,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf937ad2-cc26-45c4-abaa-0a9ed2e2dd89,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c57e8fad-43f0-4c5f-9004-52d154d4830b,"4/16/2021, 8:44:32.605 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f050e90c-d29d-4aa1-ac48-3bc8aeb321ac,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5872 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ffdf29b-beff-4fe1-8530-fa96a9cfe681,"4/16/2021, 8:44:37.434 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e5614f0-4c43-4c9f-9fa4-b86d2d43134f,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,772d1b53-07dd-42fa-85b1-bd88075fe692,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2deb1dae-77e6-4961-8a8e-d6ed921df3da,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68d77640-728e-4597-bfb4-657531b88051,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a6b485f-b560-4d46-bef1-b071615eb1e7,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,906654ad-85ec-401a-844a-fa3dbf8c54d6,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aa5dbe7b-b016-47da-ab9b-6028aab77ee5,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb0f9273-41cc-4449-8a89-28b1599a2460,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a694fdcc-1120-4478-b79d-c88332e21754,"4/16/2021, 8:44:37.434 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,13e1012c-1463-4fc8-b18f-75fb360de00a,"4/16/2021, 8:44:37.434 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5814a03e-5d72-4b0b-95d1-841ad13ffb16,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1982be2f-8ac2-40da-9b7a-5a9dae277e6f,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2272 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7cebf3f-0458-43e5-bec0-8827b86bced2,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30dd2d10-1c67-4c9e-82d4-c2c49d1646a9,"4/16/2021, 8:44:37.434 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6288de4a-93e9-4791-ae8d-fd4d77c87c96,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8aa9f6f2-9c61-41a8-a41b-0645d30861d3,"4/16/2021, 8:44:37.434 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a033983e-3b83-4150-af0b-bc178ab762fd,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8036 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,146a4f34-7cbc-4c94-a0ff-97fcc0271ca6,"4/16/2021, 8:44:37.434 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2592 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4dea5b20-9ae6-4a00-a77e-f1ff33086e34,"4/16/2021, 8:44:37.434 AM",,,,,,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f0eb5814-fbb9-46dc-844f-762d41c7b0d3,"4/16/2021, 8:44:37.434 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3903bd73-ecdd-4f38-a210-742b739271ba,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,661296e5-b058-49d7-b992-185b581c8faf,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ebfbac0-1628-4a4b-a3c4-08bf6127922c,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b6aa37-e54b-40df-b285-50f7e7528311,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43c91a3-554e-4e15-8234-42a710599444,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d49d4d84-0092-4660-82cf-8583afeca871,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe98d38f-b9ab-4288-b26a-f06edbf41250,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08546e7a-3133-4da6-a694-a0c389865f5f,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da6ee05d-4e34-4f7e-80e4-694eec284eaa,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe29848b-2c6a-447c-8a6b-0e5cd8fbaced,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfac0cf8-89f2-43a1-9e16-1bd401344cf1,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5386478-7024-406e-852b-6e99affed631,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f2c390-8280-4b19-825d-0c8fc498d442,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb59ffbe-bc4c-47c3-b368-03189325a02b,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1457e204-c9c7-4cbb-a4f2-b455470f8c29,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3640877-f67a-44fb-8ab3-55c9d5a9b8fb,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50bdec2b-c075-4747-82a3-8eaa5e2ab7e5,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c615d3c-2949-4590-9c28-ef81443360b1,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,068f331e-e3d7-4db9-a518-c3bcaa7d4ed5,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d8169ff-42a3-4cc9-b966-5b710ebd428d,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b51b33-5eb6-42c1-8908-49a7df50ebd6,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a09eb62-fa01-4dd0-abe3-b57573762272,"4/16/2021, 8:44:38.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a344e5-47f6-4c0f-a2ea-d0cc80edd4db,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b61e8a91-2825-415b-831c-96260d829e66,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15611f6c-8c1d-45f2-931f-b468a5c6ef7a,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5da0da-5b90-4559-9cf9-327909e0b778,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42787010-ce02-41e9-9834-0e3b202df156,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050c1576-5f89-4f84-bbd9-94a9e452bc27,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed8128bb-769a-4688-8199-a2e9d19bb929,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cac80c6-9cb9-40b8-a820-c6811754b969,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745c6739-783f-433c-9dda-41b19ed6d550,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4f4b3e8-b515-4996-a2ea-c843480632f0,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aae1747a-066f-4071-b0cb-c9bf5085bd9f,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddec8166-9561-4978-965a-e833ba489259,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53907eb6-0d6c-41d0-82ec-45cfbdd1eff0,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,435f9a3b-9a3b-4df3-875b-e6969aaeabfc,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac1515a-0c70-4704-a047-1b92d3853421,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de0d192-9d2f-4d64-b944-ee143a0e3523,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a615a1fe-f107-428f-82d5-383d53496460,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dabe6692-ebc1-4edc-b1bc-82973808a65e,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78506a3d-7efa-4541-b1d0-1b4058391fd8,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eac1aca-1d84-40e9-aa71-192d136e7432,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd780eb-0981-4602-93d8-7372bf359fe3,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1025adb-bcb6-4539-bf4a-a2127b5f1902,"4/16/2021, 8:55:08.111 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f07a7a33-30e7-4feb-882d-223af27ca75f,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4745b196-b323-471e-86f4-16ff39f83376,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c1979024-aaf2-4975-a3d5-cac3d7cd497f,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6cd650b3-d819-4c9c-8089-e7347e5746bd,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,92e6d821-677e-4a23-8cb0-d287e6667aa1,"4/16/2021, 8:44:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5693323a-aa04-4d58-a1a9-0ff9df8dee87,"4/16/2021, 8:44:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5b065f24-e781-4d39-ac02-10d0a5373634,"4/16/2021, 8:44:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5a24959b-4114-4938-9e3c-81eb27acf954,"4/16/2021, 8:44:43.048 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2901c26-f98b-4bf0-b3fe-c6a4de520054,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1efd5110-fdf4-45ce-9d78-b3d133b1b5c0,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8341f9a-5eed-4a6c-8195-124d28affa8e,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\AALZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc2484e4-54a8-4f61-886c-06e74136211a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,625333df-4d91-41cd-a2cd-1a7e3a5aee4f,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fda18cfc-55c1-4898-8910-04eae32d47d1,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da21a598-7ddf-4bcd-8a2f-940e41f1bceb,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\JOUNITO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f577311-7748-40ee-8c18-f541d31519af,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b782f411-8451-4807-b299-09e07b5add24,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94c96e39-d589-432e-8dde-0e38166566a0,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6de8dd1a-3756-43ab-ada3-e89d0b1621b1,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,931124e5-6937-4c39-9455-d1e3df641232,"4/16/2021, 8:44:43.607 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9d351bd-83dc-4c78-b24d-f4ca420ef12a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2575341-e1f3-4f83-89e2-e1394db53845,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,218985cf-af63-4214-b018-41381ae6906b,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a5909b4-5989-4ef7-82d3-ed82f62c664c,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a555870-f39b-46f4-a1aa-d3cd9fca1ef9,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,358713eb-98da-4743-a254-a25d4ee11130,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d5ad6f-6d75-443c-9dc7-96da81e7da57,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62f83757-c35e-4469-b224-9caea8170655,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,700f5b42-8fa3-4f41-87cc-5e50179a0240,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d629747e-a20e-45c2-9bcc-b47273b577b5,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e90850a3-77bb-442f-9805-a2895b0b9893,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4f0d73c-7b97-4557-bce8-410985ab9ba8,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ab995f6-382b-4a21-9edd-c6d95395e00a,"4/16/2021, 8:44:43.607 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8461a903-a753-4c80-a56f-2565b90ef566,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bb31630-1d44-4341-acfc-8344b26e63c3,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2310eacb-9e41-4f93-910d-6efde272fb2d,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cf1e75-e400-419a-aafd-08c1c24189d0,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791f9141-836d-4a29-a6b2-9fdf31b8033a,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9918ec9a-d574-4911-8820-df82dac78d8b,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c942a3-49da-4e3b-93ad-66c49a45d3c4,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67c9940c-bcf7-4aee-afbc-c1afe3c4fdf3,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ac560b8-62c6-4aa4-8833-ae0054ef074f,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d0f0a8-539d-4712-9ffd-7b8c7ff8ae5d,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c48aca-9e23-417f-8c79-22443cb24b58,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f01eace-bd24-49fe-ac2c-58fdf09f9977,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9627746-465a-43c3-88e2-fd5b3f996bd9,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9dd5e6a-6b65-495a-a227-d858d5e2e449,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c23eb53-3d6f-426c-bc88-245043176f06,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8581d5fd-49fe-4730-a4b8-916ee94f96c5,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa8fbe4-7d8d-41dd-830c-ea6646eff4da,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29faaa3a-5c29-4c2e-adaf-6d0b5582f0bd,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5a292a-3afd-4c80-9125-9a43a0d2666c,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6eeee3-3cf5-4b3d-9e42-039e12b210c7,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb79e3c2-bd0b-4921-91c4-be8cdc36f0c7,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad5e83b4-5780-45bc-8654-1d1f6fb782c6,"4/16/2021, 8:52:08.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82bf566f-5e49-44f8-9623-94cf0133b731,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4f82ea0-990c-4ab2-ba03-e2a331731fc1,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,018e1734-6aae-48cd-991d-b564a60a1442,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262e550b-99ee-4d93-bbc4-b35db8a357b3,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4f8ac9-3e08-47fd-b30c-4a47f19e07b1,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25c41cbe-5948-4d8b-9a0e-6609d1648dc3,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,789e7578-e6d3-47b3-99e7-8e543d89f6d9,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d8a9430-7fc8-4a18-968e-88fa4307bc3b,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,829d1aaf-fc13-400d-a07f-2bfd71a8b2fb,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ca7ebb-83cf-42ff-ad97-04bfbe4b0746,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f518ef7-7428-4159-bcc2-a824a39fe247,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a55604-8969-445b-bf03-9b537bd5ba67,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eab6afd-88bf-47b5-a529-f20abbe60c45,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac11fea0-8ba1-427b-9bc3-5eae6dfed842,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f31ad4-840f-428d-a06e-9af0c9396fa7,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f774c105-4245-462e-84ca-8ad0ca00d22c,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68348020-8a17-4d72-a21b-534b7ccb6f8c,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e15e89b-1567-449b-a1fb-b691d6ae3b2f,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6575cc27-c4d7-450a-9162-dd34d4228077,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dbc2c1d-f0f5-4dee-a3b0-11fc84068b75,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dacdc023-9248-4151-a9ad-176fdd1f4440,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95a0b209-3e8c-4570-92a3-1f5d04bdf6df,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e14a5053-9b93-4ffc-924f-d950da99004a,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0f30c0-f03b-45e9-8a5b-c8d2b049f9b7,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c9ced26-5ead-42bc-a699-6a0c348c1f09,"4/16/2021, 8:44:46.225 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc7a2a7-3eb5-45bf-b8c6-64c4e51b96f3,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043ca8b6-95fa-4a77-bbc7-e969973499e1,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c10a213a-38bc-44c3-bc04-96afc1ea1ad4,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63495b25-2eaf-4646-91ad-9383ac5f0437,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd777dcf-8762-4ae9-bedf-cb27f1ecf866,"4/16/2021, 9:03:03.743 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be4fadb7-69fa-45f1-bd30-0594be1c9c25,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86bb4378-5f03-455c-b3fe-f3dc989a8fb1,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4c8e670-37e7-4509-a2b4-dc936651c6ab,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7966243-dbe3-48de-a00d-372a2f86716f,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ab11926-663c-445c-b2a7-03276feef9c0,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5016f6c8-bd29-426f-8e47-ab39228df05e,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f88184ce-75ac-4ffa-81ac-950d1a2766fa,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007a9f77-708e-4bcf-ae75-0d9776e54326,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91acbf85-9a92-47e3-81aa-295685859a57,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b2c6ec7-bc4e-44ea-a5e4-3b9523f480ce,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ee50599-d24f-473b-9e83-2115a85b2954,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,105acde5-42cc-4189-9391-c493dc5b6be8,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c713c6cb-07fb-452d-bddf-77a55f3480db,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b4cf488-e7b2-42a6-8daf-e0db066204ee,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3df495a9-9637-4427-921d-436e6cd9c5aa,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1af82d7b-f8fd-4713-8502-854d86cce440,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25807db7-985a-489c-b7e3-76043b4865c5,"4/16/2021, 9:03:03.743 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1252ffc-7db9-42d6-ab40-3712c73f0906,"4/16/2021, 9:03:03.743 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fa47670a-758f-40cb-af43-2484bbbef3c4,"4/16/2021, 8:44:49.268 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2ca97013-92fc-4bc1-8ade-321f409e368b,"4/16/2021, 8:44:49.268 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7100 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,04943ea6-b990-45ef-a283-94fe333248a0,"4/16/2021, 8:44:52.744 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ae8a6357-8c54-43b3-b793-d96cabafd3b8,"4/16/2021, 8:44:52.744 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bbb4d1db-d2bf-4047-a4be-f17c19432a17,"4/16/2021, 8:44:52.744 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5e94f7f6-1a07-4383-a3f6-39fed1c9b7c6,"4/16/2021, 8:44:52.744 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c09940c3-fa3e-422e-98d9-f012f3ebb429,"4/16/2021, 8:44:52.744 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,65f0106b-69e8-423e-839e-8b9f305e9776,"4/16/2021, 8:44:52.744 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78a8500a-41eb-490a-9b22-3c2e69be6334,"4/16/2021, 8:52:13.628 AM",,,,,,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d31b81a-6caf-4ca3-a996-8b5e6a20e8ca,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fa84fb9-feb6-4d05-8aa3-76e4f6f11df4,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e663ed4e-9177-4ea2-8f4d-9c536d6a3677,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17e24e6e-9428-4aae-90d7-000285dda2b0,"4/16/2021, 8:52:13.628 AM",,,,,,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82dd9a4e-3219-485c-98c5-3b247aee4f27,"4/16/2021, 8:52:13.628 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a8fdfc-1d89-42d8-8e43-84e5ca81158e,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dfddb91-627c-435b-b638-14ce284f48d3,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e81acd28-9705-4b66-88d4-2dea0f474de5,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33d402a6-e739-472f-bb6c-2712fa5f9058,"4/16/2021, 8:52:13.628 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c29254d-7ff5-4502-ab47-eeb2c04914cf,"4/16/2021, 8:52:13.628 AM",,,,,,, +\MEXAL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21a84cfc-1a40-4658-945b-ec33c0de4fd4,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f34acf2-cd04-4eb8-800f-7848e5c58ae6,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1688ab06-348d-460d-bd3c-77e2b889ac98,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c6ef09d-2e39-48e0-971c-215fb4113b0e,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d2ee7de-9f96-4d8d-a222-72dd16fab6c0,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1571b42d-d186-4f1f-a81f-c180ebf9d941,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17091ca3-d147-4959-a359-45d6e9a00cc7,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18a8e3ea-40e0-4e34-bbda-061323d68b9a,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2892f28-1fa8-4297-99ee-dda7f4776a50,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a1a0513-373a-4aee-8d63-10645fc08021,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a68bb98-f7ad-4c5a-9a8f-54a7beb355eb,"4/16/2021, 8:52:13.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd98f828-6821-441b-8d5a-5cadb02ffb2f,"4/16/2021, 8:44:53.603 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f30b3e64-6787-4192-bacc-9658c3cd7e67,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a820da96-e8bf-490e-8550-7aa7caf6b804,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e988075-cf37-47ad-b5ae-b23a713a20da,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14b8b064-44af-46ee-81a4-f0eea423111c,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59c547b0-2b98-4265-bf3f-151f502e63c7,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba364b12-759d-47cd-abed-6b5ab24089e1,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3018ca53-7aaf-4c35-95a5-f88402d6984d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b67f4e5a-e581-4933-a447-a7a757b79069,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4052a7f5-7275-444e-83d3-dd08d7d15944,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36de6c83-1d4e-4258-a3d9-a12c8738d11b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fef1e7c2-5954-4129-bdcd-84a65d52ad4b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,940634fa-a297-4858-9a40-cedc301cb13d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,288bf6d9-814e-421f-8ba0-edc245ad289d,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8e8970a-7140-4eaf-a739-18981cdfb3d0,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1941cd-a50f-439e-9912-2bff30365806,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef9579d6-3c35-4eaa-8fef-f3c6cea70767,"4/16/2021, 8:44:53.603 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5c67d01-4fa4-4937-9616-d18a9857f5b4,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83008f53-cea2-4dc4-861a-51a87c3164fe,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3dd4cbc-4bb7-4493-b6b2-2aac95e8bf2c,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\OFICINA2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c60aaf2-4a01-44fc-ba58-9ab43ee4057e,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8ec8016-3975-468e-9ce6-04ddb5dded8b,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65dac9de-adaa-4c39-b1e3-41c333789aee,"4/16/2021, 8:44:53.603 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27383e32-e7a8-471f-97f5-83eec3c9f926,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf8a7e69-6f22-4769-b62f-3f9b60b01cdc,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,873cde56-577a-47a2-b521-bbe2b14cfea7,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8279260b-fb91-4709-bee8-b7267ca2b36a,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f57e3a5-d668-4dd7-a827-731e427aeea8,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcaf069f-0e47-4598-8c74-b362ccfa2784,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea1fb1aa-e4ff-463e-a670-a97b0549747b,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf896ead-9b06-49dd-be80-89b17d7696e1,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7e62c8-5194-4bb8-81a4-162bd9fc3324,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a03cc14-a06f-4dc9-8549-30b6b9cfedc1,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8292fff8-b8a3-4930-b93a-ae4fa3b9547b,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff1a5ca1-bdb8-4d4c-a65a-7f1d3b7e56bf,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ede7b4a-af6c-4ebd-a34b-80622767cd55,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1fe0134-650f-48aa-88a0-0337c8af536d,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0968bb55-f8f5-4e1f-8a03-4e4ea976f4d7,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c041555f-1af1-4785-a1a1-21dc114f5aa6,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63214e92-c823-42d7-ab71-b911de9f1a66,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fdf5c74-7da5-4805-a3ef-32c16fcfd811,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6edc8f72-c72e-4ceb-b4db-a38803740d19,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca26c18-9fe0-4edb-ba5b-1493b5bc8bf5,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18cfb006-bfa6-4ccc-9f8c-77b84950d7e9,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e7c887-f068-44cb-9146-fa794f084f21,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bebc747-4abe-4f23-9eed-4b5077f07302,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aa638a5-85a0-4d74-a447-40b5c823ee47,"4/16/2021, 8:55:14.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4634e0-e829-496c-a399-8fc08cdcedd9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ad0c66b-03ac-41bc-a610-60f55ee4a758,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21ca82a4-f826-45f1-aa82-7f253e572ec9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f02ff41-45fb-4784-8454-e029b240cca5,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,749a4c19-a191-4c99-81f8-47622678d455,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12cfba5-31de-4ad3-ad15-7d326e17c2c1,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d52f56a-8665-468f-b39e-dca4bf76218c,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d84b858a-04ae-4acf-90e0-10d1fd4ae658,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63d26ccd-e439-4780-8472-affc5a7a2496,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01fb5ed7-8b57-4a75-83dd-d477e2b288e6,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb3db8e-bdac-4d3b-85be-a12268172998,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a83751a-d510-4f93-98e6-9cac1eeaa1f7,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d0c2f23-5a7b-40af-92de-4ff6c29c7e09,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a5d82a-cabe-468c-84e1-d98eb3eb751a,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a288512e-ac9f-4955-824e-ba9fa92b9527,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,782dbb16-1bfe-4048-a276-443b6ccf0960,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b636cda-0c6e-4d71-9788-787faa921217,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f98f1358-1e2b-404a-8fb4-f8f8965a60bd,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,268b10ec-59a2-4ff4-a70f-f948e997c4cf,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89db44ec-6b2e-4fc5-b4ea-b6d67f6a0769,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f60b0963-4d4f-45fc-93af-69b54c197a96,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d509c6de-f835-4d1a-8dc7-7cf1075cd6cd,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b94278-58b1-4159-9414-2b8b09b968b9,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e9ff25-2cfd-4721-b083-a94030eeef4e,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3dd0fd-ea80-44f1-a5dc-ec91fb5f177e,"4/16/2021, 9:03:05.184 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed786152-62e6-4379-88ca-8f8bcd2889d8,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b588d49b-d620-4f8f-a250-871a0a245403,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4eeb55b-c698-40d6-9a12-5b84d1f1dc33,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d497ba6b-81c1-4638-97ba-86edf4661cea,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c584621-9fff-4822-88b5-49902ab6dee2,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9496946-9b67-4ce7-9a32-dc96df8eacfe,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b8ebf8-d9ff-4d7d-b95e-a217c980e625,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4283a8fe-e547-469c-94cf-f737069ac46a,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b121ba0-1dfd-4a1c-97da-e686b33f03d8,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf7c7be-62f5-416b-ae7e-f901cabcef36,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b328e6d-93f1-42ad-9aea-63111ce62d8d,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb62c657-f12a-43fa-be4c-b7eec6de01d1,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b94bb805-eafd-40b7-81cb-4b797857df7a,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1724956d-8d14-483e-847b-03c0663189e4,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92512efb-be64-4a32-a084-2a808610a39b,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b423708-27b8-40d8-a8c7-9f53d141f858,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce443974-a0f3-456c-8345-9e544f342d0e,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,940da95e-f5dc-4c03-b511-c1f97e6a4379,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ff7534-917c-41fe-a7a3-e50de6ab3e72,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa87c219-06ce-4d30-9a69-a9b524eb7494,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8aa29b0-ac26-40e9-8247-30083ba5d503,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b2279b-3acd-4fc7-ba93-7bf8e334a730,"4/16/2021, 8:44:55.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d6cb01e7-2798-4d41-b0e4-5ccfb3d0e7c3,"4/16/2021, 8:44:56.977 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14720 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8833ec16-d37f-4899-b04a-e999c7a77b93,"4/16/2021, 8:44:56.977 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df2a17dc-aa03-43df-90ce-ed83a2f34449,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54011efd-c0ae-4503-9386-afd868ed975a,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715a4655-c67b-49b0-b0bf-305ea655fc67,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,845b4809-428c-4cda-b56f-70701505f6d3,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1646e8e9-fe11-4ad2-9a6a-106c4d6554c9,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e2a299a-9d3f-445e-96d1-590a842ddb9d,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc727b03-4ac5-40a9-9e98-c0848dcb1a6b,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be8ef65-0f9e-4758-bbcb-f60ec8974f6d,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9e7030-ed02-45e8-b5e8-1b7e00564287,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ec4abd-029b-4d7f-8d21-41a9518f38ed,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac479ea-2603-42d8-bdbe-bc66d83c5bd3,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5087db4e-50a2-4040-9411-ca6221ad93e9,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e12c8e3-3e96-4cba-b548-82b364e3cf17,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3ab209-86f5-4211-bd1f-8f26cbd60212,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4003a83b-5e59-48a2-86e3-79e50481004f,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0b752e-e2b1-4bb0-96cb-6692ac905238,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7a4917b-59aa-499e-81ca-0449cc071167,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\KJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80f84fe-91fa-43e9-9c57-962204e54ab5,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b8544a9-c4b5-4694-a214-c2b305e33c39,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b86c5781-13af-4ee9-9f91-0e82d715543e,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,095550cf-a315-4ad3-ae44-75f7413675f0,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e06b549-8f5a-489f-8320-2417fc7ad99b,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83b3f3b9-d67f-4c52-a787-ea002b36a6b4,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf79e044-cad1-42e4-8302-1089efa897c0,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6089ba51-3c2d-4ff1-baf4-cb3bb86f8051,"4/16/2021, 8:44:59.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98070345-557f-4cb0-8271-f5e1e24e2023,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db51637c-390e-4fcf-9f8f-cc1fd90a190b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1acf16-b982-4e27-b3eb-79d6a88ad74b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d82b39-dbac-46c5-adc6-4e5392e552f7,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13fdf972-1362-4798-b50b-48ddaad3d4a0,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e5dca03-2ef0-498c-a552-2afa8da42859,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc2f78a-7543-4a07-a91d-ca922f31018c,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944feee3-7b8a-4a2a-9588-c5bdc6885aad,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c972b090-85ab-4ffd-b8b3-7ff1ffa21d94,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9e3b1fe-4ed5-4509-930d-c0574e218bcf,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d1f7cc4-8a0b-4ddd-9fb9-17849342943b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9661426-972f-43c2-9f79-02b91f8c35cf,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8113384-26a5-4d03-bcbf-7ae36c997a6b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1528c62-c1a1-4d57-8a37-17309d683b71,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b75947d0-7c9a-4d1a-8052-3236daa8ac3b,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e089d197-ec81-46bf-b663-bd27af269e81,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1eaa12-b356-4d48-9416-484eb801644e,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48dfd5f8-2530-48b6-bbd4-c8024e24aa53,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fea1bee-56a0-4bd0-b97d-86347641e2e8,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ea22a69-61ef-426d-a917-e60593a7a026,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b414884-5bc8-4a2b-acac-7467d0e7c59c,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0432679-b12c-4782-9b2a-8ec21872a1b1,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76cae2aa-dd66-46fd-b6a6-7ba8c0855f33,"4/16/2021, 8:45:06.114 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca02a87c-f372-4423-9128-262611781d8a,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,361b9d93-a787-471c-aad1-7347498ce4b4,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e50bdb09-947b-4ac5-91a1-97aeb542b66f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ef5a74e-ae3e-4d53-971f-cfabec5c5279,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9504f66-6c1c-475a-9831-3ee0bc62190f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,727bd7f9-b33f-4eef-b9f7-3e31069bc004,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ff530e-f936-4184-bf8a-ef191622477a,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a3bc5f8-e593-42ae-b20e-9ef233605e16,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03246d89-e10d-4096-92ad-378cb7af619f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4059f254-9127-4637-8e06-d7e1982bfb64,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92017372-57a8-4ccd-a5bb-50ed348f8626,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1bee9c2-e7d9-42d0-96cb-343daeeffd60,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f64b36a-7f5d-418a-9a94-c77ffacd9c3d,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2bf5eb-ab17-41c8-82af-b64d137557c3,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,657f5da5-529e-4f55-86a3-4c35fb755ec8,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78ec107-0db1-44e7-bcb5-c499035a754e,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be8344d6-82e3-4e3e-8944-167e540eb04c,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7f1346d-e37c-4c31-b0dd-7ea55f549974,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f97240b8-3825-4129-9251-e04dadd9d0e1,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb734fff-6df0-4ec1-8559-a4b416193b80,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,915e8904-a282-4e2e-af86-0f1fae87f22d,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95224e08-77eb-49f5-84d7-4445a03f3998,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95f9b940-3b53-43df-90e3-ff0697ad2fc7,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c77c416-a470-4fc8-af7d-30fe68c7443f,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,347016ab-3d59-4324-858e-0c51c10274c3,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24382fbc-9954-4980-8be5-5497f2f5d460,"4/16/2021, 9:03:17.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac23337a-e581-4668-8ea5-2f4b9a7ce75d,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a8dbe03-94e6-466b-9ff0-6970431597de,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c319d0e5-c964-4394-abda-79927593d667,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a768565b-04a3-469c-9266-7d88cb9ba0b0,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02502f23-662f-4b87-be6d-b593ad54ebdc,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,806d59e9-cd48-48fe-bf2a-58c3dd0c7edb,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed08e745-8956-4851-a408-f935135d7b18,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc79b209-e913-44eb-8561-383464112233,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fec4da7-40a9-4d26-bcff-4b1d1e819a8e,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99835229-dc2f-4c0e-aa17-cbe7a4a08990,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d71671b-52c9-4ac7-8123-d23ed57ea6d7,"4/16/2021, 
8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79eefb3b-c01f-4d9b-b978-dda2eb3b2242,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62a08d99-2fda-4615-b052-4b7ac4bf7dbf,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cdb5669-8514-4feb-b30b-6808cb1a340a,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9446cbc-6352-48f1-993f-273f847d4c2f,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f98013d-238b-4149-9867-7ff060a79fae,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6899e3e-4fc0-484d-ad39-012277199a8d,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15c193cd-ea53-4bfe-aa9d-a24b3cce3e3b,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dfa2438-9492-430d-b896-52a02c62d0be,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\CRESCENT 
LAKE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d9160df-b7b5-48ce-a999-81292ecdef79,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a22d38a7-ab13-41df-ab48-640ce97628f8,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce49c081-cd9f-4f11-b93d-3bd6e90f675a,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0b3c1c9-fe45-4cd0-826a-218b0624abdd,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a6317d7-7fc6-4e8b-97d8-0da326ae2db5,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6420a79-bae4-4fae-9bba-1da926793893,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760fd76c-e40a-476d-a4f4-42e1da68fbf3,"4/16/2021, 8:55:43.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b693084a-3118-465d-8b3b-ae48f2d11306,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fb09f2e-3a68-41b4-84ae-197bfb485b38,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0e2ab0c-6eec-44ef-af39-ea9f4d892da5,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57984897-6f78-47fc-bd37-ae145cac3f00,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09d8eb4-6ae0-4ab5-ba7f-009b9ac42573,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebbc641e-de8e-471d-bca8-370dc774d889,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61764e20-7fa7-4b78-9946-23b30e861925,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae3145ba-5e9a-405d-b39f-7e119fa98ada,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a87951-62eb-457d-9695-610a79673f43,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,239cb7a4-f83f-4450-b53d-d9ec42c20487,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc3ee46-1791-4f86-889a-967601bb4f00,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fde3d0-9fe6-4a20-a29d-8637ec12e94a,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5be8f948-36b5-44c1-a6da-001aeaa1d3c0,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,657c164d-7184-4982-93d1-b760b4eff2c2,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129c9a1c-7547-4db9-998e-a6999799adcf,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28fb2cb8-6599-468c-b26f-a1b79f4ab510,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31959965-dc3f-4033-bb5b-84a4d08c51e1,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12c9773c-b6c7-41e6-a64e-8593a07d4a4f,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b57f80-dd05-444a-b5b1-76a702ee086c,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161073dd-2e3c-4afc-9fab-e0fcdf49c087,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c37d29-4407-4493-9baf-ea5ff32c91b3,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53913897-ee2d-4519-9319-305e41e8fbd7,"4/16/2021, 8:52:14.106 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,504b92df-fb49-4a63-8630-32429e66fcc1,"4/16/2021, 8:45:03.608 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ddbbab-124f-4398-b492-4c29b51bf11e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,664fa29a-b386-46ae-b7f4-a4efee31b265,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,733c1439-eccc-4c70-8a73-9dbe8ea8bb3e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e0c1ec2-151e-4099-8105-edd6cd680fc5,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ffff210-ea37-43d6-bb48-9b20c4362ea8,"4/16/2021, 8:45:03.608 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4640817c-9072-41dd-a77f-8ca690a109d6,"4/16/2021, 8:45:03.608 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d744880e-e6fa-43b6-bca1-763518bf9cf8,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb35c70f-5569-4574-be50-30c9bf0aea3c,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa6ddbf9-f4fa-49b8-ab1e-825c631bea1a,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93759e9d-22a7-431a-a993-3a7e05be892c,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83282d82-75e0-4c93-837a-23d63baa7996,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff255b0d-2a1e-4891-9557-2af88ca27a4b,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12151c1a-0be1-4133-a444-dd1d963b38fa,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26bf3c84-b5a6-41ca-8894-15715dc3952e,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c571bb51-d1c0-47f5-8529-b02512b01ec4,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ad16798-0622-45d9-9ccf-02cb6742417f,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01e86bbd-0d5e-4037-b7d4-f4ed9b9bbbcc,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d9ad0ee-97a6-4b9d-a6a5-0de1ae3abc76,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e6d626c-aeb8-42a3-a068-b1ad0b8dbf64,"4/16/2021, 
8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5abf2589-a926-43a4-93dd-7c5fe637f285,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7d1bd18-5742-4144-88b3-0891e1f471b5,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42423e43-9de1-4365-b068-e600f80a4594,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c6ddd16-4a23-4ee3-8472-e17f632645dc,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f3c8d42-5ecf-4a2f-8ab8-935852de9cb7,"4/16/2021, 8:45:03.608 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09a3660b-e7fc-4b78-999b-8489fc07e6a2,"4/16/2021, 8:45:03.608 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d7216f64-8363-42b5-a28f-1147d4624d84,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3121b0cb-e49f-44d3-9dc1-7d92ff6fcdb6,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07d68ce4-ccca-4928-9ff8-28e63ff042ca,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SHIR-SAP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T17:17:53Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> 
<RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 844424930139302 + 2272 + 812 + 0 + SHIR-SAP +",4702,4702 - A scheduled task was updated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edd37253-8c4f-466e-865d-85de7760e52e,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,262bda18-5374-4963-905f-d2a5d950709b,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c88dac78-aac7-4a67-8973-40c31745fa90,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3980 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb729171-32d3-425b-b2f0-a3fdf3cb3c56,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3084 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,274e7f15-1ad9-4fe6-9788-d9c30e3a8da8,"4/16/2021, 8:45:11.416 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d9bee70-23e5-48cc-93e0-e3597df4ee4b,"4/16/2021, 8:45:11.416 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9bb1fb5-4dbe-4bb3-89d3-c668f86df426,"4/16/2021, 8:45:11.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3120 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6aae56fb-afa0-42a9-ab7c-8dd0e3a67d65,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,907566bc-563f-4129-820e-2ccc09fcd749,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cda41ce-5e72-46a0-9b40-ff0f187cbd41,"4/16/2021, 8:45:11.416 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f4fecb8-915f-4a97-9871-c24ab906018a,"4/16/2021, 8:45:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6278ac7f-a0e7-4646-b8e9-adbb58e03e08,"4/16/2021, 8:45:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab80064f-a540-41c8-ab07-b28ea257d7f9,"4/16/2021, 8:45:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de86ba29-2256-40d8-bc42-ab51704de01b,"4/16/2021, 8:45:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db5f603a-ec0a-4f2a-932f-076875e6bcc9,"4/16/2021, 8:45:09.860 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d1021ca-9652-41db-bfb5-955b95d4669d,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70912d6c-9a6e-4a97-8344-7a3e490e3156,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2ff695ae-7596-4091-b28e-2333d32494b7,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c85b630-8167-4978-a54f-5b887109d1e1,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2702ddbb-d101-445a-a4c2-afe5ce2292cf,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,726ead25-cdb4-4697-a6a8-7d461e40f075,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ae5da5e-b579-44df-b443-08a048fff398,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae57fb10-f5d8-4ab6-8a3f-bb90c3b5f3d1,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c14336ab-f5cc-4e98-8591-43fb50500ce6,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0c75c8a1-3b13-4653-ae8f-2dbd5e1496e7,"4/16/2021, 8:45:16.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cebedaea-5dc6-403a-b74d-4abff4cbe4c9,"4/16/2021, 8:45:16.050 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bce35cd5-4828-4fa2-a9e7-f5eeb9ea9cf0,"4/16/2021, 8:45:16.539 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5856 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cd1ad5a2-eb76-4ff6-a82c-6fbc1f32e5d0,"4/16/2021, 8:45:16.539 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,df1cc295-e086-4ae3-8a81-02e5b73a0a9e,"4/16/2021, 8:45:16.539 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca2ca9e-1432-4d26-af40-5a5fe7adf040,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f46d156b-18c8-4511-bf8a-f9771cb981e0,"4/16/2021, 9:03:31.662 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6619cb55-b795-42ed-bd51-fd5c39dac75a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ae6b4a5-ab20-4e2e-8563-4c8011f5a598,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c2e4419-6e58-4bed-a1f5-0fa204e96b04,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48e4686e-b8c9-4db8-a65e-a6aeca5f12bc,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3da65007-6cdb-4321-b9a2-2b9781d396fb,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a4d09cf-da62-400c-9f07-3190ded76456,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee44bffd-0081-461e-9f72-8fef512d0604,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d8c329-e0de-4401-a270-37d7b9484d7d,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13184430-aabe-4356-b065-c6aa27e91937,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d214991c-262a-4c32-b417-fae66be58d7d,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2783d7e1-17b7-492d-87c2-9dc9f47bdaa3,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6acda4-3e13-43dc-81d0-8853dd4ce799,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f125b8e9-44ab-48c7-b271-986cfbb57f01,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12886984-d9d8-43c8-9053-3fe751be5d73,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da8fac08-e1d1-4386-a7f8-69bbdd487fb1,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67502fce-1224-471a-a45c-b5d8297d042a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b36cd61d-000b-48b9-8be9-b4edc1a7225f,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c9b3bc5-efc2-4f25-ae8a-7dc04289978a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b24d1d7e-0537-481d-bf1d-a758bb66c67a,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e0100e4-e606-4592-902a-af22cf6075b6,"4/16/2021, 9:03:31.662 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61b1f92-2b29-471f-a92c-7af81967147e,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f75c82a-ba7d-4594-8731-f5f5ac5c3f47,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d07df1d-2329-4213-89e8-eff84f015731,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de96a43-e600-4a2c-ba2c-17b55e654815,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2745c73-da65-476a-9f53-07da59dfda3c,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59f06446-b350-4b00-a484-ebab364ee204,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e32b57-8c32-4596-b035-c692ac73fe32,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\ALEXANDER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01a9f43a-cf70-4856-8bef-0338496e6f0c,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,662fd875-20e8-4706-983b-6fb6ce45a5bf,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,811da4b8-a34b-4932-a351-e224dae21bdd,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\OVV,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3054780b-21f3-426b-b6cf-593de7a8f9b1,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be72eaa5-b023-413b-b8a1-7a0395bf6f61,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,414e9a69-88e7-4d61-a203-9cfe586403ff,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3350246-d0e8-4bd7-9afd-b9e5e76bb440,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cc9e3a0-a828-4bf1-87af-5d2ff993150a,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb77d10e-56c8-42e0-96b5-fcb949c7d408,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcd3c586-6dea-47aa-b4ec-2f96a69822a3,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07819dc-d665-4aef-b990-cff43106c207,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a0f461-f390-47b5-aca1-58bc840754b2,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0afecaa3-292b-421c-9311-48fa49c80271,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df9a037a-c2ca-4291-b78b-37610dd91945,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38722ae9-dd64-4990-8883-3dba801f86d2,"4/16/2021, 8:55:39.644 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c13a82ba-3b83-4465-8026-1f22d4a20a9c,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e86e440c-8df2-4087-9d63-ccf63c49a5d0,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d556216-1ff3-4eaa-abe2-de1ea17fe79e,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6954d489-8659-4e88-a0d3-d684956f11bc,"4/16/2021, 8:52:23.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,179e19cc-05c8-4a33-96b5-e815a7ab9346,"4/16/2021, 8:52:23.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6312 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7e500d66-2dcd-4ccc-9b3e-63dfc7a33c6c,"4/16/2021, 
8:52:23.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b865fee3-2e57-4601-91b6-8be8280323a0,"4/16/2021, 8:52:23.410 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83197e2d-7b43-4422-b77e-829769b7ff83,"4/16/2021, 8:52:23.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ccb7787-4af7-49d2-87dc-32fd29657add,"4/16/2021, 8:52:23.410 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d521abb2-5199-4144-a020-fef4bb08798e,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bf3701d-18df-421c-b90e-b8ca8818f7eb,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12ff8cdf-5499-4c8b-8317-76aa27c64aa4,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c205f4-8c43-47e4-a046-9e9f5087765e,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc1d5e7c-6a88-4399-88a3-96459f7a98f2,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f0124c6-334a-4daa-932a-314398d9e466,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5a9e23-710d-4a79-b99d-17aa55a04640,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ae60fb4-e5ca-4385-8f4b-8e876127ad57,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,943fb451-296c-4a9b-8aa8-dfb0eb6b72a8,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,272a7b00-b0f5-4cdd-aec6-4a066c0fc8b6,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ac31834-c31f-42b6-9934-451d490a54a9,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf46cfb2-63fb-4bf3-8cdc-dbdb84a888a3,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b577f3-b809-4660-9f28-24b0619b73bd,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2e27da-8956-46bb-a34e-8054c98b66a7,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7cb0265-a498-479f-b723-3535a4fdafa6,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3474bdbe-27ea-47a2-ad45-0a8c2ac097a5,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,227b145d-2a31-480c-86ea-8b95e60b1275,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf2e7a8-c0f8-423a-801e-072bfd7afab0,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b127d0cf-9e09-44bd-8da0-77b3024b17d3,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a818acf-3378-465a-b4c0-2dae8463e2a5,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1d41fe-14b7-4682-a272-615a14ab0fc0,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76022a3a-a1d7-413a-8120-14c1681c04e1,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dfea27e-1837-4918-9746-0f3c52d2b39b,"4/16/2021, 8:45:14.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d08d7a6-8b32-4644-a236-28a974d4e57e,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94ceb7e2-adf9-450d-9048-2aed83b19410,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ea86e9b-2c33-4908-811a-b4ede2081eb0,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8705d126-f352-4f06-8991-e061052cfda4,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71fbb1d5-8281-4907-a42a-52ea1896f544,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,730da0d6-6d32-4c41-a973-c81b3d9fa098,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4b0acd4-4dfb-49ea-a8a3-8bc5ce47b966,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af7450a5-056f-415b-94d8-a97e98228965,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc9eaa7e-4d5e-4b86-b76e-3b9c0023c425,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ad82e01-106a-4f2d-9dc4-5b3e401ab70f,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee221fb5-0522-4a6a-9bd5-a20ae70a28d2,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e41c33-f4a2-4651-b32d-3039de1198e6,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d28ce86-a765-4e0e-947c-f63f40c7b1e0,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,524726b0-5bb6-4b10-b3ff-f8b51ac19086,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21eda717-1ac3-4b70-88ed-9869ec55f665,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56350baa-5011-436f-b4e1-f853094078e5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2e87876-164e-4ba7-ac2c-810f5a44a1e5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,818c54f7-5913-4fb3-b75a-ead08688eaa9,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98c8a408-42db-4582-b348-50118de456f5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d1a6cc0-c12c-456e-b286-8bbfe2d9f663,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59e2d31-9ff2-4cfa-9a2c-44b88f00f6b5,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791b50d2-46b2-4b99-86dc-19aca3eb655a,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3b2b79-eefb-4c2a-ae55-3fbf6d70dc1a,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b87dae7-ebdf-4300-85ab-401820c6f22d,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cd46206-6f01-447b-ba51-b86cef184141,"4/16/2021, 8:45:14.609 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,646e350e-7b4c-4472-bd5d-a3444a81b44b,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e38489c-8a84-4e8e-82a5-d377edc31eb9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26de61a-cf9d-460f-8b6e-d7f2d3a2a607,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd1260c0-69fe-41af-bcc3-2acb7ee6e2d2,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda4ea99-7bd6-41d1-ab55-756cdc1bac50,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef28401-397f-408a-ad59-4bd395c679ed,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fda9406-9f8f-438b-aa23-2c027b9ee906,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f819b98-2d07-4562-ac62-365e31be0a7f,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4761418-739c-4910-81db-4fde9ebd3243,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a715943f-12aa-4660-8609-071dd01901ef,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cfd260-e28a-4e2d-8b29-09532f6d7429,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d856f509-37f5-4822-8fe5-41432ce2a17b,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cc6a69b-270f-4233-b5c9-5cf548ec4817,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26dc8d7c-8070-4f4c-bb60-ee7b5e6776e0,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77683db7-be0d-4b17-aa6a-3e8a717e9722,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5d22489-de29-47a9-b38b-4ae4d8fd3b7a,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82cbe37-a4ae-4f94-acfe-84eeff873d70,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec3e9997-1c21-4ef2-9f4e-2328964b1cc9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed8cd57-8077-4931-b148-6e95263b96d0,"4/16/2021, 8:45:20.104 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a400c52-8bd5-4b7b-a26a-9c1c355ea10e,"4/16/2021, 8:45:20.104 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a86575-aca1-4fd9-9113-12003de53ab9,"4/16/2021, 8:45:20.104 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5652 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82015ed7-811a-4ee0-92f6-8f06274fac54,"4/16/2021, 8:45:20.104 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85b5711-f15c-48ab-98ab-9bf120d689af,"4/16/2021, 8:45:20.104 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfcc3e97-29d5-4ab8-87cb-3a3a87165512,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a4a7dc9-890d-47ba-aed8-0c486b849dc5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72f8dc4d-2a04-493e-8b46-07aac0b03689,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63d742af-d34e-4740-b66d-8f70ffa19dd5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46a9043f-7961-40c0-ac4a-f04e81b3a5c2,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bbcaac1-46d9-4a7f-8d51-1d6f38f18135,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e72d46-6ba3-4699-9cca-42003e7e6442,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cfe2b5c-5be1-4b60-b248-1ff5c1a11a42,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75a647d8-0c0b-4af7-8ca4-903ced996d97,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0ca36e-89db-4fcc-92e2-778c09b925c5,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e1951b5-8a57-44b6-896e-e623e199a80d,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1beca6b9-1d70-4210-aae1-4c8edac723d1,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f12b249e-2dc3-478c-874d-868861e04d12,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9eb664c-866d-4752-ba33-6dfb0b6a7e5c,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,224cfa2b-90b3-4e22-9525-777a8f02c582,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00b765cc-6830-4f4e-a4a1-ab5f29b31c9d,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,103b192a-c1bb-4a7a-aeb9-5bf501007bd4,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75dcfe2e-9516-46f7-beb8-89a0b9a2c8c8,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,350e933e-89b7-4fe2-b19d-b5613bf373ed,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b5522a7-9d03-4ed5-b8ae-1d553f781ac7,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61dcd31c-f9c1-4e03-b832-f4010c1dab10,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0f583cf-60e3-4063-ada5-711920795929,"4/16/2021, 8:45:24.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1d8d7fd-aa1e-4b00-8d2e-2b74736df5bd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ac53d8-3fd3-4915-b1f6-3e2c3bd23b1e,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecde94c0-b78e-4d03-8822-07d617f27f1c,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c167b0-d9cc-429f-abdc-5273d8dfeca3,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,297c4b50-0bba-4dd5-ae25-51635f1f572f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63395c1a-5625-45c9-a306-204d72a7994f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f8a404-b203-430b-a328-d1e5b8007cdd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed08aa18-105f-4a50-9d13-ff4d3d74ee2b,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6ac1a6-751b-4c13-b4dc-063b3cefacc1,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712cee39-d451-48cc-a836-7e039b010e3e,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ce04b9-7ba3-44eb-aa88-0efa9b26613a,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a34c2377-0a7b-4042-a94b-11f39960cbb8,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf126df-5847-43e3-9b6b-7de2ec5088aa,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,682cb234-903e-4d5a-a38d-239fd1c40d58,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05322e43-7f7c-48b0-a473-2b01a6cd1577,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9afb797-8c03-4aa2-a8e2-21a50d08c7dd,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6528ba14-8d12-4042-9653-3033205f5bba,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec515e8-3594-49a3-b51e-5f0bc7e425e7,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb5380f5-f814-42af-b241-784ecc0418ed,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\UNA77,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa75a19b-a16d-4441-ac42-8756561e972f,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b2108b-a8ee-4da8-a17b-7a6be20b0e22,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214b28ec-64fb-4dfe-9424-4686b1fd7007,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201a9163-c626-4d07-9390-125605b65e03,"4/16/2021, 8:45:28.103 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7e46c48e-dd76-4a45-b3d9-087868d710f3,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fceca01f-4420-477a-a516-0572462f3f80,"4/16/2021, 8:45:32.869 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2415668d + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership 
information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0b5c3b36-c46d-478e-a143-fc30ae9a079a,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5728522d-5c9a-45a6-b54b-6f58f83fd8d7,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5fdb2a01-33a6-411b-80d3-221fae68fe89,"4/16/2021, 8:45:32.869 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f15cbce-ecbb-4ed7-8fa8-9523979d08ec,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2a8c330a-9250-43bb-b1a0-61aff7fd03c4,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5272 + 70 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSEIR.EXE + 32 + 3B36E67E5EBE93E1709041FF64102DC50FC2C820671221C97DFA601D808E95A3 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSEIR.EXE\10.7740.18362.1411 + 0x3e7 + 72 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c15cf2d0-fc61-41d2-9026-fa091d63a6f0,"4/16/2021, 
8:45:32.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4356 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e5 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f8547bd-85e7-4b9f-91c4-1ccff8a7c5fa,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6f0814dd-468d-4cde-b498-423b8615d90b,"4/16/2021, 8:45:32.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a2cb9d73-5008-4e7d-a392-84b58bd80041,"4/16/2021, 8:45:32.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,44835932-945e-4c60-af12-b7c1509c79a6,"4/16/2021, 8:45:32.869 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efc26cc9-ddda-428d-a8c5-1be17bd0d409,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd50c992-cd5a-4d24-8e2a-9cf0e4753190,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55e8431b-146c-4cc9-97b3-830fa4f1c93f,"4/16/2021, 8:45:34.615 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5fe436d-90d0-461f-bb73-65e7f42a567f,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06771e3e-5916-442a-a6ef-06531606596c,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8652933c-1431-4344-9259-041afd4e7d12,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82210c62-f444-4d63-9d01-51323250b2f8,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37c57c29-d964-4c9b-a336-9a056fda21a8,"4/16/2021, 
8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fb7df08-a3f2-4168-b3a2-8eb8d84134fd,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b2ec295-e8f0-4833-954e-a7d5c45ad049,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38e6e6a-62e3-4921-9e6d-c5c83f5ceb12,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,050c40a3-8f42-4a3d-a9c8-2af9762441ce,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d684556-5ea8-4c51-9ef8-195845bd8594,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,915c123b-396b-4dfe-94e6-12a47aaab5b6,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30638fdd-5811-47c5-b404-fc5b169b9fba,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb915bc-1f81-4741-9379-8186f12e6131,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb5bd14a-198b-4459-90d0-9ae3fae04673,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f33446f-97de-453c-83b3-797b204971f3,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff2f6c3f-8ef8-4c9a-9bd4-656a19247a15,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,700ed3f0-ed7c-4a46-bab7-449b418976db,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e310ff5-d157-486c-a855-56cde001282e,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29ee13e0-41ec-4f8f-ad83-62ac8fa4efee,"4/16/2021, 8:45:34.615 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,e27b6654-3ac1-4275-ace8-f9480d3a4d11,"4/16/2021, 8:52:24.757 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership 
information.,f6638b82-98a5-4542-8bec-6bc0977f793f,2bd6544a-cc48-4f27-ab5d-dc981058e2cf,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,edf592de-d2d3-4388-aff1-2a7383771928,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,68176ac1-524f-4e62-8218-6b94c9013503,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,59977b0a-50c7-48c8-b1a5-7457391afba2,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2176 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d828db1e-f1f9-49c2-90f9-5f30629ec542,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 122 + 
%WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6d0a9120-e699-44ba-aa1b-3bdad6a44999,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,db778e17-0b6f-41be-809a-37b039de57c0,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,fd49cdfe-ba19-4d9c-a182-5d351ad5e01a,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-503 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,d394bcca-5057-4a8e-a48d-7a8587e286e0,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPc + S-1-5-21-1778951011-109519560-3417497144-501 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,05d10cac-8f3e-4272-b373-f608e6a87449,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-504 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,723513db-749a-4e98-8808-514cf775e1da,"4/16/2021, 8:52:24.757 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc342a67-e880-4831-b0a3-4a2c9f483cb0,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5d8c570-63e3-45d1-9ed1-d9c93ba0d296,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cbf3d23b-c9f0-4bf9-b8af-0ba9fb34cee3,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,11d91d5b-468b-4bea-bf16-0860841e07a9,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2b9f3d5-a746-4617-93a0-0346e0710bc1,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,ca495b8d-0fbf-43ea-8655-eb1ccb2f512e,"4/16/2021, 8:52:24.757 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,46615fd9-e730-421a-8385-bdbb3a266e44,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,a140c5e4-0974-4f64-85d5-e12242f0f665,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4b11b5e-225b-45d6-811d-dd20cd5ee54b,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,58b387f7-3437-4753-96dc-f4c36049388f,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4c209b89-e7b3-4109-9b62-d7b49d240022,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,7b54cb90-303a-4ed7-b80b-d448e8083e1d,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c8ab2c6-98ef-49d8-a5ff-d7e8d17bc5b7,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,df4b2098-7cf6-4ff8-bd2e-f0078fd88713,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6060c39f-9909-48f7-b8ae-e3a9dc49e377,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,51b58a25-589b-4c2a-b592-b5c38bd70e3e,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4108 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ac5289e-fb6b-4f70-b31d-2316ca017a22,"4/16/2021, 8:52:24.757 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1100 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4c265ef1-4056-4841-bfae-86711a33ba31,"4/16/2021, 8:52:24.757 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e6f52d0-79bb-4585-a327-14ec670bc89f,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d3b7ae36-b101-4d10-ab0d-5a47f12add2d,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2e4e0d36-febf-44a4-b5e9-6dee6b8ad8ad,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b56c2e09-b964-4216-8b60-860c2631768f,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8de588df-3253-4da1-84be-762808f0e497,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8834515e-4b87-4bec-841d-15e8a33f5a14,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3f0c4a7b-52f7-4cb3-82e2-370092b8287e,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0a98e45-2c12-4648-927e-8404fb25dd21,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3ca063e4-e5f6-478a-a2bc-624323784d2a,"4/16/2021, 8:52:24.757 AM","%%1552 
",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae81a231-698b-4d4d-b20b-4f8b23d1fc44,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ce15bac-bde5-4067-9535-9b12e4ba9fd1,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d884c800-b4b4-4c66-b991-6bf57bba62f1,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,23ec98bc-6742-4cac-9c0c-5a72c35c8d39,"4/16/2021, 8:52:24.757 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0fb8940b-c775-47c5-9b2e-3f16903e0d0a,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local 
Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e78d7eb-b381-4474-b869-f65de9ebbda8,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,97c0720d-2b31-4bd4-82de-81d62372ae48,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7ec9b8c-c636-41cd-b19a-5d3651a6c20d,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a7a0aa5-4522-4063-9a1f-2e3fdb98011d,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,cfa31b96-3250-4704-a9d6-b448de883bc8,"4/16/2021, 8:52:24.757 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f962982-87b7-487b-8ef8-981620e6592a,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,278b0c88-6cb6-4c50-ac75-3902cffe2a6e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1b17e29-d846-4ed9-9d12-c70ba98ae17e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187ef168-0f56-481a-bb4f-fafad54e0c7d,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62d56613-13fb-4e51-8a2e-8e4663700c57,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6b49c16-cd22-4787-a45b-00832ae836d1,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2083a5a7-3b54-4d43-84e8-9a075f23d0f4,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7892e76-cbe3-4190-b98e-d6e1763ee755,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd6026b-04ef-4465-9f7b-b02165311adb,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0340f57-296e-45b0-a3e1-cb622df6e06c,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\TJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74473b98-cf6d-45f9-9757-731715a9ad2e,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ed4d847-9109-4b96-8e80-c6947b175b30,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\ODA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ffa1011-b1fa-4be7-8404-61094dcfc4b7,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f2ea494-1a22-4f93-ac37-74dac5286fc1,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,404804cb-648c-4037-a71f-12227b2fda56,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2708d238-d6f6-4d1b-853f-02f93f0fe550,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d026719c-27b8-4688-832a-616ea039c237,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3e288fb-48ef-4fc7-adc6-6bf4407d2e57,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a556e8e-7e71-4219-b6c0-fcdfaea86502,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef2adaa7-48f9-450f-b609-6f3ff4c0abe4,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e3e9c05-2d1a-4ec4-9ea5-a9591e981a7c,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc1b5ab-7eec-4d11-83cd-1292d4588bc5,"4/16/2021, 8:55:53.647 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd369bc1-6e0c-44e6-ace0-306a5143d0e8,"4/16/2021, 8:55:53.647 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f659bf4f-6efc-40e8-8e45-2072463cea54,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347d2434-bc60-4e75-af74-636a1f65c8bc,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc84a7d1-9ac8-47d2-a953-b2e1b9f9f714,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4007b1e-f5af-40d1-b2fb-e037def4dde4,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c77b770-1939-40a6-8f3c-caef001c61ae,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d94e9b28-36e8-41ca-9942-9287350dd4b9,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0788c8f3-9311-457b-a56f-48a393e60437,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0558e721-1a21-48f3-8027-bca17b5617db,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97f98f7f-e41f-4cad-a57f-b3cc18689d0d,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a77c4806-4cb6-4090-a0d6-e860eaecf489,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1119f8db-ceb9-45f3-8731-ae0cbce5442c,"4/16/2021, 9:03:36.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66363f64-0078-4c7b-87e6-c7f399a73108,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e039840-1d96-4651-9739-36cee816320f,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e74b88f2-1d4c-457b-8040-425f7b2771f2,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e25a639-9c4d-40af-b307-aeb80671a831,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d00eeea8-141d-46bd-b4b6-fa44907df3e1,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7670f47-f2bd-4aef-949c-032bcfdb1eaa,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d3e5b3-7168-4482-860f-2bc142e710b8,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66cb2056-3b65-488c-a3df-52d5d7b40524,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ROOT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ba7ae8-2cb5-4b99-a99b-4f3269a76a08,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e563f6bd-46fe-42cf-a932-582444507c01,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe774a37-400c-4809-b149-d9bec91e4bd9,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b1b66f-7c61-4914-8dc9-35f1e7c2ba21,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bcd006f-c7e7-4487-a8ae-7d78a9c97762,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e459528-dcd2-441c-8066-ec0294355c95,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0dea74-a9f5-4870-96cf-33292e47e20f,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b885617d-7cbc-4c62-adfa-14ff6b26ad33,"4/16/2021, 9:03:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e44a4d-d84e-428f-980f-fac213e6af65,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e75f9933-f542-4d07-937d-77ae5bbcfb7a,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf43a96-7560-453a-8920-4a73bdf3f043,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fd3119c-7ac5-4dc8-a99a-839c9f2cfbc6,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc3da7ed-ea09-4728-b804-f7ff9ac8faca,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e334416-53bd-4031-908b-419115a8d0ab,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bbbef99-4feb-4340-827a-d756d25c2e7a,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,2a04984e-5dcb-47e0-a900-a1f15022a06a,"4/16/2021, 8:45:37.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b850b8-1e49-4a2f-a9ec-4e1608723e98,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b44edee5-9f58-444c-9a04-18c79fb2394f,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a7af621-278a-4395-b161-2eecad67b744,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0581f177-9923-423b-8677-55031023e1c4,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb35c66f-baa9-48c7-b4d9-4697c819b937,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c475df-e8aa-4da4-b525-895fb607140e,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4013c140-6f3b-4b26-94ce-403636b31437,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81c40e54-cad2-4571-87bb-7e57486afffe,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08d239c4-ef42-4604-8749-b1568f80f51d,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff5fce39-a6c0-4d12-9b2a-8975aecb1eee,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bc4ddb0-0b17-488d-935d-c0d51adcb014,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791274ea-d391-4c3a-b0d6-e457cebeaa33,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa249ee7-caa8-4f66-9742-618aaa56117b,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16dcd2fb-7320-4f14-aedd-2a5a2e6c2fa1,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\CRESCENT BEACH,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b6d377-6838-4d7b-9de4-f5c86d07fef3,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab25b8b4-1416-4671-a162-9212009a8da1,"4/16/2021, 8:45:37.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2514227d-5298-49c3-aaea-486e65431c87,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21a8291f-a779-402a-9bed-aa23253e4353,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9f6660c-3c3b-4e4b-b269-25e50765a0b2,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b628b4b-1d14-4b4e-80f6-32dd6e970889,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebce8944-af4a-4f8b-8a63-4f15d01016ad,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbc483b0-991d-40e7-8cfe-6c36119ff022,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10e95ca9-eda8-4e09-ba93-df683c5f18fb,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97557fd-88d1-4941-94d9-5dc3b164d141,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2e79283-78d1-4830-b759-0156d629fd10,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc2ec251-779e-4e01-90c2-fe4ee5e96649,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a05790f-d871-44d1-85e6-fa51827039b9,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bf3448c-2fe7-4b02-ac9b-a24b200d6fb7,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46eb2d5c-4b07-4444-85bc-9a9d97276225,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a571e3-be8c-408b-b28b-b7ec2ebf2d44,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a05746d-f0f5-41a5-9ebd-f8b0fcf19b1b,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c477c50c-009b-41df-b461-2efa35da3c22,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b53b0ee4-d302-4568-a6e4-fcbdb14867e8,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef9c3cd-2ec4-4c93-a08c-c0bd0e986cfd,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b24bf71f-1249-4539-b70b-e3b50790c099,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3192ce8-e00e-421c-90ce-720a495fef27,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447ced85-94ed-452f-9d7f-bdb0c00cab4d,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4620d41c-41a0-412a-8b08-abaeab214ede,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db7d378-0c3c-4a1b-99f9-92fff21fab72,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\FJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a52c0c-aef7-41fd-8db4-05de1ab09711,"4/16/2021, 8:45:45.113 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d23a0b7-9769-4caf-98b7-1e86b6219b24,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f74a835-599c-4e81-b45a-21d6eb50d4e7,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb4ed938-5211-4379-b9b3-ebc97fc1732d,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fe9b18f-acdf-498f-90fe-d14ad878caef,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4254b71-5e4e-49b5-bfa9-d44696b2f41a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97f9e53a-9f92-4355-9507-031152a2f843,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0999a554-71dc-4a91-bb8a-8dac32d0626c,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0746502-73dd-4bc6-96dd-c82fba402639,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8789dac2-3b17-453d-b62f-e5664f92c88f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2d145e2-f2eb-46a4-98be-d0cfa835919a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a6c765f-ef50-4e27-92c3-c92a95aee548,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c694b67e-3d17-481d-b482-8fef97df2b1a,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fbd7d5d-6955-4177-bdb7-449f2d64b86f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23d30728-a260-483c-ab64-379ef6ee13c3,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40129e46-3a59-463d-9ed7-9463813be76f,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e650c8e0-5d56-4849-b5bf-4a7193c77522,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d66ad51a-5ac3-482e-b6cc-6e80b5a6d940,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1baea92-1c9b-44f3-b509-4bdd5a1a13a5,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7dc3de1-e283-498d-9ed4-4ebab355d77e,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d513e58-654c-440d-ba4f-496663252446,"4/16/2021, 
8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6749dcf-4a2f-491f-9dd2-7317a2ea2992,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dcce33f-6402-4e4b-a46e-dce9b06bbe4d,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad301d8c-fbcb-4266-aa33-2843a484c7ea,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a312db9-3054-44d4-afaa-604dfc516e85,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04992a09-8c9b-4a1d-b8b9-ab2c056bb77e,"4/16/2021, 8:45:45.615 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be73bb7a-0659-4e6e-ae5c-c7f0c9b93ae2,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,081e8ba2-9274-41c9-bc47-f22145749500,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e7bed15-ecc6-48fd-bd63-002bffa539b4,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c78801e9-c869-4d25-99c4-d17e1b0d4251,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82cb51c3-e734-46d8-b3ac-5876d0d046bc,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca9b7373-f1a6-44c9-852c-9e16072cbe08,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ad60b8-ae3e-4136-b06f-235938f327c3,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a940dccf-37be-4299-bb0f-364aee7e3a4e,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cbd9a9e-12c6-4123-8bcf-071747bc9cf1,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01629912-fa30-4471-834e-d82f167af48c,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04db212c-5dcb-4afe-b9df-e10288a4f0f8,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e53f2b2c-15e5-44c6-a260-18e1ca6b6120,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc068bc6-d1ac-4832-b70c-db9e9713ab97,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4ab10e0-9d67-4138-8699-303ecd9d65c4,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96ea5dbb-1661-4ff1-9b10-2d704a4b6dc9,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7036ee-3a1a-4e34-ba69-807d170836e0,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de568837-c4a5-486e-af99-5dcc362b635d,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49ffdd8e-1610-49e5-ae60-56c4663f43ba,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,952f5ffb-77fb-49fe-bd79-3cf1b8d7c050,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,054a48df-7fba-42c4-9d16-b862af4a2d8c,"4/16/2021, 8:56:24.737 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c481db70-f576-4e21-bbe2-c21636db8df1,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,152872e0-183e-405c-a6de-a1afa37e88c8,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f409f3f-22ee-4fb5-ae03-219b64186781,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10d43f09-c18c-4374-8901-0460c615299a,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d23eca0a-734e-4490-8abe-0c8b086bd9d2,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ee2c546-ee4c-4ed3-8746-23e1a8e6acfe,"4/16/2021, 8:56:24.737 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,83b2da25-6400-4b95-96f7-0716c111e650,"4/16/2021, 8:52:42.989 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12204 + 28 + 
%SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1471ff57-c828-4c3b-8f29-50ee31246ffd,"4/16/2021, 8:52:42.989 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,206c65b7-bda6-4166-a236-f8ec55ca2f08,"4/16/2021, 8:52:42.989 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,35fe29fb-9739-4630-a54e-34e3b749add9,"4/16/2021, 8:52:42.989 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b8e0fe-f87b-4b3a-b803-15e119be649f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e57a916-9733-43d4-9fad-b03f62c60af5,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6572cfff-747e-40b0-849b-2ce0c6b1b047,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3462f54b-62ed-4962-b9b8-1bebde7011fb,"4/16/2021, 9:03:48.174 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1311d5c-d6c7-4300-bdb7-9b8336d34763,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86334fd9-4db2-438b-ae1b-721a1ac530e7,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a33b46-f585-4926-8ff1-3f4542971dfe,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467b33f8-e333-4f0c-a39d-a5912420227f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f1f2d2-3acb-4377-8eab-6d3a90a7bf59,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4893f8c7-bb5d-43c4-8f98-7ac44ab54488,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df5017f-6a5e-49d9-93fc-658b1216ac1a,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add226be-1f59-4fa6-a722-d12e0a83ea21,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbe6f05-4482-4e77-92f3-e33f359440b6,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c40056-dfff-4a4f-a371-ce6ec4aad934,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c9df25-e5c4-4b9a-9075-43da885aed1f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3efe5ab2-e60d-4c6a-a800-0539de63b72b,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b68048-c72c-4e97-8bdf-d347cd09970e,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d79e4156-5480-4270-8af6-7632f268974b,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4606433f-939b-4a22-a873-f10f95cba320,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f52e7f75-44ed-4b29-9feb-585cefb64baa,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ee5430-5809-4e01-81cd-e71aaed4c716,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9852cef3-4738-447d-bf7a-501adcb9c03f,"4/16/2021, 9:03:48.174 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,76afc70d-156d-4a45-aee6-80e590082e70,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9284 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5ea46f48-73fc-4a8b-92bc-a475e3abeac0,"4/16/2021, 8:45:47.541 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a5a2a1ab-b5b2-4c02-acf9-93ec8ac701a1,"4/16/2021, 8:45:47.541 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a2bbf9d8-e5f8-4157-a971-3e633e5ba3b5,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bda10e26-ac00-4d63-ad49-aaedbd5f824c,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6792 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,42dc0c83-a1f2-4ee8-a3ac-70fa9bee1a7f,"4/16/2021, 8:45:47.541 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7372 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a2251656-fadb-48ee-8ca7-7c78fff4078c,"4/16/2021, 8:45:49.263 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,80be981f-6ce5-4068-940c-7f9cf17d7573,"4/16/2021, 8:45:49.263 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4052 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e6109c39-3645-442f-bd40-cbf96f8bdcd7,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 13984 + 84 
+ %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,145905f3-668b-41a9-a23d-452302738604,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9676 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,38f1520e-cefe-4b8f-8345-a6be998a615a,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8012 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,fb606d6d-577d-4b08-b143-00c1fbe84c0d,"4/16/2021, 8:45:45.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8ecf6918-6799-4ab8-a549-32dcbdc967a0,"4/16/2021, 8:45:45.988 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e912796c-bf96-48cd-8e64-0d435ecd349e,"4/16/2021, 8:45:48.413 AM",,,,,,, +\WPSERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e5f63330-05ae-4a56-bc01-b1611ad4ed89,"4/16/2021, 8:45:48.413 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cfe7e223-01e6-4f2a-8c55-b02bd7bf001e,"4/16/2021, 8:45:48.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96fd52c-993f-4f4f-8699-95a1b4c37b63,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d775854-7c70-402b-9701-eef3d1655e3c,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b78b4b5-8764-4829-8200-388b81aa46d6,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c79b10-b20b-4c8a-8146-210a25ec7da5,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f7fcba-8bd3-4d33-a559-c6f1982b3681,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b9498c-e7ee-4d6f-883f-714d2ead0e3a,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b802ffee-fa85-4f74-9b13-2500fb2ddbef,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca8b9d0-82c5-4aa6-88be-f1ad0bc7b66a,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9764ca4-57e9-4d3d-96ad-b734e48af329,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6721b97c-3911-490f-b097-8f121d8b03a0,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\AJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d94d24e1-1077-40b8-9904-bd27180a6eae,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50377523-691d-407f-bb8b-66be2fffc4e3,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e07e902-ecde-44eb-b48f-1315238e6756,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ff5cfa-bd8d-40a2-a319-12c0a0557b57,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb044d7-540c-4f79-b198-fd742281d193,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,595d8254-ba89-4901-89a0-2ed911835800,"4/16/2021, 8:45:48.106 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,898e485d-eba8-477c-959a-edec93baa055,"4/16/2021, 8:45:48.106 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f298a93-ebdb-4cb4-bdd8-abd5bfc4a101,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb31019-a992-47a5-89f9-50b5a7580efb,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c02572-502d-4fcb-9cb8-f7752d2a645f,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +\DB2ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2c0960f-7ada-47a2-85b8-fdb93d620ce9,"4/16/2021, 8:45:48.106 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7296 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0620507-a67d-4ee8-91d7-b9cc642cdce0,"4/16/2021, 8:45:48.106 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3236 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d8411d-e765-40f0-91e4-905ab8f45823,"4/16/2021, 8:45:48.106 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761f5a80-97d9-46db-afec-c72871d509bc,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5c87a6f-fe30-46b9-a40f-35a81dbaf15a,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98ba4375-81e2-4f85-bcbb-d5adae7a9cbb,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfcff4ef-da64-4f4c-ab67-d7101bf935b9,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f11af98e-1010-4ddf-b2d6-fe8c8a2d5d50,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a0de14-beaf-49d0-b834-b5b0c4baebab,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be7c12a-ccc9-43bd-b78f-de53d80643aa,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57f6b48b-3199-4aa0-8946-4ff153b71b22,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5c4d343-ea51-400e-bbb8-4a7f20e833a5,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a7dfe01-80fc-4cc2-916c-b9c7e27b72e2,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a66d53-c467-4d3d-b00a-b02a3c239464,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a479b564-7a00-46bd-a2e5-32a310f8732b,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa500497-a8cc-4f97-9b13-99073b47cc34,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07f6c168-edf8-4ee5-ae29-d5367a0ba679,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3156614-ac9e-4f43-88c4-03dd327d8212,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bbad5f5-c615-4234-986e-d9d2c48654a5,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0c8389-bee0-4ba7-8d83-b1dff163531a,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\ASDFGHJKL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4528c352-bad0-436c-bcb4-3ab968465c10,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7100e15c-327b-4d0e-8086-bb1c30621aa8,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36447924-8640-4db3-aa93-4b16f7c5be6b,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99e10179-50b9-4b97-be2a-a26091f4f5bf,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1391ca-d06f-4edc-b521-00f3576122e1,"4/16/2021, 9:03:44.681 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fe089730-b63e-47a7-8c98-ffd54806f805,"4/16/2021, 8:45:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,665c2d68-7b7c-4941-8e36-061b070c6e28,"4/16/2021, 8:45:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5f9e5e9-7334-47b0-b314-d6cc231d9138,"4/16/2021, 8:45:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af0e84e4-3a2d-4c6c-8655-49d3178945d0,"4/16/2021, 8:45:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,03205a3c-03ec-42d6-b123-cc0455ea956c,"4/16/2021, 8:45:52.740 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9f0f560e-fc9e-4496-ba1f-e55a22407e85,"4/16/2021, 8:45:52.740 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e7aaa0-e52f-45da-9698-d4ab76de7072,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad4b249-e27c-4833-8ab5-24fad57f317c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00157d83-b5e7-4957-b07a-5895d2a7ac4f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420b85e4-1fc8-4b32-a306-ea823893a47a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee48da5-58a2-4560-85c9-f16ab21bdf5c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc587214-c2d2-4bc0-828b-af7f3ed48b7c,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3c22109-e6b6-4013-8c86-ccea95740a85,"4/16/2021, 8:56:25.149 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abfe136c-bd24-497d-a4d8-ffb0670cc003,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a509fd-7301-47fb-86db-75d3eab31f9a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c43423-47e6-44b3-b8a6-c5938a2963f2,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e583995-af0c-412c-8dec-78111378b9f2,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19b6761c-ddc0-497d-ae6d-67061d9556c3,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68c4a633-1119-42b5-a6ff-0fb1437da9b7,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3572a0-f46a-4acf-8c74-8e38a891a6af,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83ca274d-4f3d-451e-ad31-3748a498f44a,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9461954-ecbb-4261-9107-08a09cd6e311,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24a205ce-0c79-44ba-aedb-4d386e126580,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9da0c954-ca08-4d00-bd3c-e24b140b9ce7,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88172891-6710-4ea7-ab63-fc85f437f2f9,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\GJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30e72185-e575-48d5-954c-586076f558ea,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52249cc9-4950-42b5-91ff-da8fdf9f2e00,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eb6d051-f2cd-4ed3-ad84-56fd1f65e6d8,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b150fe-1291-47d1-a45d-41e74bf0b95f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2ae1453-7b26-446a-a34f-ec7c1babc575,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +\DESTER4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835b02b2-357b-4d99-876d-b0792101f03f,"4/16/2021, 8:56:25.149 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,003b91a8-1035-4167-b33a-32a29a1a75a8,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f45e13c2-4642-4d3e-8fe0-07e7d7bba1c5,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aab129b1-040c-475f-9564-ddc9aa55b2b1,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7cc2a24a-cde2-4d2f-8a9d-c342f196a821,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f4ba7c95-fed1-44cf-b029-49ba0b32325b,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8770b7e4-c4c9-4ba7-a714-42bcd88d5ccd,"4/16/2021, 8:52:43.056 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,90a1fa11-83ba-4048-a4ea-5c468a5b1a10,"4/16/2021, 8:52:43.056 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,d235d386-43ce-482e-9f25-a0a0a2f53962,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,38830a11-1a20-4f2b-bed2-4672c7582750,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8b38 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,18f712c9-7a3f-4306-b28f-635838308213,"4/16/2021, 8:52:43.056 AM",,,,,,0x8b38, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8b38 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,fdc7f754-0917-4e1a-a4d4-3fc6e739066c,"4/16/2021, 8:52:43.056 AM",,,,,,0x8b38, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,433e3edd-0e3c-4e27-b177-b21e80e60d5a,"4/16/2021, 8:52:43.056 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,e08bd6ec-7655-466c-91ea-630b5d7d5bb7,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,80bf6681-bdb7-4d5f-afce-2d1fd5480731,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9a2ddd43-f04f-475c-87af-e16d96fe595a,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14dab4de-d87d-4bf4-9d78-eca8a5471f9d,"4/16/2021, 8:52:43.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,953cf42c-783d-428f-978b-399afe999ab9,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d9ca1f85-b0f4-4f59-be1e-495dc9723778,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e8faca51-1d93-4444-ac22-c8e197c24225,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a664b868-240c-43c9-b409-af37fa91c56d,"4/16/2021, 8:52:43.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e91b6120-5bbd-40b3-989f-3b0852666715,"4/16/2021, 8:52:43.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cdfe8d5d-8a56-417f-88f5-b895642238ec,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f00527e2-68e3-4502-a48a-d0fdb997d969,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2dbadda6-faf3-40bc-af5a-d7a1e9a270d9,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7fcb58e3-3238-425a-b7c6-5dac161a8d79,"4/16/2021, 8:45:53.049 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a1a42297-fb54-40f0-896a-a2fdca6e504d,"4/16/2021, 8:45:53.049 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,338c0acd-dfd4-482e-8a7e-c46e259674e2,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9ec137f-eabe-4390-a6bd-15bd66ba2097,"4/16/2021, 8:45:53.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9db26bb9-168e-4904-97e9-046d773c4c34,"4/16/2021, 8:45:53.049 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19127c18-7ab8-4d0e-9c3a-feeeb4f4f1cc,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f9ae0d3-2419-4f32-8475-1a45a053b913,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ca9f64-d6ae-4516-a2b5-a6309c15f4d5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4600367-b6b9-4387-9e89-f1044fe84105,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12251f3f-539f-4e42-840f-c3b752c15817,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b2ce75-b0e1-4cc7-82ea-fb3e3f6fb124,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eb40f55-cfe2-4861-b921-0c0faa93a4ac,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa152e48-4896-4568-b4a2-d7e654e5523d,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1026115-262a-4176-a6c4-10d28091ef84,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ba8771-412b-4868-8c76-2cd85f72d21f,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ec8a24-b74d-4758-8828-d41944b3327c,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aacffba-bf41-4556-8cc2-03622d26bc02,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a9dd356-9c05-486b-af82-4f1aa77f21d5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0358a8-1bbf-4d88-98d1-e18c5486f89c,"4/16/2021, 8:45:55.103 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317637a2-a8d7-442c-bb0f-df4dffd3970f,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10d559bf-7ade-4008-bb7d-34f91adf4fab,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21e92c24-80ab-43bf-a112-9e242e327129,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b18f3003-307c-475a-ae25-ad341166c157,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dbe2684-3a77-41cc-a8e4-5e7262c908c7,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af498e9a-4bea-44e8-9f23-22aa8dbd78b7,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec4224f-21ec-4257-87a4-1505587422b5,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5cd482-17fb-4582-b519-8b30fef394bc,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90af74d3-8527-4071-8640-bd38755e6901,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f9858e-082a-4e21-b34d-abe0b4f38c33,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ee042e-04e3-4fd7-bfbb-15ae983d2d3c,"4/16/2021, 8:45:55.103 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e165ee3-8840-4270-a159-b341cbe3a92e,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c856c6f-fa60-426e-beaf-7386d76bef39,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9dc4988-eaad-4f01-bbca-099ee53dcfd2,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40bb598e-cc69-42fe-a3eb-64b2d16ccc2d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb72abf6-043e-4e73-9d11-ac9afee519a5,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b2f3f8-59ec-49b2-8dfa-57f5614b3189,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1d3dc5a-8509-461f-8126-3ba3f8bd291a,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a655afd2-7588-44e5-abc5-6fd9e10028ac,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dc3cbcb-b583-41df-9669-bebb23bdf726,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fda5229-3ed3-495b-9520-bf91e5265b8f,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81825af5-f75c-40b5-8f73-3b1ef8782d1d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6f6523d-ca6a-4557-b086-0930fbce4965,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14fb157a-2c29-4426-bd1f-b65ee1cf984c,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a990ff6-162b-41f9-8900-64ff7ceb9dba,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cc4d3b6-d540-4901-aa56-cc9b92d2307a,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1ecbfa-eaba-438d-81bd-e357122fdd09,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7359f734-f6a9-494b-9f84-d8edd65f9579,"4/16/2021, 8:45:55.621 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c7a03e9-17bf-4330-baa8-956046393759,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6385376-0b0b-4356-abec-092d955c16f4,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcc37155-c701-44ab-82ab-281b21bef351,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34e03f36-93ff-4613-bcb7-387a28bb6996,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb4cee16-6b75-4577-b747-5406b83e017d,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6531a5f-340f-4cc6-b5fe-19e416a87c7c,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d18ed982-f824-4c92-8484-d23eea04c2c0,"4/16/2021, 8:45:55.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18060173-23d2-44d3-8a2f-3a35d8b3ab74,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74a150b9-148c-4a44-975b-fb54af9993c2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b9eb789-1d19-4b32-bf6c-5f708c0111e9,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2783c8d4-4040-44f8-bb36-e52b0cde790d,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44cf3196-7e54-49f5-bea4-54e2f47bba01,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384f0390-d1ed-4c28-907f-7108df9bbf46,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c038dda3-d440-4255-9564-677e616ab6a8,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,280c9d64-00aa-41b2-9c36-e1957137c4b1,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b445fbc-4363-4107-ba6a-89a9acaec7e2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba9251a7-4349-4919-960b-3c8791d7b7f3,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,933f0488-d27b-4c7e-9fce-b36240bd38d2,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8007002d-af95-4886-82cd-7152eba57b3f,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8607d0f-6140-4058-befe-88e674f66be9,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc079d84-09ad-4585-b0de-cb799c888470,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c52ce30a-4600-46a0-ac31-a4584548a849,"4/16/2021, 8:46:06.618 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6762a8d6-99ee-4c03-9571-df6618152dbd,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c66680fb-0e2c-487a-95cf-3b5ec34cdc76,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1e65597-1e0b-42af-a913-4b888b611c89,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9193448f-3bdb-44ae-a254-d075aa502551,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,882616ad-6a96-46d1-ae8b-f30050b3aa05,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61ab71b2-1da8-4b38-8fcf-7e3e9283ed6e,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dfb22e0-6823-439c-9ac5-9d5456e77a4e,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,422d43e9-3930-4621-b76d-c0bc9e57e230,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d47ef60-29d5-4883-af37-24e1cc624086,"4/16/2021, 8:46:06.618 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,ab3e0cf9-7384-4a4b-a142-c7b71079db4f,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,58069854-473f-4fee-98e4-deb8049e8a0d,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,931e2408-73db-4332-94d2-f2b33e8d18d4,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1328 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK 
DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ac9ed78-cd9e-4796-8b97-e39d0872b027,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8aa1f48-efcd-43e5-9be8-ba63b02df814,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37fd7ce6-2802-45b8-89ff-9eab8dc87483,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3596 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process 
was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9366b463-3df8-4dbc-8e98-507da6238d75,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9824 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ef9b1886-6fb8-4213-a1d5-1f17b5af874d,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,92cf682c-ad3d-46ae-a42d-67354bab7c4f,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e48f98bd-3980-44d8-bc99-dd09b1225790,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,beeb3403-6b2e-4c8c-ae59-d6010a46d785,"4/16/2021, 8:56:26.565 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,af204e11-a680-4e19-bd5d-8f9fada7f090,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9752 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7aa7359-0820-4261-ac43-99d1d1791022,"4/16/2021, 8:56:26.565 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6200 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c0c7238b-3f62-4c04-85a3-ff3b29f6ca6a,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fdc8350e-7847-4275-ad01-008de8ad2229,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 3932 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,46159227-8f49-4a80-8514-9af3f87386e7,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9212 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a5fa41d2-7ffc-4f7a-a848-4c8d761c6c4f,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5564 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,03e45852-f7c5-4b6c-a564-caf295a4f96d,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + FF7B647787C49A3CB19B63470B8958B6FB6162AA4EC4B03E78AE1F6AE1ECFBF3 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.14393.3564 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1c3e0899-3768-4566-9f5e-2b5e7e16ee0a,"4/16/2021, 9:03:49.416 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11004 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.14393.3622_NONE_7EE8048822057142\TIWORKER.EXE + 32 + 5529E1D5191D7E786D8395381584628F04EAB2687886D41DC981B6AD056305F3 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.14393.3622 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cbb8c2c6-3074-4637-8281-0836abfd17fe,"4/16/2021, 9:03:49.416 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 10908 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5bc96799-ed3d-4420-9d82-0950a2a8ac61,"4/16/2021, 9:03:49.416 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 12680 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3f504cff-16fe-4412-8cc8-8e906ac2153d,"4/16/2021, 9:03:49.416 AM",,,,,,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86a330b4-926c-447e-b0cd-c47d30ab1d95,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d78e01-0bdd-4a4d-8e9c-019f44af0b6d,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06cb34a6-fec9-4187-895f-dedff14ed663,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d71dc8da-e7e7-47ec-87bd-1139eb026f55,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f40d658-8bd2-4c8a-8325-a01b7f5a4c9c,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41f91438-184c-455b-8064-741e68a016b6,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d61c5ef8-3793-4bfd-a3ba-0e43af0123b4,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab785161-22d3-4462-824c-f621bff922e1,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a67e4f-d9d6-4dbb-9c51-5385df46d515,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,953af1ec-b246-4f3f-87e8-e878ce15c4de,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b9e30a-b865-4221-a686-c69a051f19fc,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c98f957-b3d1-4dee-bc5f-23c7f8283064,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3498265-56f0-4c00-8fa5-12997278bb74,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e01990-ea88-490d-8cc8-b03b9ef2af34,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7af06a6-6c33-4eb7-8e36-e862f0b54493,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41e690b8-9738-4989-9afd-6041c1fcfff2,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,342da179-0242-4b81-9965-85b8e8058cad,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,469005d1-37e1-4d1d-9644-a9f2a4a4e2f2,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2044a7f0-d0e1-4fdb-8772-023bfc10db10,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3d64d3-401f-4b2f-8c3f-489496262a40,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a8d883-362f-40db-9794-6f7b34dd7e95,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531374be-02c6-425c-9908-439655d26ca5,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c00cb6-8d0a-411e-bf97-26e96f26e2f9,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5aa128-014d-4594-a1e4-4d69002ec85a,"4/16/2021, 8:52:52.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91fe9cba-a943-4498-97f7-c12c337cf170,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4274c696-b765-480f-927e-988cf299ff99,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb61df0-d9bc-4d8a-9f72-027e64f84975,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6d2a45-959a-4893-a24e-f668334a91e0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ef428f7-7b27-47ff-9104-e106249d44e1,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a7157c4-2ed5-49d2-ac06-b0f17b8b81a7,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa3f456-d28b-454d-9a8d-d0b853ae6591,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf6c72e8-242a-4f8e-aecd-75ed2a83a23a,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b017687-2baf-4bc7-bdec-d9a5eed6c9b0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e60eae-b77b-4c77-896d-b0387866148d,"4/16/2021, 
8:46:10.103 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc015a07-d3e8-44d5-9fa4-0088b275257f,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c257304e-1145-43ef-95cb-170a404482fe,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8e57a21-deb1-4e21-a317-5ae1278437b6,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f2634c-b179-4532-a26e-ef2232aecbb4,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d4c88b8-0e45-415d-8526-beb6d822ef06,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f999fdf-43d5-46bd-8c66-ae57539a874d,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9276f6-fee8-4467-b2bc-1735a11b4ba0,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd91dd8a-32fa-4be9-bf48-c75c24ef617e,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,930cd4f3-8713-425d-aca3-5c164691adeb,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d87a93c-15ba-4dd6-a798-9fc4f8f1da3e,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,109455fb-5ab3-4021-b33b-306f41d3c377,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec18fcc1-c2c2-4abd-b069-91642d3efa6b,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d3a4f51-ac84-448e-96ee-e4fc1af7d010,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311199f5-802b-494f-89bc-183bf5d81b44,"4/16/2021, 8:46:10.103 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92cf05cd-acff-422c-98b0-e243e47b3dd5,"4/16/2021, 8:46:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,01d0f49c-f98b-424a-843a-66cea34c8967,"4/16/2021, 8:46:09.860 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d083414-c888-4c78-bf88-87ec33406abe,"4/16/2021, 8:46:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4956 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,56ab36f0-d14a-43e6-9bfd-16e41b039a82,"4/16/2021, 8:46:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3781f89-22aa-4414-b285-0265787dff08,"4/16/2021, 8:46:09.860 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3c6a4091-3a56-475b-8101-9e566c116d46,"4/16/2021, 8:46:12.868 AM",,,,,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3461322d-94b0-4e35-9e55-2d6723c21908,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8944 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,516f5020-e088-4091-a0bf-eba5c8c5c122,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 11900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,65e7508e-6a06-4d59-94c8-cab0729c5c0b,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 15060 
+ 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 86AC160930EC07CC4F9998073167D40A5E5A6486CD3430EE0F9837DCD0A73CD4 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.8.3752.00 + 0x3e5 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a187982e-2ac7-4fed-8303-ea8b289875eb,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,eb56e0f3-aa90-4ccc-a913-b65a71a20846,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,19e83219-5bf1-4ef3-b97d-36978ae88582,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,34533559-d511-4dd0-9fee-e0aba510d04e,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6636 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + 9DED0B484DAB4C855638FF211AA738AB5ACFE45E12331060A363F0FC33FA365C + 106 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\14.10.25028.00 + 0x3e5 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,be83126c-c86f-452c-b582-aa30774efbf5,"4/16/2021, 8:46:12.868 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8072 + 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 86AC160930EC07CC4F9998073167D40A5E5A6486CD3430EE0F9837DCD0A73CD4 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.8.3752.00 + 0x3e5 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6b8dc5c2-cf25-422f-bef7-3336a0b05f14,"4/16/2021, 8:46:12.868 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20bc288b-b018-45c5-bff3-d3964e0b5a64,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\OVC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84edee9c-7b9f-47cf-a605-262b2142cbe1,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5340348-b27b-4deb-bd3f-84a59f0060f6,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ffde17-befb-4293-93ba-be38594fdd18,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5bbdd85-f128-454c-af3b-2d7a43bc96ab,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf786db9-cd43-4ec0-bdf7-6958471611a8,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\WPSERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1082cc71-a748-440c-bf02-e287fd09d385,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2eb0e826-89a1-436b-a26f-bb24c5ce07f9,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e118b5ea-74c8-4f9b-a684-171ecd9065d5,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96b79c3e-40af-4aab-9572-915f86043799,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36420470-3d87-46cf-820b-7848c355b32f,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f78547e-cf15-43d3-99a2-2ff66fee7300,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cec0771-6110-4bb1-9d81-06da29e9108c,"4/16/2021, 
8:46:14.602 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,468c58bb-b832-441a-99f6-2600fec2953d,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bdd5d14-4a98-40f7-84f4-3f32ee32e7eb,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53c6c53e-6919-406f-98e7-1be477d32798,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8533f19-bbb1-43d2-b8f5-40e3e4164113,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e701f77-05e9-404a-a7c0-8b43ca2a70e7,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15e8ce0f-a193-45c5-a7e1-76f04ba99495,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b621e2-16eb-4deb-89ec-476f67b72500,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f90d890-6c16-44c2-9829-9246a1e6d774,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d041adc-8682-47c9-9cc9-1ca5e4953b24,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99425a26-5ceb-4f28-8f9f-7df42b8aa748,"4/16/2021, 8:46:14.602 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd66353e-1117-4b09-a7c8-ba5a28296f90,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7576abc7-bc20-4f2d-b3d1-9d4f33cfb245,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fe7f94e-dc99-449f-aae6-ab7a2bdb9618,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,601b24af-2de2-4dba-821f-f728e47d23ab,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d4e5e4e-473d-4270-b615-7fa78e9b2e64,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c822d31e-4208-469a-811d-0ff433e1e950,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b4eefc-7fcd-463e-98c7-5d7cce7ecc7f,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddaca78e-69d4-4d7d-9660-29bdfc27551f,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a43b626-666a-4c1b-9eb6-46b0f4e5a526,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,565b9f1e-6a87-4d3d-97b3-843a5196d0d8,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b0e9fb2-b673-4f65-8e9f-9a56476e9ad7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5548da-1021-4e83-98f4-9da091b4a20e,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0401b32e-63d6-48b2-b1cb-5afbeee39fd7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80163434-72a6-4a72-aaab-a8f9b711c8b4,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64c6762f-35e1-4294-9d25-71914b4350b1,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0356b9ae-d2b2-41f1-8e9d-3b41b2848df7,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b57646-6a8e-487f-928f-24acd57d4e98,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00a9caaf-ea06-4d23-ad75-9f1608537e9c,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa41118-c410-4832-81d3-69489aabb674,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51988c98-88c4-419a-872c-343bee000d9d,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af726e4f-b860-4941-8050-bc31b45f55cb,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1525b2cc-c114-456f-9ec4-c8db60ee825b,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d4779b-05df-4d74-9aa1-c61b6f80cc43,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38754537-4089-40ff-82ed-d34390cb713e,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ff47d4-6840-4450-8b53-f245a0ce7535,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a59e25d9-d82a-41ce-94ce-42a84791ab09,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cc75295-9dc9-4cf4-aafb-2839ab624192,"4/16/2021, 9:03:56.155 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76082f2-a638-4a26-bbda-c264aab0e519,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f11a89e-33a4-4639-9e91-66c8278471ed,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5efd0709-3c95-4a07-b7a2-08a6cb3a479c,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5f037d3-e7c7-4935-a402-43ba1a8ba452,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec0d6a76-9303-4f74-a483-e6dee4707180,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d472a76d-e0e1-4946-b833-d4f95e66db78,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50326f89-c0ff-4537-9c44-b391da5a6365,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70d9e9f2-5f93-410a-993a-5c62b1bb82e9,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1f55bd-3172-4d89-adb5-dc6ce0da6d0a,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05facc0c-6839-4102-b8e3-dc10d9305541,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0e529b-6080-4cd3-9061-3072302b7a80,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebcb510f-773c-4ee8-8ade-9b8f518c6988,"4/16/2021, 9:04:08.680 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa30aaaa-3e2e-4328-a941-ac8d40de5b5f,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1426d4ba-8e44-411d-b303-2e56c20f4678,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d44c6dcd-43e1-4a03-b641-1ede21a85cdb,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78e79fbd-a2c9-4478-8d80-c06d42153613,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c0cfe54-e2a0-4c20-8773-25c1b428577f,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81eabfd1-ab24-4f50-bebe-0ae0e96f6ed6,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 
+ S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0a538e9-e3a8-49a4-b048-a6ab241be870,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ba1cbd4-f3a7-460d-bf3f-d9ddca31bd3c,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-503 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb77083-022e-436a-99ff-802adf16e810,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-501 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f611a9d4-1b0e-4075-ba30-1b678b47157a,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was 
enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c82062dc-279c-430a-b15d-37ba31e55705,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-504 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x25d0 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c30caf6-f5e9-4fec-be50-fe05e8bd8737,"4/16/2021, 9:04:08.680 AM",,,,,,0x25d0, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9746e2eb-30ee-4681-8123-5cc034ba5308,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65d98bf9-6856-46ba-9c91-f87b8f62b7b4,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,549e70ff-85e0-48c4-9741-4ff2b79fcf01,"4/16/2021, 9:04:08.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x654 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00cb31e4-eea3-449c-96dc-2b83bb4105f2,"4/16/2021, 9:04:08.680 AM",,,,,,0x654, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + shir_admin + SHIR-Hive + S-1-5-21-1890177919-1503440122-3635296324-500 + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's 
local group membership was enumerated.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3baf03e0-2f08-4181-b5b6-a07ae149abd6,"4/16/2021, 9:04:08.680 AM",,,,,,0x0, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3f94bdd7-bec1-4608-994f-7fa53c6db57a,"4/16/2021, 8:52:52.737 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cce0ef6f-26c3-4b34-a694-ff2b429b473e,"4/16/2021, 8:52:52.737 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,230fdb74-cbfd-4a03-97dd-8cbf5379a11b,"4/16/2021, 8:52:52.737 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,900d35b6-602f-4779-9b8d-c34f71375fff,"4/16/2021, 8:52:52.737 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b22ee61d-b048-47eb-b406-c427a33de5f6,"4/16/2021, 8:52:52.737 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,706c9064-fde0-4fe7-a248-f6eddaf0ecc8,"4/16/2021, 8:52:52.737 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ecd913-66eb-40aa-82ca-e8ef1555f8e8,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,905f1df6-6bd4-4a39-b1ff-ccb146f8582d,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60be912b-f1c3-43e1-8ea5-68c4f1e9c569,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\MULETTO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80f2cb9-7bb5-480f-b54b-46ce64c5a69f,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,899f8e94-47cc-4655-8c64-777b90d66c77,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26f0786e-bee8-4f87-8647-c13886678a78,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f92920-0ff7-4e34-9f48-5e65eb8fd577,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e65797-82b7-433d-853a-7ab6d4626deb,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c810c6e9-89fb-407b-8239-fd8c7ff0520a,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d645b626-d120-4c62-8e93-7edadf52e084,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a364bacb-04a9-4223-a2e4-86e1197641bd,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8dd3522-7bb1-4eed-9865-d39372262ec5,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c4e3eca-8666-4e40-b074-666db06231b4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb90f5a-ace8-4d2a-9492-3093d91c4e0e,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb1f6e0-ed87-4b74-96f7-e6070baa6a26,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a7965c-bfd3-4991-9369-80eabc305fde,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55b8f26-ed15-4ccf-adc4-160f6132dce4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,584247e8-ce14-481f-96ac-c02126e8e600,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0238e029-14dd-4500-b8e0-b1c4d39306e4,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6baef184-762e-47f1-bd5a-b05af84ea0eb,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3167fe54-babc-4927-9eb2-3a42d54b5d7d,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0105625a-4a0e-4e49-943b-2d6dd6f4f23c,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b6eb1bd-2751-4e7d-8d9a-3d076dd3193f,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3b0fe7-da9f-455c-ba5f-b9fb379d696e,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74a09fc5-6931-4577-8d0a-14f6407fec2a,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39f0eb4f-20fe-4eda-b168-4b546e76bc31,"4/16/2021, 8:46:18.102 AM",,,,,NTLM,, +\ACC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60bd466e-c7a3-4e7c-abed-54237082b85e,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,302e4d66-5403-4eba-859c-aa409fa97090,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ad49d6-8a9e-42d1-a09f-55a87ba78d26,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,597a0102-17aa-4145-a11d-b77dc9696cca,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4acdfc4e-815c-4da9-94f1-9005204717a3,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd6f971-899b-4211-ad11-a4e7964ef7ca,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2537d9eb-92ad-466c-b7c0-ea5bb8ac2b0a,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3651feb5-8ced-4524-a101-ebf904d25229,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3041eb53-0000-4e60-83d3-d37d31cd14fa,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2923c18b-0ddf-484d-af8b-7e1b1769b237,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af079ae7-4f79-4a69-95e9-b258fb47e37f,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3aa8511b-ff6e-4086-b2bd-f7434f91f28d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefb8996-b0ba-406f-b5df-435ed435ebbc,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb1b26af-7182-4635-96f7-b463362fcb3e,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c25f1e1-152a-4147-ad9c-e107935ce28f,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,034ba8bd-0ec0-4207-a736-6376b485b887,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce89e299-c64c-4168-a824-bd35f025a34b,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57bc96b6-ae16-4356-bf64-425b630fe3c4,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34526a17-c6df-40f8-bdd0-f785438fa9d8,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b5e0ec6-1d23-455e-aca8-6f729b7843bb,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62c8b990-9808-4ac1-b61d-65a2ad71359d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27816f96-a51a-45d7-8e5b-346fcbefc520,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,571ecec7-4dec-4c68-a59e-09f1e24c407d,"4/16/2021, 8:56:39.667 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,55d07552-9cbf-4160-99d6-07ad42a8461c,"4/16/2021, 8:46:18.920 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,32bbdfc2-4e20-4077-b6e3-7ddfa3fc13ad,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ec2d657-346c-468d-923b-813338f99f4f,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10548 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e3da754f-9af4-4bda-90fc-2c9f68cea745,"4/16/2021, 8:46:18.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5280 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a527daf4-1e51-4301-a4e8-cd11e5b799d7,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba76bd50-d5b1-41f8-97f7-7b0fca5ef5a3,"4/16/2021, 8:46:18.815 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,d4d1044d-29fa-445b-ac01-29a04f05aae7,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,acda2c8e-98b9-4f3d-8e3c-160c3abcd296,"4/16/2021, 8:46:18.815 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7028 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb725146-8d92-46b9-ae0b-2990a4634353,"4/16/2021, 8:46:18.815 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,41bdcd29-f112-4506-bf95-4b6ac06b5db9,"4/16/2021, 8:46:18.815 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c6c27074-0484-4fb1-bda2-1f2d70e4ea32,"4/16/2021, 8:46:18.815 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a857e68-07e0-44da-9ce3-b6a36d414caf,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,337942b8-e3f6-47e3-876c-f64ca3c40421,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c71ddba-1af4-4eca-ad85-dd049d3e83a6,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,859f732b-11d6-4642-ba6f-88fba8869147,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4b7ec39-7e69-4059-ace1-48d60ba42e79,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72169514-f9d4-40d7-8327-fc58f50bac37,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a704aad9-575c-4f08-ac00-2f462715059a,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd0fec6-fa95-43b6-bede-6552c7830eb2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,797ac411-2269-4691-b276-f635b566a335,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,878680bc-e47d-4a7a-bf7b-6a0fbc087586,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,857fa38b-8b69-419e-bade-bbf9496eb2a2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae31d485-15a5-4d76-97a1-d7e8e040b9d3,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877fa24b-bc7c-433f-9004-c73934393c8b,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2deeb11-0739-4368-aa28-ca5072640971,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3a3c4f-f9ea-43b4-a350-aa7dec7ce8c4,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b970d58-2cee-4a95-af7a-6e76aae19d6b,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b05b1600-65c5-4760-80d3-6fc7bab94814,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87e43168-8e0c-4405-86d4-60b8caddb122,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688a9993-40f4-4380-94e6-fb973df75bb3,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a3796d7-e99b-40e9-a004-1a06ec39d0d2,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8617b1c3-393d-4a86-aab7-68b4ed9dde9a,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f668295-f45a-4f51-89c0-2241760152f9,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa1b7b0-cd0c-44c8-9ca1-dfd0718e306e,"4/16/2021, 8:46:22.608 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ac81e9f3-9e67-4b90-8fa2-f8027d1cdee9,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd046fef-9f84-4b2b-9f3b-39fa8e958e48,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d18498e6-9656-4add-b4cb-a252cf76839d,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c983c5f5-601a-49e5-9a8d-7153f68ed4a6,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft 
Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,35d30f99-9cc8-4c56-84a0-6ac06f8887cd,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d7e9917-8b1a-43a6-bb58-6534c4650e2a,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fbb11d53-4afd-45b8-ac99-5e5bfa64dcab,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,49f27d4b-ff51-45e2-a169-af034d1bda31,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ac05673a-0f01-42ae-8d91-c094b622c712,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c3a73a32-d7a8-4271-af69-e854790d3734,"4/16/2021, 8:46:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6c21afd-c6b0-49c4-8cae-d67ee6063b18,"4/16/2021, 8:46:24.052 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d7648bc-a656-41d0-aad1-fe9a585a1627,"4/16/2021, 8:52:58.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7af53679-e772-4eb0-8edc-3c3cc5645b60,"4/16/2021, 8:52:58.587 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,81d36ec5-4a60-4fc8-bf4c-d7d4fcbe7334,"4/16/2021, 8:52:58.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3224 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,31457aeb-1936-4399-8380-9bb8c2a1a81f,"4/16/2021, 9:04:12.241 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a34f5be9-d2d3-4dac-a585-7d39087ac04f,"4/16/2021, 9:04:12.241 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,628d115d-b49e-4e80-8dfd-bd56e34ebbce,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bbc8402-47c5-41d0-8ae4-9570dc17713f,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08243fa8-d1e1-4a30-a448-b7cf9a7d18c8,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba9cae2-7d27-4f1a-9be2-55366dad6b76,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d41f05c-6935-498c-b39f-f61858bc9365,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5772de35-2919-4516-84b5-baa32cfb7d78,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420576e1-0bd2-4a80-9094-4d1413d4d00c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d3dc10-c1c8-43f9-9887-8cf4cb2dec41,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a46622-bdc4-4e4d-9524-fca7850333ab,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9d9e6bb-9d10-4146-bb3c-8b006b283b6c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97e5b80-c3c4-4a34-b057-696289ab44f5,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec2e75d4-9a7b-4c19-ab78-3067057a3af9,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36bf9831-8a20-4b12-ab29-a80f83989bcc,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8313006c-132f-4e34-9fe4-787bcdd648cf,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba4d25f-b316-450f-9a66-397e393931e4,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058dbcdb-3ab7-41ca-8b83-827924835738,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3f09b-0770-43c4-a7a6-3aa8503692a2,"4/16/2021, 9:04:12.241 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc39ef2d-dc81-478c-8fb5-3776026df166,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f89c01-3318-4f9e-bbd3-6ff71c774a7b,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34dae2f0-a8bf-49cf-95b3-b060551e1b7c,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544b4b63-7c03-4174-99cc-28ac61950922,"4/16/2021, 9:04:12.241 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c0f8a63a-a160-49b8-8d3f-e1c6def6ca32,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e34ddbef-d60b-4f86-817d-55dfcf5b56f8,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 
+ 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e9799440-0510-478d-ab0b-7e2870eee295,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,782721b7-45d0-49f9-97bd-3742ab4ae9da,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b47b713d-cee1-402d-b57c-828ba53efeb5,"4/16/2021, 8:56:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c0234516-d31e-4953-9c2d-b999616bdd7c,"4/16/2021, 8:56:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,38401673-711d-43d8-8036-d63a5b4fa27a,"4/16/2021, 8:56:43.052 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,50ab5e6b-367c-487b-9903-68b9a06b07c2,"4/16/2021, 8:56:43.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6750a66c-0336-41e9-a8fd-b9080da2366f,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd12588b-f365-4210-b3e9-bedd98c5153d,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7517bb-c57d-4058-9b93-fac0185c2b9e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e984beed-5cff-4994-944e-1d784c2d59b5,"4/16/2021, 8:46:27.105 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddf9518-7b6f-4e4b-ac7e-b427bbd5461b,"4/16/2021, 8:46:27.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcd9c00c-5fbc-4da4-b367-fb03c74767ce,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4020 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f4ca4e0-8909-4cec-bea2-62c9033dc3a5,"4/16/2021, 8:46:27.105 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f43ce84-0ee1-4e9b-bfc5-48a90bc4666e,"4/16/2021, 8:46:27.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115d9ea5-0964-415a-9a46-5f1fe779bd39,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b41068-fdf6-4c4f-b0ad-bd40f32d8056,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d488fcba-1279-41ae-b497-906c2cbac01e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c0ff5e9-407c-4161-b119-8bfeab1b053e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f784011-2397-4145-8ea9-e04aa028834a,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a378153-e805-495c-a340-16a9ef58a892,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6810edd-4728-4ce8-ba55-af5adeefa49e,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b732eddf-3414-415e-82b4-0d78526549df,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0febdf-cfe2-492b-bb6c-01fccdc74210,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb78902e-459f-4303-8a71-5449f8624710,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d18515f0-5a17-4833-824a-b8d00b5bcc77,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0629886d-1987-43b5-91a2-ad9ead7107f4,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,112b014a-2648-4ef0-a4ef-02de98f074ce,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36944be6-bfe4-486b-b41c-456e25dc2fbd,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,629e5ae2-bc5a-4c77-a1d6-7810eeeb85e3,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf0ae89-fc9d-4dc3-b0d5-651ef1202e6a,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f78508e-fdda-4802-92a3-6f61ced5f8a1,"4/16/2021, 8:46:27.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02129a66-b2eb-450e-804f-3365eb3364ab,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e1cd294-031e-4bc7-801c-9696bd2ce453,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52fe8bbc-5888-45c7-b2a8-6540749630f4,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd541eb9-28ff-49d6-a013-c2bc18830dc3,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f1c912c-ce66-4f15-9ef9-7908b67e0a22,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcbc98c9-28c0-49ca-a934-1344c6c77463,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e29429cc-6271-443c-b4ac-7a5311d34531,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b1dc493-1f30-4f6b-a45b-d2689ca0041d,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59c44338-d7d5-4f0a-bac4-16276be31446,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d703ce-6434-4ad6-baea-ba6fb4815e84,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c87a04f-3838-448e-bddd-083bb05b93a6,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c9c20e-aad3-4e0e-9962-6e9e20003c54,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b553c6-e6e7-4ff1-a838-6f568da5d565,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3556a71a-e145-41ac-b8fa-31cecc6f9a6a,"4/16/2021, 8:46:34.104 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfaf5379-b642-46e1-8746-c7c21392c019,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30e1de66-3504-4f89-be97-647cecc65673,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a2c5e3-583a-4607-9faf-6a58b8f4f61e,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d517748-79e3-41df-bbc2-8d4868fd18ec,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,975e35e1-c9ac-476a-96b8-677e4932dbe1,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48d89956-d4cc-454f-bab4-13d10363b78c,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310c154c-a9fa-413a-9bda-aba2084bd38b,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f4a847-29e9-429b-9bff-c98c28334461,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb25147-f14d-4e48-899e-fc670427cf1a,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5744e340-c70c-4f10-a569-d47ebd0b0afe,"4/16/2021, 8:46:34.104 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,16a04c8d-358b-4d8d-b5e9-ddba0208cde1,"4/16/2021, 8:53:02.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e179f012-17af-45e3-b4cd-113aedf47a74,"4/16/2021, 8:53:02.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ab6ac3d-f052-488b-8add-55546191f0da,"4/16/2021, 
8:53:02.410 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877656bb-c85f-4e13-8563-9513477c04a4,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa1212a-0e77-4d5c-bd7b-c64ad8c2c8c1,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86d1db40-50ef-40fd-ab2a-d17556ba8cfc,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cb4d86c-d556-4074-a208-c250832570ae,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3562544-5ddb-4ec9-b003-79e99e5a25d1,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2deb80a-c366-4177-a0be-f38907a863c7,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,323c4553-08a1-4dfe-8841-832abd06a96a,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f54777c0-c7b8-4c2c-9676-3021b440fd45,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1bd6394-df1b-4a67-a331-468bddd475ff,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d55e738-2e33-44e5-a52a-95d43f18e51f,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b21891ab-51b7-4f08-a9f3-58e147c5ea25,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c66adb36-b018-4173-a816-46e686d2f688,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be73856a-c10c-4b6b-acbb-90ad625ff90c,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1384f7bc-ff3d-4886-8732-c042e66f270a,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3599879-c862-45bb-b117-2789a4d14da6,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa77f962-9f0d-497b-96e5-a034ee7e6a69,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b699dcf2-4e58-468f-9f37-4a8847b50a09,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e05dc979-6999-419f-9e8c-1fb5b63fc3de,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0728ad73-c7ce-4ad1-a11f-9985b93e6c4f,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a42bd4-8969-452e-9771-516bd1494347,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e750c14-01be-4173-879e-7ed872910763,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60e589f5-86a7-45fe-81ba-81c1ab421bb6,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd4949e-53f9-4322-8780-acde79eb9591,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4521f6bc-abbc-4724-ad59-c99bc2997b37,"4/16/2021, 8:46:33.619 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951f8ffb-c136-40c2-a914-189fa5a59a50,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1836fac2-6d52-40a8-8db0-bf29be5bf030,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47afcbfc-79f2-403e-af18-0d90e09d365f,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb5e67aa-8c62-4c79-8c20-22df51eb3168,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97d7cf2a-f13d-49ec-9b48-ae769fc1e8a9,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a06f0458-ef1d-42d3-b5cf-711244c643ac,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae6026c3-4f85-4adc-aa84-73501b5a4111,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf2e9a6-8374-4a6b-8348-942d66ca2758,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e08337-f5ce-44ce-87a5-015c2a814986,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,536d7094-ad2e-43f7-8e13-e336d831e492,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c914540-83ed-4634-94dd-de926ce391e0,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ad326bc-63dd-4ac5-9fcc-e246f327c7b7,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62155f9a-8f9a-401a-a8cd-c3bd92802546,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccbc6ade-3fff-4da4-bd37-8f4893d2430e,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4045c2-a045-4698-9226-32476739eb8b,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d4be58-5b66-4c67-8271-c5d0ca8388dd,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa1e7dfd-b4fc-482a-bdfd-e06f228227e7,"4/16/2021, 8:46:40.105 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34eed136-6264-41c8-b82d-663fdb5c8cae,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad26e36c-9da9-4de7-b959-7c6d1ecdb8fd,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86df0976-d5b5-41f6-af95-496aa8aaa7c7,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 536 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83ea803-c11c-449d-ac0f-fcaa6b8e8fbd,"4/16/2021, 8:46:40.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad5cba91-d360-4df3-a0b4-4ba5980f6426,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d3ecca-8fbe-44ae-8c95-d5cc332bbef8,"4/16/2021, 
8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7960710-fd71-4bc9-9f53-b3a727caf2f8,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ac759e3-9fbe-4a3f-8e83-0116d59f33ae,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d68cb4b-a5fb-442d-a9c2-99d23be7108c,"4/16/2021, 8:46:40.105 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84573fa9-b3ae-4eed-8819-02cb8eb43f36,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0233d71-cc13-413f-a4b4-7595ed02b016,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d4c7e4e-42fe-492b-b12f-af8d3202c0ca,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad2fcce-f398-4b38-b349-31ef62b2ae52,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d86c9c9-b0e7-46b7-a40f-1ef3cabc302b,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63c40037-e3ea-448f-9d25-aefaf6f29539,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f99b06a2-f73f-4a72-aa30-b772d3f77af1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be89cc82-48be-4580-a06b-170b1d5ca848,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc3cb1ad-866a-4915-895a-3172cbe9d2d9,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,242c7882-2873-449a-965d-d44d39fe63a5,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c82a660-e12e-4b4e-bab9-f927d7e1c89a,"4/16/2021, 8:53:09.690 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d79a64e5-1bd5-43eb-b4a4-a95876cbe475,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bd537c2-4a1e-488c-89d8-914a0098d8ed,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da4190bf-918f-4742-b53f-dfba483c1972,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79cf7b5b-63a8-4f29-8f5f-8eeecb7bdaaf,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35e68376-c979-44c9-b089-ab88d7fa19f1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a58468e4-f475-4559-965a-e99cf99348ef,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8309cb51-5685-4872-934c-a4fb71cf52e0,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d728609-32a0-4219-b839-5987ef70e9e8,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72326f90-8943-43d0-922a-4217c3131c3a,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\DXX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f5808e1-9710-4390-81b2-aa92e47b17a1,"4/16/2021, 8:53:09.690 AM",,,,,NTLM,, +\DXY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e1870a-7da5-4289-94fc-09d57db291bf,"4/16/2021, 8:53:09.690 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b07022-6459-4ab4-8850-47519680a067,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1189fd4-d56f-4f9d-b11b-45629919a851,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ODA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d3a3adb-f7b0-40fe-af44-eb30ed8b6c30,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1421d61-3895-41e8-b6dc-33edef1f0fb7,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21949dd5-e6e5-4bf6-82a6-fa02bfa29707,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5414411-9f6a-42a7-947f-4a3703d52c0b,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c65ecd8-404d-450c-946a-ab7482f25217,"4/16/2021, 9:04:25.121 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,28eb67ef-62a3-4d60-bd0c-5ceffa746541,"4/16/2021, 9:04:25.121 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e07db90-4506-4d78-9cfa-0b18f0e66d5f,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d64643f4-96a6-4d5f-8856-b2ee75d0f54e,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ebcaeb-b581-4baf-8ec1-7cef5e3a421b,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3838eb-1fa3-4b0a-8f3a-bbaa95445ad1,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1636 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29cfacc6-7dad-4296-800c-761badc8e1c9,"4/16/2021, 9:04:25.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c01b33-2edf-4913-8805-375c2529a8cd,"4/16/2021, 9:04:25.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95d6df1d-72b0-43a8-a5db-756ab86f608a,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ee7b14b-a77a-4226-a5e4-4125792f693d,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e8311b4-80f9-4b17-a572-dc13e83bbacb,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f42a7a6-2b44-47ba-96ba-72add2b664b3,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62db7137-409c-4ef6-a612-189793500c80,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b95e28a-de69-4476-bcfb-daba1b851d0d,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ea982f-c3d6-46c9-9b26-15540ab7c059,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b4084f6-c2e3-4a45-b269-e80b61974732,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00039051-5191-47c5-a616-ba4c48d7e054,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19eb1084-348e-443d-a118-f6aeeb74ddcb,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed4a089-ccfd-4d4b-940e-05f74a11a0b4,"4/16/2021, 9:04:25.121 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b629e81-876b-4222-b65d-8abdaf156dc2,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58db2a12-b6bc-4ec8-b4ae-bbea68a0e187,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f0b2938-8f28-4a7d-86c7-2e23c6297045,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae3ca937-46a4-403f-bcd3-eb5fd3956f09,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,010a9ead-1803-4ae8-8048-3ab236eca3a7,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ca7326c-4582-4a0e-9f0e-956a3943498d,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16212ac5-6dfe-4331-8ec4-6add061cfaa3,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39695573-db10-4e22-9ea1-9932e5749951,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bef658b-b974-4905-ac7f-7a9ee24d9655,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4c7d409-1bd4-450c-907d-845b0c91f7af,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de15d7e5-2871-4750-9ff2-f1edf65eccba,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2e89c42-0764-4deb-a481-693999e62389,"4/16/2021, 
8:46:42.608 AM",,,,,NTLM,, +\HELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3586a552-5d42-44a0-b04e-61bf20a04deb,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,455e58d6-7132-4336-8692-30f58aa1592a,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,681968a3-8b71-41d2-aca7-36dc456d1e75,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ed0ff3e-60a3-4f3d-a127-e73f5c62339c,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ef2b846-43c6-4a43-9866-54c939b7b169,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cd64f19-c801-4551-a584-fa8eb311d74e,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fe11899-1746-4bd8-8b19-9dcdf3b84fbd,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2568cf9e-caef-4cbb-b614-84ea82e866a0,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1e4ad19-eae6-40e2-9420-a1b8330e9e66,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69008d15-468f-439c-96c6-718e2327ca1c,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b2cd93f-2346-4ded-ba5b-f5061ea819cf,"4/16/2021, 8:46:42.608 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6224 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,38c6c1a8-5ad0-4bd7-9a0c-38989a6d5d44,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 
+ \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5d943e9-0f6d-499d-b541-876416c2014c,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,bd36ee6a-0b42-43c0-b1cf-c6fd28b807e5,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8fbbe7ae-1edc-4f34-8237-99f27a57e003,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13084 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1008_2021-01-28_130107\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 
101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d68aa9bb-e51b-484a-a13b-d56699ab1ae0,"4/16/2021, 8:34:49.257 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11320 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,65f48051-7a46-4a4e-9372-0e6dc176cc67,"4/16/2021, 8:34:49.257 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95a35c01-b55a-4d6c-a7eb-54f6b08a6cd3,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6d7f3fc-d3b2-468c-90ce-63ef36891fcc,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b91b21bd-8333-4487-aca6-229741a3bca4,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37b9d661-2be4-407f-8089-e6efa860c638,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31cb2025-fac8-4678-b1db-e408b1ff18d0,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8966baa9-8058-4d9e-bc99-0f3234ccf3b6,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c28fe850-39ae-4292-9534-dcf6b7619725,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,500e2f26-0e45-4f76-b6b7-89c402a5c306,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,709ac71c-b229-4863-941c-3acba30efb1e,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,319c8ef2-f229-4490-90d9-613eace56cea,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1b71d92-4266-413c-a7c3-c4474789436e,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89b69814-527e-49f2-9fd2-a5701d8051c6,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af03bf7-d8a6-4e90-9bb5-bbefc5d39cec,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5374a22a-34b4-4650-9894-d3a2077979de,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,067e6f3f-a1ee-4bc4-bc5d-bfbcb841b003,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc194e2f-92c2-4498-8313-59fe5f2b5676,"4/16/2021, 8:36:05.597 AM",,,,,,, +\WGONZALEZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c95cb18-ec90-4e37-814d-7fe9b837af8a,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57cebd85-9f1c-4ec8-9b6d-067e634d5954,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a601245d-db0d-4685-bbf4-6ceb860fc2a0,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,871b7913-c201-4729-a5e9-c3df48e0038a,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c81d0b7-58e8-4fbf-9ef7-dd7c7d000aa7,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab87f1e7-3c3f-48c3-8b06-1c484cea0af9,"4/16/2021, 8:36:05.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,882946d0-25c3-404e-945a-bb1bc50243e6,"4/16/2021, 8:36:05.597 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49104693-f006-49f6-9881-4a753b9c3fc7,"4/16/2021, 8:36:05.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,63844b5b-ed4a-41df-aa5a-5cfa97e91b07,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e7210320-d52a-4a2f-9194-10eae01e2949,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8368 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d87c4818-3965-426f-8351-3f90ea104505,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9560 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,856cd6e1-80d2-4aa6-bd62-604890ddc4fa,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-19 + 5780 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8af0ca7e-ddb0-48b7-a402-5df76b2299a8,"4/16/2021, 8:36:49.279 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10636 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,51aba4a1-3beb-42cc-b3f4-e1ace1100c92,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff161b60-7146-419a-9ce7-cf9c286c014c,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab4e992a-139b-49b2-8a8a-a7d37522aa92,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44be4562-13c2-403d-b01c-718725d170ec,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c11a16ef-1327-43c9-a936-b11a6557bd26,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,56fe9790-9224-4f1b-aabb-427d6c49462f,"4/16/2021, 8:37:34.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5760 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,aa88d071-faa3-4435-be05-e1f24e15246c,"4/16/2021, 8:37:34.526 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eaa547de-e58f-481a-afc5-7f6ce13eceba,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e81c9016-9762-4324-9fba-907fbe477bca,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dccdb772-e5be-43f1-84b7-d838212804ca,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7a18979d-3312-474d-aa18-024cac4708a0,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,918935a2-5550-4383-a811-aa5cd94c1c2d,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5460 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b0e63eb2-64e7-4e3e-b653-6913600ba4c8,"4/16/2021, 8:46:46.763 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,18a3bcf0-7984-4eb7-a0fd-85b23d48678b,"4/16/2021, 8:46:46.763 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2949292b-bc43-436f-aa97-2e018cdabdd7,"4/16/2021, 8:46:46.763 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1b1e0fa-150c-4d9d-b2a7-e012a89ae7af,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 4144 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20c27eeb-6f88-4937-8f5a-88a891b30a68,"4/16/2021, 8:46:46.763 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5536 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + 9DED0B484DAB4C855638FF211AA738AB5ACFE45E12331060A363F0FC33FA365C + 106 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\14.10.25028.00 + 0x3e5 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f419e40f-6bf4-48c1-af41-b47e331bf6c9,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,be1e7d8e-7b11-4415-850e-fb985e292a08,"4/16/2021, 8:46:43.862 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,12f8b4c7-bf86-4357-85de-e1dc9745d335,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9963d796-a6e6-4ccd-8a62-7505ee2977c8,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4484 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17a473df-924c-41a1-9e02-06a63d4e2fc5,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9b7c21b3-ac4f-4d6a-a26d-e18433812b66,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,352f27ba-5215-4bd5-8b6e-8f17894593ae,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 3372 + 32 + %SYSTEM32%\MUSNOTIFICATIONUX.EXE + 32 + 76828F80AF11966F0857B066E3E402F41F46983D159864096576C84731EC1F37 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\MUSNOTIFICATIONUX.EXE\10.0.18362.1411 + 0x7a17996 + 41 + C:\windows\system32\MusNotificationUx.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ef283921-e3cc-4166-a0ef-ae379b90aece,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10272 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + 3942ED22D1D683E626E94ACCD9538E1999E488EE68D1DB541B383E35E4280E84 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.18362.1411 + 0x3e7 + 33 + C:\windows\System32\usoclient.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ee162e36-43db-450b-9b33-3555ba8e437e,"4/16/2021, 8:46:43.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Stderr_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + %%1537 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",4663,4663 - An attempt was made to access an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3104d44c-3956-4b4c-ba3a-15c834a6f6e4,"4/16/2021, 8:46:43.862 AM","%%1537 ",0x10000,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + 0x284 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + {00000000-0000-0000-0000-000000000000} +",4660,4660 - An object was deleted.,5503048d-aae9-48b7-bda5-46b931ec9ed1,057c4e1d-d777-4345-a289-5d1f159db682,"4/16/2021, 8:46:43.862 
AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + File + C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Output_{6C8F3EC3-E2DF-4561-93DA-611598C47952}.txt + 0x284 + %%1537 + 0x10000 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + S:AI +",4663,4663 - An attempt was made to access an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8aabcebb-1e29-4df8-ad25-8e8c7db31d6a,"4/16/2021, 8:46:43.862 AM","%%1537 ",0x10000,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Security + 0x284 + 0x1498 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + {00000000-0000-0000-0000-000000000000} +",4660,4660 - An object was deleted.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d9d95464-6175-454d-a524-0aa3780d429b,"4/16/2021, 8:46:43.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5344 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30f45b5d-b4f1-4b34-b5b7-39696ab595c3,"4/16/2021, 8:46:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12864 + 22 
+ %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3dc2cd3d-4f41-404d-a02d-8fcd964748bf,"4/16/2021, 8:46:49.266 AM",,,,,,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4721644a-c499-4a6d-b547-c9ce5fec4821,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a41ab327-bf83-4fcc-972b-247978250809,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,194b80fa-c1f9-4948-b2c5-a2c9d9b3c3b4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7340f99-a066-43e6-bc23-ffbd93a420a8,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f549fcd-e15e-44ee-80a9-29dfaaa272c0,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aefc795-6a2a-49ab-b56c-3fc788626fcb,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffed04a2-4a41-4caa-97a3-aa356001b39e,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beb3215d-e5eb-425b-b463-ef2d02507780,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7d45bd5-9c89-480f-9634-cfb81e53c365,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3279749b-996a-4770-8f60-9a36e9dc33e6,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c45d093-a60f-4d46-b7ad-2c20a3a1453f,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d8ebb03-796a-4cee-95a9-e23ed724da86,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d71f0dc-6d60-4015-bdc4-78f94294d924,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e3775e2-9b25-4008-aa76-62a8e11dc951,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0332dcf1-2e64-4ec5-84fe-589ff1b262d3,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88914dea-1aae-40da-bbb8-01d16cf680cb,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c30b6c73-fbb4-4daa-9bc9-109573a570f4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bca0056-5659-4fc6-87a1-4f9ae8cdd509,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30eaf443-69b9-4e4d-bf24-26f0dda37fed,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84bb148f-d65e-43d1-be45-d03887e0e0be,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7b36215-3bb7-468e-9520-7844f163a631,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,222dfa4e-d3a5-4147-9f0d-4ac6280d99d4,"4/16/2021, 8:46:53.608 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18c73f9e-4bb0-4c00-aea3-11faadcb0603,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,013b1e81-f602-42c0-8267-a740a89614d8,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8ca0c45c-85ab-4cf9-afda-57247cfbd01a,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,478830f1-baaf-453a-a404-f504506c59f3,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,aafb22e4-1fd7-4537-8540-c43300fe266d,"4/16/2021, 8:53:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6508 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,359a4d2b-7935-4f18-80c2-620536ce434a,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6a992f9e-34ae-4bc5-9f31-935d254a91cf,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + UNKNOWN + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\dae75cc8e42badfb4c6fab1e32d87778_c950dff7-78b1-4d88-9861-fed650de2b5e + %%2458 + 0x0 +",5058,5058 - Key file operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f392c0d5-dc08-4770-bed2-0941e2bb5b91,"4/16/2021, 8:53:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 
+ %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9e8ecdf-3d36-47d4-b0b3-4ca1f2f64784,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,589778d3-e330-438e-a9fb-87321c1af16e,"4/16/2021, 8:53:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 2880 + 2021-04-14T17:26:46.227217700Z + Microsoft Software Key Storage Provider + RSA + 2c73c11d-0249-4684-a777-1d4acfaea90e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7377695-ce6b-49e3-a55e-12ad63a206be,"4/16/2021, 8:53:09.862 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d101290-281c-44e9-add8-50740f3a96a8,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6885b649-db16-4a81-98df-84a0eed7e05a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e84ab9-f159-4227-99be-65d2f9c1175a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,865d5507-740f-4891-9088-ec1e20245f23,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00fe7488-53d2-4a7b-8b87-9974e0631b01,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42232f7-6b18-406c-a223-ba1d1719e928,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae3be0f-886b-49e2-861e-dc6e9d373bda,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94823bca-d91c-44c6-83fb-8d416548a6b0,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5fdacb9-d160-49db-89c4-b3f53550a9d8,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\LAB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a7e645-eb49-4451-85db-a5a4dcc15903,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1779bee0-9a5e-4fa6-98f6-06d35d4d4086,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\BJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a2c9874-73a1-4671-94bd-ce2cbda39762,"4/16/2021, 
8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f61cf-30dd-4d07-9bdc-888bfd9a8627,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b9ac436-dda4-43c7-9a71-e2c509bc3ffb,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9de0f4b-d457-47e4-aaf3-b426160de2e5,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8138329d-135f-4661-a0ce-fff903719861,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df69060-3510-4ccb-8532-8154b46bf41d,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0601272e-51b0-4b6b-aa4e-d35dea796c14,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e68857fb-0bae-41f9-b5fd-908333455bfd,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14796e4a-b68b-4f04-ab47-1ea41cee3a25,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,174092b4-eb98-4b85-8fab-1b0b09d51c50,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb6a7022-40fe-4f12-bd31-928511eb5514,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73d9892-697b-4899-9bdc-49a1fb3ac7ff,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248ffa3a-17db-455d-8b43-646fedbcf626,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4c73849-22eb-4ebf-bc39-3ccc6e1ae47a,"4/16/2021, 8:56:47.110 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3aab571b-2d87-49b4-8cf8-0d317c8761aa,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5cf7c2dc-19a4-441a-b86a-be4041e15537,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b80044df-d184-4792-8678-00e51c671550,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d9927b5c-932a-4658-a4e3-3e9642d0c905,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6cdfbebe-f05c-4ba6-b529-1de0e5bf2b37,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f6f81851-f5f8-4956-952e-b7c8b8794073,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d8cccea-f271-4e6a-a53d-e9703da87c81,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cea01450-4726-4d7e-8b3d-5dba046d840a,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8e168590-7127-46d2-ad7e-c26d4b189e77,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4de641cb-d566-49d2-882f-f5e7f7cf60e8,"4/16/2021, 8:53:16.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ebb00c2a-80ca-42ef-9e3f-ed612ab4d611,"4/16/2021, 8:53:16.053 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4bd19f0b-380e-4704-af4e-ff641002aebe,"4/16/2021, 8:46:51.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc164dbe-ed07-4369-b305-6f69f464a57d,"4/16/2021, 8:46:51.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9c4e9c79-c69a-47f3-bbe2-d20fb4d8426b,"4/16/2021, 8:46:51.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f1b23d3-b776-40d0-a200-df48526233f4,"4/16/2021, 8:46:51.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82cd14b4-2d6a-4425-b3fc-55060b7b8618,"4/16/2021, 8:46:51.546 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba4afe27-e60e-4f01-9ecd-a310bd5033a8,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eac1b9f3-282a-4003-8e4c-123a6143aeea,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18874c0c-3c21-4cdf-ac13-1e5d9893acf2,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b39ad0a4-e481-4dbb-8fd1-6d817fe4d2aa,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caac423b-c402-47aa-a6bd-d7cf5a990a5d,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb42fde-2952-429b-be45-51e7b25dd471,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c7ef50-418a-49f5-a77f-bbb12e55f133,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310f4270-61c1-48f9-aacb-620de85b0195,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a0bdfc-e240-4a08-ae3e-5474b0f9eaea,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca1a783e-8bc2-47b3-a898-a3ba09275c22,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b29273ab-f86e-4544-afff-3364ff5b802f,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc210a0-456e-474e-96c6-232d33ee6683,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2beb02e8-6589-4027-82b4-0180366b2cdb,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2072dbee-57e1-4898-bebb-194340a922dd,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f9ca5e9-0692-4bdb-840f-07ccc4ae9ee8,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28dbebd5-0449-4ffe-9f7e-e429e90a59c9,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,badc2182-5838-4531-b27e-2a83ae70a1d4,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b03b659-b771-4c03-9a94-9de128ae3899,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e4b9552-4c33-4adf-b8ee-64452569279b,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1765dfe7-7f4f-4219-bd53-c29ede73a833,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b21617fe-644a-4636-9411-3ab5165e9606,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee0cb75-2365-44f8-982b-ac296bb0aed9,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9412e80c-043f-4b17-b73b-7728401f8389,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4837f58a-6afc-47df-be46-b92ca4fcd9f3,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7acb8b97-d0fb-4bcf-b196-29c0c760fc7b,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,709fda0d-d8db-4de1-9592-0e0a6f13abc7,"4/16/2021, 8:38:07.098 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,216858e7-9b4d-4ba3-85cf-b3d5dc21b761,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5c426a32-757d-439f-807a-6b09e2b2ea79,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3229d391-fee5-4330-b36f-1b007441f951,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5696 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9203c3ca-05cf-478d-8e2d-64b5cc57cf37,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6ccde3a8-a691-4b80-8ef6-a5e6c733f547,"4/16/2021, 8:38:09.898 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3648 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c67af8d0-4b8b-4d61-b43c-72131877c73a,"4/16/2021, 8:38:09.898 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,134c0d3d-eeca-4958-baf4-f01d6f337786,"4/16/2021, 8:38:09.898 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,11372bce-01ff-47a5-9ac5-787dc0341d17,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3001af19-25c6-4ddf-b3b2-cd15e8a5e410,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b9f5b969-fbf6-4e05-8140-97ed46ca88d7,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f37b1920-8669-4b0e-b2c1-a30fb0b7d343,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,205a09d0-8292-402b-be45-389d0691465e,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of 
{__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,83a69a6b-1716-48cf-a516-fd92a6e4ce8b,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1e58ccf-f407-4965-ae5d-1d41cd9f2a97,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,db74f9de-37c3-450a-a386-eab08b9717e3,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,58573a93-a860-409b-a2df-5f08164508a5,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b838c3f-989a-4897-ae3a-36c6d8b2edca,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,49017ed8-71e7-435e-9ebd-ce341f6783dc,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,863a0feb-cc4b-419e-b7fd-ad71a4824672,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eab22404-a43a-46da-9046-6bde44f6e725,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1eb103cf-b951-4a85-9cb6-d5e89fcfbd81,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f9a0b19c-57d8-4a36-9bc0-37ce8f619d6e,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,471c7f97-41a3-4490-ae21-7099a8c6c537,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fd080312-25c3-4838-94ed-cac446c567f5,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e873669-7be6-4c3c-a4af-50368837d6f3,"4/16/2021, 8:38:09.898 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a01d07f8-b2c6-48da-b864-5e12903229e8,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2e818f61-39c6-4dd4-b9cf-b3e7c86731dc,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4b184560-f9db-4b6b-9d41-eb6734fd32f4,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0bf33626-fd27-48eb-aef1-33af1546fc1e,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1ac6a09-e36d-4f48-b034-4f00eb4021fc,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b02291db-f646-45e1-961d-f27e4199541c,"4/16/2021, 8:38:09.898 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480b56dd-48dc-4c4e-a650-ee810a53ecc3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084b39fd-0b39-49fa-95f9-a7726b3e65ed,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,9643f5dc-92f7-4313-8190-5b42e3736b5e,"4/16/2021, 8:38:36.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bc5301-6483-4835-8bda-aa46043a1af4,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,632370b7-6f2d-4301-9658-9ca29bbe35fb,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b27019-f12d-4cda-afb8-3d427321693d,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e2971e2-a2aa-4ea7-9532-7f45b6627274,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a5bbe2-074a-41ac-aa57-779e925b5d52,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0740f92e-2930-4a7f-b945-03beaa842b24,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c37ea0c-5993-4a60-8f44-f870782438f3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23224d67-f5de-49a5-a050-d077f5b398a3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb4f4d4-9736-49b7-909d-cd2541163fea,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78ec088-51d3-4104-9ecf-8457ab31941c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542433fb-a835-40dd-968e-96d40fd6218c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec70c756-d757-434d-b312-5e0a4cfdd0e3,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8da934e8-b9e8-4d92-bd89-2884f8c91c9b,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4658789d-18a9-498c-864d-eca02c8b63dd,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,769f435a-eb16-4954-a498-4db55b550f9c,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bce65a21-9e56-4078-b002-00242fb65a04,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e6dd07-6b91-4027-86f3-6797866ebedf,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51310e2e-f05e-45fa-8344-b297eff01740,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,219cea5b-995c-4a84-906b-52bd58082e3f,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a37de75-008f-46a6-887b-da5423517417,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047517ed-c8af-49d0-999b-2799dd47c934,"4/16/2021, 8:38:36.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,926a2747-38e8-4e55-8825-6c1ed9f3e961,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5660bd-bdff-45c6-97d1-b193ccd2114e,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba1c123-559c-46f7-83ae-6f172b0a2237,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b97703-45f5-42b8-8bee-3f76aa282cf5,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b52d6ea0-8953-48ca-97a1-95fb96145bc2,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02174d46-0002-44d9-b469-f607978c519b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6444a904-d3ad-425d-9ced-eb4a358ec4fb,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca33da45-89a1-4218-8714-712a2b645885,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f5a8d3-c7c7-476b-8fc9-cc047bd0fc95,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2e0fbc-2e75-49ab-8d9f-cf6a0c05649f,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3af1db51-9248-4b0d-b312-ae26ddee327b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e8297cd-cb16-417a-aac3-86f9aee30412,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe6f7a2-62f8-404a-820d-4393074239b6,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd15d012-5e14-47c5-a039-2efa216824f1,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,426b77c1-5719-477b-a5d6-20bce313ef93,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac0229b9-6052-4030-8e55-b3674f4ed2cd,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14585b39-f197-4c8e-8fe6-e43fd689f575,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef65fd1-6f0d-455d-88a8-b59df0edd244,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169b4acc-a72d-4e26-9921-f276ce551f7b,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715d0fd0-fbe2-4981-b84f-e18266b9a580,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5327b96e-5901-4715-82e2-1a91b8d2cb6a,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5ac7fb-4d8e-4340-89a1-34c9fe769276,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c15f8ca-aaa7-4b73-8e1b-c9e8ad9eaf86,"4/16/2021, 8:38:42.100 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,843b3711-b294-4892-b2fa-05c79fba5441,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5399fa4-03db-453e-ae44-5a863b39cfcc,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,487b0b61-3ae1-46ca-acaa-409b003a58db,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,201fa444-03c5-43a3-b955-1911395faf28,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2de0fc9-5759-47cf-9f8a-540aa7fb39bc,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dc6f536-d9f6-4ec9-8a55-8610a7138173,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4da2e6b-9cee-4ae6-9f5c-95b52a2f607a,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cb4492a-0774-4bce-a8a2-76ca7c712815,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd9cf9b-a0eb-4191-be03-5996cc69ffd9,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d0d285e-b211-4844-897b-163fdb4c99d6,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b19c885-4ca7-49fa-9db3-43f580548409,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f38eefce-2bc5-455c-aa57-cf90a286ef00,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07af5ea-4104-4d06-a2d8-40f8bf4bf4f0,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f13c5dd-fcb0-4fef-b2ba-3a9d28d70864,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfcefb91-7544-431a-8ae1-d24ac298dede,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f03ddc3-0cc1-48f6-b447-eb444d329644,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97c9266b-0cee-4a7d-b5e3-a1185bea1423,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0f191d0-12ec-475f-bf66-1901c98a6675,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62df658f-1259-4b66-93bb-baf93bca6a3b,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cca72bfa-d1d0-4f9e-89ab-4e20ecdc873e,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f94e8b97-0780-4306-8f04-2ff0a07a66c3,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60582b12-9dd2-4f51-ae57-f65632ee2023,"4/16/2021, 8:38:52.586 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4528 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ed6cf66-c976-45d9-888b-ad2f96c24234,"4/16/2021, 8:46:51.546 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4fc6478-208c-41fe-8cd6-61da622be071,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f72dc8e5-8f77-492b-a97f-48d8bf3df040,"4/16/2021, 8:46:55.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6928 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbfff4a5-b5e4-4dde-b62b-d1b3aa2971fc,"4/16/2021, 8:46:55.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3b4c43-1494-4d88-9fac-d4a0f1c1c6d3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6c2bca9-7917-4e3a-b0eb-59337f8311ca,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac90892-392c-44f1-8335-ab2dbcfc6f2d,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91cb240b-1e47-4a36-9102-774b4f0d0add,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67a879d-aca0-4507-bfd2-20528945f53f,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,403e742e-ae23-416b-947c-d7393a9167c3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc10e73f-0a92-4873-9c82-2e688c5ead82,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bf4c17-2e5c-4b12-b8ba-064848e388e4,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c19e1cd-3fbd-45dc-b188-689028e2bdad,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,665824eb-d4c4-4044-b6e9-45f68515de22,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945521fa-a673-4921-97f5-b8b2548be75e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f0eb96-54c6-4a21-bb75-19c7d3ca016a,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137cbe0d-ee07-46ed-ad4c-4dc1d6c8bb3e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de16f6e-69df-466e-91f9-c11a27fc668e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\MAIL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e35669c6-2590-4468-89d1-8ec27b05a40e,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c07c5a-f607-47b5-9fa8-a08985cafef9,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed1dfcc-3f73-41fe-9767-0bb81622f7a3,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abb113dd-4f61-4af9-8746-8baa7af04de1,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d12f1e4-4ce2-4cc6-8c2e-2079d950b712,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08485c03-c523-471d-99eb-ca3eb88bf5e5,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54074425-11e7-42ab-9b3e-a6ed20e076bc,"4/16/2021, 8:46:55.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,327a544f-bf5b-4956-8784-614be507537d,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70e30f0d-5fc9-4920-aaed-be49ff886686,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa7d06b-39a8-4d01-a938-c52e7927c326,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db3ec03-114b-4280-ab45-6354a87ed76b,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add1937a-a450-40c5-89b8-787845aa42d0,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dff035d-e0a6-46c3-ace8-8464ff6d9c70,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acefc177-dd4a-4d0d-b137-9c834c447b73,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b4cefc-e34c-48ad-bc70-11a958322be6,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47712486-d316-4c25-be29-96055db53440,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b035d7dc-8942-4f30-865e-cf691ad60156,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8af270b6-fe08-4005-971c-45286563e0ea,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12230559-aa66-44f5-b6da-45570e060ac4,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,816ae907-ade0-44be-887a-5892916e2039,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493c43b0-b6a9-4983-b130-33b0bca73369,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0031e81c-7800-4fd6-82fc-6938f8316ca8,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1721f9f-8d92-4c91-b301-7688f5adf596,"4/16/2021, 9:04:33.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c16184c-6218-4520-9e62-198771e9ae52,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,485d7e71-da27-40b2-a2c6-f55894c2776f,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9400da99-514a-406c-8bfd-d2916dd5217a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80a019d-f1b6-4936-830c-4e475b60183a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c72c76d-4afc-4880-a652-06702eb6f8d3,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9b9e83-a47e-4260-8d8e-85d2fbe5b92a,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bed793df-cf92-44e4-9801-87eb34badf91,"4/16/2021, 9:04:33.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12016 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,805140dd-0722-41aa-9387-f08d80e11463,"4/16/2021, 8:46:57.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10744 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0e17d748-538e-4f74-9cd4-cc5dde58630c,"4/16/2021, 8:46:57.116 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eb6c8bd-edfd-40a6-a837-8ffdb4b20d0c,"4/16/2021, 8:47:02.612 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb486bac-440a-4bd2-bced-1a6795154c5c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c03d219d-f8c0-4b2c-95ea-80e206417a43,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cd9d6f3-35d2-4869-b130-893db9ad0c0c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,196a9a0c-5e5a-4708-83e1-9601de400b3c,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3df2df53-13d2-424a-8ce7-0f7ffebfa5ba,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 7156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b362bc9b-5ef8-4a09-b3ff-08b7174275ad,"4/16/2021, 8:38:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,845bec05-c6bd-4957-a1d1-de6790e3dbba,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,791ac912-694f-4fb7-868e-d4db9d5f7253,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4b76968-fcf2-49c4-bcae-a56d327a837a,"4/16/2021, 8:38:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94e46d6e-ad74-462c-a883-8431537935c9,"4/16/2021, 8:38:52.739 
AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c839bb80-4589-4591-b68e-1b9a0bd46bcd,"4/16/2021, 8:38:52.739 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,59152071-0e0b-4c4f-9260-d0d51e898187,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9184 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a41f76e-6eb4-4412-ab6f-38e76e7b0d0b,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10564 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender 
Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ac39f05-4742-40a9-94ca-581863a63d7a,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b57a115c-2d77-410d-8951-588effd584b2,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b3edd799-eaaa-4100-b074-d49659d2478d,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1372a5a2-b4d3-494a-9420-ee18d0b3cd77,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9648e15-96ad-4351-878b-a06e613a4c8f,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10392 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,df3e6ff5-f610-461b-854c-ab5bbded24e0,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\NETWORK 
SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6080 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,17fbff9d-7ca9-4672-adda-48d8fc9bb281,"4/16/2021, 8:39:02.526 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1776 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c770642-cb85-49a2-8f07-408df10719bc,"4/16/2021, 8:39:02.526 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202} + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Author>VICTIMPC$</Author> <URI>\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}</URI> </RegistrationInfo> <Triggers> <TimeTrigger id=""GP Periodic Timer Trigger""> <Repetition> 
<Interval>PT1H45M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-15T20:23:50+00:00</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> <WnfStateChangeTrigger id=""GP WNF Trigger""> <Enabled>false</Enabled> <StateName>7508BCA33A0D8B41</StateName> <Data>01</Data> <DataOffset>28</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""Author""> <RunLevel>LeastPrivilege</RunLevel> <UserId>S-1-5-20</UserId> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>6</Priority> </Settings> <Actions Context=""Author""> <Exec id=""Group Policy Background Processing""> <Command>gpupdate.exe</Command> <Arguments>/target:user</Arguments> </Exec> </Actions> </Task> + 13510798882126355 + 1776 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,7854e7ca-a660-43f7-81cd-9bb953428bf3,"4/16/2021, 8:39:02.526 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 
+",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,e232f0b3-a635-4f73-93da-b0b95615ffa5,"4/16/2021, 8:39:02.526 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cf64193-5579-461d-bec1-8285bd4e6293,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d559f4d-7fbc-44c0-9f5d-e216b81230ea,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeb8fd23-1cbf-4418-bebb-ce29d719e338,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc46e13e-4caf-4b74-9360-ede9920999fb,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fdfc938-5f24-46d8-9928-e1f1798d3361,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54dc21bb-bf90-4744-845e-d8fc5b622d59,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cd2d12b-52fc-474f-9b96-0427b1a5ae4a,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adbe7a64-25d7-44db-8ce8-4d737220fdea,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,708e9143-060f-4956-86a3-7ae6b77e8a1c,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a808db03-7c0c-466e-9322-6c52a39babc0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0257f7-0650-4a07-bc6e-d2c659c03f39,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6952e2be-be1f-44d6-881a-42b8d759291a,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e16a74d-7bf7-471f-86e2-26f182836bf0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f49ac74-6b9b-4e74-ba3b-4e9b41d8f52f,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f4793e-8709-4b52-b16b-ba09230471de,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013518aa-553e-44af-9c7f-de6e47f748d3,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef14b58b-db98-4ceb-a680-04e91e404d25,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54b31c8f-0df4-4344-a7e5-55c7c3bcf99c,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcccacc8-bfd5-4cee-9313-8d56a800b518,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605e2cb7-3a40-4b19-9f5a-00514b7141ae,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6ec49e4-6c07-4326-8d47-e5d20a5151be,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3f49db0-fda9-4f2d-a47c-cfa50e7c18c7,"4/16/2021, 8:39:04.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ec868a-5ac7-4a3f-beff-37bd4a7928b0,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,062119f5-9076-4e49-95a7-145ba5396ebd,"4/16/2021, 8:39:04.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd68af3-5d9a-4b32-b3b9-cbff414833f6,"4/16/2021, 8:39:04.102 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7704 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac421573-692b-4032-aea4-d0e73611431a,"4/16/2021, 8:39:04.102 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b90a5ca7-bce0-42de-a49b-bf31c1fbf5af,"4/16/2021, 8:39:04.102 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1092 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,578e6163-cf49-4aef-9670-c60847443624,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,18d11c83-665d-4181-aa15-094da240a347,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6120 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process 
was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eaf796bf-96bf-4eca-a8a9-e5bc2dafda7c,"4/16/2021, 8:39:09.861 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,297cccf2-d752-47f4-a60d-318fa9c3dc9a,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5f989f6-9640-4a5d-841a-12b92cb18bef,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,66775c10-b195-430c-b307-fcf58d0751d6,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5914a077-38b8-4328-bc3f-8bf8f4c0ec5c,"4/16/2021, 8:39:09.861 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,219669e4-201f-4375-8d77-dcdcc74f2319,"4/16/2021, 8:39:09.861 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + 
%%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2445f7b5-7540-475b-882b-9827a7c4a697,"4/16/2021, 8:39:09.861 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,015e130b-0402-49b6-a2d1-40e60c45825e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23d5839a-869a-4944-93e5-94224ee724ab,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d934c21-b280-47f3-9557-29aabf223d42,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fa6f8f-3c4a-497f-903c-710288faa87e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\TEMP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e9abc0-ca99-4317-b602-456f815372a7,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a82b645f-f657-485e-bb1e-94fbeb7390e3,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af801e8-9dd6-42e0-830a-77a7db4c70d4,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cf3327-7eb2-4c82-a4e7-ebd2a99533b4,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,035f9c5d-3b2e-4596-b5cb-2d7c3364e413,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,372b644d-3dbe-4fa9-b6d2-690f8b82973d,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f74dd93-21fc-4895-b0c4-23ae887d3b96,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b56033-3287-4a80-b379-c75ca34af40e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bd2a15-b9f9-4ea7-a14d-bc853c06aae1,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02fa7382-6738-4173-9c93-01dcf8657b4f,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e425acbc-2f72-4fd6-85c0-823eeb4f1fff,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843599d0-e4c5-4911-a591-57d52118c4ea,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fec89cf-deee-42c9-9085-1bc8abbec401,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ae1621-805b-413d-a115-ff84767e456e,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,522830e7-3f88-4c6e-8a95-16e9a6b603c9,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76fd5571-0cef-4e48-9671-381964c718cb,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08d500f8-cc18-4b19-a5cd-5cd68f9af1da,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d2c8e85-beff-411f-8af4-13a8da2c188c,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da963e42-2786-49d4-b541-8ab679598912,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9c1161-9d0f-4d40-8779-339f4ad2c42b,"4/16/2021, 
8:39:19.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73398ac4-4497-4163-bad1-511139cbda0d,"4/16/2021, 8:39:19.113 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a99c0ab9-3f3c-4dc8-b27c-c466f6feae54,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d647092-f6c7-4adb-8869-fd952d72e206,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9535a494-9021-4f05-aa21-61d3b533a7bc,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,459eb0f5-ef7b-44ae-88e7-d482175dec1a,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1305caf-2914-4aa5-9b74-247c1864809e,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a273b469-55dd-4661-887a-d667effab381,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5cb1e27-2943-477b-ab0c-a91c9fa2c8eb,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a810e4b1-2a9e-41ba-9dc5-1f5b96d8caa7,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54890450-5e18-46d9-ba6e-9b52f8889e0a,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d64f0f9-e7a0-4079-9825-fc1f48526ab5,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06222cc5-f480-49cc-afc0-f03c1e28e72b,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2a78df0-ed2b-448b-98e4-b13ab72449b0,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9842084-5f21-47f1-a8e3-6c8cec74f816,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9695654c-003b-4c4e-b991-445273cd52dc,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,644c1cb8-f89f-4e43-96c7-309d0c03a689,"4/16/2021, 8:47:02.612 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f05abff5-543b-410a-bc86-7dd6eb48d334,"4/16/2021, 8:47:02.612 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eafc9ed2-d2c7-416a-b193-4a860830f44b,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c943d223-1be7-43e0-bae2-fdcefd087ebb,"4/16/2021, 8:47:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ddd4caa4-7ddf-4852-87ca-c4212157c05d,"4/16/2021, 8:47:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2a342416-312c-4687-b6c3-5c684751a8ed,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,50e34a40-7d2d-487b-ba63-d95236786d05,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c50d0a04-2530-4233-a634-4582f870da33,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c730f682-29b2-4d19-8917-09cfd1a906a0,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c8cd37c-1d30-48eb-9b31-e9a0047b53f8,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,02b431ec-dc24-4ae7-86f5-a06a8d3b9b44,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,531e2e11-9730-4251-b3a1-c95961b911e0,"4/16/2021, 8:47:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e1f500d-cd1f-4776-a710-5c4839addfcc,"4/16/2021, 8:47:03.050 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f5b53bd-e8af-4ddb-b8a7-7cbba7c37ccf,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46607032-446b-4102-a962-b2f4b10b69a6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385b3246-2b61-4bdb-97ff-10ffdcec3a3d,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ada02890-3692-495f-9d49-aa33bf3c78dd,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692da997-1eca-4caf-84e6-21b9015f74bd,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,954f376c-1afc-419b-b58d-5c56df4cb642,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54f363df-f46b-4c5c-9d4b-1d54900e651a,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa9e2fbb-e5fa-4a5b-89e8-d21ff0be06d4,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9294e14e-8bb4-4b8f-9c0a-c221a8174d81,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3bea25-d116-4b77-8850-5523dce6dd9b,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425b8d89-ec74-4040-acb8-e0507914dde5,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cf345f6-a28c-4cda-9e49-a48ffd66686b,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc1d0e2-67f2-464b-8ed2-b5c52f5ecb61,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a5ffba9-63cd-4994-b0d3-317e43e38ee6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561b45f5-c470-4c9c-8bf3-177e8cf44cf0,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f79886-6e6b-463a-ac84-a22668b16aa3,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13992120-13e3-42cc-90cc-15d42efa0e39,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,789f57ff-390a-4380-9513-1b81e83a68fa,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,416dcbb0-3b19-406c-bf9c-722c3863b6c8,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5353c41f-712e-467d-a729-e29b1a700fbf,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65d358cf-9804-44cd-a224-6877dfab70f6,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b28e47d-a5b0-41c1-991b-7becd7c11f61,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4c8f19-6891-41b5-bf55-8d3906cd0c95,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a4b1393-3c38-4cb7-ba81-2d26e25910ce,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c20a86-be38-49a9-a8b4-b7740f07e33d,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e993fc4b-0f7a-4c36-be16-1d9f5e85a89a,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41667fec-0a98-492d-8928-664e50e7e891,"4/16/2021, 9:04:40.169 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7000 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + 
C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2822dc1-5ce7-4a7c-a7ce-539f430d8ba6,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,98356859-da10-43fe-a3c5-bb55055747a3,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6520 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c5440b9d-b926-4ce8-a681-c68c1f987265,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1384 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7cc8f6c3-386f-4ecb-ad14-d1bb32a3d6fa,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9b66b14c-1867-4ede-a66e-b86af692bdd5,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc869075-50fe-4d18-a39f-51dc66932bdf,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e83e37e9-7b06-45bd-9f66-0ef0583614a0,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,93d7e0cb-ef72-4955-affb-5d73f82a0107,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,14a1e903-78da-4c96-b40d-8798c22b4a78,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,51d44a8f-3633-4538-bc62-d5ba84ab4530,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6764 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6aca89b-7271-4147-a469-5b4f645dbc66,"4/16/2021, 8:56:45.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34cb1e5b-33d6-4b64-bc39-43182a833d38,"4/16/2021, 8:56:45.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,19d4d9ee-0187-4b8a-b157-d7a79eef9ed6,"4/16/2021, 8:56:45.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fc162002-7e93-40c3-b115-ab476c5c2450,"4/16/2021, 8:56:45.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,86cb8a29-76b9-42a1-8e84-dded5ec29f5c,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,26ba2c57-cc47-426e-ba2d-029c02860d47,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd8e7a12-13e1-4fa8-b34a-179a9df9a5df,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,07e4d87b-3570-41b6-8df9-44d166198da4,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-503 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,82250447-8781-4d4d-b672-fa6135dc2194,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-501 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,035faaff-2f97-451c-a841-80f25dfc50cb,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-504 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x122c + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5c6e6930-0e6a-4090-88eb-6d314a94da12,"4/16/2021, 8:56:45.774 AM",,,,,,0x122c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x88c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1df8e28b-21d6-4c72-8372-59f1a47e2ad3,"4/16/2021, 8:56:45.774 AM",,,,,,0x88c, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc2 + 
S-1-5-21-4064141627-2216470730-1920950221-500 + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a240e544-6cb6-49e2-96c5-2d2530c4339f,"4/16/2021, 8:56:45.774 AM",,,,,,0x0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dcd3b77-4a18-4dc8-8787-2af337101d38,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1824aa4-5ae2-4d87-a0a6-4c3ccd623fd9,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76763d43-b0c8-4ca9-b629-08c8f9e7e4a7,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f747b137-9abd-4ca0-a905-ff9f40ddb692,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8252fc77-3fa5-4a16-97c0-bcbbbfbcaf9d,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944598fb-81aa-407a-9414-5dc90e5ba581,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e032dd65-efaf-4b31-87f2-c3c2afbcbb7e,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a59a761-8b44-4180-960f-7376b723b338,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c5e36a-9ecf-4262-a14a-0d7887ab5e53,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fd5951f-be7a-4331-a785-2d189cf00926,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f502d281-cf3c-4b71-b411-a9eb1b7252a3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cfada2c-8ccd-4dc8-84e0-5eef0e9c881f,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a9f775-9077-4361-bf9f-50d439903c1b,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d24d540f-d9aa-4a52-9abf-9db23273e153,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7962131c-a117-42a3-a746-3b7a0562dca3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d81879f2-a6d5-4681-8c3f-73a82a8ac252,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d720031-55fb-46f1-89f7-9a6da14dbd5c,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,627af539-79a3-4714-90a7-77b13d59c720,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e484633a-79b2-4d39-a360-bb48bec494e1,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b7160c-6e90-4080-aadc-62404d1ee142,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b953404-f196-463b-a969-8b873c34cba4,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f46fc572-ee51-40a7-ba23-484e7fb5a93a,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8250e447-c17d-49c8-b792-d6d6f30fa5e3,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4344fdd5-fe1d-44d9-b75c-81ae442df9ee,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae73f4d-2167-4e22-b2b8-8f2b819c9242,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93bdf0e8-5326-4d94-9c53-4e1d7c7375d7,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d25218c-5f1d-42e6-b0b7-0457261cac17,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd7a962-2548-49aa-aab5-300f0f9ec92d,"4/16/2021, 8:53:16.113 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ff69aba-823f-4ba7-be4c-e5cf0b7ba548,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7ccd3db-9178-4858-a2a2-a88d92f24e27,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1397a700-faae-4387-aa8e-d125a0ea60c2,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2efc68c-51a0-411c-9214-90cce09766bd,"4/16/2021, 8:47:04.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6d800e6-74bb-406e-b35b-4a9455ce4e63,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31851ebe-4347-4923-8353-0b25c8b6ba01,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccd0e06a-1059-4727-9c2e-23ca497bbc17,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e091bb47-42dc-4cea-8bda-1c8d2f609e03,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f26d1308-44aa-4fc1-9483-65383eada6cf,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b29ed158-1647-494d-83de-9883305626ca,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,466bd705-1017-4afa-a466-efe0774ce121,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27fd7b66-6e60-42d7-950a-a9ad439f857d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e3f53d9-101f-4dfd-8d1f-1c228dd9fc7d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dace5395-7eec-4dfe-8a06-ad9509d93205,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73a825dc-df9e-4cd8-8c5e-9b48c2b3fc4f,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a383821c-7fed-42df-8513-29e8f9d6ecac,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26eccec6-3dd6-44d0-ae0d-f8888e02a3f0,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a0ad26f-cd0f-4576-a5ce-2e2e96f82ecc,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c90190c2-e465-44b7-815e-ecf11923a1b4,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9ecef-0838-46c3-b9dc-9e9ca1069d6d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2558cc8-54cc-44b0-9363-39d8fc2e8d04,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b10f690f-5aed-4958-9d72-82bb0674003d,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19f021dd-9787-4a7b-8515-ed8f22c4f2df,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3f91128-bd57-4a6a-af04-186c6cf746be,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910b1443-7042-4de2-b285-3750306237fe,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be4b1c6-dd63-445d-b405-3e3d1009a01c,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6e37203-41be-47d3-a40e-ba865b320321,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9728544c-164a-4f72-81fe-f8dd23f160e2,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4592071b-0087-4a18-898e-b16dd42c203b,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d028d014-04e6-49b2-955e-65489282a617,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,076d078e-1fff-4c13-b3e4-37c7c214c526,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbfa3569-588d-49e2-9139-6ca5296bd050,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad6ec8fa-585e-4040-99ad-338ea71425c7,"4/16/2021, 8:39:33.651 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03de0c89-459a-4eb8-bb98-c735e11c1022,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4648 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fba7cc5a-71be-4b61-b69d-1106d3b34399,"4/16/2021, 8:39:36.414 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56df71d6-518d-43fe-ba71-c2048775c850,"4/16/2021, 8:39:36.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a5728cc-6a1d-4642-ad4b-b85d4d165081,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3760 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,648b1811-b394-4fb9-aa1a-274fd44d372e,"4/16/2021, 
8:39:36.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3ba74dcf-bd64-44ab-a800-408542ad6721,"4/16/2021, 8:39:36.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fa5a07aa-05ea-419c-853b-2a7be894a987,"4/16/2021, 8:39:36.414 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef0f6f89-f32e-4140-b2cd-6a73027c0695,"4/16/2021, 8:39:36.414 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e406ec13-6c99-4021-a9eb-2a1b8cc5cf11,"4/16/2021, 8:39:36.414 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b1dcc37-9a03-46f4-91a8-32b995202c38,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 8116 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c82f703f-d410-4535-8369-ca8cc8621bb2,"4/16/2021, 8:39:36.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6afe19e-7a9c-4a08-9172-160a9da2af08,"4/16/2021, 8:39:52.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e18a124a-f78b-4636-b00f-822322ce734c,"4/16/2021, 8:39:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d7dca8e-b908-4cbb-8453-34e1e2b8c12d,"4/16/2021, 8:39:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6bd1bcc7-392a-4839-9007-f89f8162f395,"4/16/2021, 8:39:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3a1e9d64-8230-4fef-ad60-74ee083cf96d,"4/16/2021, 8:39:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e33aad67-8993-43ab-8dc1-94b731c7d9f1,"4/16/2021, 8:39:52.741 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91ef9c3f-c980-4c4d-af1f-013aa7294e5e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e885968-5dc0-495c-9c63-453fcf720612,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f575e99-c9b1-4bbf-8b74-ddcc9890e718,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df0857a5-d2ef-41a5-a47f-47a79863d95c,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,666db14f-5a55-417f-b165-8ce776344d8d,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,850db5af-0cb0-4df8-bbe1-319d3c1bf152,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6aa195db-14dd-4349-85c3-3426d2d62ee2,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c7c34d3-62e5-4e8f-81a3-56d99f0a719e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dd956c1-8686-492c-bdfc-7b7cb9a1c5db,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d34754-6530-45ee-a485-7ca018ac75a0,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82211dad-9f7e-4206-a795-ef11e0c704dc,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f558c05c-3ffe-4c85-900d-dc0dac68f090,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eca0a065-5f51-4a1a-8365-e937c5f19672,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66668d01-e9ab-46de-9056-f644f5b16205,"4/16/2021, 8:39:57.624 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4736bdfc-2264-4920-975b-afb28d7bb0c4,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,042a1a9e-e045-493d-a2b4-28d926b9357b,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9803ba64-cd7a-469c-a5fe-ba6d9e36f2c0,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d682b74-2b50-453f-b932-48c3bc09634b,"4/16/2021, 8:39:57.624 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9f027a2-9e25-41aa-a7c4-efcf8ca6c5d3,"4/16/2021, 8:39:57.624 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,969a2018-70a2-4b47-9cd3-46bb76b1df30,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d0fb0e4-6f82-43dc-8a40-38849f3e5c16,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d476a522-fe92-469b-97c3-ac9ebbee2e6e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc3919e0-94a7-4af9-acaf-1bf580877834,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12687576-642c-4f4f-a33a-84a615304064,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5f6737e-24fd-4e14-9552-38a58b4f353e,"4/16/2021, 8:39:57.624 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dceae1ef-b2b2-4cca-935a-0a7013318d3c,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2ea75b-9f56-4945-b81b-eae5f0584d18,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53658f30-8c04-4c44-a18c-e429862c4643,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53eb70ff-6a5c-4570-9410-278c5ba2f583,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1b08bb5-2553-49dd-979e-c2fb71c20a3e,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18c46e9f-800a-4963-91b0-c54257ecaff4,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fabbe414-faf1-409e-aac0-ba554a4af5b2,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a09cda4e-12db-46d1-ae03-176462087803,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6046ac8b-633e-420a-9d58-ede35f788a74,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7daeeeda-6ac4-4ff2-bf91-d0ab915aad66,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc11765d-149d-4eb6-9ada-c3b1631fbf13,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162d6150-8c87-4b8f-b770-b801237581a4,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2aa50ee-9668-4f9c-8c6f-48866ccc2652,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebd9dedb-587a-43ee-807b-ee368f6c5121,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e9a900-671e-4083-b786-1f6c64c6514a,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a98ea804-4bcd-4742-98e5-847dc51d40e1,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc68de26-91c2-4c00-856f-395df88de7e8,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cad48c50-ab99-4168-b4ba-c85bba6e234f,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\SUPPORT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc4b1af4-2712-4c9b-bcd1-ef6f362bcf75,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58cd8a59-4a5c-4e0d-9022-3705275c6454,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c305d820-d605-42cf-b258-ecf5ffb4c78f,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d25afc-2b49-4261-865a-430259b22cf2,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61189f85-570d-42cd-b3e1-bcdbf55a5b0d,"4/16/2021, 8:40:00.101 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7085d55-bc61-40ee-82da-47e1802fec07,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c9d7db7-6334-4767-8966-f8d937833adb,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6c083f5-b3ce-4d34-96a3-fcff433352cc,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6ac2044-dbcb-40e4-b7fc-4155d67a1b63,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b20d600-0413-4e66-9964-d1f48788c7a6,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ccd598f-9e4f-4c45-bb58-586a15773127,"4/16/2021, 
8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1912898-df40-436e-ace1-16fc93bbf014,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16cdc4fb-3976-47b7-bd6c-7f38b642e2a9,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f086dc84-9b22-4ab4-9892-758e36f505b2,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bded83-9589-4fda-9e6a-6c7bb3b589ef,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,079f966a-5f2c-401c-a02c-e33a0995bc20,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e5c2370-7369-4d72-a816-6a12006e663e,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e6fed5d-a5c6-4d4c-91ea-15b98dfb1298,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbe0cd6c-92af-406b-87d4-e27646bc5931,"4/16/2021, 8:40:06.597 AM",,,,,,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9971d951-ac3d-4be1-ab97-81478ed7f550,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761f0c41-8ce6-4fad-8304-a28b487166ff,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc1921b0-fb39-4dce-8b53-a564b1f991a6,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bd42f4e-1558-4a34-a65e-cd808233ba50,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c325987-7f86-46bc-9011-8d22d531c4c5,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a42329ec-bde0-4714-8467-970b85946cf0,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,990deb34-2c75-4af4-8d10-2c59120f5b6d,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98a1e59e-f465-4cab-970f-2e7c20218153,"4/16/2021, 8:40:06.597 AM",,,,,NTLM,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f3aba687-f525-46dd-8dec-971bf2ed7dde,"4/16/2021, 8:40:08.044 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f862773b-d78b-456b-92a0-b68b08d8183e,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0480b041-9551-4f75-8184-31a1b42c6e98,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df5be273-7bca-447a-9c1c-8f57ed5acce1,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3ab4f58e-4e06-4a01-96d7-003c8199cd85,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,63b1a709-7839-4b63-b37a-38ebac88b22f,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ec7f09dd-b71d-4724-a6fa-29670b9da0c6,"4/16/2021, 8:40:08.044 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d201b7-f30c-4148-97c8-a6e626919b41,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a71fcf-aa90-4a9e-b602-06335844ad4a,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c9bb65d-4052-48c3-aaa4-5b4420d43523,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,393b148e-892e-4ba4-b64a-fccc638d4601,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8363663b-5e28-4ab6-b2b4-991f39e5f78b,"4/16/2021, 
8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74a039c-d9ac-47e4-a2bd-217bc40061e2,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\OBED,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eaf5f55-d094-4d90-baff-8cdbb94de54d,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a04fcc-bab2-44d1-81fe-a088c026a9f3,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17f8297-0a9f-4215-b779-62387ec7dfb9,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0c6d0b-ce84-418f-9602-9e4e0eae0ece,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1145af-3a97-4880-b905-e715015c7aa4,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5651319-0abb-4d71-ba27-f6f007e9b868,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,584720ef-2882-46af-bbde-0ecbbb7de743,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92c9c957-5a94-4ebf-add6-b202018a86b3,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,049a0319-0253-4ceb-b802-c502b6c21ccd,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a479eef-bfc7-4240-9e91-e4df72da6c77,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e4b8d46-732f-466a-ac20-31e595e71286,"4/16/2021, 8:47:10.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5ea970-7100-4a05-b0e9-37b1884b19f0,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e899e785-6f8f-4bef-95ab-f053e0545ebc,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97ee524-9861-433f-a8d7-3b98b2c61d41,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b41576-f902-4da4-ba09-6391192a603e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab508f56-c6ea-4b87-8d96-f33c703a5936,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c657bc-6fd5-4c54-8f78-9eb73e94a984,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d4d9b5-8530-4b66-89f2-9aee0a319134,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f6ad56f-4f42-4eac-bf10-24c763bff3f1,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da918624-6663-4d8b-a769-a1e52cc81daf,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa711cf-293b-48ac-9b28-a354de6138c1,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a10e1055-bfd7-4a1b-9bc0-34dd26604817,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91bbfa52-1645-486f-8b70-352f4441b852,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4644076-6257-411c-94cf-49034decb74e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24121b6e-8d64-45b3-86cb-8023c3f2ca76,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1156cbf-efef-47ee-9132-a4a98c0a1bb7,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cf7ae0-6447-4a4f-b843-da0c8aeec3ee,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9468488-92a7-4b03-b5e2-00d471e62868,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c898cf8-87cb-4648-ac68-fa403900f57a,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee59232e-2301-4b03-867e-d2b3c24ec6da,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b80d4d6e-c928-4361-9c51-752b110d63ab,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad1ba8a2-60c9-4649-b5b5-a1456e82d73f,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496531a5-543c-431d-b99f-eec3e914960e,"4/16/2021, 8:47:16.102 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd382f20-0cba-4179-9ffc-cd6f029acc10,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acf5e53-5971-421b-a149-4d6b35faeba2,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b9029af-4e46-47e6-ac2f-bdb88b8fe8ce,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61c995e7-cc8e-4717-a9a3-581be440d3d3,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d56e40b8-18df-4333-9037-b8fa5cdd8847,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4c0e86c-0d15-4421-aecd-d3a9ae2cbb78,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3506560-2bb7-4d9f-9893-c611f24fcb0a,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cb49527-cba9-4753-9354-47709c5d0771,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ef3adf-798e-46a1-bc28-adb8690aa4dc,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cadd1ca-00a7-46f5-92c6-42814d2ae9f4,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a817f93-f59d-4394-af21-0b944236e066,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee918c3e-f6ac-417b-94b4-9c2e5eae2aff,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40abfe43-7111-4f11-88f8-6095b9689327,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b83ec94-9f11-4e45-ba95-aed427897eeb,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9c5c95d-cd58-44ab-aa0f-f7bd90325651,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3695893-f069-409a-9c69-4b14af51c13f,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b0166d6-9d79-4753-aa3e-f522218ccfbe,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82d16aa-c45c-4171-a5e4-6b70dea6beac,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee20edef-fd42-40a8-9e42-343217146318,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a37da45-8697-4565-937c-3d4cb9add005,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e35ff0ef-4f4b-4870-8d75-2e36a0623cab,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad9d0a2c-1eca-4cd3-a21c-d1adc5673712,"4/16/2021, 8:47:17.617 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41dd4b4-f5d3-418b-8217-20debf509603,"4/16/2021, 8:47:20.117 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e56a1ce7-dc4d-4899-9024-51a65f3bd1ee,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54201595-1d69-4105-ab2a-000ed394bfcc,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f63b78a-a8b9-4121-8211-7da11749fa5e,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc02605a-1ae4-4ced-9ac7-edef9a54b61b,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371d97d5-9ac6-4e7b-8e5c-e1498fdfc2ff,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef7259a-5b6c-4be8-9ac3-fd138003f823,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b689f06f-7ce2-45b1-b32e-71a757ebfaec,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00e2636b-7ff2-46c5-995d-6733522a8ce9,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de48b9b-8fe0-4132-837e-a959d1d31de7,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1293d5bc-07ec-4374-8e19-d28da82e422f,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,387ed380-2397-456c-81f7-2ecd5f3383ba,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6173ce0-4f9c-4708-a9d6-2159b5e67618,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b75aa25a-b098-4368-bb9a-8d90feb651c3,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3de3a2-a989-43ef-a826-a44d773db42e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of 
{__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,26792edb-8102-4816-92bf-4dba4c8e8839,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae1ccc7-5808-4a5b-a6dd-8239730405a1,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ef023b-0642-43ab-88c7-8022b36ea1c9,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e956d3-9798-4c35-a325-f1e4429ec07e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f5c023b-4030-4814-b535-753d1e0600d3,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43d16fa-d4f9-4d1e-9a04-ebbaff633c2a,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0f3ea2-3426-4a65-a809-bcb96056992e,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ea104be-f0df-4754-b390-45ed208c0129,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a99cb2-e7a2-4371-812d-879c3bf5b91b,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ff7002-c37f-4d99-a21a-ab664db46d2c,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3848957e-5559-4d9d-b8cf-dab07a4db0c4,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,470990ab-6250-433c-82dd-80ace40588d5,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,503ad8c5-ecaf-487e-8434-215d5bd9ad27,"4/16/2021, 8:47:20.117 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7826bcc-9fe2-4627-9cd7-eb2de4db36b4,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca0ff4fe-7e9a-4a92-b71f-c3f5b5f93c4a,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c974e44e-926b-4bd2-a986-f0fe7e0b666f,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ad5c7e-7a96-4c7c-ac67-4f65fb94b86c,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d195515-c193-472e-86ff-3d865fc68c9c,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e1081a8-7935-4a01-9626-d184864f4fc4,"4/16/2021, 8:47:20.117 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28a0dba-7444-4bc2-9b67-418d16e321f7,"4/16/2021, 8:47:20.117 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aa4bf8d-7161-41ae-8e5d-01f2ed737c04,"4/16/2021, 8:47:20.117 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8409f1d4-b731-4565-b7d1-acf889e60e19,"4/16/2021, 8:47:20.117 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3b0ce8a-fc03-4020-8e25-9c88c8ad7da7,"4/16/2021, 8:47:20.117 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ff5ec9-3f9e-483a-a3c3-19fd105721e6,"4/16/2021, 8:47:20.117 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e1e358c-347e-4c86-bea5-b0bb363087d7,"4/16/2021, 8:53:29.590 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6540 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7707150a-179b-4e3e-8352-c27c8a05f786,"4/16/2021, 8:53:29.590 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f528149-4ab7-4745-9f00-307db53303fa,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a6e225-c754-440b-93e9-ad831313e33e,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba509f6-403b-4af3-bdaf-df937f0c4b67,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b88c630-f25b-4d3e-8f17-2a3c54eed510,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64574b63-6a7b-4433-8fc4-34bd500222f7,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4773f382-5e9d-4969-bbb1-666f06312538,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d324182-775c-4aea-a9f3-b44c155d1f45,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,109becc6-4a58-4991-aabd-a4eed9baab34,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,247a528e-e173-4f06-a166-4962be54e9a1,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2344653e-b27a-46fd-b4db-71fc24f2de61,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13dd5486-12c9-47c3-8ee1-d92cd06880a7,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d2c318-9cd1-4e91-aea2-084386c1bfa5,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef99a8c-3671-4936-9a20-760bf120144d,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\SCANS3,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf86dd86-a114-4478-b668-eb6ba90ea391,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47edc78f-6c12-4f7b-8514-85bc5f598ef1,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c15e861a-1cfb-4c9a-a0b3-7b9c756ba661,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,105cc94b-b373-4e5d-b649-bd2f43036229,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0519a7f6-d78f-4182-89bf-bff32bf31ce2,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a67725b-3d7a-4965-b6e7-8c982af402be,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b548e38-c1a9-44d4-b8dd-18ddaa60a62e,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47104012-e067-4e47-a432-1e890f59dd95,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5263fb93-3798-47bc-81fa-415ec5e00095,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d838da-5b7d-4b71-94ef-1f6386945a92,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3154dbc-1a2e-41d9-8cf9-13e56e23246d,"4/16/2021, 9:07:57.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® 
WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f52aa0d-bcaf-413f-b240-a0ee13287ccb,"4/16/2021, 9:07:57.172 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94e85259-5cb9-42be-a66a-70a2a6cf8b26,"4/16/2021, 9:07:57.172 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e658ed7-2110-48a8-915d-296295ee66fd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfceabaf-0a27-43b3-8c83-fc2a2e14226b,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,453b123b-fb82-446a-8993-3e5c642fcb9e,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd63ef9f-cf10-4a51-8839-d57a87ad23be,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac44d71-3ebb-46fd-8fd5-b277b2b09afd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fad46d39-af77-4a21-942a-bf8d4790883a,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a237cab-ea1c-497b-a5ae-461fe81c9e69,"4/16/2021, 9:08:02.680 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1210b9c1-de02-41d5-8e95-56e07c7a64f6,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4558b9c-9862-4819-8f88-3ab858bafb62,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36cbee26-5216-44a3-a549-1ab2d89011e6,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11392a1c-c3a6-4037-ac53-4eff617e7baf,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b805d26-ff95-4ac8-9c26-6c9dac9340cb,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afe58ad4-4ae5-4a9a-905a-fb23482fbb17,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c97b7b9-5db6-4959-882f-87d7a2e96cda,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95edb4af-a65b-48a5-a5ff-7f2b57e1e567,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d158de3-d4a2-4182-97ee-373c94d62fd3,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f9d14c8-4b59-4d3a-9f0f-869b7c3f8169,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6e21dac-56c4-45de-8d6d-38d66a5076b7,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,338c4abd-140a-4ca5-969a-137fe1e4ee4d,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b45b60c-5b3b-4365-95ca-5610de4b1109,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73120bab-7251-4016-bdad-3b94428e60cd,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a72da889-070a-4e48-ab6f-32a92236a76b,"4/16/2021, 9:08:02.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,899c3cd9-0836-429b-9b20-e4bae4142468,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6254ce54-a253-4a7e-a8f2-24207b391206,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,befaec83-29c6-4f2a-a35d-7233de19c75f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c784a8de-5941-4aca-acee-4c244317bbbe,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d67c05-a35f-47cc-a496-fa4f01c9212b,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12de6b68-60a0-4339-8700-90b8d784f44f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdfecdea-ca04-42a8-83ab-1f5e062603ac,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b5b3dab-d4a9-4a77-b2d1-678a44cad7c0,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03477680-ccc1-4746-8275-384df6ccc852,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a08500f-3199-4654-9dcb-acf9b9a912ce,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,379296ab-5eb8-4017-bded-cf88209ac975,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,456eafb6-5f5a-411b-b5a6-67927607ee45,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7998c160-4c64-4a17-808c-4b9799444236,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fbb9d1e-1065-45bf-b8f9-070ebc852105,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8949cb4-5e9d-408c-9cb7-af4735699716,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2048fb39-8f1b-478f-807b-0d0c9fe87e74,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2dde12c-a077-41ba-8c21-05e9a6545053,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85192d5a-1849-41c0-9c5a-11d25b874896,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d1d670e-266c-4806-ad64-eb82d5edbfb0,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8471fe3-2982-4cdc-a056-ce3f3efb7a5f,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,812f1906-0f79-442a-8f70-2c023f4c01e1,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67da6534-c728-4a75-91a8-ee59c0285341,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e2d1e54-ae51-46f7-b24d-bc15640993f9,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39472f72-831d-4240-b579-4aef6efe6047,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bebab64b-8264-4d14-a095-8b409bae171e,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c67e077e-2e0f-4e8d-86ef-9a0a4b3c8b1c,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,503eb8de-442c-4d53-b1d3-f038f62119ba,"4/16/2021, 9:08:06.123 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3434ec46-6251-4f47-98bc-49205c629aad,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5d29e091-73d0-4014-88d3-0ae885f02f3b,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6188 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47d26e5a-dd49-4fe3-b21c-ee534df9d46f,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c185740d-4cb0-4165-abf0-fda190076388,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,af614b74-4a4b-46e4-885f-2066e6e39764,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8bf62e80-d1ca-4d2f-aee7-c964904989ab,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6364 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f364954f-6ba8-4cc1-a13d-c8f680862ac7,"4/16/2021, 9:08:07.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c3fd86a3-99f2-47c4-be2b-6e4f4a29be44,"4/16/2021, 9:08:07.877 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,19b5b1c4-cd37-46fd-89b4-01974653881f,"4/16/2021, 9:08:07.877 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4cf53f4d-37d0-4ec6-a144-573439f8c649,"4/16/2021, 9:08:08.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,83a1ac2d-6c61-46e8-9287-be8b4fbc6a5f,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e8819b56-8f11-43ff-bc7a-db1648cb8a5e,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572ccb40-f349-45c2-ac57-e4e700c532dd,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b999bc0a-13de-4134-af64-34a3aad31b49,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5039d724-c835-40ac-a68d-1e6adbf57b8c,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9a8c6dc3-9618-467d-9aca-87f451f631c4,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c440d6c9-e841-4695-9cb6-7502c4bcacbc,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d89e1d64-83df-49d0-b8aa-ed66e3a15576,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d27e75c-68b4-498e-b8cc-e8f7a76ef2ab,"4/16/2021, 9:08:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,88edb50f-e937-4c30-9fe7-0b63f8f1cbd8,"4/16/2021, 9:08:08.057 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,83d93b71-1839-4c5b-a98d-9e42b4e6aef2,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d1ce4d98-7618-4a10-95a3-c1828169d58b,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,02e630d5-2af2-459d-b088-9239ccbfde68,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,72888e1e-1482-4193-9b3e-6194c18f6ef1,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,22fca395-cbfa-4226-991f-efd72b067d5a,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4b1baa79-c278-4ff7-ac14-1826e6a1215f,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4be814b-b02e-4840-a76e-07a0bc739af3,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,90ec083d-51af-40dc-a642-d3ceabad9caa,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ea4248b1-b389-48a2-8eb4-460138340fdf,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f7242424-417e-4f38-99f2-80ab21248828,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d1809390-7634-46ba-94ba-82c2c29ff717,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e4a838e4-a9bf-490d-9ffa-eb8e8055fc82,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,765a54dd-42a3-4912-b430-bf6e450b6e0c,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26c2b291-e67b-4a02-b1eb-68c2f6642bb5,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6f02ce6-193b-4942-9941-fce2a202929d,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3f08e3ce-9111-4d73-b21d-2d35d4874c5b,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a14c364c-6fa1-4d73-8e71-aec755e67de8,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,efd0f6e9-b74e-419d-9c9b-13df26d42f06,"4/16/2021, 9:08:09.890 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,46822ec0-7d86-4df2-b02d-ec3412c5fa8a,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,32f3db91-a007-4e03-8f6c-e8850f0eb605,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,778c0550-092c-4ccf-b26d-b98659fe4316,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d3d343f-07c4-4c49-877e-ad1bbace53ee,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3f02e08-b615-4182-9a70-e05fae82a5f3,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03a6a241-c5c6-4bca-9f80-91979658f467,"4/16/2021, 9:08:09.890 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7120 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ebb78c11-d025-40ce-b218-f577bee1648e,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10888 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,07fb1ef7-7b02-49ad-baf4-4faa143841a8,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12876 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,561c81d6-db91-4c66-90ee-95e2fcf85013,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b294c9dd-246b-4789-a4f2-667fba434dd6,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c636f3e-518d-49aa-9013-3dee5a929f1c,"4/16/2021, 9:08:09.890 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ebc85c6b-9f58-47ec-9ccb-ffe5de0dc063,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bf88dbc3-a7ca-410e-8455-d1fc836f5158,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,124c9728-ae39-4b82-a455-6bee790ce201,"4/16/2021, 
9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,155049a1-d1b1-4052-b02e-41633e959c5b,"4/16/2021, 9:08:09.890 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6605cd27-2009-4d88-b0a0-95443bd6720e,"4/16/2021, 9:08:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5436 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a9c6cdbb-fef9-4cfe-8b6e-d11f91cbcf37,"4/16/2021, 9:08:09.890 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39dab6fc-92cd-4130-8c53-b98b70cf2839,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c30ff5c3-61b1-4c10-afbd-6494834e6de3,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,364e9f3d-0bac-40d1-800b-48c3bf41015c,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a7c500b-0eb5-4719-a8de-90ba050e4f35,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74bd1a02-4618-4223-96a8-9575ee36619f,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561e7b41-e9d0-4d42-ab91-51267bea5279,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f48bea9-0956-4360-a6e4-9637bfeb76c4,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20803eaa-5af3-41e0-96fa-e6d4ddcb8eb4,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0eebc9-76df-496f-98ef-c70bcf4e63dc,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d516db3-af8c-4cd5-a4ce-e61b7d9ac325,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48a38a63-0080-4d18-8a32-06d26a788e09,"4/16/2021, 
9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,532160fa-9ae7-4532-ae69-f3e6e264ce90,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f84d8a9-b53a-49ed-ba78-3375039ac451,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c7eceec-e509-46f8-b02c-db8f0fb0d88f,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb40236e-76e4-4edb-83a9-c781936b758d,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaec5677-037a-473c-9313-f92515c4964e,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af07ab6d-0316-4b62-b927-28ee605654c5,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,009d0c00-0419-4ad5-a7d9-062adeed046c,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddb4aec6-496e-4ddc-b01b-6249aaedef89,"4/16/2021, 9:08:11.119 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa0d64e-1b22-4939-b67e-4df500189dfe,"4/16/2021, 9:08:11.119 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eee9e5b-fb6c-4aaa-a5dc-00a31b028b66,"4/16/2021, 9:08:11.119 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,e622aaf3-ed8f-49aa-b917-f1d3b319de8e,"4/16/2021, 9:08:11.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bc90b16-f878-493e-aacb-67498710bdb5,"4/16/2021, 9:08:11.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 112 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d1a21331-7e5d-4703-b906-624c2f49a723,"4/16/2021, 9:08:13.724 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9798646d-1046-4986-9459-a372efb3cea5,"4/16/2021, 9:08:16.817 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f16d37e-ea5f-494b-8331-0d4fba194161,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24342442-3eda-4f54-b8bd-d145e365c92e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31c75b8b-5fff-4228-92a0-453ac2723f9c,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d58bd91-2edf-4774-840f-a0cbae85045e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa975652-5a62-4e7d-bac7-e56b78d63751,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdc7c9d1-a259-4bad-9897-febe125d8c05,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36e695f8-0e69-49a1-93a6-d6e664384712,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a25188b6-2e76-417a-9e0e-77482cc89939,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c426c5d-cb33-4a48-8e79-113db34bfe22,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7855e420-43f6-48fa-b122-92a1f9fa9487,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e91d4e9b-9ca3-449a-a6b0-5ee9e76cebcf,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2e34ff3-71e8-464c-a7f0-afdc923ac113,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2603f93-a87d-4046-a189-5184643eca64,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,230c97c4-3088-4ccf-bdbb-d75cac8f8e96,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d98f62a-0a0a-4a9f-abc2-49b0523f478d,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8838f46-949e-490e-8db5-6cbe4ed54a21,"4/16/2021, 
9:08:16.817 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61412c5d-ba9c-4771-81ac-ab2c340e308f,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b4e9eb4-4336-4754-a540-9b210742133e,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d2ef6ed-1b42-4b0f-a58f-c99a0154ce5a,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c4a928c-e5e8-46e3-93ad-a21d8ad598e2,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4941ac3e-ef5d-4b7a-a03c-2436aa718159,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12b0d5ef-440b-4dae-a58b-714281f89257,"4/16/2021, 9:08:16.817 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7144 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + 
C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29855d97-dde8-4c3c-9cc0-f216e2946356,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8532 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0d1d1a-512c-4f73-ab6e-2ba180ea1b79,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efe6e5d-81d0-4dc0-a105-0ba3458ebf1f,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733b3076-e634-428c-8239-d544fa125b88,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df97dc14-355e-4580-968a-1d10b6f317ef,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd7efdda-b155-4daa-996a-b28395ec9658,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb3e655-1c59-4c40-b73c-da0c124373f9,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc351fd3-bfee-4dc6-ae51-c028b7caf0d3,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,17641a83-87d3-4c7e-99fc-cacedcc63b32,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8808f5d-848d-4e03-9b12-45df86093996,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e69420fe-77fe-414c-a2ad-9d375bcbd59a,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,211a55ea-40c3-4ff8-b99f-3e2234560ad7,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11d166b-2493-4740-b633-ee91f0f6311d,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fad6bab6-9a3b-4f64-8797-65e875e6a8b1,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31afc0f2-b046-44d4-bc5c-05624e8581cb,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5b0097c-d931-49a1-b9de-7058c10ec3a5,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc81608c-4011-48ab-a98e-e41a9e6f2b65,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2426ad-73d5-4480-a60c-16b6e9d86084,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8465d825-b9be-4a75-b91a-7dcef1c73294,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760c255e-c8f1-42de-a702-81a021e67367,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54de491d-043a-4e35-976b-0bbc8b2f25ec,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18cd00e6-af82-4545-8b49-3ab3450f9dae,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18286d0-7610-44d1-95c8-582235de4cc2,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a166e6-b82a-4f5c-9d4a-ac28874a80a1,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3000a9b4-821c-40ac-8826-30c2cfb2bc0d,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4ad2221-6289-46c3-a605-a170cac27996,"4/16/2021, 9:08:20.123 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,806ecd95-889c-46c3-8de8-4b738577d9d8,"4/16/2021, 9:08:20.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,901f7556-b235-4634-8733-eb91aec3a837,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,205e73a8-a869-45f7-b539-6e8f0b7ae128,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbf84c80-c39d-4c21-b743-6e30fb1c9489,"4/16/2021, 9:08:20.123 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7276 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bbfd25d-9548-4800-b974-e376f2f91323,"4/16/2021, 9:08:20.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31143e5-d804-47d5-bce3-edb18d98cd2c,"4/16/2021, 9:08:20.123 AM",,,,,,, +\USER1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f4cbb1-0a37-4d9f-8205-8c15eb5de9ff,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f1a628-15a7-4b25-86b9-4e57cbabb50a,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,250f85c1-e742-4153-a4e3-09d43e505228,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e0af898-9c7f-47ef-9ebf-72686af9ed67,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9799b69e-25fc-42d6-ab42-f62d47390d27,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8199cb29-68e2-4b32-a048-6d2645e7cadb,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b74da50-3277-4a20-9ba4-0e2cfcfd6d57,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e99b43-5330-4318-976f-d2e6702b1525,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa62f887-59ad-41af-b6f1-30483cb4e21a,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d989a0a-4942-42b2-95bd-535bfc6fb444,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e11ff93-0a4e-4442-80e6-34384c363f7c,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1012e212-e518-4984-8acf-c4a25f78dc96,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\SCAN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d735d6ce-bcf0-427f-a0a6-5d797fa471ab,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2242866a-d210-4073-aa84-e9628df8235e,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b5374c6-7390-45cc-a438-4037e02c60b8,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c46d26d2-e98b-42d7-bbb1-fde88d8b3edc,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ead59eb-7d18-4c63-8fac-121c2685a8b1,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a25db62a-dca6-46cf-a6bc-a7a7d02a9d4d,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cea871a-4df7-4253-a77e-ca13e04f0362,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\DYA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfd0f055-5b0e-4e65-bbef-3fd87e5898f8,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb1e7325-86ac-4ada-b74e-f5b0dfd31e3f,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20fe5cbb-b953-4e03-848a-2cfe0ef2adb1,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf851a0-627f-4bbe-a50d-b1bcc7a1efd4,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22396021-cad6-45df-b4c0-f6d2f075c65c,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89704baf-d19a-4a9e-a76e-d71a8164406b,"4/16/2021, 9:08:26.176 AM",,,,,NTLM,, +\USER3,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cbddd6b4-08a2-4daa-beb8-f0d09283c8e1,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdc38998-8d53-44a1-a07c-f9f8d3128aaa,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\TEMP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38c7cd5b-f1d6-4cc7-9bd2-f75b94732e42,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26814506-8dab-4253-8057-d45cfead38f0,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,73398171-db49-4522-997f-d968757752f9,"4/16/2021, 9:08:27.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,279cb46f-39ce-4005-9ae5-d0143c000fbd,"4/16/2021, 9:08:27.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8fd6b6ec-73d3-40db-aaa3-d4ada26f7f1d,"4/16/2021, 9:08:27.410 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc3a5103-0b1d-48c0-8377-d481f3aa9a90,"4/16/2021, 9:08:27.410 AM",,,,,,, +\SALES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d64d41d0-2a1f-46cb-b201-840f11d0af6c,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c0a2105-776c-446e-ba35-208d35b6ef83,"4/16/2021, 9:08:27.410 AM",,,,,,, +\A,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34f852c6-5f6f-4a54-b2a0-f80f7e77a778,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdcbf364-1b36-4060-a5fc-a85bcdfa8fd9,"4/16/2021, 9:08:27.410 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4fcdfae-6753-42bf-b74e-98ca00ce990c,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76bfbe62-8b69-43ca-80ac-a6db5daea306,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fd6bac2-05e1-4a83-a440-7aced4544830,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e0fc871-42b8-4cf1-8359-8017aa267cf9,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6952398-2ab1-441f-8055-4287037cc9ea,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0068506c-a229-47b0-b037-23902475f0cc,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f0c5bfd-2275-46cc-b64a-ccd0ed14c7b6,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23874e96-6e64-4ab7-8d9d-337bd437b62a,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f42948b8-55e9-48f7-bdbd-0be259e67e9f,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7c52097-e2a9-405d-b5ad-1f94b74c4820,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b6fd35f-0e21-404c-b25a-22b1e5523405,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,024a3b53-e613-41df-8bb7-ff213eb49a5c,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba51882-67ef-493a-bcba-397133bcc2fd,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7baf3c25-3a54-42d0-b342-0731dafae107,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bfb3e12-77a4-43e0-963f-fba0d38cd463,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38ec428c-725d-4b96-845e-a2eb97b7d530,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a39d4b9-8bbb-46fe-9f51-12b37efa78a8,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7960716-23d1-4675-9722-ece6969119ff,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d98b065-2d86-4647-a1ed-0102d0ac431d,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcf3a5dc-741d-4b61-9e6e-e8280fa7615e,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,659d78b5-7089-4b80-b6eb-9b4f6ccede9e,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,def84706-ce62-458d-8a01-da00631a3d9d,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee009d8-e734-41fe-818e-6e9f139066db,"4/16/2021, 9:08:30.682 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c5d7f8-ce17-4fba-9e23-b77817ca67ce,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f39f9cd-a183-47e2-8a46-a4dc741ee646,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3fc50d-2593-4a0c-aa42-7a2c9cb974ad,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7842d31-d2a8-42c3-a38a-4236c7ff148f,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,398b9303-fa60-4bc0-a795-07a6df90d7e3,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed984ea6-abb1-43d4-bf15-44c5d517e5b4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e39688b-3397-441d-9e46-4bb7ab5ee34d,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d6d5b8f-47bc-40b0-8603-6e3cd2f82d20,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05c4ebfd-8d35-41e0-ab99-7f3648938c0d,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a43a948-c88e-452d-9f4a-7e3bf066817b,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d176d90a-c76b-4ce0-b4a6-2b57652a82d4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8182b79d-f327-48d8-a9b9-5b63827b4299,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2e14a6-f24d-4260-9fe9-ef6aca75aa12,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75395e45-1940-42c4-a100-79bad742fa76,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16879dc4-07ad-4515-95b3-36866b026ee1,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1918391-3e4e-4e30-9e84-15cc62030ea9,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,68c60e4b-3b2e-4bfd-a3fb-72a766c03402,"4/16/2021, 9:08:34.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2412430c-96c2-41ed-aeb6-a8a7a225e9e6,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6689bf20-1ebd-4798-ad34-9fcdbf40a73a,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19584800-5a0e-4690-a881-07ba654dc67e,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff075c7-01b5-4722-916e-06cc9e8059ca,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effe7105-62a8-4939-8c9c-c90f58f8c6ee,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fb10e84-8b29-4233-a10a-0ea32692e34f,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d542722f-7060-459e-945e-210b54dee7e4,"4/16/2021, 9:08:34.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19ddadd1-9bb2-4898-8a74-1242c1494ac8,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,813ea1ce-c553-4b5d-8501-c1cf501a4dc4,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137295d8-adf0-43bc-b434-c230ee3fbcb2,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127fca4f-ece2-4d48-9e1f-baf4a8c931df,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34262af9-e8a7-4df6-9fba-5809426b6dd1,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03353d20-5738-4ba5-a5d2-42b440edd642,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377c103d-1b7f-4fdd-8f04-a160d58512c8,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60dbb361-f77e-4438-b3c2-b72716b03db6,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b281af7b-77f4-43ba-a719-4c028234362e,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e592e02-c0c9-4bbb-8007-dc566057d677,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48947b1c-4422-4414-843e-2a29553eeef7,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49fb19b3-2431-415c-9dd5-e5386f230b27,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61473c6b-724f-43db-95ff-bacdc9521a45,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f6ba20-f55a-4476-afb0-28f179d54960,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce55ad2b-5677-448b-9199-eeb3d1cab529,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a6bbc0-b179-410b-98f1-c7df78e1e603,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352409d8-d372-4a59-8980-1ed23602118d,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55533b9-2042-4467-9f1d-216eb7abae4b,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, 
+\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd321297-13c4-4214-a681-e9346b915f00,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4666206-1353-4f19-b911-2fe3b4fbf9ba,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b79c22b-32a4-49eb-aee6-c88fa4ced42f,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ca3d21c-edec-457c-8adb-6e0d159908b6,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80062b5a-795f-4b3c-aea7-dde10c7a59a2,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad805f93-8590-4d3d-b2c1-c5b801ccf22a,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7064adc3-0b6a-4c28-baf9-6e135d907293,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc57de2-a202-43d7-8bfc-168581572096,"4/16/2021, 9:08:42.119 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,45a13561-337a-40ec-a8f8-7523afa15375,"4/16/2021, 9:08:44.865 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6678810-ab5b-4ab0-8b2b-65379c28a5da,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15ad07a9-720a-4041-9572-7489baf21b37,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,496d3017-e024-4fea-8e18-783de7edf850,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d64b5f5-1e0c-46da-a4e7-8db2af4d02c4,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30d95043-4c53-40cc-b29c-1319a61f3810,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f438498-f72e-4519-9e56-1e36f0c3e0d6,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,402a5c95-17b6-43e1-b1e6-a29340c4111b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d9d9050-4069-4ff9-b244-36349b4a8a7f,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,091bb075-e9e5-4c45-9a39-566cc2170445,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2ea004f-fd85-477d-ae3a-1e678d9da0d7,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6c057c8-97e5-438b-bc9f-a483a2df8d4b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecd1d26b-4dc6-48c2-8ade-876aa498499a,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdd5e88f-ff0b-41b0-b4ca-1d1d50e4130b,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65472be2-1046-41c7-8926-da92ac7631e5,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90d9c482-49f0-4b0d-b824-ec604e538943,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3583493-bfa2-401c-872d-785fa825d4ef,"4/16/2021, 
9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72b0461f-a6d8-4235-b459-67c2181ecb53,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6964002-9cee-4657-8238-327378133157,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bb0a14e-60d3-4be6-a7ea-e4aaf56dede6,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00a94c95-83a7-4ab8-8064-1cb6cf90a686,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,512fb32b-8467-4dfd-850f-1fdd87e62400,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26257724-32e1-42c3-aefa-c35a5a978404,"4/16/2021, 9:08:45.684 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad933e7a-16d7-42af-accc-5a546822c890,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955b1b90-199d-4c09-97ab-56b2f5c4e463,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41d5434-7552-408a-b4ee-8ad7b96ab487,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5c4c97b-c444-42b7-a1f6-d468f72aaaaa,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1beb5b9d-83e1-4b70-a2c3-f58c1aeddc45,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5eb6dd7-b18a-4bc3-8400-2b30f2589e1f,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdaccc1-a828-4845-94f6-e069a24bd584,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24cb45e9-a2e9-48d4-b59d-401246a659c5,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db64a2dc-7953-4247-b0b3-1b35cde36450,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,def25773-5f99-4a48-bfea-c114fc6667e1,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15114b41-a6d2-4c52-ad21-afd990107e2e,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e76be4ca-b2a9-4441-a068-043cf89647eb,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ab9ee1-19a6-466d-8bb4-2684977fe594,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ca25906-e1a3-437e-a5ef-5f7461c8bb0b,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5423c03-77b9-49db-9875-0b47cc7a1eb4,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,125e4872-b325-45b3-9ef6-2b1b1f7d661b,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc6005bf-3bea-43bd-a8e2-6aa293a1bc3d,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1003171e-f735-4fc3-bc67-3eb8fc4ddf15,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6299f63-f4bc-4d88-998f-850be5f54f95,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bca77a24-e22f-4892-86e5-6269c39de333,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1deeaf5-497a-4e13-ae89-628b54f7dfb3,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7900497-33e2-4c42-9088-af7545f648bc,"4/16/2021, 9:08:48.123 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aaf224ca-de38-4bfe-8f38-460775b97295,"4/16/2021, 9:08:51.613 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6abb16f-8cb0-4557-8c47-d642b0bb1d00,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10936 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 
31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,18f98072-ad20-4d0f-be85-fed5da8b8ad3,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,30cbd196-5f2c-4842-87d7-ee4d42ce624e,"4/16/2021, 9:08:51.613 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ada4c104-132e-40cc-9c60-4225645dac01,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8764 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,37510603-db9f-4c14-8170-2e11801d0440,"4/16/2021, 9:08:51.613 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,086555c6-e32e-45f8-aee9-f142d8427fa1,"4/16/2021, 9:08:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e3a14638-9c02-4905-bb04-6e5191265990,"4/16/2021, 9:08:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a92ac037-bdf9-47e5-ba63-3b8e1a403365,"4/16/2021, 9:08:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1cf4a5d2-9a8d-4631-9e46-73617168d9a4,"4/16/2021, 9:08:52.733 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0aab661c-6822-4f20-9533-62b2d80958a3,"4/16/2021, 9:08:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,556be887-1516-4b2e-974e-78d0147fe9a3,"4/16/2021, 9:08:52.733 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b84efdc-51c2-49dd-aec1-18010604bbac,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b424415-c05a-4024-8f25-ab3d4ee5b1fb,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de665c54-aa2d-43cf-8951-2f3348c3ae2d,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637cdad8-a080-45ee-a3f8-c26269992756,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c07df4e-3145-441d-8da2-996ef0e18f0f,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3244af8c-a9b0-4292-8b4a-582f6ad08357,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bf1a78b-ae4a-4993-9f1a-ac609933c559,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99adbee6-8409-4f2b-b183-79a12b2fb726,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67916ccb-89a8-4e67-85f6-1fdcf85c0411,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4817bc59-6af9-40d9-8283-4d50c84cf156,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f253c6b-d24e-4fc4-967e-66cb7d557565,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea9e2fb-d6f6-4ef8-b1ee-b132dc3974be,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79503f00-9fcc-4619-a029-5a925573e896,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d0bafe1-f149-47d5-aa22-d375ae7c6b01,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cf3e166-a39c-4ec1-b82d-ff9e71dcd872,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e852e4-c172-467d-8c10-86c36bfc8c0f,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47e0c392-7db5-4bc2-ab03-086b22f269df,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16936d79-208a-46f2-86fd-7fce2eb8309a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbecb84-0992-46a0-800e-9888adb3530a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a662db5-779d-42f6-bb49-7bd27f05e2b2,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5889ad89-4940-4ef2-884e-334d05e65d47,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f70431c-991d-4630-9d17-18cfecb9127a,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcfe822c-65c9-40db-8bef-063ce7df8b76,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,929ab71c-527d-4d20-976c-99369017bc77,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c1b3fc-1d8f-43ca-8f9f-b1d054f74d03,"4/16/2021, 9:08:54.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,46790abf-41c0-47d1-aacd-00dea72aa62f,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6d7ad0b4-948a-45df-b46e-3445a4b0cc9d,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12144 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-06_211148\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-06_211148\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1f7b8f80-da95-4c8c-a4f0-083d5308e5f6,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a339f012-8c4e-492c-91cd-1c49d53ed7a4,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6880 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-06_211148\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-06_211148\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,371e694f-8f35-40a8-be58-19455f0c239e,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9004 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2914be43-7428-4497-987a-95a50f95c527,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4496 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,54baf6c4-7935-4c88-943b-30cb530edd70,"4/16/2021, 9:08:57.026 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1243ec3a-3acc-47c2-9ac5-b071dc7bb91d,"4/16/2021, 9:08:57.026 AM",,,,,,, +\PRINTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,124c65b4-961c-438d-8070-57847f52d7f4,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\USER01,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f45bc4-4a52-4819-bd65-15f72c0df7cc,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38dca0f6-d7fb-4f47-9c38-efc632c89fdc,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\TESTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6648e422-1639-4fea-a065-fe978e4290e5,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\SCAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c79983e3-b3c5-4db6-a456-e1fb34bd9956,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,704d4e68-1683-4290-bdd1-21b6405edb69,"4/16/2021, 9:09:00.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66dc819-f3d0-4a71-a0e7-5cdba3b40c27,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aa0478f-1439-4641-99aa-7e8ce1ed750f,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6981e1e-ee2d-45a7-84cb-15ceaa86edc2,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,085c7b39-41e9-4066-84be-ddbb3909530b,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4117c968-f8b5-43f0-b790-fc29f10a3069,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5527047-b5af-4414-a533-946293bc1d98,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef78942-2220-4513-9889-bce731cae0ac,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e1fadd-1d6f-421f-adc4-9e90ce264bd4,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc443373-9339-495e-8c08-2fca86021531,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,097b8eea-6b53-480b-9947-9519db92af74,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ae815a-b043-4b2a-8da2-458b0df63444,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c4a485a-90d6-469a-9ad5-29339f7e2266,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec7d5b6-849d-401f-ab63-767515585f8e,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9d717fd-2145-4b0d-bfd9-03d1bf3735d7,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec4ea1a-810a-4a07-9e28-2e02b7a1ad47,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ba3a67-a225-41b5-80ae-734574e32c40,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eb694f4-2887-42e8-a436-a56d349fc12a,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,797440e5-ddbc-4330-9690-de1fc6081615,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1a8c047-45f7-469c-ac8f-0b8a67225aed,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c6fad1-475d-4f8c-ab7a-2d44fb3bb3f0,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88b59e6-3a74-42df-84ed-ea5f21431772,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f09fe8e-f771-4221-abba-c1d4a29d55e6,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee659ba-32b6-4b17-95d2-780fd7e3a1ff,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f88e10-db3d-44f9-8081-20be109fd24e,"4/16/2021, 9:09:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d42f1aa-f22f-4eda-9181-475096db6a04,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80d2ed0c-b8c5-4602-8f3c-1b205f41f654,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32e15fc-a535-4682-a7d6-2dc78c0cd406,"4/16/2021, 9:09:08.123 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6760a33-3d0d-43f0-8e5b-d99e77772f20,"4/16/2021, 9:09:08.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4db17c56-63c4-4377-9ee6-9bc71583ed7b,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4640 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba9791f-290e-4d0e-892e-0b12d8a5cf63,"4/16/2021, 9:09:08.123 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,da9deded-3998-4f27-92f2-216a5c8eb923,"4/16/2021, 9:09:08.123 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25c5ea41-1a3a-4bed-9fcf-a949f9914182,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecad7140-db54-4a79-8b7e-d95d7b6df50c,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd03dae1-221f-4ea3-a4fe-6e37851e8615,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd2eeb77-b9a5-41d3-a341-023ce282eec5,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f23afe6-8653-4592-8c29-3eca1282dd24,"4/16/2021, 
9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,170474b6-5798-4701-8aee-4b40eefcfee2,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa5f3f6-c04b-439f-bb64-0fd1d091250a,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38613b64-5953-40d8-9573-6e770e5c5b85,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2a4bf8d-111a-48f0-a422-2e9e56d7520d,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b103d4e4-d6ad-4077-9dfd-a0142020f667,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12986321-d753-4b58-b941-612d9b976601,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f86f96d-f469-4422-b862-5e8a25ea9d25,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4bdb40-9b22-42f5-b210-713df6a6493a,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d107222c-85b6-4ca3-aa23-54fc5792696d,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84bc20d4-f0c0-4f17-bb07-1f95eb7afa82,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c731518-6188-4054-9f8b-9d097d6e5842,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c019912d-0686-4d21-8089-3f28ed41f936,"4/16/2021, 9:09:08.123 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1b27709-4b45-400a-9c18-a779994a098b,"4/16/2021, 9:09:09.871 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,85e22bcc-3803-47c6-bff5-8d5536b07ee8,"4/16/2021, 9:09:09.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f88052c8-f8d9-4512-8d1f-d4650b5c02e6,"4/16/2021, 9:09:09.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6800 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,78e23aeb-9ab5-4cd9-b24c-984b429c616a,"4/16/2021, 9:09:09.871 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d925f8a-be27-4348-8a55-43722a4aab13,"4/16/2021, 9:09:09.871 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5465e912-82b0-49eb-bb70-5a67e8a3366c,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70a74113-b12c-446d-b336-36c276af0332,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a550224-e9b7-428a-9801-cf5abf83e4b3,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1c515cf-4ca0-4925-87b8-a58a1eaaccfd,"4/16/2021, 9:09:13.694 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5093243c-d8dd-4c8a-8ff4-8b44ee823a8d,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c69976-ee69-4f4d-a779-25431d4e054d,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa8e925e-82f3-4a78-a7e7-90ec124e9432,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f295f42-01fb-44e6-a9d9-9f4aefbd6307,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ae261a6-fb2f-4350-b40f-97d3ede959a0,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,698eb8c5-fd43-4cfa-8639-155046ade525,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d1e941b-483b-4396-b828-8bdbd3e51383,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\GIULIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce5e76a-ff82-4f26-aadb-f7cc3a6a33e3,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b3cc8a-9386-46f1-a597-be8c9bbbfb8c,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f92fa863-2a73-4919-bc25-a343f440da5f,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44b479a2-b186-4bb7-8e6d-817622e6ec61,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,933356c4-897b-42e7-9441-242dace891d5,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0593cca-3136-4281-a45f-cdede231c766,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1eee3f9b-ef3a-405d-abcc-a3a7c1b8b5d5,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12a4e69c-b02c-49ac-9478-62802dcc81dd,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7403d0d9-7150-4e6a-8fd1-7990b2a09dbd,"4/16/2021, 
9:09:13.694 AM",,,,,NTLM,, +\WOUTERMB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9335b2f8-92e2-4f76-80c9-116f76bbee15,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0e14777-c848-4089-9358-2b409b389b4f,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5f77c23-3075-4ced-a1d2-1c937165fe16,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7243eacc-1578-4358-bf42-b60a03cdce11,"4/16/2021, 9:09:13.694 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c49f41-d01a-45db-aa46-5cce2ee15d77,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8f6dbc8-bc82-40e3-8d98-ed9a0f3276b1,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,327d73d7-2b36-45ad-977b-efadac948b8d,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98deaed6-1f34-4f91-b70a-db579a4714ba,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a49c18ce-4073-438c-afca-0bd58f4ab078,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5005c40-b124-4010-93da-7fdc39d97ad4,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,915337fd-f23d-4e6f-8d2f-70cae9eca017,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b39dd3-bea4-4844-905f-831a42cbc373,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0baae95-7362-4343-8030-cd1907b41aa0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a43c852-2e80-4ef7-9eb6-ea7c70efbf20,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bce9cde5-e0fd-471c-b102-d2d2b82555a0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3508a4f4-0321-4398-9fd6-b5aa8ed0ae37,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1d55391-f4af-4cd0-86e4-2747fde62e5f,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b796d4b-8fc9-4672-9f62-865f588283da,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d5ae89d-426c-403f-9116-444ea59080f0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\PDV2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c52d17c0-e88f-4958-a1e2-eec8354d370c,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\OVB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8515140-2324-4df0-9158-f324ebdc1a1d,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a74fb0e5-bf74-4433-9b86-3cf2b9df5906,"4/16/2021, 9:09:21.200 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,77545c1f-2dd1-4954-9c02-3208704a2256,"4/16/2021, 9:09:21.200 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7916 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7405d45-09d6-4d96-b718-fc28e7ef2a34,"4/16/2021, 9:09:21.200 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8088 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d79a74b-dd9b-4329-adc2-31e42771c8fe,"4/16/2021, 9:09:21.200 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f963a8-0707-405c-b721-308a560588bc,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7d28b38-7ac0-4ec6-90cd-51cdc47dbbd0,"4/16/2021, 9:09:21.200 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26740993-f5b2-4f52-ab3e-8b18c6c4b4ca,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3499cb87-b1a4-4c0e-98ab-9a0bd640137d,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8664 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fe013890-f351-4a2b-a911-e7e1a13a63b5,"4/16/2021, 9:09:22.922 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8372 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8023b4bd-873b-4aa7-9daa-4fa8fa8608c9,"4/16/2021, 9:09:22.922 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,7ba092cc-cb99-4c32-b02d-0147b0f76d59,"4/16/2021, 9:09:22.922 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9388da18-e632-4878-a494-d5042820e8c0,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3ccc2f9e-901c-444e-a664-4a89bee77946,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7a54320b-986e-471f-90c9-d9804f9976ce,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,40f6512c-5ccf-488e-bec9-a9b6b024eeac,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bdf36b90-8922-45ec-a62f-6e6536332ac6,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b7440f16-ea56-430b-8e75-1e109a2f4c27,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73bb3a20-6f6a-43cf-97e1-5f5a49c6d567,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73d00ab4-7bb8-43e4-b0ed-4e032d2d2166,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86f058c3-1aa8-49d2-9341-7614f98e485c,"4/16/2021, 9:09:16.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,614632e8-29ee-4d0b-bf0c-9cd1194e5838,"4/16/2021, 9:09:16.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,748929e3-af92-4ef2-817e-41d682664bc1,"4/16/2021, 9:09:16.057 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bd32f-6746-408c-91d5-a2c02f58cffc,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbab48c3-f536-4939-8a49-5c76c1c89533,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\SCPAB,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a393463f-9df8-4437-bd0c-0e3eabf74674,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd8f203-3333-4964-a1ba-238957647123,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14ef0be9-0b38-49fd-be86-d92a7b6b616e,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d1bf35-3e4e-406d-a6ad-33b78aaba89b,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51159fa-2b42-4b4e-ae5f-2d2d4ba91363,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449520d2-fbe7-47e4-b229-e5b3fc23db1c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3db6e4b-da60-48d0-992e-b1efda5ef385,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f15abac6-7aea-419e-b9aa-55eb20804fc9,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2c6099-abe6-40ca-95e1-8a9c264aa922,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33380a2-71f4-45ff-9a3a-999898896cbd,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de852f71-a4bb-4cba-a520-722784f08d27,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31aff50e-342d-46a6-ae70-4c33a6fcdd2c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f706d7d-cad8-4a7d-9667-b78a254c028a,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed7322b-0842-4f6f-acfd-5c0dd259f132,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af27c2c3-8a64-4039-a781-8ef1b75fa793,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef84a24f-c49f-40fd-a751-f76a6541c46c,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,625e704a-c141-4d74-ac87-8c66470ddf64,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f385e6-22a9-4e27-87c4-965a8b60267e,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfc8a16d-40b3-4239-aa3c-90888dff68ad,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c555b3b-1539-455d-b999-252ddff830d6,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eefc7d6d-23b9-40ce-be31-da720f54d96b,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6474b4a8-87ea-4725-a47c-440a83a28ec7,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3938df-ce6d-4fca-ba82-5ec27d92c8d7,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f7528b-7f2e-4176-b3a4-0a2948dbce94,"4/16/2021, 9:09:14.223 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f7fbc0fa-1196-4218-8b92-214bba20a9fd,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,86ded7b6-3c0a-4dc5-8d7f-cf76eabe5c05,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10272 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0940bb81-5679-48cb-943f-4ecbddbfbe3e,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,051b3e50-de05-4e1c-bece-a2e2b9888122,"4/16/2021, 9:09:26.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7397c434-d13b-46d7-9233-139fa583d410,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8768 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b05a7fcd-3e5b-4b0a-aad6-a875868d5ef9,"4/16/2021, 9:09:26.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a0274af-5bd2-4803-9823-394442b52463,"4/16/2021, 9:09:26.601 AM",,,,,,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8927cef6-e5e4-4df0-b7cb-2e32e54464fa,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0be71b1c-c6bb-48e3-9f84-9395b96362e0,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b4de4c9-16b5-4d34-ad9f-469d1b4c4e75,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d72bd684-c237-416c-97da-b91bc5b245cd,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9144ebda-319c-4cd5-a3b9-dad3428e7053,"4/16/2021, 
9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57824eec-20d3-4817-be8d-2daffa3170a5,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0a1b53-ed0c-49fc-a801-9b8e079c5d39,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c69e72-c0fa-476d-8efd-ea492f3651a1,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da9d820e-3d2d-429e-9248-7ce08fce6b3b,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1593d3f2-229e-4f12-871f-21369c183593,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4dc3f1-cc4e-4b56-b709-250f962178e6,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bd5be68-2079-49c6-b5e3-cf75be55b81a,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89c3b7df-af3c-4333-9603-4c7f961cac01,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3279a8bb-8d78-4181-b578-5079806f1088,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dabc315-1695-4cf8-b599-bf2c09990abd,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8ac5623-2cdf-4b79-90b0-3f08009eb203,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271d25f6-caa6-485b-aa09-75e10b1b9549,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfeb172e-3ac4-4d88-8ca4-8a99d82286a5,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac569f43-ed5e-4db0-a1c6-d2b8d0e21e9c,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f74a83-81d3-4cf5-ac87-36d6c898522b,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5055caf7-6c46-4972-a4dd-19d78c6fc210,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0994aa8f-a0c3-468e-bab4-1f66b8cb9c45,"4/16/2021, 9:09:30.122 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf6718a-76f0-4f54-9f28-03b932cbb6b6,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8110a1b6-cbfb-471c-a7a9-515c2c18f94f,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3daadbe-08a2-464b-9243-73ee70853485,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,395c4490-46b8-4487-8268-ed5b3aa98383,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed75549b-028d-4de2-a7e6-fa0d09b77295,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a6f9601-90e6-43ff-b097-ae0dc5a8b94f,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6989f9f5-ddac-42f9-bbcb-6780505e5931,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c21573a-a5f5-43bd-85ab-e063b4ba43af,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3637fab-36ec-48bf-94ad-9916bd5d0223,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910f86a5-40bd-4065-9d9a-c660b583d6be,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdb6d351-2997-47a5-9048-6a7b1622a0d5,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187a2cd9-8284-4047-a0af-18f15bd64481,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3dc788d-5dc2-4cd2-a74e-772d34fa0b70,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bb23f94-9ddc-4e83-a1cf-9b0bf53a535a,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57431f6d-1f66-4619-b2ad-5ab59ce80010,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bd760e5-7235-4f84-aa94-bb322fa80820,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,346c0a07-031d-4a8c-911f-c80c3b04f622,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817da80f-b39b-4a9f-8553-c365b3a58788,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4622b32-0f39-4a35-98e7-7f492cecaad7,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f3c49f5-0d3a-4dc7-b7e2-19dcb4a7d7c7,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af6d74e4-c191-4021-968c-386c9790bb32,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c80f0dee-8ff9-4351-90c1-131738396c82,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4d27329-2e0c-442b-9a47-80ca92649b73,"4/16/2021, 9:09:29.693 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a5b9a2-53db-4157-95e1-12b8cad3b4eb,"4/16/2021, 
9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11afac53-424c-4f40-9160-4f8d55d4493e,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea536b57-8430-4edf-ba41-be967e12a64f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85157ea8-b5a5-4dae-a76f-40ed6cf02e4f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,ec76b516-5a86-4755-b114-dabf069225da,"4/16/2021, 9:09:35.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c486eb9-22c9-450a-91ef-d24719cf5c48,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea428951-ab6d-448c-ae87-4894c29006f7,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89184b3-8012-44c3-a6a2-27cbc205d487,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,889462ce-a5c0-48b2-ba78-09c1d33196ee,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aa2a9bd-a032-4a9b-b838-817a746c45c5,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1b6b2b-1813-434e-8c78-3a41e0e77b2f,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f939fcdb-900f-44ff-b813-0350f7ce16a3,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56837e03-bc22-4b49-8dd5-350b101445ee,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e5c8f8-c619-4306-9779-e045b46df46a,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88bd71dd-ced7-4262-9f08-7b11c835111b,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7dac572-d608-46d6-8eb0-9763c5462092,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ebf244-82ca-4eea-9165-d1632486bb1a,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b8896b-6cbd-4901-99d3-425b50296b80,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,123dc9c5-c64d-4a35-9a5f-0abedeb8c5a2,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70881fa-548d-4c91-af0f-5cb71770e6ef,"4/16/2021, 9:09:35.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + UNKNOWN + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\954e38042ca68b27d4d706c2e7747a10_212bc69c-5ce6-4002-a8fa-f266ac5ca24a + %%2458 + 0x0 +",5058,5058 - Key file operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,84af09ec-8809-457d-8a45-7f172ffa4e48,"4/16/2021, 9:09:35.119 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d736fb-1ad0-461d-82ad-2532eec9964e,"4/16/2021, 9:09:35.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + 
%%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4885420-faee-4b1a-88f6-955413342bd1,"4/16/2021, 9:09:35.119 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 2600 + 2021-04-14T04:56:12.746425400Z + Microsoft Software Key Storage Provider + RSA + ef4f84fd-c4f6-418e-a341-bea15d4281df + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e638cff-7ad6-42c7-8182-2791d0334e08,"4/16/2021, 9:09:35.119 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8697878-3aea-48a1-9abb-b6087e6ae7b7,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3208b1de-058d-4f1e-9de9-59fd6ba0b45e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1519c6c0-cd98-4a52-8d38-9f9314316d9d,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9ef31-f0d0-48dd-a2b6-fa5f7b978232,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1105dccd-93c1-4c77-9f0e-eab81cb06a60,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73c789a8-6165-4f6b-b66c-e359869b543a,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\WP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d532c9fe-b6cc-46c4-8fdd-e52f63d9a121,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb251c4-2f8b-4399-98da-9c8a33fbb12f,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b0a2353-dd1b-4f65-84fd-cefdc8f77bf5,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d98cd935-6000-4656-9e3d-01747fca2cd5,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e97197fc-6680-41b3-a464-af2a86dfecbf,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,764cac8c-8b6d-4e62-9595-57fe76f52a6b,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efba0126-940d-49d8-b212-b4f0a2249313,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd5b0c20-72f2-432d-ab6f-773e149ac714,"4/16/2021, 9:09:41.686 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1ce66ef-9267-4231-8dcf-b48c0e944035,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfb34dce-ee4c-4ef0-aec6-c67fee8bc3c6,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17c51901-e01e-4ff3-ad9a-5adcebe14bfe,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,148d526e-64ff-4fbf-a6c3-2c70c07d4ea8,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd7f360a-506e-4dae-b519-12aac5d2427e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\MIRIAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80918000-8312-4eab-b38f-a332512cd9f9,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10951ede-0891-4a39-827f-4904b3c2ae1f,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdab6c3-0298-41a1-b3d1-1db67716a06e,"4/16/2021, 9:09:41.686 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d02becb0-baba-47f9-a1e5-e0da749a64ad,"4/16/2021, 9:09:49.618 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30044390-987e-49fa-85ff-24769e8e6e55,"4/16/2021, 9:09:49.618 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4120d8a-3b9c-4071-97c1-9f43d59c0577,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba1a31ab-8ac0-453d-a051-1b9b60292a1f,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9119170-5ba7-4604-844e-08854099d190,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e5f48d1-0ac4-4f00-a635-3c461077d6e9,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc602452-de7f-4c6d-bd91-80521894f60e,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6848b5d-574a-4e24-95a6-12d98484fcc0,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c6e3bba-93b3-41b7-a7d4-12e7a8a7c9ce,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d317f45e-0977-47e7-b2a0-d146a0e36139,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29233fed-9748-4f63-b2a9-be13232dcc28,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a12904d-1f14-462a-a484-d8d9a1c61d51,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f13f16-162a-491e-ab5a-694dbff0c4d8,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83ed9530-8dee-40cf-b41a-f53ea3a7e510,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2627cba3-3928-4ab8-a964-f8039d03853c,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18ea71c-b1b4-454e-b5bf-897527518293,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28b2807-7f50-4f9a-8ce3-d1b55c1efa9f,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b432ddb1-f02c-4c35-98c0-b5c3f362d97c,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07732e1d-8e40-4248-b9b3-b84643888250,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23840ba2-0112-4aa6-abf0-d6f49cbcdd3a,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc19973-0667-4a92-b04a-542a354d403e,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1064a13a-3685-4fd6-9df3-1c7e24a097a3,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56720401-4c2b-4862-9633-3f3f77745850,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bfdd3e6-4e0e-48cc-8e65-50b80c731c1a,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31e17304-21cb-4ad3-8dc2-94498e3ff227,"4/16/2021, 9:09:49.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6eba195c-5851-46ff-8ab4-38f11b690206,"4/16/2021, 9:09:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cedb88f8-2c84-47f6-a4ab-18326f4e1a2a,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bc5db37-6372-4fe8-a753-2fd6f294cea7,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5ed82079-215d-4c9c-bdd4-1ed6ea4f16a6,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4e0c7011-3e83-47c1-9f3f-eb8a3c0d6ba6,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cbd39433-99b2-478c-9118-902da4d37e59,"4/16/2021, 9:09:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,045eb0c0-f1ef-41a2-a283-e8858827ae44,"4/16/2021, 9:09:52.738 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6772 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,290c14ca-5b16-4cf5-9122-3b1a45aeda70,"4/16/2021, 9:09:52.738 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3ea1432b-ef98-4eff-a871-eb96163105cb,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df4ac5ac-fec0-48bd-9531-9152c127907f,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b0ccb9d9-43d5-435c-9118-47dffda1dbcb,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,000a41ae-b1f0-4818-836a-63019f0f0da8,"4/16/2021, 9:09:53.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3aaab76b-f279-4573-af2a-6c4c814d5fdf,"4/16/2021, 9:09:53.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,57e6b768-bb39-43d0-b7f8-774af54149a5,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1b11e0a4-5bce-49fe-93ba-b2efcfeb72d0,"4/16/2021, 9:09:53.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ac0bacf-59a0-4ca5-895d-d08486090019,"4/16/2021, 9:09:53.061 AM",,,,,,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d87c13be-9213-4c7c-aabc-d48bb2c142d5,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dcb8e33-f106-47b1-86dd-57ede299e921,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e39b3f-b739-4662-b055-495e34e0f17c,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c138ba6d-f62f-42f2-811b-98d0aa79a64d,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529f090a-1725-41e8-8670-7089c78c3218,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44230092-09f8-4c28-b664-976cc8855c2b,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfed3c6d-c48a-405f-9e1b-f6857a3a723c,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44842ff4-4b64-4db5-8fd2-3c32958c24b1,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22577885-6cd3-4847-8979-3698aa27f501,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e34d85a-a2e3-4e36-96c9-1e19f227243d,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37009a38-4eca-4e30-af96-99c7f6094c35,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0c822c8-c5e6-4e77-89ad-560424f310e1,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec5f467-be2e-4c93-9ee8-48c6915b672f,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccb3f135-e7ba-4a38-8b88-55f88e9f5347,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd950ab-68a7-40b0-b4d5-3e0c002ca657,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91dd9e08-f502-4c19-bc85-efe8210018a5,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d73d963a-d794-44ae-94e3-05ca1236a49a,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71eab432-8e5c-4281-91a2-c3886196539b,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6529b7cb-8dd2-4052-b1bf-62931127552e,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,227986c5-f3e9-4c7f-a1fb-6075dadc9af3,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf06a18-bfa7-4ee0-813c-94f221d71f25,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a617a519-da88-4943-b1b6-bcb0c5f886fb,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa181b4-d94c-492d-98d2-5ebef06538c9,"4/16/2021, 9:09:53.688 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 
+",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af88e610-4859-4049-b583-0d5a54e9433e,"4/16/2021, 9:09:53.688 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e4820cc-0246-44e2-a836-5c4ff45202ff,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,27c63913-7ee9-4e96-a3bb-8dcc0b90f186,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6080 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54bc2894-6890-4cec-ae5c-1a8c9294b711,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9608 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,140a426b-1eba-4918-98d1-c1c5dd349c0c,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e20c609f-adf5-41b4-a654-8de79292ff85,"4/16/2021, 9:10:06.593 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,887945e5-edb7-4680-a00b-95ba272f5aed,"4/16/2021, 9:10:06.593 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,1918cbe7-7319-40e9-8fb8-f2f9d7114467,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,51d067a8-075e-43e5-b93b-4c41cfd1f6bd,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1344fc5-bc62-4e2c-a8c7-2efa8c51f03b,"4/16/2021, 9:10:06.593 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x417171d + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b918d74-77a3-4f3e-9613-59e1cb322eda,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,52a206a9-8415-4174-895c-898ccbc85c8f,"4/16/2021, 9:10:06.593 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,3bb23178-67e5-4678-ab28-30cc1f3af142,"4/16/2021, 9:10:06.593 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95db58d9-d9d8-4fde-8c2f-fea128977616,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\TRAINING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,956a7286-1041-48b2-9f63-f9435a9ae5aa,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6064 + 84 + 
%OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b63ae41-b794-4ef1-8a2d-e2be8b4f5d4b,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,335bcf2e-99ff-426c-9d17-dce41b454b03,"4/16/2021, 9:10:05.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c2dc237-c902-4dfc-b618-4e1a91d49a1b,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\INFO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7791c91-87ee-4b39-bceb-80ec90197621,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +\USUARIO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e07627bd-eb0a-423d-94cd-ebdd9b99651c,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7136 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 
0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b0404085-45df-4b4f-a28f-e5dcfa61e88f,"4/16/2021, 9:10:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3ec4c48-4d06-4e09-8dbe-155f1e3c461c,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,59104820-24a7-4212-8e9a-beb46df1803e,"4/16/2021, 9:10:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5eab9086-5cd7-4026-aed6-3560f3e89d78,"4/16/2021, 9:10:05.411 AM",,,,,,, +\TESTTEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2e44533-76fc-45dd-aa58-babd469e3d38,"4/16/2021, 9:10:05.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12936 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,41e5198b-bd08-4434-b761-8b1ceab08ea8,"4/16/2021, 9:09:57.002 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0e39e2cd-729a-432f-8f4b-89678a8572f9,"4/16/2021, 9:09:57.002 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,31137f5f-836d-4629-a3b4-4686ef0061d1,"4/16/2021, 9:09:58.868 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e1817b9-fc15-4bba-a369-8ecf2af57962,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1837b223-df89-46a1-8cff-4175b1691b82,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97b2a9e-6eaf-45d3-8a20-e6b5bb4ed276,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d67e1a92-59f2-44a0-bab3-2a5bb47f6955,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,779b89bc-8fe5-46c9-8cc4-581653f3090c,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22aefa64-9cb5-4e92-8d23-4506dcaae976,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04f3c84-2857-4609-a1d2-fad8ca9e0ec0,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb935acd-99fa-4fcc-b41d-866ffdee8107,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e058fb9-4970-4b35-a86f-28ef1e7ce52a,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3537dbbc-0143-44e9-acf6-ed91ef315d36,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca64b2e-c687-4630-b077-cb03cd4e4422,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c677ea-0071-4b80-b4f4-e14575f24954,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8f3edd6-8e5e-4f00-a3da-ec1365cb32a3,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ee9d5da-81a1-43ce-9306-e76d13e9b46b,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43df7332-0e0c-46cc-8baa-a245d0fe45ee,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a371cb2-6ca2-4fc7-b020-1d626f800a5b,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9b5442-36c7-47f8-832a-0e28a84e89c8,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3f501d8-b991-4a9c-a4b4-c55594f7fc06,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add6c815-d57c-4976-9273-2e3b4aaef45d,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e4e8d82-b50f-45fa-9dca-70f2f5a3f3fe,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f9ef84a-aaa1-4d00-bda5-b0182c182aab,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,958609c7-03d6-49d0-aec4-55c5943a9826,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2de6f469-9218-4a29-a424-6a19a13f9e2f,"4/16/2021, 9:10:03.143 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,410838e8-a58c-4c6c-938d-48c486ef3f98,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\CONTADOR1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9311c312-378a-47b6-9719-78990cc6e8e6,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79e0b8f-3961-407e-8ab3-2e6bb25eadb4,"4/16/2021, 9:10:04.697 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50c938df-0bdb-40e7-b468-1345e21432dd,"4/16/2021, 9:10:04.697 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2e92a9e-6bac-43e1-949a-35c16eb95ee6,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8b07f8b-d0f5-4111-8a24-423d80eeb1d9,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69143d5c-2a3b-4feb-80b5-0bd14d0d8c85,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fa4e91a-1c6b-4771-870a-6cbe821b034c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,309f06ec-19c1-4e09-94df-6c1f9c77923f,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,320b12f2-c139-44b6-a7a1-9a58eb725514,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d936541e-e3d0-4e43-b58f-21fabfc4e1ea,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b26fa52e-9666-4910-bffe-b11bc75e569b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9ff542f-10a8-41fe-9347-6b6830e9552c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b3d2150-8885-494e-a8fc-bd2415ac6eb4,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9b4e2c1-ad83-4c12-aa69-8bf7f2116b1e,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,292f8c8d-bd2e-44de-b26f-f0f3d425473f,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59b8277b-26fe-4731-b778-0e7a514ce78b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30e6f88a-caac-41f1-b764-7d8afad0afba,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0427addc-ce12-4779-873a-a9fdff854984,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,128c0b63-2738-4a48-8fcc-fccee4ffc662,"4/16/2021, 9:10:04.697 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c2158cc-6f34-4b9e-9811-71fdb20ad23c,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f3f83b6-a5f7-41c5-adab-42d95b8265d2,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0cf9b2f-41c6-4cac-8805-e9c9301d528b,"4/16/2021, 9:10:04.697 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a1985a-3b37-47aa-8e78-cdf40064bcec,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,153a14ec-e218-452c-a61f-1d20260d6935,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0368717f-5f88-48ca-874b-6e652b0ab538,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76492e6-a969-4876-908c-42abf0856273,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7049147a-f1c0-406a-a016-c48390b508f8,"4/16/2021, 9:09:57.124 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9b5eac-67aa-4eec-b387-facc2c6ae0c2,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf9c298c-c4bd-411d-903d-51630020bef6,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f327611-5ff7-4de9-b512-4fd0bd09ddf6,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858e8cbe-bc86-409c-a49b-ebf0cfc554b7,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aaa7f82-31aa-421f-b74b-74d7de99ef2b,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7df14e-dca6-43da-a05f-d28de016059d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9501179f-6386-4c02-9faa-a8005f058495,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcb58264-4c10-42a5-8e27-1c1ff0878328,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c91cd8d3-98bf-4588-a439-e48e2ce8255e,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f96a1b21-7547-4c00-9822-9f66c74d333f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95718e5a-7164-4b02-b053-17be96cae4bd,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090f5691-39d0-47bd-81db-cff85a38d3ec,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d64b528-cf4a-4412-86e3-8e7ea8ba0e71,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,017a73b8-307d-44f7-b073-521e081ad0dc,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,458d1ffe-98f6-4d0a-8155-3cc1166c323d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,258c6008-9cc8-4eee-b40f-6fde9941850a,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff18893b-ef4b-49ae-9e58-34b6935b8f1f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5935933b-9dc1-4199-bfad-de22cde97ba2,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,343bd848-3d89-4ea9-90de-e47abed63a1f,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eebf2224-3a3e-4a7f-a59f-b49336b61d9d,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5724617d-70ea-455f-9b37-bddef245bb75,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,883838b5-8feb-4254-883d-a930af564fb4,"4/16/2021, 9:09:57.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8fc3dd8-de29-4fa3-b08e-a897aaf60ccc,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3d01d94-58a9-43ea-a1c3-89feff01dd76,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff58e0c-3f0f-4910-9f2e-253ed464ff30,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb5adb2-89cf-426c-92e4-d0608917ad2b,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54522ae9-c8ec-4829-a612-60e25b60fb5c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f110a1-72a2-494c-bd81-1e419b642527,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2760665-444b-4392-87a4-2499d4161d81,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27e87c96-0ed0-421a-9221-4db5e3d8e667,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972d5ef0-5f2d-4ea5-b198-e583ee2aad37,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09f908fe-202a-4d3b-9706-df3c770f564c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81452705-15c4-4205-9058-4e87971d5899,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a68ea8d-f348-403d-878c-60448e87aaa0,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de45a4e-c63e-47bf-8795-bc33b068035c,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e535f09d-a746-4b37-8cba-859215fea4b2,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1116712-0b61-43c8-ac2c-af3fcb97b8cd,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73903fe-dc50-4473-bb90-ebc142747e7f,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04951bdf-b5be-499a-98b4-2c788e6af487,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d227981-f9e1-4941-a945-f3d2d90425fc,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbd3b44f-1767-419b-b279-489bab0ce070,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4af37a60-6286-45c7-b3c3-278fac1e91ef,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceaaa80a-4c8e-4857-a997-858889d4f5d8,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe46408f-327d-4d48-9338-c3a21d8a931a,"4/16/2021, 9:10:10.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d90109-2174-47a4-8d58-a21643b88c25,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feebb97b-6a17-4867-872e-c5f973b54fe5,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed3ca47-44b8-4d84-9d8a-29ee9bfd9c45,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8d876a-4c73-417a-b626-deb83be654eb,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34a427fe-5e8e-4261-a269-85efd31de7a7,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59379b97-6ba1-4065-9ddc-1623524c033b,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c07db06-553b-4f61-beb7-686774f058bc,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa0c72f8-6d92-4462-a2f2-c4e960f70645,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c98249c-81c9-491c-a92b-d54db3d65af2,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c455543-1c84-41cc-909b-4570ccbd5f77,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,497a8c5d-5e93-4bdb-8f20-0e5861bbeb8c,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74fff5bc-ab71-4aa9-a261-18a79fbb516c,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bee92464-5371-4084-9ece-9e6b62e287e8,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd100f27-0a9e-407e-8648-7b2ebe5054a2,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054eb2e3-438d-4dae-a269-799a87bf80f3,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dd8785-3140-4cdc-b23b-45b087887485,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7534f553-b34c-4f90-bc94-bf2a5c4522e3,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc265815-5f5c-48ef-9ba0-fe2fcd6bb238,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11a32b4-d86f-418d-860c-af8f93fc39a6,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6b33ed-1bac-40fc-add7-177a5608a4ac,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc29cf7-ac72-4f7a-bc47-4c3e01361b32,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a314a84-be36-4e5b-bb8b-b7285b493ba8,"4/16/2021, 9:10:19.127 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,830b940c-176e-45f3-b399-6f6b2fa3ff45,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e735ed1-d4ee-4851-9ac4-3c348c2c57b6,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c51422e9-e94d-4d50-a7e1-12ac58e3c80d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,518d7d0e-53f3-49f2-902d-c182cce068ec,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96d1e4e7-026c-46e3-b957-81ab9e1de32b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7fdb130-c70f-4b10-9d63-ea1a33df5fdb,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,123cbbab-377f-4f14-a0b9-9f2e51648699,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4cccf26d-2452-4317-b6c0-dc819a87ce07,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a2c6a1a-c996-4406-b011-7cbcb2d2e31e,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6fc2f43-f41a-42b6-a49c-8282222453e6,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b222bbd9-a4ec-4ba2-9a27-7f235b5df943,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb2bb3e8-1fa6-4ef2-9d65-77e0b32de9fa,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0b6d762-cb45-4c52-b3e5-2a97cd72021b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fab1f73-579e-4eac-b226-f991e5869fd8,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4df43622-d3cf-44fb-b9b0-d1d33bd0b4ff,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22e30fdc-9b94-4fc1-80b2-4e83e2da9ac3,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e6ae82e-9e51-471c-9663-3c6b864bba7b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd139057-8b77-49c6-aef9-dbc161e6da4b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65b5352f-cfa6-4569-a5f9-cd9d4577b5db,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5704a270-7b26-4139-aa58-abf9bdaae772,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3483378b-71cd-425f-9659-fb9554de456d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb9330e6-6dfe-4a95-ae2b-bdfd8058e55d,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a470377-0e55-48c4-acba-89b91da9559b,"4/16/2021, 9:10:17.706 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b6635d-cb2a-4af2-95d9-a20f8c9edf74,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5001e40-e972-4829-b1f6-615956a7d8ec,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8753f63e-5bee-4692-bd22-bed2218439ef,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a252cf-0f81-4d6e-8418-bbe0a076fbc8,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2140715-f71f-4540-b67c-a3c7d903eee6,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a5beac-3f57-4397-9f02-bc86a67ded80,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,278d22aa-228d-4852-a909-a41e9ffbbac5,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c10b394b-c889-479d-b194-c839124fde1b,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa5a503-098d-4a5b-8da2-744ec2be3711,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108a9825-dc50-4e1f-85f8-ca65362a1b32,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2846524a-2ba9-48d6-85a6-d20f96692f05,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6f472d-3ebf-446c-b648-0e3c83d3e9b3,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b839abe-1ae7-40dd-a8ed-f3226dac2a05,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26d0cfe1-c275-421d-8c50-631181ba2522,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169a01a9-888a-47bc-84e0-dc5dd8bf149c,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a17e972d-619c-4519-ab12-697538cf530e,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe75046e-416c-49d0-a9b1-43585b630de0,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d7c687-d437-426d-840e-1cc01ffddb4e,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e67a54a-cb87-483e-9572-e15b9f32e07d,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\CRESCO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9967d7-576c-4c2b-a69a-5f69dd6bb4ae,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,663444a4-9fc0-4b63-8c37-1ebf28d68d64,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ec4d6f0-7253-4001-9e6d-eaa6a4c78835,"4/16/2021, 9:10:30.132 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a51607ca-ade0-4074-9ccc-588d1f6ad6f5,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03c08628-90ca-47b7-9bbb-a818d30b4a20,"4/16/2021, 9:10:31.868 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24194fcd + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,91a3ed7c-9cf2-4686-b356-28af2f78df4c,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2d519224-df42-4785-b0a8-5084cf2ecdc4,"4/16/2021, 9:10:31.868 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,19457f78-e470-475c-aa8c-8ce38a7bc3d4,"4/16/2021, 9:10:31.868 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3087b6ba-34f2-4bc7-ac89-46011ffb35be,"4/16/2021, 9:10:31.868 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,97aaf097-77f6-416a-8eb6-c3bd6750b462,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6880 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e962ed8-77d3-452c-9be6-10e7d8b801b4,"4/16/2021, 9:10:36.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f2bf5664-313f-4b59-a57f-8ac3090067f4,"4/16/2021, 9:10:36.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b26ed9fd-1d13-4372-9706-8a77be400001,"4/16/2021, 9:10:36.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0bc4001a-e3b7-472d-8654-e8ecf2d62587,"4/16/2021, 9:10:36.412 AM",,,,,,, +\XEROX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,df1b7c9a-61e3-4c2c-8b93-2815c5da98ea,"4/16/2021, 
9:10:36.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3431a6b2-4cce-443f-a10a-fdd6c43d3d38,"4/16/2021, 9:10:36.412 AM",,,,,,, +\OFFICE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2cd75eff-d781-420d-a02b-a0d02895c413,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,17b4136b-fc9a-491d-9139-8b256318ce18,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f1dac72-c973-4091-b203-aa719ddf1de5,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14a2af0a-99f0-48e8-894c-92f537e856cc,"4/16/2021, 9:10:36.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff4d488e-6f45-4fdb-b493-df8ac11cb3e8,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e23edb-5a0b-4cb3-9e63-9a779876d79d,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3053d3f6-a5f5-422c-8705-cb824757359b,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,77e08b18-7a80-4e44-899c-5c2f368b08eb,"4/16/2021, 9:10:39.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9972842-ef12-45e3-bb9b-44a3bd0b7091,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8316d931-c907-4642-a34a-33db5cc89868,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b19d1d3f-f47d-440a-ba74-5cedff02a5e7,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea1afb7a-74a9-4e5d-8b76-b5067252adc6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12420d84-0609-4b12-b203-333c9a47267a,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3c9c28-fd43-4f78-9271-d3baa277f2ee,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22859bc7-89cc-4e20-8bc1-aa0ea1feb932,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba2a43af-23fc-4392-8417-a514c3e78c1c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8cc1f7-4a30-4624-9776-55ce07a69326,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6282e926-e6a9-465e-9855-2956e5a5812c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9765b48c-4649-4cb9-ab46-3617d42d53d2,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f6acce7-f300-4006-a849-a040b1f32ed8,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af9bfe18-099e-47e7-b4c7-94e90bc4226c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,608697d3-5c31-4228-b061-f9e5a47b1b96,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f123916c-e1f0-4d67-bc05-7348e08c5b7c,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f66e5c3-2486-422c-9b38-1fbd54a8ce0a,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af45919-e667-4db4-b942-49b7c8dd46e6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,088babc2-09e0-413f-baf7-005df04fa060,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,728a6a68-c2a0-4fdd-b663-a7411dda0022,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844dbe86-635a-444d-9e71-8cdf3eb834fd,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be10ca0d-8ac3-432e-b517-aa8d506758dc,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fde8aef-411e-428d-bc85-6b1641310bd6,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,566287e1-0e21-4ee2-a980-3884fd9d2e15,"4/16/2021, 9:10:39.127 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81eef13c-db0c-4967-9477-817984538b79,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4735ded1-b1a9-495b-98ea-c2383d64af78,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f88fbee-539b-4c40-9dfe-a7fb0a8ac710,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9244c70b-8de5-4cb4-99b2-34586425aeec,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a79ca40-f2c5-4670-a5b9-2c0a1c68817a,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39bcdae6-d063-4061-904b-524dddd6ff8f,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbbf73f2-4dcc-4b3a-8f75-8b4d0da1d10d,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,840c2778-42e3-4c37-86ef-bb7671e545c2,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\DONB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24e9c20b-f397-4f48-b86f-dd9697563b2d,"4/16/2021, 9:10:42.684 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fffbf0-38e1-4b58-a461-9e35aa146646,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ABCD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,835dae7e-74ad-44d0-8e2b-7588b489aa8e,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,316020a8-fcd1-4666-abb3-b571b0110759,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc6ed69-623a-4785-93ad-ad96246d237c,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a913dcf8-908f-4565-b314-9f02f0d01391,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1bbbdbc-aefd-413a-beb2-7a6c93817a8a,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0aeba048-21f3-46ad-b69a-ab3a05566669,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e96de2-e336-4bee-ad84-cdcf40bfe879,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e55e9c15-2a68-46ce-87a2-c485e82acbff,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be6ab541-feaf-4caf-a7c5-c3d69b86be42,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e373a57-f7cb-49b6-8bc4-c9fdf3b467e9,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e7c341-263b-45e9-b4c5-9bd9af0cd8e4,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bae5060-2461-4ee1-b278-ff8ccdf8a1e9,"4/16/2021, 9:10:42.684 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ba71c848-d90b-4507-a3a4-517de30e92e6,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 9384 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows 
Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,576b88d7-667c-4131-8752-e02b53b1f728,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e52b97d1-d1cb-492c-9ded-c8793d923c53,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7004 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,120e00f7-ef7a-4ff6-abd8-9bf1a02e07ad,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9ec93b70-50dd-4504-9bb6-a6553e928e56,"4/16/2021, 9:10:43.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4cb86af0-80d3-4d01-8676-1f9f56a417a9,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44e2c77a-5e87-4c23-a8ea-b083ae562a53,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4ee3329-3ef6-4e24-85c6-85a3f886eb79,"4/16/2021, 9:10:43.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12964 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,30544896-33da-4647-a513-9f2e6749c0d9,"4/16/2021, 9:10:50.289 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c09f0739-b08f-49f6-b864-1c167e925993,"4/16/2021, 9:10:50.289 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,872f7df6-9d54-4d7d-a3c6-e10aa615afcf,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc56b65-aaed-44f1-92a4-7e416c4eee9d,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,991e2f31-f4f1-49b7-ab85-bfa3ceacedb4,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c987b08b-b2a8-4dfe-a5b5-2aa185f343dd,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c194b937-1d2c-4d01-9bc4-190f62e15bbf,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,608f03f4-e539-4188-8eb9-8f8a75fa6ad8,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385ee6cc-31ad-4f2b-ba75-6bf79496313a,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798e2fba-0492-4842-a7e0-a969e83b0937,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c199f77c-77f2-470e-9f9c-f36cbe3553f1,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba0ca421-5f28-4c56-b2aa-06f2d4247ea4,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f06197e-21d3-4ddd-b53e-690932cc156f,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec2aa99-d3ff-45d4-9dfe-f585d2bafd59,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adfa01cf-a0ba-4aea-808f-3f51598b1d80,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a2b8e2-50b1-4768-bb83-cd5af23c3ccc,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,461731a2-c614-4059-ba41-f6ff3e16152e,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef0175a1-6e5c-4a60-8cae-14a37588fde6,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae0bdad-a289-4a9b-bc1e-2d2dbd14a8bd,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fef1bdc-fd66-46a4-8d8d-a954d4f1a489,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cddee46-de0d-42ce-879e-8aa5c643e362,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb53ee8d-1baa-484f-8a55-8474d9047810,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daaeb663-371e-41e6-b40e-07b7f5f7c345,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1b5807-91f4-491e-a26b-4a4efeea0b11,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd7fb416-88d8-4a7c-b55c-bdc7e54d64e5,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53423e25-66c0-493d-9fbd-03882b0d3265,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ff61e9-b303-494c-bb26-83a85622f26d,"4/16/2021, 9:10:53.121 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d0ec920-fa76-4643-8bdd-7591519a2d52,"4/16/2021, 9:10:52.731 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e049efd0-2a9b-47b5-a69f-5b0615ee7ec9,"4/16/2021, 9:10:52.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd38168a-11f7-4f8b-9b02-5379afc9eacf,"4/16/2021, 9:10:52.731 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc60a56c-2446-485d-99f7-04e5227a2f40,"4/16/2021, 9:10:52.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3566f69d-6c6f-4a66-842a-c5b8b84ecbf2,"4/16/2021, 9:10:52.731 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bfe27a65-017f-4c67-aeb1-d014d9e1e41e,"4/16/2021, 9:10:52.731 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74eab10-29c0-424e-a2ff-f3f717ac6b8f,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae568764-90c7-4598-8e64-6755a4f1b3ca,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53c46d1-803d-4124-b49b-0c665e392a96,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38047bc-7b18-42b5-a5d2-59cbe1136cfe,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a102422-fa04-42ca-8b71-c9d1cdc92c64,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7510cd91-67b4-471b-87c1-9f0d1fd9026d,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c00ab6f-f2d8-4273-8933-f8b511bd72ca,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9676c39b-609d-47f4-bda2-1bd0fdb91570,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f9be47-9191-4f0a-bb27-477e58711983,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6634b38-88df-470d-938e-afab6937c1f8,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdcd6cbe-89f0-42f5-ac79-b01f44d73590,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5618b154-498e-428a-8a6f-886497e1e4f8,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2829a7e-849d-4b46-9f04-f720c9a007d4,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12845014-84c9-44c1-8dcf-84418428add3,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,438cbcd1-f68b-428e-98c3-d1748c457f59,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f903ce5-51c8-4894-8e36-8fa050d97f42,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4d63638-2944-4c57-af97-373d79ce8433,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4fba65c-b054-4204-878d-fff498442102,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385da942-c94e-4675-ac7b-b25134961ee9,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71dc152a-522f-4533-9e0d-6a1002c163a7,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2353a27a-014b-440f-828d-e2192dce7654,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab75562-6c68-4d38-bb45-69ed37c385e1,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcc117bb-a9a6-46e3-9ce5-e1d28bd86dfd,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cc69ea-1e79-4aa5-b4f6-e045cbebe395,"4/16/2021, 9:10:59.122 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c630c736-05a7-4157-ab6b-f81bafa431f3,"4/16/2021, 9:11:03.060 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,686c4154-3acd-4956-8f40-8a85c760c1e0,"4/16/2021, 9:11:03.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2d0ffb5f-4686-4d35-aa28-b62671355304,"4/16/2021, 9:11:03.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fce49ce6-f7e9-47e8-b5d9-bd4a9d81fb6b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fd8ee710-e5c9-40b9-b2ea-610326e38d9b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42d46dea-d2b8-4be9-8814-abe7d2cd492b,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c9441bb2-1d67-44ba-b48d-f70e739f9a84,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,08c46872-c59a-4636-a20d-746dff049920,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bf41a9f-54d7-49b8-b3e6-cbb78a4fa99e,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,10923e31-d135-4554-b7cc-0c70d3d3120f,"4/16/2021, 9:11:03.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5e282987-d322-45d8-8cda-08d1a09d0d03,"4/16/2021, 9:11:03.060 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,968075d2-1239-4ef1-8879-5b8422d69fd0,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed7e5860-da80-42a7-a114-dede2323322d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61bb9d4f-6267-4087-91d6-e57672e63a65,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e357e6-f3f4-4b87-aaa2-e2e76d8bc66d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d88d26c-1f97-44b9-900a-7437732e197f,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d455e7d6-d80d-49d8-b1cf-dd10b6feac6c,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24acbb3c-b690-4fdf-839f-2fc89e94ea13,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4563b27d-bcd7-4623-81af-ed56117e5914,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be4b709a-f9a5-4db7-ada3-90487657abd1,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,329ba780-545d-46f4-a2f5-fd5f1f1eb852,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29f07283-2e9c-434f-8b0d-b9049b1bb62d,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b304cba-ea48-47db-bcd6-a0f88a50d083,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ca657cb-930e-4203-9b91-5c9ea13b6364,"4/16/2021, 9:11:00.724 AM",,,,,,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d51be18b-0172-4f83-84a9-49a51d8132a4,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71e1b3ba-8851-4d31-8aa9-59e3b3d98b8f,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94d60033-fb42-42f8-a5e2-682b3099c146,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68f1cf6f-88e7-49a4-80ff-2184ec5f9bae,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9f58e5-71b7-4a6d-80d2-aece01f4f93b,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8c429a9-9118-42e8-a353-5e2d62acff22,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bad30ea0-48b0-4b64-820e-f70131756f4b,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3730b11a-7120-4e51-b508-e69822519fc0,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac7251ab-4e94-4e83-a366-7d930db363ba,"4/16/2021, 9:11:00.724 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00ecee55-fd9e-4b8d-bf43-92fc147c4dd9,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3bd3c32-6a01-454d-8565-2ff1153abcb4,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e91ca9d-d332-4846-92c1-ccc385d19ac4,"4/16/2021, 
9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8926ea03-5d74-4d1d-a725-d8df765261bc,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1718b2c9-b72d-4a70-acf2-9ebbf828f4f2,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50568a95-d7b9-442c-87d8-aa64243d140a,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4838ed82-e244-4348-86a3-cdc7712b88b5,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0be8535-4540-429c-9208-bd2d8198c42b,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,880b7df8-d457-43c4-b93f-2a8f99dacead,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e16664-d4c8-44d8-b19a-dc24f9dccae4,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a07e17e-d0bd-404f-89fc-68e3bcdc437f,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee9feee5-dc4a-4ffc-97e9-f3cb972511ee,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc94398a-d128-4dc9-a8d1-c98aabaac25f,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,851d2273-9143-49f4-9f47-ccf061fb2351,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c430989a-f45a-41f8-8599-b78d37246dee,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a8b635-7bf6-48d7-858f-3af044051779,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f67d2a0-9dff-4e65-a507-db9d85e976e2,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57163521-1d2a-41a3-9254-f047ff3f7af0,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f6ed943-e2b4-41f1-a0e5-af7da3a2a4f6,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d2c6d80-8a21-4f8d-a57d-2ddeda343b80,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,274eb9f4-e5f9-4b8a-99b3-dc391a8d6d69,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe219874-3716-40c2-8bae-0dfe70611960,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9164fa9-06f8-4916-a0eb-0fdf7a84b84d,"4/16/2021, 9:11:07.180 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3e453e7e-32a8-424f-a20a-701a0c3d9122,"4/16/2021, 9:11:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5927f49-25bb-4a33-bae6-061d84f0e38d,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,06945577-4ba0-4f34-ba6b-3adce2f0c907,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,52bf1564-62a2-4ba7-835f-521033c66b00,"4/16/2021, 9:11:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74d64438-7248-4993-8dd2-453352fec2da,"4/16/2021, 9:11:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6996 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c6023474-d721-485a-84c9-4f9ac9747543,"4/16/2021, 9:11:09.882 AM",,,,,,,
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,90c90d97-315f-4d38-9b4f-85e05c93c64a,"4/16/2021, 9:11:09.882 AM",,,,,,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63afd8d7-eed6-459e-ac0d-bb10a646d14e,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93dba52b-7f66-4a4f-a60b-f861f5702229,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc1dc24f-41be-445d-af23-7a124861d022,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f902be-54fb-4f09-88b9-f8fbf16392a7,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de9e16e-727c-4d7b-8765-1f8e76dc22ce,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,738c034d-7acb-4a10-9a06-2f5b1d04680a,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f79f75a2-847c-4f87-9b50-f08e836609e7,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4219f38f-d1df-434a-a254-b9907d6d1493,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eb1f34b-f621-4188-9326-5995027ae28a,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f595160-be41-47bb-9231-5ef092fa2d59,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96bec34f-2c84-4387-b7a1-9863dd247bd0,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03408799-8fb1-490e-a99c-21c4f74c9e85,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8d2c6fa-4e8f-4320-b6d7-6d08e946975f,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14c92a0-0647-4317-899d-a4bea820c3bd,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,224b17af-f021-4f16-aa7f-a8c08d3c9512,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dce49fee-8b68-4cdb-a00e-21e231e207d1,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef80cea0-f878-4603-88b8-899f33417cbd,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98695171-1988-4af8-9e62-0076b27cd836,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c142f0b6-c721-4a1f-ab17-4ad683f22f51,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5da7788e-7e32-4b0c-8c9a-dfe11128ebad,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed00e06-6ebd-48b9-9450-a63d43b73c63,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6069795f-7752-47bc-9a76-cb329a0cd8c8,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4e0d9f-2e42-48ff-8bcd-f2c5966c4a59,"4/16/2021, 9:11:13.120 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cf3876f-1b36-44d6-93c5-84b59a845a87,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aab0bc1f-34c2-45df-a925-9ade018f4834,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9816459a-a463-493f-aaa9-66d68edf5c4f,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce403c54-8552-4c6e-9df9-26a6c90b312b,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a7c22fc-8f4e-4ce8-b17e-5e7ca16c78a1,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba01455-f995-4781-ae7c-9e64066ba899,"4/16/2021, 9:11:16.701 AM",,,,,,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed2ffe6-be36-42af-813a-8f5663326bfb,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd4b627d-98c6-4358-ab5e-83e957817f8e,"4/16/2021, 9:11:16.701 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c28a789-d450-470f-b788-74babfdb5e49,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51074e6c-f383-4fdc-90c8-ce36a7cb9105,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,214b1806-86fe-492f-976d-594fef428bc1,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c587225b-4761-4343-967b-72012e38ba1a,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,675bf432-7e7b-4ddf-ba80-5b29686c5837,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d52f021-7637-4993-82af-215ee81be9dc,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87ee277b-8fb7-4f1a-ae11-81638494c58c,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,467f4596-d82e-42a3-aabb-d0a058e89803,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, 
+\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a05e689-b147-4e7d-8ede-13188d87faec,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84155fca-e73c-45dd-92c0-17d29bfcb998,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e928b0-3b74-436c-9434-086b91f1d671,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05377178-291b-4d63-a0f0-64e364706970,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13b884e1-45af-4689-ab8e-94e2f70a5b73,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07aa28d-6fc9-4d4d-aeef-6d1a9f61dd1f,"4/16/2021, 9:11:16.701 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c41695b3-aadb-4117-9041-37bf14b74fdc,"4/16/2021, 9:11:18.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9136 + 76 + %PROGRAMFILES%\WINDOWS 
DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6f42ca69-9737-4051-8387-5c33caf8b586,"4/16/2021, 9:11:18.601 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,0e6c3f00-1cfa-4637-b369-5c04b6831b9b,"4/16/2021, 9:11:18.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d82b5d0-6696-4572-a90e-0ca900580cba,"4/16/2021, 9:11:18.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9624 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,46490597-4d85-4c1c-89a6-21e07fae7836,"4/16/2021, 9:11:18.601 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cf300e6-dd6f-43fe-bf0a-f5e47159bd4f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11338210-5e55-43c4-8e9f-5c4c1977a5b2,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626370fc-20da-460b-b39e-aff6bfd97237,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8ffad4d-0482-4f51-a6d6-ae108761504c,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c19dd86-1b66-408b-850d-a8a662e798ad,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a60d4303-889b-491f-ace3-9336bdaadfde,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5be0b8-3233-40c1-9d4c-5aa1eecd0edd,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a2e63c7-df2f-4bfa-917e-fdf3153bccde,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbc2843-2dc6-4c7a-87b5-c27ce90b5789,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140d9c6d-872f-4d9f-8e02-65405ba25e1e,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30b997d-ffa5-4c8c-aa37-7af97a3902a7,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80379ce3-43e9-4a95-8196-35b43a0a126a,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18264e54-36d3-4838-b19f-994dc2172b0f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc6459e-da42-4cb7-99e9-9a15b827b101,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51ed409-b868-422c-839b-7323509fe31f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc3aa6f-7149-4cbe-a8d9-46b7bd0e3962,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f50cbca1-d988-46a1-b9a1-c2f7305b6db7,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a086a6cf-0a40-4c3d-a236-e36a78edf32f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3509299e-3134-4146-bc3c-c7744787216c,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,961324aa-e8db-4c08-add9-9bb01468807f,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35cd37df-4fda-43bb-9bdb-eb379b914967,"4/16/2021, 9:11:20.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,35477adb-e388-4249-b2fd-84391d36bcf8,"4/16/2021, 9:11:20.126 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ecb4d3f-c5d8-4358-98de-948aea740022,"4/16/2021, 9:11:20.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3336 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0320cd0d-627f-43fc-b331-cd050443b68c,"4/16/2021, 9:11:20.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3316 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,447bc178-0ea5-468f-86e0-cad4c8efc3f9,"4/16/2021, 9:11:20.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,102c360c-38bd-49c6-89f2-a126c594530f,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be721fa-a70c-48fb-8625-cd50c6f4bba5,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b754f7ec-5d68-4a15-be71-b770040fd389,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a556f259-e3b5-4696-b443-553b4bbbac5b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc50c5d2-1f58-4c10-b345-b2091d21982a,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f883d70-eb72-4b12-9f9b-87ade9c5b03f,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d666a1bc-a993-43bf-a85c-12f730318d65,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de96c09f-0c85-4dc6-bbcc-9a086af2219b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b2f1dd-af0f-4c1d-81d4-e1e196617027,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8415a36-5541-4464-9d1d-46100b3ac14c,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b622e2d6-9e5a-4547-8371-7976aecb7be0,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,620ac9e7-10f2-4126-92ca-33cac1e12031,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73172588-3e79-4ea4-8150-5ada04642bc0,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,778a472e-2bba-4859-bed4-39c8d1141661,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8457b42-61df-4e78-9f73-348b618bac4a,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05ec07ce-801b-46a1-8799-a6b7a2c99ca6,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2dadb2e-7b6b-47b8-807e-4e75ae8230c4,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b44766db-5b0f-46d5-b5a2-2047cae9a621,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddcc9d23-f351-4027-a408-3c144afec72b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6c4dee-9647-4767-b920-5f409503c60b,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87adbbd6-4c4a-45b1-9189-4f513155d4bf,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc745f2e-02b5-4c27-b73f-8ec132aa0865,"4/16/2021, 9:11:27.126 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c04860bd-2b25-4202-b512-553f142bbb8f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e84a6008-ed3a-4016-8c76-05d2ea72b324,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0269b40-91e3-4d73-80fa-9d725819780f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\MANAGER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6120075c-da5f-409c-ab0b-d280d2eb6736,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21311089-59cc-48af-bc78-350f4956bdaa,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a21eae87-3baf-4bfc-a2a8-e960fa0cbd2f,"4/16/2021, 
9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ae67791-fa5d-4138-80f1-f31cd03e738c,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\SCANNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3c134ed-b5da-479b-bffe-01f73cabea36,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a90cad5-72fd-4fa5-8787-3ee436f95868,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,796fa3e6-cb3f-4641-ae46-2f6e5999cd9f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,338c6de0-1939-49f3-bf78-1ee1b84248ca,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab305137-e4d4-42ee-8c27-45c092db4f00,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4a5960-b0d3-407f-9dad-31986d60d0e9,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c1fc59e-a6aa-4dfd-b3d0-6e17b3266260,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71c3c64d-1c3f-41bd-b804-fdf325b5774c,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9617b5-6972-4bd7-9b64-59f18299726f,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,242d09a2-36fb-47d0-a317-aae42f3403c9,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,854bebac-3b74-4e91-9b5c-6376cd501a12,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bc7c599-c588-491c-86fe-0a19278c731b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edc36fd4-b48d-46bb-97f4-2536c088830b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a77ec6d5-304e-4070-abd7-a6c199322703,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,212bb93c-695a-4897-ab3b-c41cefa1e56b,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8e757b9-47ca-4726-9f44-c86fb1808fcf,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1570a11c-5460-490f-87b3-6066db29751e,"4/16/2021, 9:11:32.691 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6c0ed67-8e60-4345-ae3e-45e5caec3142,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d3e027-f6d5-4f0a-9190-5520f9f5ec40,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5c435be-ad12-4c92-81f8-518b35b65c16,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6a71b5-43e0-4883-a872-0611cad5b2bd,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa64173-af6a-4c33-bd7c-d480a29fe0a5,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db98f7f-c381-40dd-a6bd-378e2fc9a12f,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e23abe-e38c-4cd5-815f-4fbc14ec4a90,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fce35cd-2442-4ff9-b896-3e2d1f86afae,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac109a5e-c9a1-4a5d-8ee8-9d42bcc32900,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d950560e-1f95-4373-bf9c-297ffb907ded,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbfb2881-41f4-4f8e-b791-e67b6baea7a6,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d542441b-7d54-458a-81c2-91dd019c51df,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2304405d-208b-4678-9e2f-bde28b1d4be8,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c4707f-9761-4b1a-9f6f-76e16fd9c257,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 
+ SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1caafc5-d12f-47e8-8e04-f9856d4b769c,"4/16/2021, 9:11:35.142 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c793795-c228-4564-aaa2-65bacb5c7291,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08ce831b-8fd6-404d-a4ac-ee45166eb230,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51cb94de-e107-4046-a07d-2ffb768511c1,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc26183e-4c10-4d05-8cf6-eb9bef6e8dcc,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9cb86a1-aab5-433f-af79-adb6fa68d92f,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,512166df-fea4-459d-b75d-863ada59e7ca,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e729cda-a69d-4ae9-91ed-5c918572d503,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, 
+\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b64e3bcf-f0e8-4af9-b16c-57fa37aebba8,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0533d688-2f4c-44d0-b144-037e2a19fb48,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f27d2eb-2a24-413d-96e9-c3ae038d618d,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab8cc2e-e706-47e3-aaa2-1828f8d1b427,"4/16/2021, 9:11:35.142 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8631f116-5db9-4104-98d8-1931d91f6245,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a7a6f806-a37a-4f26-93e9-fa1b713dfbf8,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70d757e8-1425-476f-9d6a-dc1ce546e5e7,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,57f5099e-d857-4e92-820b-37604691308f,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,316b6807-159f-47a0-b79f-357f93982448,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7f075963-bbc4-4d2c-abdf-f0f3ee69563b,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ba05cccb-a470-4274-97d7-2f1047c93311,"4/16/2021, 9:11:36.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60ce6b5c-38ba-460b-bb11-ac00ddc6c9ae,"4/16/2021, 9:11:36.060 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57da6942-a8b8-4311-8185-4874f9dad108,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbeb960b-0a1d-4d1e-9f93-6fe9e4f570f6,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ad92f2f-65f6-41d1-b22a-a88a1ca2e416,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394d6b7b-489d-4645-806c-f19962245334,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad605f4c-00bf-434f-b81f-c08c46aefaa0,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c896abba-41b0-4664-a92d-0627e3de7463,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d075fa-a036-460a-99d0-a5e7e3071652,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaf809fa-4d67-4af1-9093-e0fe3daecfd3,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e326f45f-ae6b-4e45-bf67-3525c532f7b4,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\GIULIA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4c6d217-3191-4705-b0a2-26d5736018eb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ae949d-0707-4a61-8930-21c0726fefcb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,283801a5-a0b4-49ad-a4f6-ff4c5e617beb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b32f4a-09ba-4a6d-b21b-fd57a835f04a,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4814c9b-1b35-4ce9-ba57-c2b21b84f943,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97acbee-fc03-40d7-9195-930b66630e6c,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8db467-254d-41f6-90fb-870ae879bd18,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a626b8-1ae6-40ce-b3eb-b27243103a2d,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2fca46-1ab0-462b-913c-4a0232872851,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605d68df-208a-400e-be66-36cf080274cb,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e916f22e-80cc-456e-97e1-441846927558,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baa9ac12-3a38-4910-951a-f3ba44bd6205,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cff90eb-82b8-4d22-bc68-34d074f6ff81,"4/16/2021, 9:11:45.224 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4860 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,348d4450-12dd-4dfd-9b27-ad16725a9523,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c1430515-468e-4493-919d-782882646f9b,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,12f061d3-3013-4fe6-be95-3dce25d7089a,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bd966a87-0468-4444-a68a-d067c2be8dc0,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39ceaa07-9d8b-4257-aadd-71f579276d73,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4e9e18f5-2820-4e39-88e4-1f3df33dade2,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1e540553-dccb-49c0-9a42-0a8388dd83d5,"4/16/2021, 9:11:46.835 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d2536120-7c06-483e-8277-458d9ded4f7c,"4/16/2021, 9:11:46.835 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,62ad83b9-0d26-41f1-b432-ec27e43104a4,"4/16/2021, 9:11:46.835 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a47e038a-eb48-460b-ad57-b1a9045c85a7,"4/16/2021, 9:11:46.835 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3952 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,81f3db33-d78a-4486-90a5-0c144ddbd2e5,"4/16/2021, 9:11:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7268 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was 
allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e5c70f59-b598-4276-8747-3d0b658cec3d,"4/16/2021, 9:11:49.272 AM",,,,,,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b3cba2f-aa2b-436f-90ef-3fb13e412c79,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58c36e86-4772-4c9c-87de-415788c84150,"4/16/2021, 9:11:47.410 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68e077c1-8f95-4014-92ab-79d0fa85f900,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\POS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6bf1d49c-c82c-4221-ac61-e7c53c2325be,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bcf24924-441f-443b-9887-48caf4c91247,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\RICOH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ff8daae-39d3-40d0-84f6-bc8b0bdc2b92,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\USER4,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,121819e5-ba06-4faa-877b-fce73885c060,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,574471e5-c11f-4c75-b216-653dc91c27d1,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,24a03a99-b387-445f-9fd7-d6ae4e7632ce,"4/16/2021, 9:11:47.410 AM",,,,,NTLM,, +\TESTUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03b9516b-9036-4e7f-ba60-51d9aa6d7c7f,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed76833d-b6fc-416c-82a7-37909e8fdb8a,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3091c41-a322-4691-9e9f-5083a8afe374,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa2262a4-414e-451d-8dc6-f99891207d93,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cbc09af-783f-44c4-8a90-1aa709671453,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbedf53a-804d-4be3-9949-b6fc56b87617,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42f3fdf2-d973-41ee-859a-6a7499c75a2f,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38795ce-38f0-45dc-911f-d3cfbe880491,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28bef4b7-96e8-4266-b216-221ae7308313,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbcf1dc7-a969-4b66-8156-deec7e9061e8,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68a73a85-02da-4ab6-adf3-4e986758cd3c,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7015a220-68b9-432c-99f5-24f0cba72836,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98bfe686-aeef-4d28-8829-733cb9d4f8ec,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69fe6251-b113-44d7-999e-801ffb783e04,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c87ce55-2a53-4233-8bc5-600f73447ccf,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\SCAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,301db968-d613-43b4-8aab-02e09dc51731,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8ad945-5d01-462f-adf5-29857c512468,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51628440-4b1d-4750-84d2-7362313f5ba1,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d47214-4011-4c53-bb49-592b1d7a5036,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b3d8033-0a5d-4983-8486-416a599e5007,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cf431d8-e8e5-4e7b-a45d-fa3ab36bce61,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1c0136-5f19-4b96-b865-b24538549a51,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97a20985-a1c1-4963-bfd1-5f2046488fb4,"4/16/2021, 9:11:49.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03eca55-0dd6-4840-b5b5-d9ea0a942dba,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eeb97ab1-29fc-423e-8616-9ed62c535cf8,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,761fc746-f8a6-4f99-8969-22d1d7e0f6a8,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c41132f-f289-475e-a4a3-431bf2110093,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19ab91b-f8d7-468b-b86b-992601ff3b85,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6fef7bd-efa1-41f7-a60e-ebc08385baf0,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34d50c5e-a76d-4d78-9276-227163f358c4,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89c4177-c232-45c5-8205-7a5ee3dbe811,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,775b0189-3c38-4d37-b8f3-47298acf1cfe,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1121511a-20d8-4d87-9cde-445fdc4e828c,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,685b9ebb-fbe9-4dac-9b6d-5eb4b0d9db50,"4/16/2021, 9:11:49.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2515feff-fcac-468c-9a4f-78880d3d7557,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34b36d4a-9732-46c6-8253-c2fd7e2052ae,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2650df8c-a540-496e-b76f-0f0fcad956c5,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ab91f18-1911-4fe1-9ab3-011252c90493,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5584 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a176a91a-21c8-4d4a-aafa-16eceb94c55a,"4/16/2021, 9:11:49.126 AM",,,,,,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2bb62b-effd-4eef-b1c9-8a8ed45b9760,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc9558ac-1fdc-4652-a951-dba64734e97c,"4/16/2021, 9:11:49.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51efa458-cb7f-481d-89bc-336b0797e9c7,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d01bcb-e2e8-43e9-862a-c82ba128868b,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4447700e-0a15-4cbc-b114-60f1d0a670c4,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2272ef4-988b-49fc-8015-5e39d370b41f,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c01926d-bc82-4835-835d-441a3d2c0fca,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e9fd9d6-3015-48cc-8136-37cc17a5751f,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e323db2-becd-4f7d-9eaa-318f312798ba,"4/16/2021, 9:11:49.126 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,280cf903-184b-434d-a3f7-dd9c5c22e2b1,"4/16/2021, 9:11:51.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,505be1ff-e614-408e-9483-199ae266d9ec,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,538d49a8-19af-45b5-b79e-5da8ee9337a7,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,49a31f16-cc9a-46d4-9d9e-8361b43f9a93,"4/16/2021, 9:11:51.600 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,223b275f-d4db-4965-adab-7a0fb1e23bae,"4/16/2021, 9:11:51.600 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11084 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a01562b2-eace-48bc-afa2-5347a440c9b9,"4/16/2021, 9:11:51.600 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7d5f705-a85c-498e-bd3d-9c4957e91998,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d8bc3c-319d-4f28-91d0-eaf9c2c3dadf,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59a4303-1817-456d-aa95-21ef2a33901e,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d9b0353-6065-4f7a-9eb1-59db36ba05b2,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cb2b60c-97de-4410-9e9e-a9780150ba92,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b7aabf-9d31-4d17-842f-1a6966b83ab0,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77858c6b-b437-4050-8583-c9c425675097,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8db3dc7b-44c0-485e-9c57-1865698759c2,"4/16/2021, 9:12:02.735 AM",,,,,,, +\DEFAULT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b48e2ee-dffa-49c1-859a-dceb4be5df98,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f55b2811-1c3e-409b-a6ca-a22012d60525,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ac7829-d82d-496e-a7ab-00ae12d4af7e,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fa029cd-cc43-4723-8c0e-eaf724a6fa05,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36709247-7a05-43b0-9667-d6503b9c0ed4,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b685bda6-acda-4f4e-a370-3785e61aa070,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e08216a5-8322-4b64-b279-b7f87f70c7c3,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\BITMINERANON23,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0a0cdd5-a11e-4539-8a96-892cfc946670,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9256a571-8f72-49ef-9920-20a8eec9abd8,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5814bfbb-9102-41cc-bd96-4774bd253511,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c0559d-485d-4b3a-be2b-941aa6a0111d,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77afd59d-ce67-4cfd-8add-d7e4a8866739,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e4d28c9-3f48-4107-92f1-dd7726d0b775,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7067b9-06d9-4455-930c-c1516d33b02a,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4d5ff2-ab24-405e-95ff-785d0cd0d50f,"4/16/2021, 9:12:02.735 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c6bbacdf-3e0b-40d7-9b01-2972cadcbea3,"4/16/2021, 9:12:08.081 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,282a3257-ed6b-4150-b7d0-7acbc3ca8b86,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,270aea9c-3cb6-4c89-b13f-ce8340ff9a85,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42c3a718-f35b-4e46-a1bb-145777ddfa0a,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,ac1e77fc-21ff-41cb-a30d-f0c54688e51e,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b9025a2-af86-4e19-8052-807aee90996a,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d08417b1-4956-4cf0-8b0e-b4b5501f6908,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97dcc713-fda8-4c4d-b747-877d352324f8,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d39850e-0b6f-4b72-950f-8a74409b5a1b,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f06bd9bd-a0e7-45fc-abaa-c381837e82ae,"4/16/2021, 9:12:08.081 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9f30768c-6fe8-45eb-a258-d117f665657b,"4/16/2021, 9:12:08.081 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,e91e0068-536d-49e8-87fb-87261d28d091,"4/16/2021, 9:12:08.128 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,8587b7d0-a23d-4f5f-9b43-9b2c149684a8,"4/16/2021, 9:12:08.128 AM",,,,,,0x0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67a606a-d1a3-4ce3-824c-365aab60d2fa,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a21018-e671-4807-85c8-087565cfe9d9,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6590da7-9d9d-4e5d-b7dc-2506a72d4153,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e92868ae-d224-4261-bf30-90c054c958c1,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd29858c-5935-4cf0-8710-4c8997b6e0b4,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e5b04f6-9a2c-4345-ac59-d328889ebf82,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f57a1876-d2b8-4a79-9d7e-c7c9fb387447,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cdb217d-eebc-4059-9d51-5c1884870a57,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ceb328-df85-41c6-9dfb-4ef3edbc2b68,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a5621d3-306a-45b7-b6ed-d38fd2ff01a2,"4/16/2021, 9:12:08.128 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e7e2505-7005-49a1-a966-5cde00234848,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2740 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 
ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,7646376d-5de9-4655-aac1-1483adda9f39,"4/16/2021, 9:12:08.128 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b132bd44-4e3b-4a67-89e5-f0177ac0efc8,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dba2ced-6d74-4e8a-b8da-83d601b751fb,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef3ade96-1d39-482d-8842-5c9dc0598501,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b92769eb-e593-48ca-8fd4-9e7211679c93,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2af7ec1-0fb8-4e6b-ae7e-6069c1ce092b,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e903a8-eefa-4bab-bdf7-c33160af2260,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c6fe4b7-7346-43b9-a037-fcd535656574,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f10e59d-a05c-4475-b7c7-0b10896bcf29,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d10e5e-1281-45a8-b730-75ce033ce06a,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73ee1d3d-8106-4c64-ab5d-ad316ff0e157,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ac5887-bf2e-4c3e-a29f-86f7b587c595,"4/16/2021, 9:12:08.128 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f38b072-3c6e-43d9-a059-4fbc874d1652,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e181cfa2-abbd-4107-a19c-9ae24b35be5c,"4/16/2021, 9:12:14.692 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2145e56-09e9-4634-b201-cbe5a5a850b2,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd477b8d-2de4-427e-be03-fec57b70a1ac,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\DEMO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b0c8010-3952-4cc2-bcc1-e0f5e4b95a76,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3c156aa-8a71-4c41-b5d8-fc0c356a1d82,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9498a0-4aed-4fef-953d-3bc5f984da3a,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bff32587-6932-4326-a22f-96a11da69d22,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d614a0a-fd0d-4d8d-a93d-5db76e1cf685,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c7ced87-214d-48e3-9de9-1ac73cc9864f,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,335dd7d1-8da7-47a8-894b-43cad762489c,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a463863-c8cb-4f85-b3f0-6b6552eb00d7,"4/16/2021, 9:12:14.692 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2390ad00-d8a9-49fd-abb2-bd5fea898b39,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a2793ea-4769-48bd-95ad-5577791ac121,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fda4a616-3a6b-44e3-991f-cff9f6b87468,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca214ef4-79df-43ad-a819-5b24cd287463,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98950a25-3c6b-429f-b4e1-0ab50d7266bf,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\EYA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e595041-fd05-4f19-a5a8-ba36a68e9ad5,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cddc2d51-8f0c-4e78-b1a7-57e02e3d7fdf,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe25586-6526-4534-b750-b5c8d990bfba,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf463e10-2525-4bda-8780-dd0791db15a8,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82045daa-c6ee-45e7-9480-6e2437e28936,"4/16/2021, 9:12:14.692 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ef5af25-3a7c-4c14-9d79-6b3eaf3c97f3,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,273d109b-6d1d-4ccd-8d17-9f5b359a4354,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,023d6c1a-9d13-45a0-ae1d-4f9713f7f867,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5ac0899-4a3e-47ad-851a-b7336df95755,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e57c930-7638-4c5a-aea2-cf8c590f228b,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054bf3de-429e-411a-9e3a-8b128ffc10dd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec24bc69-d2c9-466b-88f1-06f7bd120bcd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10178a5b-1245-4305-a8c3-3d92c93e9919,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc97d9c-5dc3-4405-9690-c08f944f542e,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb5cf5fd-16fc-44c9-aaaa-b6bd9e9aa083,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf3d65c8-0161-42d0-b6c1-5f83ac2af557,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36daf11b-0f2f-4d8c-9ae8-515a55466a19,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4fdb79f-32d3-46c3-a072-6c1551e172d8,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9dc920-30da-43d3-88f3-f88c39ac03ee,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26caa98c-9aac-4c43-a396-5656f9ffccbe,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0332baa8-a1e4-46be-82a0-63a8d05f9343,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a41396fa-c588-453d-847e-96d25aa7feb0,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a235c7-553e-4bfb-af75-d9e609b5b864,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a851682c-7043-4592-87d1-3a5a2dcb1efd,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb0ab45-516b-4a88-80ba-4babe532c215,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161cb3f0-3880-451b-8195-6d5b2f7b4d0d,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9eb180-036e-439c-b646-7a2585827424,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8dd9fcb-e9a4-4e09-bdb8-9a6bc942a3a2,"4/16/2021, 9:12:15.131 AM",,,,,NTLM,, +\ACCOUNTS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a54a26d-99fc-481b-8af6-bac61095f621,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\USER02,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a041bbd1-cdd4-4f05-b68f-44fede10f803,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4b2a8c1-b2ec-4273-af0c-bebee1d25cb9,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +\DELL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d05b1d3c-12b4-4445-ba08-d3e5d7216033,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8dfb2414-082f-4fd2-91e9-5afe70126f1a,"4/16/2021, 9:12:20.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1804 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b127627c-bcc5-4e85-937c-ccdb0a4c5d0e,"4/16/2021, 9:12:20.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a14f2932-49e4-4aee-8b1b-7bac5c9fdc23,"4/16/2021, 9:12:20.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91820377-6e11-4e4d-ab1f-887fd49becef,"4/16/2021, 9:12:20.421 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,36512a56-a99c-459a-a4a3-8f53495e58b5,"4/16/2021, 9:12:20.421 AM",,,,,,, +\OWNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9579885e-021e-4dd8-9fd4-825898b82fe8,"4/16/2021, 9:12:20.421 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,bf4777fc-e089-4069-9dea-ce653bed8ae6,"4/16/2021, 9:12:21.611 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,42f33bbd-36a1-47cd-b00b-64f32c79b4ad,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,268450fa-683a-4a49-918d-13d51c22740c,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5680c3a-5d0d-442b-96b4-a347060402f5,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fb3577d6-fbfa-4ef5-8459-ad7a625e557f,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6868 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,855bbd08-74bd-4a2a-9738-527faf274a2b,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f10f0f6-fd81-4582-97ba-236ea5f3d51e,"4/16/2021, 9:12:21.611 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4604 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d816135-aeb3-4ae3-aaa3-30a4aff23f7c,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,940bdd31-edb2-4e3b-81ec-1a6dd9ace0d1,"4/16/2021, 
9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e68ae3d0-f915-4177-ba8e-1cfd5ecc4f16,"4/16/2021, 9:12:21.611 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7baae32-080f-482e-b7fe-b45116ccb5b7,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c032384d-e27c-4b39-b8c3-bb5571c67f3a,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,40114497-454a-4ff3-aa6e-d0ccd6d62ea8,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2cf9254-7c2a-4178-9be6-56404a6ab2c6,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff479299-aba4-4a8f-b40b-574fd59e62e4,"4/16/2021, 9:12:21.611 AM","%%1552 
",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,677111d7-1511-44d8-a952-a6e0b2eaf355,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a8549166-089e-4924-b0a6-56036dc52c8b,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ae9c058-012b-441e-8b15-708c3d5228ab,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f1c2aca-5701-4060-9a6e-307817042a16,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee1cc971-bf88-4a22-9cd9-5d42feedd7ed,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,45a360df-8e3d-48a3-aa6c-027352e9e131,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,2ea2160d-1b8f-4412-af59-ca8c2215134b,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e6537b4-833f-4807-8028-8a2fbc0a8aa3,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,45e63ca6-4ed9-4acc-8796-708bf544e6ca,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,150ed739-4bf7-4f40-b16b-78845b5aeaa0,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7ab9760-f8c3-4621-8c06-7f7ae53fbac9,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e6449290-8ea4-43dd-a26a-878e92efb2c7,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c98a2a6c-9fbb-4d4c-8d45-1b3a0596a879,"4/16/2021, 9:12:21.611 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,12b1e820-7012-41f0-b191-5fde0c5a24a8,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ad153b1-c981-499e-8422-8d598c38100b,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3604077a-83b5-44f8-8fdb-8a6fef473705,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7fe0ccf-d323-43f7-9f3b-c8847d275f30,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,53b5a8aa-c949-4bcc-a8ca-9478b1cbeab6,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1bb689c-1108-4f13-befa-93f3a4015396,"4/16/2021, 9:12:21.611 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7de46d7-8b61-4cb3-bcba-77482ce1163c,"4/16/2021, 9:12:21.611 AM",,,,,,, +\USER1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2007e7a3-216c-4ab8-bbe3-0f6b4da6943a,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10ede72e-60c7-4339-9790-c9be910fd7da,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d16ac162-30e7-4fe9-922f-273f9c5e57cd,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849129d8-aa1f-4f32-84f5-39d787d612a8,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b918840-8855-4bdb-85a3-fecf11efc882,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dabb8385-77e3-48b0-8499-c5485a9f7930,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f27aa2c-6bab-4b82-b5c6-f7459df3094a,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f290acaf-a727-4450-82d1-5e3a8b743e68,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83735c0a-e570-4d78-b757-5faf6e0bbd72,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,318d391d-7ec7-4cd9-842b-65a52ea80759,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64c34d1c-80c3-4e0a-b794-1a6e41da86a6,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68aa075a-ffcb-4fa4-b6ad-e58526ffbb2b,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,324f3ac3-10bf-4768-b233-710f800f8245,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93469205-96dd-43ac-82b6-ba66fb57d34a,"4/16/2021, 
9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71313dd3-297c-4008-a174-7b43d7645abc,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ed7698-9361-4747-91fd-042a2d95de0d,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4ff5e23-ed32-4817-9c56-14c68a183404,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\USER2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e97ffb57-65e3-493d-8710-d23e8ca51522,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e5b73a4-66ab-4e40-9039-d76fa86ab812,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8311ec6-a155-4b99-9b7a-64a74f059b2b,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef4b408c-de73-45d4-9fd8-f75c1c0209ae,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8730295-c0d2-49c4-acee-ad28d2a64077,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ddbd4e6-acf5-4607-9b81-10c1f5cf34cc,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fd7e899-1804-480f-9e35-d28f86600130,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a4c8eff-4ca0-49b2-9acf-f60e74c788d6,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a76e8863-143c-4405-b46b-fbd860a83057,"4/16/2021, 9:12:30.702 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14312 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3ceb5b53-986b-4140-99f4-741d8e82a417,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10632 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,55d4fbec-682b-448e-b6ad-29a7a67f98dd,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11144 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ab812765-1f20-4719-90e2-020496c06a75,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 12108 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 4791D7CD9D154D3F2C59B47259D2689FA47FBFB1E9FF7A41A5F03B3B66EC67D3 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1757 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,144df349-5b1e-4bf6-9e22-c347c9cdf4a3,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3028 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ac991de6-d7a6-4450-95af-a5d7615b5bbb,"4/16/2021, 9:12:28.992 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10404 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1e1f91dd-8e69-43cd-a6cb-2a1eda225b4f,"4/16/2021, 9:12:28.992 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb46ce0-79a4-4b9c-aef3-d4472f2cc7a6,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4407984b-952b-4143-965c-a83289c2ec07,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8db7cbf0-90ce-4deb-9c10-aef941c7682a,"4/16/2021, 9:12:31.205 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72fc45d0-c27d-4b09-a020-b4f970aa5041,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1417a4d5-054c-4eee-9434-8beadc27a982,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9996e592-d3bf-48ae-b36f-d704c284c82e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae9350f-d810-421c-a780-ffb8b46afe8e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8af230de-cbcd-4cd8-8ab4-eb8447ecd26d,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c784be-b0c6-466f-81e5-1b0a86b4e97b,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6f5bc69-0438-4841-b0c2-1a4031ec48c8,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217544db-f75e-4207-9a5e-ab7da0e2dbc2,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,015ce6b1-6bd6-4c77-a48a-1ff9e4623331,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9120e52f-09cd-4e94-b037-90a89c6eebe0,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6764c28-dfd3-447a-9402-91bebcc75572,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8239b159-a73b-476d-aee9-ef074bebe17e,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc1b7cc3-3693-4c1e-980a-2aafe2fa10b2,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48c285e4-cbc1-45e8-8dc1-40e0196c6da4,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5456a687-7825-47e1-9504-e24f0ec29d23,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a69d78-8844-4fa8-8e44-be9ba13ad551,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933492a0-3ff2-4dff-bf58-8fa1f072d731,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d7686ad-b7e5-48ce-90ca-0794e6112e68,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e647f06e-4efd-42e7-b585-d4a1e71733f3,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,4429a4ba-8459-4513-a3dd-d7a85486b5c2,"4/16/2021, 9:12:31.205 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85d107e9-549c-4947-85e7-550ff0934e93,"4/16/2021, 9:12:31.205 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9542984c-f834-4845-ad5b-b2d41cef5663,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f22ab6b-8049-4bdc-bce3-e1514c6a9f06,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a48fd9d-5ef6-4927-b3d6-a55c981c8731,"4/16/2021, 9:12:39.127 
AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7cb21b6-0a17-4cea-a68b-978bcf479b7a,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6de6ab0d-c548-4c47-886b-1bc59177b800,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4629588-efff-463d-a13e-a5eb074c4157,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4abc940-3569-43b2-a373-c01687a1d722,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SOC-FW-RDP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-17T04:56:33Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> 
</ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 2251799813697265 + 2740 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dda2784-4316-40e1-a8a2-aef99068ac2a,"4/16/2021, 9:12:39.127 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b49d21-a870-4f1b-8860-aad2f41e95d4,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b635ead7-1496-4faf-8017-f388d912baf3,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,499702ba-a323-428f-a39d-094e102ab368,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f035f673-a460-465e-a5b6-681129ef1163,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21512d8-dccf-447b-882f-fe3378c083b1,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919b86f1-0a5a-4a8a-950f-13c6811e8c5a,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92c6702-5085-4f03-897e-31f550100e83,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f3400-2234-46e5-ae6c-93889a95d9ae,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a938eef-8fc2-4dec-a578-d67f9a5281d7,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e7ce3b-5c1b-4d2a-b519-1e100bb3f486,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54c5b7c-e098-4ded-b5f0-9219c7b952ff,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7736fad0-dc88-4d1a-addf-6d659cf911c8,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ade6bb-3226-47c7-816b-08c3825f0064,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d6b9ad-5cd3-497a-b116-8960462314d8,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c28d44-5a00-4858-94c9-597bbd9859e0,"4/16/2021, 9:12:39.127 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a039ce2d-a30d-4048-8eda-cb8c0efa30f5,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9b72df3d-583b-432c-befd-aefd1fa30870,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7dda7709-b026-4f42-b3e6-5d58b6c6d02b,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,019498b0-2138-42cf-bf9b-8a8b79c12a7d,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6d08c4d-9e39-42eb-8bc4-fcc6444915f6,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d9dee60-e941-44f7-9035-fc2d9db37120,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f0af60e0-e0bd-43b2-87ef-76dfa5cd95f2,"4/16/2021, 9:12:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f724d600-5342-493e-a08c-e935ff46b440,"4/16/2021, 9:12:43.061 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,73307c64-44e5-45bd-a187-d09077bd8ed7,"4/16/2021, 9:12:43.061 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,7595bfee-3084-473d-844d-15e0caba2ce0,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9981df73-8a24-45dd-91f2-c7831cab8cf5,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,02c6be9e-214e-4a9b-bd89-4e23284ce66d,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,52700954-540c-4cb3-9813-0bb51c10d079,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8a44 + C:\Windows\System32\svchost.exe +",4799,4799 - A 
security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,5032c558-6173-4dbb-ba4e-a2dd4a206c91,"4/16/2021, 9:12:43.061 AM",,,,,,0x8a44, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x8a44 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,c5b96002-f5b0-4442-8ae7-d6e511534c28,"4/16/2021, 9:12:43.061 AM",,,,,,0x8a44, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,ebf9be15-344b-443e-bd01-5db8024898b0,"4/16/2021, 9:12:43.061 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,92c87bcc-6576-457c-9d9e-8960e926804f,"4/16/2021, 9:12:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5de83a73-a8a8-4883-b92a-af9bb0f9f7e2,"4/16/2021, 9:12:43.061 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e24891c-c66d-4acb-9372-06a2b770a780,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e28dc3e8-a15b-4919-8874-a43762da6ae8,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30439f54-73d2-453a-9df9-83fd6fc66d7e,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e76b71d6-058e-4459-a8cc-4daaf9b4fc2e,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc206b31-d3a6-41f3-82c0-bf76ca6a3430,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09039629-65cc-4b16-b838-7324dd1c8828,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f5afd1-2c3e-4998-8ff1-b5eeb1de1a9d,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed43b409-04fd-4e83-9b13-89280a7eb41a,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5202e6d-f360-4106-ac88-7924af1e51d7,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e9ee9a-b26f-4261-8ff4-90a14dade151,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea293d2b-4181-483a-81b2-7d5ee4f255ca,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a56ba0-5f46-4909-ba79-5841d4933833,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e07bd2-0e57-497c-9508-92c40b1096df,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ae4715-a8ea-4cf3-9ee7-1044d26c0593,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0fa41f1-d82e-4609-be8f-12db0de30fa0,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30454c69-2ab4-45d7-af8c-cfb52d7579e9,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed71d75d-ae1f-497e-b0bc-7dc35fb736d7,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f45b14fa-d3d0-4d8a-8ca7-fa36bb8c2599,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dd5cf41-254b-4ec9-9e93-139625eed521,"4/16/2021, 
9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,479c0dff-b04f-4a29-992a-a2237f481148,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d3e890-90bb-437b-b482-c19a576d05a6,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7c91422-4093-47f7-8fc9-84ad5067ffb8,"4/16/2021, 9:12:46.126 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,be80d28d-c95e-49b9-9f7c-250dbf5a78f6,"4/16/2021, 9:12:45.871 AM",,,,,,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6efba0e-74ed-4e79-941e-cb3b6063432f,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8995c3e-28e7-421d-a2f1-ca1b9c243df3,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66336ac5-9630-417f-81f0-a19c6d738772,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b2fb68d-e35e-4929-aa11-c05e5e4ecb7d,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bc38c49-9f87-4890-8ad7-4ae34df0bd78,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93c4efe6-e9a3-4411-aa5c-12821efb1d3e,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a073506-897a-4c47-9859-b440469e83de,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d85b692-4cbe-47fa-b07e-2fde9891750a,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbdd1def-f974-4227-8848-5ec9f83b5923,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa742784-3a59-4c8d-8136-dde129efbedf,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb8dcce3-fdea-461b-9422-3e2cf135bf1c,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03c1acb1-5fba-4eab-8f6f-90e5e77b1c0b,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98b5483d-392a-4146-8b26-1c2f6d013c90,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae840f75-3d3c-41be-a22d-6a70f70e59a8,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e8c27b-0b11-4f90-905b-fbbe16134807,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe440f2-7e1f-4d71-9574-4c5761b71eab,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb54ee6d-a2ea-43c4-a40e-6833444fe289,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76be6b0-513e-496e-9af1-3cb8a8a3b264,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f88037e-0246-4000-a8eb-55c27e4ede57,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04dfffe7-8595-446d-9f28-1a00c0bc3cdd,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20d6e2b2-41e9-4a20-96ff-37521aae5102,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddebf33c-ca30-4eb8-887d-4b1da1bd3902,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5e56732-620b-41c3-b64a-e2eb4e49a525,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +\1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8effbcd-54b4-4e4e-b7ff-1c36ffad85b6,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6001e795-9e07-48dd-8b7a-e645a121567e,"4/16/2021, 9:12:47.697 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,609908ec-55c3-471a-9760-a7d388efb2ad,"4/16/2021, 9:12:49.268 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11856 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6ff952e8-9947-4523-8bcd-500930281cdf,"4/16/2021, 9:12:49.268 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,230c7318-317e-4aa9-a9ce-194dd5b8e43d,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cf3cb63-fe3b-4a20-8a17-d3d9b78c8fa7,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ec356f-e5af-4b4f-bc11-8719e21f453c,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ac975b7-6d4e-43e2-99f6-4018d7e069f7,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c4731a1-d35a-4c74-abc4-d08e1ed7f08e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ca1091-1059-4e76-84f1-c60d68e2b9f3,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5659c0c1-90bc-4dd6-8c9c-bd59ca37789e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f798161d-3bb2-47a6-9c60-fe43f4b1815d,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17bf9c72-615b-44b2-98e3-2f57a52bdbeb,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af3063dd-1e1d-400d-99a9-e0ca54fd0210,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65a24e40-43d8-42b7-bb44-5a9d1e66b7b0,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d25f07de-e304-4886-957a-e60d621f1407,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3ad85b5-76ba-47b1-ace9-413288a4e4ea,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12e44b29-e8ff-4eb7-959d-762c80a59788,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0f8107e-db66-4be3-bd1f-8d3504f3dc8c,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132f4ad0-a2ba-4bc2-9dd7-94b0cd1ff585,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9356ea29-5e2a-4384-a335-8c5580e237c0,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3eb2bd-2ef2-4f65-a670-523b8265b14e,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c8c3a0-4413-4e56-ab8b-d394c1c8ccde,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b537d78b-91a9-443a-8bda-d81d730e0ff9,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17739c4e-dad7-4ea3-862b-f950c4a820ea,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047199db-d85d-4a89-84df-306c32787dc2,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bd38d21-29dc-4f3b-bd3e-6ca70da776e4,"4/16/2021, 9:12:52.123 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe3bb4ec-990e-40d9-9151-b2d7c0e86cf9,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\INSTALL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4f3ceb42-456b-444a-a2c2-55a27efbd357,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a89521b5-476b-4a77-80df-b5fbc0c81c01,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\DAVID,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,97af0421-d228-4d6f-b215-2e218dbfb6c8,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f2a715e-8647-4b55-9b68-e17178cdf928,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4632c6c8-dba3-4aef-952c-b87dfa561417,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +\HR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bdd24843-d8f1-4fbe-9978-6b68f371a746,"4/16/2021, 9:12:53.414 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,54740500-7464-4d33-b154-c271f274a93c,"4/16/2021, 9:12:52.604 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c2baca2-6578-4b0c-a01d-370f1b6bb67e,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,d97ddc02-7006-460d-b382-b162badfdc68,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d78c723-df62-4dc3-98af-aed6ffe4ee16,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bff87220-7113-4f5e-a132-57279a2d5ed6,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10800 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + 
C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e5eb2e12-54b7-4ee2-b5d5-46d17fba4bbe,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9288 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e30405c-08f9-4017-8775-c9dee827bf95,"4/16/2021, 9:12:52.604 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b396a938-1511-4ac8-9f2e-e36ba8bee8a4,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9956 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,85fbee7f-8090-41a5-b8fe-128fd3883cc8,"4/16/2021, 9:12:52.604 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4812 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,58146215-7619-4df5-b4af-636fb682df2f,"4/16/2021, 9:12:52.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1576 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2a3e0ece-5a18-47f9-a3f1-ddb5325d1583,"4/16/2021, 9:12:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,221519b5-0e43-4b16-88c9-5e87cb7cb3bd,"4/16/2021, 9:12:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b7b0bf4a-5bde-419d-8960-a9f2113e1c7c,"4/16/2021, 9:12:52.735 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b51784ac-a926-443d-82d6-e945b2fd7fc2,"4/16/2021, 9:12:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,97933fdd-5e9a-4a48-9f77-3b9e9cea486f,"4/16/2021, 9:12:52.735 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84ea1719-5cd0-4b6c-a369-1d9acbbdd943,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d10d17c-c67d-4cb9-b3bc-ed92090eefe1,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74a4fad-070e-4924-b447-ad59beb52a0d,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,600901d0-d655-4b6f-ab59-232020476e7a,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85dedec4-0694-4306-8f43-4ce43d342706,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32479c6e-8ecd-4b7d-8997-5ad88921cc38,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce74374b-d5fc-4458-b8ae-85950a7778ad,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de9e9978-261d-4113-a9fd-58f3f489dfde,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd89afb2-9f63-4778-86e0-a06429e342f5,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e99cef22-440e-483b-87e9-c9faad54a0b8,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,564abb62-bc7d-4696-b5ec-159bffea2c87,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9bb780-e1e8-412c-8b85-319f7a8317a0,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3f27ad-99df-4de0-8ace-22537e44e9f6,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08226296-6286-4c7d-82ec-9ece5f9fa091,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a8677b-a2a3-4436-91ad-75adc0bb6e19,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1423de09-ace0-49be-ba77-508b7738374e,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0c644d4-c3fe-47c7-bb9b-9897a3d7cd87,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bea2c6-c0ca-4063-8a57-fed50cf8659c,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5c9d83-eb8b-407d-8f6c-46e1c6584a4d,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77647004-b3b0-45d1-ae44-a8a44889d65a,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e0bc96-7f3f-455b-8bbc-f2e8eb8e0abf,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5726d2-611a-40bf-aeb2-25b01a0455fd,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31a05feb-ea52-42a2-a491-51191ec65287,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533a6996-2e8a-4ebb-af26-dd75f1d70cad,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db468fb0-961c-428b-8a5f-2a6466260ae6,"4/16/2021, 9:12:58.122 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31f0b573-273e-4496-a560-94e173759f80,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b825cd98-90dd-474e-8728-baacfa414b8d,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d371157-15e5-4427-be32-3fb02771e0bb,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f87ccfe0-f2d3-4d71-a388-c96c80bec202,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a47a4c94-c3c1-487e-a7d3-035c19077137,"4/16/2021, 
9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78c3244a-3d0a-4ddc-8947-a931e4de6b9d,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fd911c6-3b9a-4d46-88c6-89ac5619cfad,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78101e71-e770-4243-8c91-e0ac3e813fa1,"4/16/2021, 9:13:02.705 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aa63116-d650-47b6-8bc9-8cac6daf8d24,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6999ab-b55e-44dc-af9a-893d604f6c33,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c1580ea-67ca-4721-9cca-7e8de3ec5487,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,892f3881-01ee-473e-998f-e3a195b96da1,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7da10c4d-dd9e-4727-8f0c-c8a07c4bcea5,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f52d8be8-e943-42a2-8113-9dfd40fab272,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2944aac-9266-4f51-8ce4-50848247e88a,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0190e8c2-41bd-4581-8b79-780589fd94e0,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbf500c8-fec7-4b0f-b805-996b6934aa26,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddc3cca0-dd40-446b-9984-c06456980131,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47636f90-6b32-40cb-8826-8c4d8209e637,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a10b995-66ce-43af-9629-61de2fd287d4,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd3675b8-346b-4a7c-9602-13a1cee68ae5,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50486efc-2f7c-42a3-a36b-2d9e1148d8c8,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c121995d-64c5-4f73-b1c9-2ba3eb5a599e,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c93326f4-5a26-45a3-945b-b037b5a9bc20,"4/16/2021, 9:13:02.705 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4220c9a5-4dee-4003-9792-a0d024999ba0,"4/16/2021, 9:13:02.705 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7581cf9b-80bd-46a2-a72b-8413e6e996f9,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ccc96de-6389-43e9-bcd6-6d8e110e3bcd,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d0b1b57-6b72-48c2-818d-3da3ff0a03d9,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e8228f8-4293-438c-87e4-0804a0f10584,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e16b3e6-acb9-47ba-951f-f684c1ecf508,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e884c791-2a9e-47c4-9789-c3a5b4915389,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af3b2962-23b7-4bf0-8494-dd5c129dbdfa,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f47a61-ff25-4844-957a-6b1f5af1eb21,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3044556-6c39-4e86-9f76-8157b22e3632,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d82f817-e5a3-41a6-b597-7082f4688b4d,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6026ec79-e2bb-4d29-bac1-304d80402e28,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aff2658-ecea-4e66-8d87-6de751803f8b,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa3cb177-4148-42dd-8a74-2c43fd670661,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad59aafa-2336-495a-9228-8c8c1eaaf17a,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729d3f20-c847-4229-a594-3c9e472f1ec8,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,957ef31c-f306-465b-ab0c-b33261f42dbb,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,222ada86-d02c-49cd-a70d-b026d7ba44a0,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220844d1-bc37-4a47-a3f0-9c63e83fcdab,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5edd6c6-679b-4456-b5c9-589b90c90392,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c639804-4830-4e25-9b7e-b46f59783238,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96935f4f-3f92-420f-a642-a6f89bd14d8c,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3944673e-a364-4e24-81bd-61a43a2c17e3,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7132695d-e9cb-4129-a04c-f0bf3ad3c756,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1cf70c-9227-4d6e-95e6-e3f5e6cf8229,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,738b83d4-c571-47c4-aafd-2ebbd53ba9bb,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5700b45-6027-487e-ae09-a12e42102c01,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89b390a2-38fb-478e-979e-b3fe9e0c4edc,"4/16/2021, 9:13:06.135 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9937107-b793-4a40-bc3b-1b58392260d2,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6176 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b96955ea-ca9c-44b0-adae-95b5dfebd072,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c53c29-529b-4757-9b59-55d6052f1a42,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,32581155-8211-4c66-8122-96d118ad80a5,"4/16/2021, 9:13:07.920 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f12d7832-9f86-4879-a522-760fe38b8369,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2208 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,40292640-2819-4bdc-a7cf-122bfb53cb70,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7132 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5837002a-e9fa-4f35-91c9-a37121b8383e,"4/16/2021, 9:13:07.920 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5316 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,784279c7-7b2c-4dc6-88b4-4c5e019d2c41,"4/16/2021, 9:13:07.920 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0e2245d2-e606-45a7-8432-d2fd1490af4d,"4/16/2021, 9:13:07.920 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d34f2690-46dd-4cc8-bc55-60186e7f1a01,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7b79b05-e973-48e5-97de-130fe443a484,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88eb887d-372b-410e-bf5f-ad088e689b45,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a77380-b11b-4ce2-b4a7-4b0696330f12,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70ff66e9-b4f7-4955-b68c-a874ddd4927f,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b3bd6d-2e6f-4e66-ad1c-904d16d4a408,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8145af-ee27-430c-b930-6b5f64a1e13f,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c502967-d801-4827-8032-62a98cd7864e,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e979009-28e6-4040-b72d-eb4c7380c27b,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a83c2db-c687-4415-b3a3-5afab99cdc48,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,937fdb44-7a56-49d7-a57a-63e7ae7064a8,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8478a99-a1b9-49df-95f9-527a0be99b41,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd90d86-e030-45f3-8156-7625a6a42c57,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178813b3-362b-4bbb-bce5-316a627fb1cb,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46dd84bf-3328-4393-9093-2db7ccdaea50,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e7feec-7b42-4b95-8fc1-1a7de351c150,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e30a2e50-78b4-4869-98f5-8a98e63bb298,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c033bce1-755b-43ca-b0c6-72d28bf6f6fb,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec49aebc-43a8-4c1b-b606-ffd811f593de,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b20c69-b2f5-4e04-a743-39c1ad63daed,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a81a25-6500-4017-ab9d-3d51b5ffa2f0,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4af587d6-34e6-41a2-9fa5-554d5f3ffc3e,"4/16/2021, 9:13:13.122 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e47f3b5-bd90-463c-82b4-ee7355a4dd50,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,030bf418-d899-4584-b5ff-10323f507594,"4/16/2021, 9:13:16.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\WindowsUpdate\Scheduled Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>Microsoft Corporation.</Source> <Author>Microsoft Corporation.</Author> <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description> <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI> <SecurityDescriptor>D:(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T18:39:04Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1M</RandomDelay> </TimeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>ConsoleDisconnect</StateChange> </SessionStateChangeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>RemoteDisconnect</StateChange> </SessionStateChangeTrigger> <WnfStateChangeTrigger> <Enabled>false</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <RunLevel>LeastPrivilege</RunLevel> <UserId>NT AUTHORITY\SYSTEM</UserId> </Principal> </Principals> <Settings> 
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <Exec> <Command>C:\WINDOWS\system32\sc.exe</Command> <Arguments>start wuauserv</Arguments> </Exec> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,4c68e4e0-392c-489d-80e6-9cfc2f82a670,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,8733b570-3c6f-4403-973b-37c683f755df,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0671bc63-d1cb-4b37-a4fc-adcc394e640a,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6daceeb7-138a-4bf4-a0ba-13818d251385,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,55a0fd8f-564e-4b17-89d8-a5b941dc2217,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,71b7c9b1-0441-4667-a661-4a800db31079,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,97bd6717-2a89-4f34-8902-6b854b47908b,"4/16/2021, 9:13:16.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,796699b7-2cef-4b43-babd-720da3a1de73,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9835b390-f68c-4c3d-a5b6-008f87b2e6be,"4/16/2021, 9:13:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f4bfa30e-3b59-4b9d-b553-cad93e176d08,"4/16/2021, 9:13:16.056 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4abb93d2-d5e4-4f7a-b012-8adcac673b63,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,218bd9ca-3c38-4487-b55a-c235981d5be6,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,606c8929-09ef-4335-8cfc-5cc3ce56ec35,"4/16/2021, 9:13:19.702 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a33a062-6e76-4d17-bf4c-619db93ccead,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f5a6e5-6bdb-43c2-9023-d4b83b3ea2b2,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdcd2a6-297d-45be-9457-0c63f296b834,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82389d6-66f3-4ba3-bece-5ceba1f6b3b4,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\JOHN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9cd1fd8-e498-42a8-be4f-de39a2330be8,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e541f903-5697-479e-ad3a-15e559c6f79b,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6645273e-bdda-4d8b-b56a-0c9b67014a92,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ORREN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0c9069a-01ca-4458-82a4-0324cee374f9,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, 
+\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f40d1a9-97bd-4858-b379-572a196b5f68,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,170faaf2-49ec-4010-ac01-7de917bba404,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7f1b039-148e-45e6-bbc6-0d4109103847,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b7489af-edc7-4696-8368-c91e26eec3a0,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06674450-1e94-46d8-a0f1-d8c24b3d6f61,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6484fac2-7068-45a8-b4de-a8a7ecb74ddb,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,966d6462-8184-421d-90a5-5528e2728f30,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b3dc47f-110e-4db9-97f9-3c9c0df64075,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ad6f0d5-8d31-42b3-b27d-bc91cada03d4,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a05190c4-3e3e-4474-ac53-60b7282e1e40,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaeb3ba8-3ebb-4fb8-813c-9be3e341917e,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\TEST1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,269ed9a6-f8aa-43fd-b553-55ceef63b356,"4/16/2021, 9:13:19.702 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,887992ac-34ee-4842-a59f-e61ff6a9d7a2,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c5390d-5170-4141-bcad-8693eec8b8ed,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,788efe87-e64d-400d-9fa8-021072bac667,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d700e91-34bc-42b6-a0f3-ec8f03946506,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18c77e6d-8eb9-4f86-94d9-6ab78586e384,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b446fa7-d572-43de-924b-a37684b29c61,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c0e6fa4-831a-4fd8-a336-a447393200c1,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a47ba3fd-942d-44df-96ec-1938d41536f4,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdde882e-dff3-4139-83b3-e9e4c931c89a,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb2a719f-62d6-417a-88ee-8a150255cbc4,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3feee409-569b-44b5-b95c-3143f5a80ef2,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4738ba-e484-40c5-a5c9-2f3b8f056c16,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b8289e-08f6-4ad0-8aa1-417f5a0f2d77,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33f2751-292f-416d-9816-95e4fb37d87c,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e3cf9-04e7-4cf4-b145-acd0b5eac0d7,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1020a7a-4eed-4e68-a19b-c011619cdde1,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d51583-a527-4210-8f27-d1e89033b3d8,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83df3d8-e94d-4ca9-8663-df45313ab37c,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec7a37db-4fcd-405f-be51-64c91ac6e7ee,"4/16/2021, 9:13:20.122 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d333e0-13a3-441e-8cce-fca0398aa320,"4/16/2021, 9:13:20.122 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cedb1f-6ac2-4e51-9729-812c96b12f1e,"4/16/2021, 9:13:20.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,492730f0-78b3-4d52-b3f1-51545c87b224,"4/16/2021, 9:13:20.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3300 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad07db4c-6d9b-4bda-8467-c795b443a60d,"4/16/2021, 9:13:20.122 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,3e020c93-35ec-4ec8-a79e-3433a25bd269,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c93bf6e2-56bd-44cd-bc2a-701f6e24a1f4,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10740 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,47fbd5ed-62f1-4cfc-9aa6-2f141fbe0edb,"4/16/2021, 9:13:26.602 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9828 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54bb55e4-6ffc-4425-ba61-27f42635577f,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33fb127b-a2cf-4ac2-abbc-d3b9ade34eed,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed5c321f-19cc-4ca9-bb88-541f53c76858,"4/16/2021, 9:13:26.602 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,615db40f-b280-4df8-b2c8-ed96378fd177,"4/16/2021, 9:13:26.602 AM",,,,,,, +\WAREHOUSE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b8cc788f-92d9-46ba-8f75-4126df2ef2e9,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c290c139-eb06-4987-b563-5f75fd3e36c6,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,536b7aa1-7c54-4067-8e11-ffb1ac91f981,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\VPN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e5d2b4c-c178-4560-9bdc-d26c0fe33a07,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46558d91-4f1e-4e00-a8c5-0350735b9192,"4/16/2021, 9:13:27.440 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1352 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a328634b-9cbf-4f1c-a255-d9ad58faedcc,"4/16/2021, 9:13:27.440 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bcb082aa-25b0-4250-a789-269401cce0f2,"4/16/2021, 9:13:27.440 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1304a204-a055-4624-a9e9-c8187af32f5e,"4/16/2021, 9:13:27.440 AM",,,,,,, +\CHRIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58a7af6f-bdda-45be-a281-346e4ce7337b,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f1df6e38-948c-457e-b0cd-dac3da73ed17,"4/16/2021, 9:13:27.440 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6028d419-6829-4dd1-9783-8eeaa42b0641,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\ADMIN2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,db44fc36-24d3-4b08-b565-d26fc1ad00a7,"4/16/2021, 9:13:27.440 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37178952-c563-49aa-a98f-530dd66bed98,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7762828a-8439-442e-9bc9-807c6c5da3c7,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc34232d-8b95-4b55-81d2-e106c6dd8815,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e80027d-1793-45eb-8889-e562508d4350,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6395fbf-4e47-494c-a9e2-c23e51370313,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95b0d6bf-b4f8-4a05-8713-93fc8775d242,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a41282-c9e4-4a72-8c09-e63a6eb19547,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71dfde76-1fc1-49e5-b492-1b742ce49aa4,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9ca98e-fa1f-4003-90de-c56c48ba69d2,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a1ffaa-6d90-4d26-873d-47b7511fcd69,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbd269d1-055a-4cf2-8a24-fd8d6c2695ef,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\MIRIAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3efa3b06-dcdb-4c72-97c3-62de3149bde9,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c567b89a-00b3-4b2a-a74f-f1677be1fe9c,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6602699-8795-47f7-ad18-830060f21ef5,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f664a1-839d-4c4b-904f-b0db2e740b7f,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a71a6a6-3f33-4676-85e9-40b8c0cc91c1,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,336dcad3-860b-469f-bb56-8affe169e93a,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e11483e4-7ae8-4eb7-b709-ed54a3b1d2ee,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c33cf0e9-ab78-4cb5-8cf2-b251d39dca72,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02469e1-9ead-42bf-a931-43f66d3e3f55,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78df4d5-3897-42f6-a2ee-e6e9a20d94a2,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48f59411-afe7-42a3-9cf5-3b47bfa51355,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a8aa827-ec94-4846-9ce8-e338db5ee163,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a909b70-d21b-4172-943a-199bc3b6b694,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f90a010-d2fd-4115-84a1-bf0c68fd669b,"4/16/2021, 9:13:29.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65e1bc1f-0b29-43f2-a61e-31e44253b85c,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a59b2ab-b556-4a63-8689-2ee44a9c6ee3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43efea70-1f57-4c0b-af03-73775a9fdc95,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20b24cb7-459f-4748-bbe6-aca39a8b7a74,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f2d8f55-b02c-44ad-8363-ec797c5a3bb2,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2177bd-91fc-4cd4-bc8b-fdaa0b75fc48,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b441055c-badb-4595-a922-cc28a5112f05,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235cedb9-125c-4d27-8f00-2ced22f62255,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6452f7b-f434-4fad-af2b-b5a5f9f43ca4,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ea3340-69ea-4032-8f6a-b38ead03aaf7,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88d55b4a-32fe-465f-a1c0-fc08484beaf9,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b788c9a6-c7a0-4d6e-8ea7-f996c0bba95f,"4/16/2021, 9:13:33.127 AM",,,,,,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c623c05a-8678-4257-a39f-d53bf6203ee5,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d961fce-d783-4ca9-b4ff-2d346d1d2b32,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c6e01e-511e-49a5-81d8-d028d8899ea3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1a2e83-30bb-460d-b8a9-940bb9f4af43,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402cba6d-567e-4dec-91bd-f4a21598bbc6,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400f6fa4-a192-441c-93b2-1617ea25f1bd,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b2cbb4e-c9f3-47d0-addb-ff4af134138a,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd64a9e2-163a-459c-a75a-9473d5e0d972,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf5808ff-3dc8-4e5c-9ebe-f74a5ce1a6a3,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16606f65-707e-4b59-8395-015e6f5e30ef,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb14f0e1-7af2-4d31-89a3-e5c34a9b4356,"4/16/2021, 9:13:33.127 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,33c7f790-5c86-4794-9011-0fbb4d9a9e16,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4ed5720-e48c-4bad-aa79-252794df36d5,"4/16/2021, 9:13:32.877 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,33a0b12a-5774-4385-b6ee-816630e9f4c4,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b277f80d-bae9-4a66-8035-d886a91695e4,"4/16/2021, 9:13:32.877 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17226360-f4b3-4a08-a831-e9ac51733b81,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c920e00-d01b-4cc7-959c-eab1a0fc1575,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9440 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3f5a211-18b5-408d-9626-f1d8b7c11cbc,"4/16/2021, 9:13:32.877 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7bc1c396-ac37-4963-9595-50208a27e843,"4/16/2021, 9:13:32.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14476 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,aefba3dd-c763-4479-a8c7-01091a98fb2b,"4/16/2021, 9:13:32.877 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c44baf3-b040-42c8-b33b-d2180d5faf9d,"4/16/2021, 9:13:32.877 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cea93236-d049-42cf-9094-780a1c9d2b71,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7dcbeda-b0ba-45eb-8812-ffb9fbe627ea,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,908c53d2-3919-43be-b9f5-2a827bdca236,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4305f2f-cd60-4bed-bd09-56a0d08b13ee,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10e478c2-55d1-482a-bf1b-005c15bf4aab,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6de827e-0e67-4f0b-bb93-ad783d041e19,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c04710d2-f9d1-4360-b6b9-beefa3e3c28f,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6aeac17b-1b1b-494b-8029-f6ee36da8990,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2bd7d47-3b43-4090-b5f9-8aaa133947dd,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09fec6b8-ee32-4148-8e0a-af71a0afdc85,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8e87479-bc36-4c6a-8449-7531c785578b,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72274ed6-b9e2-4d38-97ef-159516cd20ed,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, 
+\STUDENT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f00fba3-02a2-438d-843b-b5ed97a7b819,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817514e8-3b9c-4ef3-9ff7-601a882decf8,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a21111-4710-4dd2-92f6-761608f1b6f7,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e241ade8-22ad-4bc8-b3a7-6dacbe2c3e27,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4670cfe4-19c5-4ecb-83cc-a2d43837234a,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1373f90d-cf25-49bc-892a-72c4cd881258,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b328c4e-d159-48f6-9401-9cb1fb6ddeeb,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,769be534-dfd1-4ea4-b2d8-a56c2cb593fa,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01fb237a-e569-4f9a-a74f-560cd2e95952,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d051639e-2a3e-4c7d-a58a-8b6641c08180,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e63b1a1e-9492-4568-92ff-e1850d531562,"4/16/2021, 9:13:37.697 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53838d18-c0bd-4b94-b9dd-374b0f3522fc,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7c41bb2-679d-4a4b-82c0-ae17aeb5b16a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1869503-476a-4e49-9c09-574571da01f6,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f56f6d-f35c-4a4f-9d2e-a8924ba91617,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c20ec936-0933-4891-8f8e-26b7ef13584a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d33c4135-fbd4-4b1c-b0e7-332a2109d660,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caa53b14-e46c-4ac7-97cd-fbf0f0f3d3f4,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\DB2ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b895cf01-6f79-4796-a27b-20d956c420bd,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddce614e-d17c-4e9d-99a3-8a971f683e89,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f89331c2-7aae-4bfb-b40c-8033f000f76e,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60189fed-b1b6-45b2-9d98-45e77185a8f3,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd363d23-dc27-4aa5-aa32-d0343b65535b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108948cd-ef61-47bc-88ff-6fdbb8f98b13,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8769f889-ef4a-432b-9fc4-40177e124ab4,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64db500e-e9de-4fc2-9c58-0e022d5b730b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,089ade1b-0f47-4317-8ec6-6878b7081ff2,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5e19eac-c937-4a58-a9d6-c31cc13ef406,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20d96e25-4e1f-44a7-bd4d-f3c86ae44956,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99ac1312-7656-4f3d-b164-8c171f297f6a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c28fd87f-7307-44ae-88c8-4ac36612120a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76241684-6510-468b-be5c-ffdcee4311c7,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74254f5f-8c6a-488b-b3fe-d7b1a97f5d4b,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7befcf45-f57a-4364-b550-d924da1081e7,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad15b20-1e2e-49f5-917e-873a7c55b36a,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2f41013-933a-4376-88db-812e3a1e7c27,"4/16/2021, 9:13:41.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12028 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2a2b423d-6bc8-42f4-a668-79988922ea12,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,083e7000-8297-4fa3-b928-70aeae1b62c6,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13048 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,90934290-9a8c-473f-9702-70c76dc7bbbc,"4/16/2021, 9:13:49.277 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3fbc7d23-fe42-4d4f-82b5-a7213dbe8dc5,"4/16/2021, 9:13:49.277 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,680e52dd-55c0-4575-bf2e-4a0f31a972d1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f5b7ba-8672-449a-8551-87cdfcade7e8,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc53dd7c-934b-42a2-97bd-0047a8b8ca05,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0047ab2-7a08-4f4c-afa3-df4119eefed2,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa8179e-0865-4acd-9617-0ba3b0df9bd1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a27678a1-a29e-4b6b-b832-00a37886dbd5,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0bc6527-22a5-4370-bea0-25ad7a53e776,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e68d6bc8-84c9-4e81-8797-513e65bdd9d0,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78238de2-a08c-4d54-abd5-5318ebb362ff,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46a6befa-8604-4028-a0d4-5eaed7717e56,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac5a04dd-177f-4bcd-9abe-c587f0b2898c,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5fafd14-8b0a-44cc-9479-70274707022b,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fd84af8-23dd-47ee-8c38-99f9166757d8,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b944fa-d3a0-4d76-a7f3-1f9e45b76b67,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a217d88-bf64-437a-9d29-f3f25611f5d1,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12377a05-c78a-46f8-882f-d1aa1cc314b9,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96ce4985-0a72-43cb-ad74-cdc49f5da1cb,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab6a808e-f2d3-4251-987b-a0ef5bd2e1e7,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df68c197-0c77-4fd1-bed4-1fa590b30348,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b658c2b1-7603-4628-a18d-02ee8aa22bea,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dd1a434-5757-41dc-bcce-4800102f2dbb,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d074eeab-4fbf-4334-9573-b8a1d6389bf7,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,283bf05e-f323-4d70-af15-9257e36df904,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43a5e9b3-92d6-4da0-a8f0-bcf985d715da,"4/16/2021, 9:13:50.131 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95101187-4aed-4cff-8e39-c42ca2409171,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a524aa5a-5c97-4065-8974-6ee3c3618d01,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54ae3c16-5893-432b-9d29-fa5f0b7cc8f4,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,175acefb-c548-4e55-80e8-67dc536983b8,"4/16/2021, 9:13:53.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,17af1465-5c51-489f-9a67-19238b90863d,"4/16/2021, 9:13:53.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5eea316b-812c-46e9-b6b3-d0c18d983f43,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a6b57d37-8e29-4a53-83e2-0bf2b943876f,"4/16/2021, 9:13:53.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,756471b3-fe34-4a1f-8e36-304517691e4e,"4/16/2021, 9:13:53.063 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4da0e3ce-45a2-4757-95a7-591053726bfd,"4/16/2021, 9:13:52.727 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,25890328-78bf-4db7-9618-072820027356,"4/16/2021, 9:13:52.727 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2fdf2a6f-b920-4247-a784-09dc444de3b8,"4/16/2021, 9:13:52.727 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,384cf224-808b-46c3-97ed-b9cfb23c8374,"4/16/2021, 9:13:52.727 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9664e217-740f-434c-974a-8f423a34047d,"4/16/2021, 9:13:52.727 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2f950bde-7282-472b-a401-9b685272c7c0,"4/16/2021, 9:13:52.727 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d63dc36-f23a-4d1d-9cb0-08c1637b1228,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,858346f8-2763-4931-a01a-efc257febe34,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ae18f2-3ce2-401b-89b7-9bde4c09ad34,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c0b07a-33ec-4a2d-b73d-aa648bf86817,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ebefe0e-1481-45d6-93fb-bd655b12a47f,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4cb6c56-63de-4785-901a-794fca799920,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00c294a5-9bf7-44e5-b3a2-cb849055e4dd,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78cf78d8-9439-4a4c-ba70-114cc26a98ee,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92ad2694-b0f8-4d2b-8db3-6788d3d94477,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61de34c6-7db6-4913-a975-312c427f1b24,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c14cab9-6afd-42b0-a89a-22b438b9169d,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaec6d77-6565-486f-a9bb-fb75ff3ab3b7,"4/16/2021, 9:13:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f31f63db-759a-4fbd-96fc-0a56604c7a64,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca078aed-135f-40c7-a0d3-7daeab6180e9,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 428 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e221f1c1-d3ae-4209-9bf0-40de20155f0f,"4/16/2021, 9:13:56.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,074e4f7a-3492-4297-aa8a-aa8d3adf4721,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34210d92-5a7c-4cca-9f58-d47e79b5038d,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9598544e-3615-45d5-997b-ca137f21ffe1,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199ee7ea-c8b7-4e6d-8519-7388ccb94a3e,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\BODEGA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9a2bc5-2bba-4d1b-94dd-073436386b62,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43cf3e76-01f0-4af7-91a3-0f9493d0fddd,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b43be99-4359-485f-8307-261a69e50eb2,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c16fd670-3023-4096-8840-5057bb3cc0d0,"4/16/2021, 9:13:56.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10720 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a39161d7-b436-40b6-b867-b159c2d22255,"4/16/2021, 9:13:57.000 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,963a9059-d793-41db-ae79-a309e0627211,"4/16/2021, 9:13:57.000 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29d496e6-8736-48fa-9b4c-facd5b41a9c9,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67b99110-dea7-419e-9a8c-600d578581d9,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2436ab66-c5ae-4323-844b-29ac4ca09a18,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7028d34b-3737-4146-bda7-3a5807a1766f,"4/16/2021, 9:14:06.126 AM",,,,,,, 
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3f9800-3135-4f50-ba62-8c502f9bfc99,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f157d055-4ad9-4875-a800-d68d1c302eb8,"4/16/2021, 9:14:06.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fd8e83-102b-4b99-9682-d45ac992a988,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,628b9ded-6976-44a0-9a64-fa9f0671a96c,"4/16/2021, 9:14:06.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 
+ 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f800d72d-7917-496e-ae58-9a0a74797edc,"4/16/2021, 9:14:06.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a19545e9-9c0f-4d88-ac56-ab4422855faf,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab86338d-3c0d-40f1-afa1-a844697c55e6,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d04f7b5-5823-4a19-a84f-c464d7db4fb7,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6945078b-d022-483e-9f09-b703a7309ea4,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a0e3343-0dd1-432d-9d33-192ca4d1e812,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b163ea6a-134a-4ba8-8eb4-fafad4a0d0cb,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28deb7dc-8af4-479f-869c-4744b53d20de,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\SCANNER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9697f51c-516a-4aea-a01d-475772a6c4a5,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d541cc9-8526-49dd-a3ea-7a19d25dba94,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c7bf0b6-0cc9-4407-8aec-593940b717be,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c183cba5-36be-4f06-94d4-44db8807efd5,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93affa63-a986-4e09-8cea-bb66aab8b4ed,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f745700b-6dcc-4876-99d5-987097468d4d,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccdd6cb8-9ad6-47c5-a8f0-30dbe0a2871d,"4/16/2021, 9:14:06.126 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,02d0c27e-362e-4b8b-9b4b-3e5c24e12e7c,"4/16/2021, 9:14:06.603 AM","%%5649 ",0x2,-,-,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2744 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3864b632-187e-4120-aa95-890aef170289,"4/16/2021, 9:14:06.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7c39238-9996-43e3-8c30-eb504863b1c8,"4/16/2021, 9:14:06.603 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,197caadb-aadc-434a-a3a4-7ca7767ce36f,"4/16/2021, 9:14:06.603 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9712 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,eeeb1b62-421d-4202-aa88-9ed1b393f9a3,"4/16/2021, 9:14:06.603 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,797992d1-7744-44d2-addb-6a7518b9f44e,"4/16/2021, 9:14:06.603 AM",,,,,,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1739b5e-1bc0-4b39-9868-5d6e4c63c70c,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ce9d07a-d105-4430-8690-5b9df4beff31,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ec709ab-59c6-40b8-ac91-4b8f26abe6a4,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42850b6f-3c6d-4070-b9fa-29b94eff99aa,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55002199-0030-4b24-b4da-60459d8487bd,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f96a08ad-66b9-4472-8a90-1a7a8159da04,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8a68f3b-e7c7-4503-befe-b0fe6ed02242,"4/16/2021, 9:14:21.710 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58b1685-bb0f-48a5-9a3a-c9dac9662eb6,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4880994-4946-4929-94e9-1a0a4832a185,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b9b07a1-d2bf-4aec-82d4-8e0319ce6295,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\OVN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45e5f1f0-27b2-4b83-9535-af0cdcace40d,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acad2e0-d9ea-40c9-abf0-0393ea4b1f0b,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3084d19-ca85-405b-8fe3-e8f6f0e7c7a7,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8954ffc0-cc54-4f10-a868-2c3c1be734e7,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81291813-15d3-4154-9c33-191c89dc2950,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75619dbc-06e6-41af-bdd6-73f99f9ca535,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9803b11c-e4b6-4960-b0c2-0c9bec8d858e,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c44bb3a2-024b-4d81-9113-9f2c58482cac,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1309300c-d569-439d-8ced-cd97ba0f5b3a,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14d9759a-f70f-4854-a485-dbbcc86f3f22,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d13254b6-27b5-4618-bbdf-4d134d4d9fdc,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,784bc186-c82e-4475-b09a-baa61cc37b71,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,860ac7b7-12de-4e0d-9522-0665852ecf8b,"4/16/2021, 9:14:21.710 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,64ec505e-3831-4e36-8b3b-dae333b316ef,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,110dce4a-6e73-4255-99fd-431c276c3ce2,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9d6cf58-fb59-49f2-95a4-7b4906e37422,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a2f6dd37-2cbe-409c-86c1-721b44326e10,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0b7c763c-a9b1-4117-9989-e0b7a448639f,"4/16/2021, 9:14:24.118 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4b842492-9416-4597-9de7-d24e547cde81,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cffaf9d3-c5f2-43fe-8a04-3a57407998d4,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4084e165-394d-4dde-b774-f407849c8a11,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2663ca04-3734-49d4-9c5d-ec6a97550bd0,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,822f1569-fb4b-4439-af46-2545da235cef,"4/16/2021, 9:14:24.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,76251c4f-6fb8-42be-b641-5ad7aa9bc080,"4/16/2021, 9:14:24.118 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa4a2bd-2be7-461f-beec-68f875c6a62d,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81edb629-c155-4ab3-b094-f0bddcdcdf62,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4dcc0a-e219-44ec-ae52-216a8440613c,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e54442f7-9956-47a3-9b89-032dfa6f8e08,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbe0e089-dd21-474c-a9a0-021e82d73110,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02be946d-0047-4d02-a9a1-eebad6ed7757,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73bba9fd-75c1-4c22-a542-4dcaf9b341eb,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba3175a3-f351-4a91-8ade-96f9eef9aa23,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5453d817-d772-42e1-ade1-fae0e923e410,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5b40cb-5c62-4888-8359-c75dbfb488ae,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8947f5dc-f1b8-41b0-abcb-6098b0e67bf4,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d7a63c-2879-48fa-959c-f549a681bd91,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6291bd2-ee1a-476f-95d1-eb5ab54152c1,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ea0ae7-6450-44ac-8a72-4fe013b7e11e,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89b48f9d-f150-49b7-b902-f3f8a4a9099f,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1406994d-564f-43f5-8c2f-bec781fc3295,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e39d6104-1f10-4e7e-bce2-f1137c911f1f,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c96051fd-fd03-4652-b3ee-591c097ecd5e,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44565af2-e4a7-4557-8fc3-f4d08c3b9c61,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cf16ef-fac1-49c4-b3d1-4459c8bb2c56,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fb178e-a53d-411a-8858-c4e53d2dff42,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,376657a0-7807-4f38-8b97-e554c15c1443,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc0bf3d-0b9c-4435-84d8-7a4cdeb24aac,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca83b0ab-2dc1-4669-b270-2cffe3cafb0b,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e889fac-e45e-4fde-8fee-cf64f2fe67b2,"4/16/2021, 9:14:28.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2772 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,422b75bb-a132-4603-9c8a-1b6095cfcf9c,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1287d147-dcc5-4d85-b428-bb1120f0a566,"4/16/2021, 
9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7876 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02c2d8b5-3fa0-4011-adfc-eaf67dbf199d,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7404 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b17abdf-627d-4081-87c1-ed56f51cb672,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5304 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK 
DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,94180f73-3291-4a70-8e7f-3d2d95f9ccb6,"4/16/2021, 9:14:38.453 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7008 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07365176-7e03-47c3-bd1a-b0a26222cede,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd3acc77-7e79-4da5-ac07-ae91eab00408,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,926cf7aa-6ef5-481e-a8cd-b5e471159d25,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d67daa9-a5dd-4fc6-9b91-b4f9e660a338,"4/16/2021, 9:14:38.453 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a06f5ae-7dba-4e4d-aea6-16a7314b5cc4,"4/16/2021, 9:14:38.453 
AM",,,,,,, +\LAURA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68faa33b-bd52-4473-b443-433836a2c11e,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c852277d-7489-4b20-94a6-1df8c07e4e83,"4/16/2021, 9:14:38.453 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b11177b2-e0bf-4b92-be90-9c026a4876ed,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\ADMIN1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b00e162-e555-4df0-a419-48a953165a34,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\LAPTOP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b7da7234-5efa-4e91-82ae-a100b8d5e535,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\SCANNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c7893f2-3271-4ceb-87cd-2eae46273ac3,"4/16/2021, 9:14:38.453 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a3a37b3-cd33-402e-845b-e75813bb36f0,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c981621-8855-423f-9b70-12d6235a88e6,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,835be4e8-cdab-43b5-97a6-4c7e581a93f0,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\AMANDA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bbc215b-8528-4921-9eee-79aca8f37f44,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d71bcfba-55aa-4678-87b8-caed199e78b8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cffa6a77-16d6-4d21-8da7-06d174c817d8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa15cac7-e8ee-4229-a072-8ec4353bf95b,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee5d86e-6b8f-496a-9646-886266dcbca5,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e54c9b39-527e-47a4-99d7-bc644b315f4a,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c221ae10-49c0-45e2-bbd2-9e56af9804ee,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,702db224-8e6c-4c01-bfa4-f5dc2ad1bee7,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c740851-b4d1-4a55-b9e3-cfc57f8919bb,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc6b3be-cd0a-4399-bca3-bdecaa35a2b8,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19f596ec-b598-498e-8084-5f796311663c,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2518cdd4-cfcc-42d4-9f02-6fdb75e3b578,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adf0a6fc-3de5-4ca2-bc69-ae52b2b02234,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0d11968-ed6b-4d34-bc44-91953b587d1e,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8433f75-0093-4ce7-8b53-4d80557ed2ee,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a32a269-1367-4773-8165-b222d0730ed2,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afb8171-dc82-48a2-8c64-196f747e3718,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033e1a5b-9c25-4c18-b7d5-1bc988ec8273,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,021c3f31-8946-48a8-99f2-df227dcd3e31,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e5dbc2-c815-428c-9cc4-52984182f517,"4/16/2021, 9:14:43.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2fe2492d-e2fd-44e1-8872-da70eedcae3f,"4/16/2021, 9:14:52.729 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e6f01b26-80d8-4b42-9cd6-f4e6a7b33bda,"4/16/2021, 9:14:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f278c156-81d3-468d-b73f-66962deb7d95,"4/16/2021, 9:14:52.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3809fbc1-832d-4257-9b39-aa4eb044ea3a,"4/16/2021, 9:14:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7f65ad0c-ae92-430d-8b2d-f7a9eeafbc1c,"4/16/2021, 9:14:52.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37a73572-b538-4b72-bbb5-6f77eb352e05,"4/16/2021, 9:14:52.729 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,949cd0d4-8765-4ffd-ba41-38cf0e3a067a,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd1d4726-ddea-4e37-ad07-bd248005dce6,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeecb775-e015-4303-981f-99407cedff66,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcbc4f95-ec15-4aef-9cfa-2400095a672a,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9589af0b-a889-4b00-bf05-c1905a156b65,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57afdf1b-3fc0-42bb-821c-f8ed3253970c,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c953b4f-1b90-4b62-9879-cc5d3ee7de89,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\ERNYJONES75,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,918d9315-07d7-464e-b133-e0eb5de82010,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09556fd8-d49c-47e5-b99b-f006d608c562,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\SALES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b98b9878-d140-4033-998c-73437ff7a818,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20aab48c-6c99-458f-a1fb-050a7cd00f34,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,504e49e3-407c-45b4-a321-a17237553c9c,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c600ee1b-1b98-44d8-8b5b-c5d973005830,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdad0b62-df3f-4257-8612-af22cc1c6531,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b25ab34a-cdc7-4faa-b7af-83e1a8b63a63,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d51835d-a865-4e85-9dcc-27f698a30f2b,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec26c9e-5c33-4353-a547-14bb7bc97e65,"4/16/2021, 
9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86883163-7e0a-4dde-96aa-791f3d936c05,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5aa00b93-2b0a-4400-a932-a8b51ca1e1cf,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36e53ed2-5987-4505-a840-c79a4ae61df7,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,983617b1-5f44-4182-967a-5da98b2c1359,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b68eed72-649a-4e8d-a6df-da16c5c9c472,"4/16/2021, 9:14:53.712 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,504cf874-d950-484a-9bce-683eca3a77df,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 
- Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e0746415-87d9-4abe-bff4-387e6fbd13f8,"4/16/2021, 9:15:03.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7f52e161-ec56-47fa-a48c-5dff1abeb35e,"4/16/2021, 9:15:03.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b22af77e-30dc-4a63-ae3c-30825d6531e2,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2a9a36f7-21cc-4461-97a4-bceecbfff837,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,efa49ad7-286f-4a01-b33a-7506987b57d7,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,318872af-c193-4bb7-a28a-5518659a2990,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26c82514-aa4a-46ca-ab35-9138c85baac0,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41316cc3-fdde-4223-98d5-eb6b5499136c,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,45ce4476-3a5f-423f-9cf9-eaa7e4183d26,"4/16/2021, 9:15:03.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c8e32f8-54bb-46fa-94d4-77a5e0ce0147,"4/16/2021, 9:15:03.061 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6783f7e3-454e-4ba2-8ada-4b61443eff88,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, 
+,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf8e0576-ba60-4ec7-a982-9d0e9eb32d2a,"4/16/2021, 9:15:05.710 AM",,,,,,, +\A,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e6715f4-d34d-46bb-a293-0c653aba5355,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0cd1642-4eb3-48d8-b711-d7869318c510,"4/16/2021, 9:15:05.710 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63d6e5a5-bb18-4579-bde0-0124a7a9bf93,"4/16/2021, 9:15:05.710 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04385f1d-814e-4721-9adb-acfbfd43dd6c,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791920e8-0d4f-4ce8-a90c-75aea6436425,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed66dcad-adda-4389-aa3f-d41b546eb27e,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d32afc-b199-4e30-bffc-c712697e65ad,"4/16/2021, 9:15:05.710 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c108fde-9535-4c77-a968-ce80719e96c3,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16eb195e-a33e-4bb5-8158-857535d22668,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,705bd659-9958-4bde-b8db-4a06efeda857,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce4e2b70-9a18-4a56-af83-52ba0e62dc2d,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4435453-2186-4f0a-95cb-67dd9813ebc8,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25aeb1a5-106c-43d6-9221-db89a5c969ac,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf9db08e-ffce-4d41-bbc8-aacfbf152d66,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ae6e585-b0dc-4632-a88c-de0a3f27db7a,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7913d863-f935-40c8-8abd-abb860740d6f,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b7764e-c471-4f99-8d1d-eaf62abec2b5,"4/16/2021, 9:15:05.710 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33a15336-9bcb-45b5-afe3-3a7038df64bc,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,205febb0-dc56-42ef-9795-edff97cb08ab,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db1f6461-88c4-42c1-b36b-f1a4baaee2fa,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\PRINTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afdd1091-b1e8-4ba9-b42e-4f7ccfaa8774,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcf58e23-d5bf-4ee4-a738-c9f9a4fee1b3,"4/16/2021, 9:15:05.710 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c467de19-029e-4d25-88a9-9618157c57a5,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa36de9-c26b-4426-94a7-9ec374b8ffda,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740e5a28-30fc-4351-bff8-d87b9938e104,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35f69336-d8ff-428d-8553-0be331019fd4,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a473d666-93cc-4c29-8e93-37d6709956a7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d403dc94-abe6-480f-ab20-46ab1eb1995b,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcad2a6e-d5da-4a61-9eea-6b3512133058,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67d4dc55-beac-4a80-87ea-8b90c55b7b19,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9acaf1e5-a29d-47b5-8c8e-a4268e42893e,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c04b224-8696-4ae1-8ccf-4d857eb18ae6,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab178e97-a6f7-4efc-bdac-3c78141d2c59,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8e04cc-fe74-43c9-ac65-22b6be213f80,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56209e6-7bb4-4a5c-88eb-6ece0087e2e7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fe6bb28-3ecc-49d1-a411-494ef88d9bea,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f0c77fe-8556-4af3-aeff-dc2a8d7fe0e3,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a991c69-92f2-44fa-8fdd-a908df23301b,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dd7c5a-d02b-4fa0-ada2-aef4fabefe69,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216b57bc-deae-42b3-ab30-d67718dc49b7,"4/16/2021, 
9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd1fb7d-bf3c-4066-9318-e19c4e2a92b7,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de03ffcb-7922-41c3-b564-1bede23deb16,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c0ddc18-302a-40ef-9ff3-74fe434b28ea,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd4c692a-2d54-4d31-a3ef-0bf76afaffbf,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d810a795-f563-4172-8378-6f445fe79521,"4/16/2021, 9:15:08.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56fc76d-b8fa-4fbe-bcbd-0ee5dd182a8e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d066f72-6ea0-431a-8cfb-814c5fa3e28a,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8c26a1-797b-4505-9717-1ac0a964eea6,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c679fc8-cb72-4021-bc4e-0d5a3fa15dd5,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70c3dae3-1d9e-47d8-894f-b479936b909f,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8d12616-7533-484c-95fe-e0045caffaa3,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7311fd4d-51c4-4d45-bf60-a517502f6b47,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df78c64-b1e3-4582-9d84-9339f512061e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6507e9df-b5e4-430b-8ac1-5bdc412e4820,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd6044b6-8d70-4e33-a39a-770df3e8f38e,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615dd499-8f56-4108-a718-9f41ebdb69ff,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22ecdfb2-0d42-4aae-9ba5-80ed4ef3a7c2,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a88bdd-c9d8-4ea3-b28c-6c393e26836d,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee531553-569a-4a9a-8e7a-867399417999,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3274f49-e3a7-4839-8bfb-c6cd65bdf8a7,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a579f241-e192-48d4-93b6-3107f21adb91,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d9f4dd5-030c-4194-96d4-2f47e11a0374,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa0ddf24-5c13-4b02-b9cd-f39b326c8233,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0083e69-c08a-4c81-bcfc-ba3d341b5f81,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dce7e89-0802-4bd5-8ee7-fc8b1c125825,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73885f23-69c0-48e0-8e0b-4b5f682f3a6c,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413d0065-f719-45b6-9403-646297195557,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e0a12e4-57af-4708-80c5-fb17601a65ad,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad99f894-1bd8-4013-aadb-7b6aeea94afa,"4/16/2021, 9:15:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7eb7cb1a-d676-487e-96fd-bdcf4262a671,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e24668-9d23-4aaf-b51b-2116edfd1c62,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d61d137-c39f-4957-93e1-933b18ac6a35,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bba8e15-8199-4c6a-95eb-6650a3c8de31,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e4c8264-9110-45a7-adaf-eade8e118cf5,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,264346be-f988-48aa-919b-3dfd0a04f68f,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7716d353-680d-43fa-b016-e0a7826555f7,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e065128-0215-491f-bfc0-bb318c20f5f8,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23788b00-39f5-4644-a1ae-45556f708ae5,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89497999-b0ea-4939-82a8-1a4ddeb21aea,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b0e7f4-57ee-4074-86dd-e0a9baa7481d,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51de1f6-cdc5-4784-a3f2-f805b887ae11,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed454367-0781-46e2-ac2e-f2310588f670,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b90f57-d8df-4489-b686-6d0626e6c102,"4/16/2021, 9:15:21.127 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ced2b9-0ba9-4766-bed4-7fc1dc2ef70c,"4/16/2021, 9:15:21.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b58c886-1737-42e1-9c43-104487bd9ac3,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8138a9fa-0283-4187-9cc9-1dc55df0073c,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,725fea40-6411-4a3d-b5cd-376bebb3a6e3,"4/16/2021, 9:15:21.127 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ebfbd45-2ab7-4efc-b474-16314f1f2e25,"4/16/2021, 9:15:21.127 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb4224c3-6974-4de2-92d4-4e9919a8f63b,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dca5528-2372-4eba-8911-395c70f0353a,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1d5eea-59e5-491b-9484-be48b226f7f4,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1a732ce-cf41-4786-aaf6-ab951030d3b7,"4/16/2021, 9:15:21.127 AM",,,,,NTLM,, +\CRESSKILL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e18c75-ee24-420c-a26b-ccde6adaea80,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3020c860-95cd-4326-94a0-bdac8d3a2724,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7794b4da-ab3f-49cf-b5cf-24b9377c9f02,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b7aaec-f2ed-479d-875e-ba7d479a4f21,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b96507-4a6c-435a-95b3-19ec4b93b302,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fbae52-2833-468c-bf27-4c9eb3b4388c,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59e38e66-d41f-47fa-8113-435572aa2b43,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1504cddd-52a3-4273-8985-964ac719818f,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0090f31-cb38-4628-8272-13a9d40f7474,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,164971d3-db2b-49d5-bfd9-1a954b04eacd,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aab58a11-296d-4373-b54e-3797d29c68c0,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df08cb27-81bf-4323-8299-aa6ccd1204e5,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83359dd-59c1-4fce-b802-8985d79e377e,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,168b7688-4c85-48ae-8117-a79fb3e041a8,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,948f416e-abe4-41fe-bd45-e16a3e65bdb6,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1066bf5e-ac22-405b-9205-b6ec110345e2,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dd38a20-1f6d-4a4f-afbe-bf569e041879,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acbdded1-c6cb-48ab-8b07-2e2d813a2608,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ACUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449d966d-8e53-4c30-96c4-8a975db73aac,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a957549-cedb-41e7-bae9-36be2db6ef47,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d037eec-1d54-47d5-9ec1-14771b378483,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc88aad-832d-48ee-ba9e-2f975b502bd3,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c3973bf-a48a-4ccb-9b70-b2f31ad3a58a,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542d14c6-61da-4229-873a-9aa802aa6bf8,"4/16/2021, 9:15:30.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20332092-e7f1-4acb-9d83-47617ca35839,"4/16/2021, 9:15:38.138 
AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d63d79-9b55-4553-857d-567c0339b4a9,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c5108de-fce9-49cb-9192-943295d64d6a,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d3cfbd-8817-43f1-a2bd-f2bbf16f5fc0,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7608584e-67f0-42c9-9cbe-b6d4b4b11b55,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c66cebe0-0b4f-48f4-a601-14d9f190ef25,"4/16/2021, 9:15:38.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43176116-fa67-483e-baf8-18119b640157,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\WP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0721f2f1-1612-4b84-af03-0c7349eefe39,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b662bab-d9b7-4c0e-962f-0390e358ce4f,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8379e4c1-f29b-429f-abd7-874aeef98d2c,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ecb0dfb-d368-4af2-ae2e-f5af563b7cf1,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8abc178-3c06-4898-b9bf-68d96fd2e836,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,288e3033-b4a1-45f1-b9ea-306054c4ea4c,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fae65cf7-9174-499a-b3aa-f93232c30b41,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\AAUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdbc56c-75a2-4a36-bfea-197d90bc5a32,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2321995c-0ce7-4b83-972b-72b9f1404636,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,568a5c62-af98-4845-a7f1-bc458a62d2a8,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,003ff8d2-3a40-4458-aafc-1d240e79a820,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00e0cc0b-96f6-4844-9fa7-31d1fd34d38d,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,136b6c1f-1c92-4de8-b202-61c50c566366,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e68f238-64f7-40a0-87f1-d25378dc61f3,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c451ccd-a97f-4f94-b00f-8a16e1146b5e,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,577ca4ed-2b57-4add-9997-e6257a8b1d7d,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e817b3e4-91e2-43e0-afb7-846d97d28940,"4/16/2021, 9:15:38.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb9871d0-bfd1-4a45-a662-bac07c6186b9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b098f0c3-0759-4b90-8b27-bd3a0a37d5a9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2addb6e-0a34-4f64-a49b-db4fbc1e8432,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8148852a-b89f-4971-9e1e-505ece41a764,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7120358-1bd8-49e3-8f61-a94a93bf5939,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf439c26-700c-4541-aa08-910b75c131bb,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deeb99ac-2ad5-4e6d-a149-176a03743860,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11ef0c92-347f-41fe-914c-836089726034,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f7a5f22-1a53-4050-b115-e3b87a24aec6,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a6f3385-6925-42e1-b41c-a77aebac822e,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5cd1fbe-33a6-43f9-ae47-6d00ba015ed9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e1e0afa-9ee8-4d6f-a52d-592f7477db4d,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f2c38e0-9d35-45df-b987-6ef6691c5bd9,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10cb97e5-2ed4-4376-b01d-273cdcd4a6c5,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e2ae3d-6fa2-413c-9979-d8acfb252e0d,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d899c4f5-a4b2-4b55-906d-dde64ce85664,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0d8da8a-a0b5-48a0-9f81-29aa93d9413c,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c381f032-9119-41aa-9263-aae5dd3a5917,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d975a167-16d7-43f7-9317-51a062f995a0,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9148739-535c-4b99-8bd8-7fb40531c250,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02b0fd83-8be7-4bb1-8daa-fe28072ccada,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c087a8f3-67fc-414a-b925-5fc5672255a8,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4a27f99-3606-46b4-9186-72f304f66258,"4/16/2021, 9:15:51.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b6e122-520d-4744-97fd-876d9eacfaf6,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28f111c0-ba6f-44cc-be5c-9260000e9a3f,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97d8800-d21e-4b09-bdb0-f0010253a093,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0146d5-c76f-4b90-affe-bc31fdc7e427,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a705a1d-a78c-4776-9d9e-e41a1ebdc668,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12853d03-e3d8-4740-8d4f-f24f570e6f70,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914c7e08-fcd0-41e9-a3ff-95cf0b544b8f,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faacd5a0-de6c-4510-b17c-f6d3362e9df8,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,355e5fa5-0177-495d-8b46-530b7da11c3c,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dccd7d78-5b4e-4aa2-b5cd-0c45ffa16937,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,559ee6ef-c4a5-43d4-a5a8-6889a841d7fe,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffd96160-9254-4f14-9686-b76f6b3f41fb,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c76325d-ee68-40c4-bd45-c9c85a0cfcdd,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5976da11-23e6-4b7e-8018-25bff9693681,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b95da42-0cd1-4323-af71-4b209c930c43,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31969c44-a6fc-4a0d-8cfa-33c99f7140b6,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9a69f7a-21f7-49ed-9f0a-683290dbfa1a,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bde656-7a8d-40d4-b011-a8c3c5fd4c92,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31682c78-fb78-4262-bc8f-983700ad9cfa,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33aab45e-b26e-4d4f-b71f-c37d90055339,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daac3264-8223-4bb2-b168-e70c358f9466,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7bacb9a-51f2-44ce-be8f-a6b3f8c5e056,"4/16/2021, 9:15:55.128 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e59714d-0e58-473b-bdf3-d13f00b13373,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a018a08-7dc0-4801-a33f-cc8c5885f93f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c343f938-b20c-4e1e-996f-93a298cac6b2,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4c03cc6-b77d-45d6-9995-4a3bd6b5a58f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c90cc0-ffea-44c8-b5b5-ecd754e10872,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d698e0c-d563-4fde-a8d8-b16e1a7354bf,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f533a7-4142-4409-9b73-88d90a504cf5,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf22632b-59ea-4a2e-86f3-b979768c5acb,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f2b07fc-288d-4882-8d75-a6ba8b2a36c0,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b4d753a-50e8-4f91-9052-6b9c69e31f98,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ccba23-4136-4be9-9b6f-d6cfa64b94cc,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c183ee4-8c5c-441b-ac51-ce76c9cec012,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f00bc96a-8695-4fdc-8754-1df71f2fbd65,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83f20b7-716a-4a54-8254-b1e81b252900,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ec7cdf-618e-4c73-be27-c3f614bd5199,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066531b6-d36b-47cb-bf3c-60c8af6aeb0f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef40cbc-9752-42b8-a544-559dbad8ba3f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b055476e-7941-4430-9626-1ad24cbe8d10,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff42c9ba-2429-457d-84d5-71eaeddd2212,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff59c467-debe-482b-aee7-9ef1fd43ccd9,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,856d88ac-e1ca-42b2-9639-4dd6f17445c5,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b6f438-4964-4ec6-aa00-06911dd64dfa,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51c98aec-99bf-4aa7-923d-a0f49452a61f,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff06761-4603-483a-adb9-0ad3f808bcf9,"4/16/2021, 9:16:02.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b768524f-4f18-4c28-b8e7-8449f6c27eae,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fc6c680-a365-4f66-991a-6ef98c8761c5,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14d27808-b3b3-4391-ac35-5e50c873605f,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f0ad1f-e3cd-409a-ae12-9b433000dbcc,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13dee330-925b-4af0-ae39-5776618c1e58,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b274c33-66f5-4db6-8c9c-6695494300b7,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722f7f52-0fc9-40f6-ac9e-a0445b7a2096,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,145c0b72-2739-4f66-b0a4-21eecd92add6,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b964fe24-3b68-4ebe-97d4-361759f74e6c,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d0e6f9-8359-4d50-be86-4f997e29b44b,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a7cbfdc-efa9-42b8-a046-c7384d569b45,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31f2b2ac-85de-42c6-bf94-8afede10f8f0,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35bc3b77-e9cc-43b5-bb7b-6f2c7fa72a0d,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73730ccf-5469-439e-8730-c9ed6824951f,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9608df17-f279-4fce-870c-172eec676b47,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43e01187-ba6b-41f4-a07b-5d78e819985c,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4282fe73-8487-4f3e-9e22-f2adb347d386,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ea7d259-bba7-48f5-828a-d57b85de8669,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbc3760-590b-4bd4-9498-0cb54f702be8,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6342edb4-9cb8-49be-a305-50d97eec5b84,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9af6c98-02dd-4d6b-9b54-c50583428449,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a247e5a7-4563-4818-9df6-b61b82518721,"4/16/2021, 9:16:08.179 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,66ee34a7-000a-4d78-ad5e-c125f53bc15f,"4/16/2021, 9:16:04.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4742ae26-9845-40f6-9051-539fbc9b039c,"4/16/2021, 9:16:04.729 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3f8ddabc-29a8-4679-b168-47073c83267e,"4/16/2021, 9:16:09.882 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fe59a270-5906-4644-8ad5-7257a1f48828,"4/16/2021, 9:16:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08789140-981b-41c3-9e60-e780133effca,"4/16/2021, 9:16:09.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8a04de1b-5604-4467-bd67-96fe5293563e,"4/16/2021, 9:16:09.882 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3566d089-4f2f-4f3b-b3ed-2cd6b932cfe9,"4/16/2021, 9:16:09.882 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24a542e-4d5b-4a9c-a243-564fde758dcc,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b85917-d1bf-437a-b6cc-156f674c3bbd,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fe53cb-bb61-4c2a-9919-7af45356a464,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2cb7bc3-d64e-4f9f-8c98-b6f88cb1a8b1,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cda14a7-af8d-4b9e-beaf-c9373bc090c2,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0099a552-347b-4e31-8d17-cb5579167f16,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c82621aa-5966-4dd1-917f-c43232d4ebe9,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d55987-b583-4979-98f3-11f56f60fabb,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a6c994-bc35-42fb-a252-7dec312cff36,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c08c0a-b53d-4054-a7de-cf72cbb963ba,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daf0eea6-dfe4-4446-80e0-88ba6cfb344d,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8eb6df2-7745-4399-abcc-663f58f2efdd,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14614af0-1d8d-4b62-864a-b2a5fbacdc48,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71840705-d971-406d-b845-575d981ad845,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720b6780-a9ae-4118-bedd-fcc0c184ed3f,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ea966e4-47e2-422a-86cb-32f99df9a31a,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa66e4fb-89fe-4ba9-9ae2-3b2ee7780dbe,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe8cb35-6a5c-4abd-84c4-b6aa18a590e1,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6213eab-e4d4-432c-829d-179ad975eafe,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847b2075-6f47-4e80-ae95-b6b08d986a39,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc367f4-d3ef-498d-a9c1-da06f89aa14b,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,45e56c9b-eb1c-4f7c-a063-05429feda5f9,"4/16/2021, 9:16:32.125 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbb0c48-d046-49f0-9547-77b6eaa05130,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfea3473-7930-49ae-a9d6-1ad0b3661e15,"4/16/2021, 9:16:32.125 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15280 + 50 + %OSDRIVE%\WINDOWSAZURE\SECAGENT\WASECAGENTPROV.EXE + 32 + D9D6BF2584834D2A5C628EB1A641A9464AFDD6A134FD604DF5BB1FB0A4B8A411 + 89 + CN=MICROSOFT AZURE DEPENDENCY CODE SIGN\MICROSOFT® COREXT\WASECAGENTPROV.EXE\3.18.1722.00 + 0x3e7 + 43 + C:\WindowsAzure\SecAgent\WaSecAgentProv.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,feec217e-161c-47bf-bc87-d68316091e06,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1832 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e3fd3530-4044-45c6-b51b-af932da75cda,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3992 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,02007515-4a6a-4432-bb49-a9163ca02f10,"4/16/2021, 9:16:49.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10852 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e1acfb99-cb46-442c-8630-15239bebbaac,"4/16/2021, 9:16:49.997 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4799837f-af12-4b12-9077-1dce971f3a6b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d1626d-3e64-4be8-addf-4655b4ab46e9,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fe933ca-9ada-4c15-b235-aa2ab078166f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98839ef4-b42e-42c6-8ed6-c357e2ef199e,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb773e9-824e-4a52-978d-fd613876ace7,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3a070d-34e5-4e95-89ef-0e43eb4220d2,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fac3c70e-4bf4-4ff7-8f9f-673581ea3ea8,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b39f81c-c6da-470f-991c-dc6605174b70,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf467561-eab0-44aa-81a8-b1d910a71265,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cc2b315-2e21-40b9-b83d-42dac8e39e11,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ba8bb3-2896-4dd8-960a-59dc54e852fd,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f23cb4-d358-4950-a64a-5b88b230948b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f67901-be44-4025-8015-ba596d800818,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\NICO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3482ad-1736-4d13-a6a9-f1ba5ffe94f8,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cac0c0-b1f7-4cd0-9166-af782e734737,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3523898d-124d-43ca-abeb-1fc1fbc06cb5,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\CRLSALES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d2d4287-104e-4a93-89d7-481763954c1f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd2d3f9-80af-48b1-a3bf-c634410fa1fd,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,611d3179-c005-4248-9564-3d26b3e03965,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdd4416a-a336-479f-beb8-9bebba17c88f,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac313715-a4e4-451b-9dde-73821935c03b,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e12a2de-43b0-4801-aa1d-5eb18ed08eca,"4/16/2021, 9:17:07.141 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5950638c-7449-4130-adf6-dba29cb65436,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333a2a82-b59e-4268-9e05-c864a56de8cb,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552c0abb-fa4b-48f8-95cd-b3b174bfde2d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4195bfaa-ba69-40bf-a735-447b27e1b452,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a690524e-0476-476e-8e4a-65deba6bea77,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7117c5-a2a7-4947-821b-37d000829a14,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4948e35-eafe-44fd-8563-865cb87e6b16,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80edc59d-f9ee-4e6e-b0c6-14f9b3c8e745,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6da85d67-2482-4db7-8632-7ea45fbe7d98,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c575c94-f1d6-49d3-b107-babaf11b9c1c,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e56c365c-d698-4465-97d7-e72c826ddd2b,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2efef459-bea0-4f02-94b7-eb1835ef0c3f,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,865fbce0-674a-4de3-811b-666c84f733ee,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a0d09bb-9d67-45ad-a2f2-87ffa8fc2c51,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e86489f1-1421-4c84-b14f-e706d88ff463,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26949f48-ac61-446b-af67-d8b642c43c4c,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1265c619-dfbf-4556-b27b-814d468ab3d7,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b09847-2c35-434b-91f2-ce3059fd4a0d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6ade599-2603-4213-a140-a056cf91185d,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa3a190f-c2b9-454f-b6a1-874f15bef5c0,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f67f34d4-b28d-4c87-b614-b351675afb88,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84db4be1-500e-4d3b-b3fd-955ee43e9fda,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20c42a1-5327-47c9-9d31-f5412b21a0c5,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88387d12-d768-426d-ba6c-898d9466061e,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84af25b2-538d-4690-9d48-8383627aabed,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933c620b-0c19-4fe1-8a74-898522a6e9a0,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27d4a913-987a-4297-acd4-139ef473db20,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fe6b6d4-4b97-4ed4-8452-cb4636734f87,"4/16/2021, 9:17:15.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,681876b2-834e-45c7-bc5c-a27437102fda,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6153812d-9e26-4003-9721-f309ade02cc6,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee91109b-45ef-4c14-a182-4ade6053f6df,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a1bc966-aed3-4293-b3e9-53db250ff72a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e180fa36-690c-4cd8-a2cf-07be8f74ba9d,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a500eb43-3d6c-4a6e-b96c-d5c6e23c443a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58c6b9b4-4984-41b7-a691-4d5271aa7972,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb7aa57f-f801-49da-9bc8-1c1347fc592a,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,606b270c-43f0-4d42-8e37-7270101a8287,"4/16/2021, 9:17:35.128 AM",,,,,,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,544fe875-8dcd-46f6-ac12-e8b25c0c8416,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10251e47-700c-40e5-9e6f-d07b60c0d678,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17bc1fd0-2133-4d11-ad2c-1309c34edb1e,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3194cf35-78be-4b89-a26b-74e91f94a174,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7e3700-b5ce-4235-a683-38e965eb3068,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ac54c1-8c21-4b38-8e70-ed76c0791e56,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a00b51f4-bd9c-4d8e-a229-f4fa06850ee5,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fee9465-48f3-4162-855a-dac78a465ecf,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f43ceba4-d05f-4994-919e-1ed203325f3f,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ROOT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d423497e-c202-4488-8f8e-a63f6c77f386,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc6bf9bb-8462-4075-a84a-99e88c772935,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de31ed7-8cd6-42ea-b608-e22f05082144,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90f27c40-1b73-4ce6-b4a8-b77675c72bf6,"4/16/2021, 9:17:35.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b69fd04-091c-4e37-af76-1a11c1959af7,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cb9a126-59c2-4048-b068-d7c99266add9,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7165f5c3-ebfb-4a9c-94c1-7e6ad2791bbe,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f7b3c56-be7a-494d-995b-182cd4e533ad,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc57696f-8401-44e1-b258-97f97094dbd1,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58cdc03-1537-4e75-bc78-c76daaac9109,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae42067d-bc28-4cd2-89d5-be88599dff7d,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4d2c3a3-6b36-4b57-a6df-d5dad3fcc4d8,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8ec9a60-e335-4c09-bc70-d485f5e20f0f,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8caff9db-dcf6-44cc-aa54-dd07f7955d75,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0cbf553-df29-43a1-8f0f-7287e8783bac,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\DJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a838c173-3383-44e2-a8dc-8a68d1317a1b,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89e0a34-03a6-4007-bd77-cd4a19b7b387,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c1b710-bf91-4a08-982b-978e081cd38f,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c20f8a-2a2e-4afa-954b-e3469a3a85c7,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ddb16a8-42f5-4fee-8ec3-59aa4fde13e9,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb43d967-f7b6-4ca9-b81e-6cb03d0f99b8,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b627e686-b480-4184-86a6-a69a308fce14,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2500abe6-c64e-4cd3-a893-d78383c40546,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fed87c62-0227-4e85-a618-b8175f6ff32c,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0305ab8-1b22-4907-b78f-b801fae45eed,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39187ff9-c243-4a50-80b4-13bf096fcb85,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27030091-4c2d-4b5e-a11b-7e2aebbfa432,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6359a9a2-8adb-4638-a1ce-348c46e50bc4,"4/16/2021, 9:17:42.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c1bb5a5d-7553-4223-8151-5546bd3fe5b3,"4/16/2021, 9:17:57.074 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,13a0442a-69eb-471c-bdb0-1a9f63b03488,"4/16/2021, 9:17:57.074 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06954fe1-d4d3-4fbb-a4fe-7b264d0f19b4,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582d8cc1-2524-456b-b5d4-48859598b1cf,"4/16/2021, 9:20:23.738 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f42e73-a5d6-4dff-8e65-6a24da333680,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1286f552-30e4-4c30-a4cb-d39b808e708f,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4896cb7-ae6b-4d73-a6b1-a2682dbd13bd,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05b7d91c-0e07-47be-9611-d87b39549e04,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\DOOGLUS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62dbf2e4-2fab-4137-81f4-a9537b5968da,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b771c100-ec81-4908-934d-106b942400a3,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\DAVID,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e419b2e-16c0-4a64-879c-6d4999b7a309,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab186621-e883-49d0-8e2e-12874459afe8,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,669cfccc-f754-4bfa-934e-ba16175067b5,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4764512-aa16-4ebc-a454-ac0157c2209f,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91be5039-9b2a-4dfa-a6e3-48fd87cc51c1,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06c5931f-d666-4e78-975d-3bf7832fa146,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a42bcedc-3e1d-43b6-b6cb-45fa1dfd01c7,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be39919b-efb7-4fb2-af00-2f5d5a804deb,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8adc4ad8-c9a5-4723-848d-616ea22786b7,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecfa9993-f928-452d-a0cb-a68d83d26d5b,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bb70633-70e5-4333-8667-56b3baaddfab,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b51e03-f577-4818-ba8b-99ee30bc03ce,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45d8de6a-a6cc-4423-89fd-4ce2cb80c94e,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a071f6ae-ae3a-435e-b25f-7fd850e4fabb,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94afbd90-1fa9-41ed-a804-0c6b39fff2b1,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bde192-34ad-45dc-af54-17beb04b6ef2,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257f4bd5-813a-4357-968b-81a9948d2a80,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1ac3fb-ee4f-4863-8e56-2f1e2695e711,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a37ed9-9125-455f-816b-7e1957b6cde5,"4/16/2021, 9:20:23.738 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3ab0a0-3a4a-4409-8d6d-b2bb3fbafbc7,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db1df8f7-aaf2-4dad-b278-46726501fd20,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4535d88-cc4a-499e-a5f0-3dec75e11726,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68442f3c-38fe-47cd-9037-891b9d679aee,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cd56e8a-0d83-42d3-8758-d109cebb94a2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ee32e43-3699-4bbc-823c-cf28498e7005,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\biblioteca,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2d6096-b227-46b0-b95c-f2a5327ce4ec,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a07da7b-a1c2-48a1-a24f-7c8b82e12fe2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd7383a-3976-4983-a5fb-7735691efd67,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d90bda93-645f-4863-a87c-ba362799e0f0,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a49b1ec9-042a-4e79-99d4-d525b5e88d97,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f382494b-a3c7-4be1-b7b9-45434a618885,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7347d1d-3f6b-4e7d-ae8a-624a0a621acc,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb167292-2af7-4f2a-88d3-89a5c8501524,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b35c851-7d4d-48e9-bd3f-88194f32a5e2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\brqadmin,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fbf319-632b-49b6-8ccd-d5472a4984da,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e96a921-93ae-4bce-9110-ceab6127630e,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fe825bb-09a5-47ea-9b97-6c90bd9edd3b,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d9493fe-7fa8-4daf-be8c-6faa840e866f,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f79cbe-72e2-41d0-bfb3-c9c745309185,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161acea0-3315-44d3-9539-f4f566bafb2e,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6eccb2-c4b7-4f70-8d10-cd7d98fc1262,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a747298b-6e5b-42bb-a8da-3a362aa1d509,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d7ee0f-21cf-4baf-9aeb-93b3c5365d9a,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e49281e-c23e-47b9-afd8-c1ebd9e7dab2,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68055d70-5b96-40f0-a1cc-f9340b73e5fa,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +\butik,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc0b7bd-af1a-495f-9339-b7d512e0a3f6,"4/16/2021, 9:20:26.138 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1bcc1ba7-cda1-44f3-96fd-6324d1f500f9,"4/16/2021, 9:21:48.409 AM",,,,,,, +\KASSA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea377ef6-9dd0-4938-b2bc-924a96292f4e,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7070ae4c-b0b1-41bb-abb7-9fcfb6d943f0,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32b4d561-e5fe-4c4a-b0dd-ca544815927c,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\OFFICE2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f2f968d0-df71-4dc1-8fe6-cd37d61623a4,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\FRONTDESK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a55b6ec-fa38-4a40-a46f-37f4efd43835,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1a45c28-b893-445d-a6c0-37ba716ac14d,"4/16/2021, 9:21:48.409 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92581030-8fd9-42fc-bd30-348f5e406b18,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169f242e-d4cb-4217-9bf9-9b5fed43b7a0,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f9ac27-8a86-4a62-b978-27b29cd0f19f,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a04062d-e637-4b1f-9387-7d2c8b4c3908,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae92ba50-f8bc-4b55-a209-949e5719d396,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18f2e5ba-dc0a-4903-a348-d503655d2ed5,"4/16/2021, 9:22:01.133 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,039fcf15-46d3-4951-8598-c365c5de13c9,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ededb10d-a4b5-4cb2-884e-24a917b1c123,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96ede54-c386-4996-afdf-afee2d19b587,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e9450be-0578-40e0-b295-4f42e141377a,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2952982-cad8-46d4-b07a-28e933cee522,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5802d83d-de5d-4ab3-aa93-8c01253024f7,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b5ca34-598e-4f88-b8d1-3e53ae9acb33,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26423ff5-14fd-4520-b186-0cdcb7fd00e1,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4049e1-d712-43ae-9268-6986fdf80a31,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b397ba4-f04e-43d2-9adb-be153d3d4d3a,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6539efaa-e09b-4b26-950b-e0a2a3611839,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb158c-0029-4351-87ac-f589a56f95af,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a468edbe-9cdf-4f20-a20f-860718382d26,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,569ee4cc-8328-4bff-bfbb-577030a9de0d,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed31b3d9-189a-46cb-8697-7f5d87ca2fbd,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,345c7ccc-2f05-4f31-9358-0888a81f785d,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f4a6f5-fbb8-43f1-afe6-abc6244d93ce,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb0b61c6-ff87-4c31-a8d3-3107648b4464,"4/16/2021, 9:22:01.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa68e64-bab9-43f2-a24e-1508e610f116,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,263f83dc-c38a-460a-a783-f8e22bab1651,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12fbb6e8-3585-49ec-b428-be1ed2945c4d,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\BRUCE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3fc538e-1423-4354-90c9-f940a3a426b9,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cc2cad-d45d-4707-bf1e-e2e18e57c4ee,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fba7da1c-43d4-4cef-ae47-20e626db079f,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03f0ff70-3e78-4185-9687-cd28edd55638,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd841ec-b268-4b6f-ad7f-91f0dc3f2f61,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d07c3b-e68b-4a7a-b680-9c881e99e36e,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74612b4-8422-4032-8439-e67dc0ebda6a,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff74e5cf-1da6-4173-abcf-78d73754ea1b,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593a6563-1a63-46ab-a4a3-cece7aee1cb1,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c548185-eb93-4499-b87d-58eccb686b08,"4/16/2021, 9:22:23.131 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ffc43ca-0980-4545-90e2-7a27e16ab17a,"4/16/2021, 9:22:23.131 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a407ff-c9bc-4016-a4bb-8684725601e6,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b97b9450-807a-414e-ac27-3ad03dbd7330,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9192 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c683d7bc-b785-44a7-a0be-cd82a409ebef,"4/16/2021, 9:22:23.131 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,664fa8e1-4e8d-4504-978b-efa3372dfe7e,"4/16/2021, 9:22:23.131 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,923f7f4b-1825-4dfa-9e91-3e4ea0a46e23,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe15e0ab-cb11-4513-b3dc-410b1be80eca,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a4754a0-ba10-46a5-bc2d-adb25a7d8425,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dce0b929-788f-49e6-aa8b-407093a4db41,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb310f29-d895-47f7-a230-8a76e29d968c,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04c7fc24-9795-4b5d-9ac1-dd04b2112fa4,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +\TERM1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e33a68e6-41ec-47f2-90d4-65b2e4b5ff4b,"4/16/2021, 9:22:23.131 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 2724 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c44813d1-deac-45a5-963d-3f6c628f1b8f,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ecd02251-21d3-46e7-ad89-a4b2d2b59621,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8576 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,475caa4f-0391-4127-b0a4-71dcd5c1617e,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9804 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows 
Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a47e3f8a-3303-4c69-b381-4244b50e81bf,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,026fa2ae-57ac-4e94-a1a2-7c4b88705e31,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b85a8c39-160f-4d4b-b77f-d9922a42661e,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,915eb04e-3471-4910-a3ee-d38d510a984f,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4728 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ce4a7d6-b5cb-466b-96ae-437c78da22a0,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9840 + 22 + 
%SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,16f9b972-3e1d-4ebe-bed4-2e7606ed3317,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,243ebfc7-c6cb-4932-a343-7d4588cebbfa,"4/16/2021, 9:22:52.673 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a424437-b396-4c1f-a50f-11d4e74ba663,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,5938d3bd-5c31-4e2e-85a1-1d4a3209e9d4,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab6ba0fb-6f3f-4387-a45f-af11b8f8c7e8,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,8d3be484-f368-4e7a-afcc-a796b2a0f62a,"4/16/2021, 9:22:52.673 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + 
CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,509379b2-e1bb-4e96-9840-f17e1e260dd8,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,50f2bf59-75f3-49d8-b4c4-b3a4baf84cae,"4/16/2021, 9:22:52.673 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78760e31-4954-47c7-aee4-bdc107ebd650,"4/16/2021, 9:22:52.673 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5092 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c156eca8-b090-4548-ba7f-5fda478d4db2,"4/16/2021, 9:22:52.673 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d56c309-51b1-41a6-b7c5-26b1be979301,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1c45cae-3286-422d-a95f-7430f9b722b5,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f839e4b-32ef-4778-ae67-816180d3ecc3,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b295e63-c3f8-49dc-8032-38395d1c0e2b,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,357c7135-1e69-44ad-9a92-a8dd90a9dc2b,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13c2085d-386f-4a36-a4a4-6c77449389fb,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf86e7c-5ffd-45dd-9b8f-8f1f39e98497,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8944c5-0f48-4f11-9fde-fb3e72b3571d,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16a22fb9-a497-491a-9acb-1fd6fa9b75ee,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0af5709-d656-4795-9fe3-f53517f00f16,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73fc2bbb-05ed-48d5-baae-66ed5216562f,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b531903-2c07-4b4f-97b1-4790cab47414,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80649403-7453-4cff-a015-cedd81c0748a,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4d043c-314a-4201-b255-796b05815add,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29d6a96a-bd46-4560-9c2c-345fa721a5f7,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec1b29b4-8d6f-43aa-ac56-393ecd9b14ce,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db56f0f-b20c-447c-bc51-b310c9f1e641,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce2a541-6fe0-4960-abc6-93afa970b254,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ab58257-7179-4c3a-ace3-e411191f7f63,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fb8ac0-a650-42e4-99fe-3a842dc8c69c,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67adc43f-0a04-4d77-b48b-660d242209c3,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,333b4996-c97c-4b67-ba83-9e01769f99f7,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66b8a12-40f2-4355-b259-f83c7f4d826d,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e270493-ef79-41fe-a55c-5e0ac3e5d95c,"4/16/2021, 9:22:55.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d42011a-26ca-43ba-88cc-b19fed6d8482,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcebbeb8-c818-49f1-9c31-8c26e864f617,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcd378b-1e79-4bbc-81ff-b1df6f64b7ed,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54e71dba-9fac-4c2e-b835-8d93972a5b5c,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e523178-fefc-4680-b942-71bd2d2dc126,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d48a8d1-2d0f-4d9a-a96f-79d401578e45,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03de0732-d2ca-4312-9568-844485d0510a,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51b66f32-6493-4055-adc0-d5ff78765279,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0b29932-2f6b-42a3-a5fd-057dad338588,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81fcbb99-5897-409d-9093-fcabc949cd63,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d224816c-7501-4ac6-b789-f708b4029c17,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df0ea0c4-68f6-4b81-b921-fbfbbcb9b8db,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67321693-f012-4bd4-b9a9-95785daa7218,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0f748ea-6f63-472d-902f-57f1924b9657,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d915e93-544c-48dc-9105-0c435ca9e87c,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77349a24-3256-422a-a7fc-734d4d933c3b,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb4047ee-c1bf-426f-a3b7-780d73b17498,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,119bc711-5f19-4700-83bd-ab5c7bc3526f,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dddba1b-b6b3-492f-ad9c-58b5d02537c3,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c9b788-7bd0-455f-b729-d5685cb227f1,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdfac72d-b935-4a3b-9f8e-9f3048652fd8,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba822e0-a981-435c-abd2-8c7b84bed793,"4/16/2021, 9:23:30.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47744e75-d558-4599-947c-c195a22086fc,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b53702b-1a1b-4fc8-a33b-7c8c8595d255,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4946c3-3faa-4d46-a72a-0eca042cb091,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2453673-8991-47a2-aa8f-be84560463d0,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9212a9db-16b3-4d64-9efc-ec94cbb2f3ad,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,825af085-840f-43c6-ad25-890fa0cc2601,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c7ee6f7-1aa4-4b51-96dc-f3a43bc53843,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8605b6a4-3d7e-4caf-8561-6367b394b4ac,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,037901c8-cedc-40ce-be1f-d2ff76abc567,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc4e565-126a-4475-bb8a-f08bd5d1cf36,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d1c6d1d-4618-49d8-b9a9-02725b2e9092,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c4cba87-ec3c-4057-9956-0713a65764f6,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfb7a908-f738-4833-b5bb-4e550c65f537,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5384c2a5-c891-42ad-bd22-2a5132a7aa72,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f73523f-fd37-4d92-8096-6ef7bac4e482,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01d9b461-740b-4496-af31-c6cb93f0b018,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,583cbd7c-0713-4c0b-b07e-d7e1ffcb761b,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2547f9b-8b77-4f28-b21a-2fba360df145,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2842c1c0-1bfd-4ab2-b63d-eb13180d5217,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82c07504-bc9b-48f3-9854-22f1ed5c25af,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2087e94-78b2-4619-9000-6dcf0b91122a,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e36b82d-7301-40db-8dab-d49a435757ae,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89f24d17-b6bb-4700-98ab-38c8370c5638,"4/16/2021, 9:23:53.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cdc398a-7622-443d-a06b-9aa8ed2069db,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d40441-5aaa-4764-a34a-dab6c046523c,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d15a0444-5fb5-49a7-b848-e035fcf2fd3d,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2dfcb34-0a51-4470-9e21-55a3801d9440,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22d13d6d-77fb-4534-b352-39843f59f4a0,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75c4c39e-a24d-49a9-93d9-5425110efdeb,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2c53a5-1402-444c-bcb4-b7ddf1e26291,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3960a70f-a538-4691-bb97-82c1d809a1b9,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffa8f252-be0c-42c6-b6cb-a3d533f7de87,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47d3a43-6274-4b06-987a-ecbf68e391be,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39b2d354-16de-4a19-9f54-7b335a13aad0,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92cbaef-e66a-444b-8f0a-4a2a700266bf,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87b189de-d211-4b50-9240-660a77691bdd,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f61afc-1684-49c2-9d45-b55e0cd50bc1,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63870d9-e9a5-4948-a2c7-1c7837217de9,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a8d9f0-8c4b-4136-9612-9091860524f1,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a654fd4-9cb8-456a-94ab-46f52ddacab2,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c53334-4b04-4c2d-afb6-056aae22fadd,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0f4505f-708b-496e-be25-07eadeb775c6,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88fd2acb-c38c-48fe-ba4b-0be4c474402c,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84146b4b-d8b4-402b-b9e2-71b928ab2eeb,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c40fd72-8cd1-47e2-9696-0adb89159034,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74357564-8c34-4eba-9831-fbc96341489a,"4/16/2021, 9:24:57.131 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,78f76d15-ef92-434c-8018-5c8b239e5a39,"4/16/2021, 9:26:09.894 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da18c5c9-5373-4706-adb4-614f5b67542e,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3f46a708-afda-4507-bb13-936326521202,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6224 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b23c5195-e001-4523-85f3-ea636067464f,"4/16/2021, 9:26:09.894 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b8e71ae8-ae80-4d99-b61e-baa9c5735c38,"4/16/2021, 9:26:09.894 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6300 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7a9117ac-3cc5-4fc4-9396-ec1bf5437780,"4/16/2021, 9:26:09.894 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05287a9f-ba85-4d7a-a18b-9b57e9599c79,"4/16/2021, 9:26:09.894 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,1db0cec7-97e1-474d-9aba-22627060ea39,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,173691c9-7c6b-4708-9e9b-a3d410f2da5c,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6992 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5952f720-93a9-4aa6-b65a-e42efb1ae6f6,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f2a4919a-3b83-4cee-bfe6-df3136d2ee01,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,46d217c8-56a4-4632-aeec-4c498c80a97e,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ce3953c2-b4aa-42db-8e36-8783e0e0953b,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a19fe783-2f82-4c53-8055-762176768026,"4/16/2021, 9:26:26.633 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04088165-dfd1-4af9-a8f0-94c3a7d121ff,"4/16/2021, 9:26:26.633 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6540 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 
+ 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5d4159aa-84cb-4e93-97df-34946aa230d1,"4/16/2021, 9:26:26.633 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ff7106b-4092-4d74-930b-b352b7a657a6,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57dae51d-6365-46a4-a475-174f9401deaa,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2b7b567-bf90-4589-91d0-2dd74faf51cb,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1054c534-f171-4505-8d70-5064b3d9afa0,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\SOPORTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e49faec-a683-4d43-968f-89a044a81219,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2f68387-5da4-404d-99d6-b48cf2deea2d,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df458b24-7b30-41e4-95b9-bba76a9b0e1b,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1024b962-ec72-4d4b-8756-a899693ad635,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\HELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8405d887-3444-490d-bc2e-ad2eeb85b1a0,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f621c0c3-e053-4f92-84c2-c3b902f80681,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f62e0da4-4030-4e10-a98c-e966ef12630b,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b75f5a6-c90c-454c-8d00-62ebd58a2875,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ccfafd5-8312-404d-917b-3f6898ea450e,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea782d9-25a8-4394-b3ce-ccf954ab8cd9,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a6cd95-c019-4aef-b2d6-932e7c10774d,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbca7b0f-a7c7-4319-a7dd-77397bac3926,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6a347db-2614-47be-a8a6-d8130ec5eeda,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e646e5c4-f444-4355-9c30-9f1ec1da67c7,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9072039-5134-493d-99cb-523549a97142,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32108f24-50d8-45f8-ace6-aaf50619a9ca,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43d95f3a-f96d-4910-a4ee-2c8dbd817570,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eef451f6-e113-4d25-a041-c30921f1ba6a,"4/16/2021, 9:26:54.747 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ff6374-4eb2-48b8-a59d-7ee3dad3a02c,"4/16/2021, 9:26:54.747 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f597da8b-6c9e-4fe1-9be1-8698dfae55da,"4/16/2021, 
9:27:03.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10592 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,44ae3174-72a3-4d34-92b0-eed899b50ccf,"4/16/2021, 9:27:03.630 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,e2e41114-c24d-41a3-90a4-b128b369be65,"4/16/2021, 9:27:03.630 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162c7ea9-14cc-474a-8739-629e8ed2dc23,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22166d7b-cc0c-45f5-927e-03753b2c0a04,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc687e8-c777-4773-b41e-6652c7b6af47,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2062b5a1-f3ae-43dd-b82a-9a57d191380b,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46bf3a2f-9623-478c-a1c7-f42e2b67638e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e3647b-ab19-4550-946f-a8983c0d361e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61f230f-ee1c-492b-8528-44aa8082f98e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b858da8-6f0e-48b0-b7bf-0422ad0c31b2,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdb54570-0001-464e-b428-7a6f15912876,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe42f8e5-f00d-4c4f-905b-2b61ff681ca5,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539c53ff-b405-4396-870d-3ccc9cd143fb,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b8d03a-dc0b-42b7-9810-6f08aa92f7ba,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ca89f2-6b82-4d17-bfd9-69790022a738,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70814887-aac2-43ad-a604-b472275eac49,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24fb7df3-62f3-450b-ae3f-4cb6bdf908d4,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c3502b-a692-4b63-8a81-9a074fad7847,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e533b1-e77c-4fc2-a67d-8ee3704c1995,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3152da-663e-458d-8923-c0f9799eb107,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b9b64b-ad83-4654-bb53-76c8657335cf,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084bf5e8-d3b5-4cce-93e9-1480f858b7d5,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,351c4416-219a-4669-8a36-3fa1d98caa1e,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37bd66ab-c03e-411f-adca-a01bc859c222,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dce0686-fde6-4fa6-8640-7d38fcec0916,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b2841a2-4eb4-459c-abfe-895e9052fff6,"4/16/2021, 9:27:44.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f53bf8-021d-4b40-b465-442e37efa8e1,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,681acee0-5de0-40dc-aa48-a1f34569cae8,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b873756-7d33-4de1-8788-91735d30be91,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e05b5a8-2436-40eb-883d-4dcd4c1def74,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SOC-FW-RDP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-17T04:56:53Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> 
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 2251799813697315 + 1212 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a62b0ac-271f-4e20-8ed5-815f3d770457,"4/16/2021, 9:27:57.222 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3df92de-1bf1-4f33-84fa-e9fbb7090674,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb047fb-0bb7-4b41-97b3-674e8c47d82b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1726da4-9f2a-41cd-b171-9ca1eaffc60e,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec9d26a-1b7d-4df6-8567-5c4d20e33338,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74b5043-dfd1-4de6-a693-984939bac713,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5964ae-8457-4ab5-893f-34d95a76a9c3,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3762ed85-bf2c-40d2-8f38-f3970abf769f,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857f5062-85bd-4df9-8f05-aa4b06d2834b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,801b4084-7261-459f-bbf7-3bd1136757b3,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4b2f8eb-a1be-462f-a7fb-678389d8452b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8226d139-799f-4b8d-b763-46fe911cc569,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c6095a-234f-4126-b188-782298928d9d,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8df7c93-4484-4eb4-8579-5c4822aa5227,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff1795e-fdd3-46d5-9371-83a92471dbc9,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd141461-3bac-4a05-98f9-191e7b2148d0,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd99a1a-a51f-4b12-b36a-da1e1c99ce0b,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e11f1f98-e288-449d-81e1-e8064c947350,"4/16/2021, 9:27:57.222 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f90a8b0c-e468-4e62-bac8-ddbd137959d2,"4/16/2021, 9:28:05.637 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7584 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,db532b68-c9ac-4345-b3e7-dcc3264be934,"4/16/2021, 9:28:05.637 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,837b2a8c-e659-4f7d-8f95-867cd2182e00,"4/16/2021, 9:28:05.637 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ed113615-fe5f-4b34-bd75-5d463334970d,"4/16/2021, 9:28:05.637 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9048 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,24b980ff-e36a-44f7-a5a3-766669f8b890,"4/16/2021, 9:28:05.637 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,843497fa-3400-4a62-8240-578adb2c256f,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5b83f05d-2cea-41bc-9b69-6d473e6cef0e,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f22df49f-313d-4385-bc23-bfb958ae4a2e,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4192 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,38af5b36-2599-46d4-bf97-a2ba235e017d,"4/16/2021, 9:28:09.910 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3024 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + 
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d7d6a52-1b2e-4199-94d8-3e0c3f2eadff,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3eca402-c9bc-4cd7-a8aa-f48571822f0f,"4/16/2021, 9:28:09.910 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a435f293-d944-47c0-86d1-40c08e92e070,"4/16/2021, 9:28:09.910 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,076ee4d7-a838-4d0f-b868-cf217c8cbdd1,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e5249190-a680-4274-8c8b-939ffa70c89c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fb92fb06-b740-4431-a5f4-dd0db5dd99c3,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation 
was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a940f381-a0f4-49a5-8dbf-83e40f613211,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e7995c91-4f9f-4b0e-a89f-78eb769c678f,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cd7ccd91-c7a1-4492-a2f3-87f2145f0cad,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,14c3027a-478d-4513-90b1-fa92b890c4d7,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e29de3c6-c85f-4019-af28-2fba82d5ba3c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,86bfaa6a-a6b8-486f-b547-012a2c4fa138,"4/16/2021, 9:28:09.910 
AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,05a5f19b-5581-48b9-ae62-b8820c2374fd,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b1b7b699-83b3-4292-bacf-ce0934dc45cb,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a7bc3eca-8cb4-489b-a2ea-70603754b81c,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,addcb2ca-5f58-46db-b686-5a64e971afff,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,28546f40-2c54-43a5-94f0-9b4b025ce5bd,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c356e18-a0f0-49f2-bc8a-f4616171cb47,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f061f1d4-173b-4be5-9043-25a6573115da,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,76a4435a-2747-4a21-958d-18dd6984e281,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4e3a42c-b8b2-49dc-8e4c-56eb6b91009d,"4/16/2021, 9:28:09.910 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7f81f8a-785b-484e-b521-4219f3328d1b,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cf7b4659-43c9-48c4-aa1b-f43798a63ee7,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,969d5df0-2a87-4119-8149-fdd61589b0ba,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f49d5a30-56e3-47ca-be9b-580634f5cf3b,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c49824a8-c448-4583-a410-5a5e241d0e71,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,97fc5b47-f867-4eb9-8b2b-bbad8e418c81,"4/16/2021, 9:28:09.910 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1748 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5972366-f86a-468a-a568-647db1b07ecd,"4/16/2021, 9:28:52.728 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6dcd6c3e-5afc-43a7-b9e4-a198a843fa6a,"4/16/2021, 9:28:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b58945a9-1607-41bc-85b8-dbdebd344d48,"4/16/2021, 9:28:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b426d02e-6ef7-4d44-b8a3-81e5cf4c0bcd,"4/16/2021, 9:28:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d24e1e08-e516-4d52-bb31-bb154ca319c5,"4/16/2021, 9:28:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,03ee0109-56cf-4ebc-8094-09704a7927e3,"4/16/2021, 9:28:52.728 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a111102-3158-4f4d-9aea-873afb786dbb,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e406a30a-de1c-4545-84ef-806b12ce236a,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9031ec0e-a693-4ad2-a7c6-e9670d762896,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9879ce44-ae1f-47e9-8c08-b2736fa61537,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6dbc37-e1c2-4d60-aedb-43391e7b96cc,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4378bc0-1296-409f-b504-94ac8221662d,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f353113-6fec-48d8-88c2-5cdd96444393,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea6ce0e7-a50f-4927-8c4e-e967a051d718,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e093e6c-6c15-487c-ab6b-2a02dcfa6fb4,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc3f06f-8d7b-45a9-9db1-3c117f05f0cc,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c986897a-ecee-4051-907e-a3f2395fc680,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942df248-26a2-4c58-b226-701fc440f086,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eaed68e-c71b-4614-870c-736352dcd007,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4996e785-d4b0-4673-a889-d3ae41e9e566,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad37610c-407a-461d-9a51-469c232adc29,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e33194d4-fbec-4954-8325-84088b9a3bc5,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8969512a-e649-43b1-83d3-e7f2ff1a54a7,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43e5e446-30b0-456a-8c22-414a18d2fe09,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,169ed59d-08f2-46b8-8142-f3aeeaecb13b,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a3d06dc-53af-4c20-8906-6fa9c2fe5760,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f60954-b093-4867-bee7-d57d9d54ea60,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdc0c2ad-9a89-40e3-b6c1-645786f33412,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2833fef1-3130-45a0-91af-2be4845a029f,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4810909-a92e-40fd-9a45-b72c8e1f3a5a,"4/16/2021, 9:28:53.137 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8feb0810-a7f0-4c16-a150-f53e20ffd44c,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6130cf92-37ed-40dd-b71d-7785f1a740aa,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d6cee4c-8343-4b2d-ba67-4d94d2223ebf,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b49357b-211d-4177-84da-a6ce07f3da19,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94a02271-36bb-4a1a-98cd-8ec6da9497fb,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d602416-6209-499f-8b4b-9aaa3618da9c,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2a40bc1-ec51-47a5-8d98-ea2ee3dfbb22,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18c69645-eee4-48d7-b3ba-d1009c456994,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49fbe606-8d5a-481d-ac0b-89a6face2642,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ALEX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,813598a0-4996-4c5c-861e-5b79b33ff0b8,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9201156e-93bf-4f13-afe3-0732d5d4bf46,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5220801-1bfb-41e0-ad63-02350371ae71,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,256b57f4-2ebf-4401-bc3b-80639d975363,"4/16/2021, 9:29:02.756 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35d2cac6-ac9b-4319-bc09-26ebadba6a8d,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55876428-5545-4323-8cf1-91d7dc0d97fa,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37ef41d8-a4ce-4148-bb37-277709237a62,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69d6d622-8110-4d24-a8b8-f5a2c785e975,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d94e3044-f36c-4ec2-9c3c-32d700a9fc07,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05a6ca5f-eb2b-4e11-ba6a-93f10e79a1a0,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c41bb349-c343-49de-9142-233cd56bf866,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdce85b3-0c1d-4047-bdc9-156c5f374e81,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe8b6290-a5d1-44d2-a405-aab3a1b2c70e,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2667c6e1-39ea-42ea-9a80-0c7693cb5de3,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d964c823-603d-4e5d-b4e0-05af83cf6c5a,"4/16/2021, 9:29:02.756 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,062ae350-f619-4103-9f66-d218c90223e0,"4/16/2021, 9:29:02.756 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,947b9709-5de8-42b8-b71e-21e5273d4e6f,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11dac9dc-5875-43c1-b2eb-ce30be13825e,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75431d0c-697a-4f83-9de8-5d44978e21ae,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c774a4-e0cf-45a5-aa8c-9b4a6cd898d6,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2789d98-1567-4819-aba1-d4ec3006b777,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07752613-7e51-48c2-927f-b35f80b42701,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72218258-59b2-4e7d-8429-f383804e52c5,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,557ce3df-3cc6-4604-a7cc-d0757a6895c7,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a5adcf-4968-4f34-9522-9dc42ec53f0e,"4/16/2021, 9:29:05.222 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c04eb67-9159-4619-b0f6-fda07422158c,"4/16/2021, 9:29:05.222 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a95d08bf-4f77-442a-baae-dcb296d85544,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b40a69b-c4aa-446d-9b4c-1d46b3ea58d1,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7292cfb1-84d8-4bac-aaf5-c0d03a07e459,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c87b0a76-7ec3-4825-952e-d5a0e0e3bdac,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3612 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,62588ac8-9a5c-4c4f-8e35-872117790487,"4/16/2021, 9:29:05.222 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4024 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dfc1217-cac7-4acc-8c31-ddf6d2d595c8,"4/16/2021, 9:29:05.222 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,733c1fb0-3440-4886-be10-f3e928b1bca1,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49349718-5587-4929-9b72-d5f8b94d218a,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94de271c-26cd-48ba-a309-b394baa05fef,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0993a3e2-a6d6-4a95-a5b6-d462ea358003,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945ea54e-848a-4941-b7a5-fdc3c5bf0d70,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95917fce-4773-4b50-a522-94b1207f5fc6,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df2db01d-25f7-41eb-8f25-fb720bd5e015,"4/16/2021, 9:29:05.222 AM",,,,,NTLM,, +\DIRECCION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d713c5d5-7ef3-4e91-aae4-09c9e1fd5774,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\CITRIX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1c5ab733-75e6-4906-b53c-2171e9c0e229,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5733e66-9c32-439b-ba12-f955f32028c4,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\SHOWROOM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9e3a98b-c585-469d-afe3-8d4b84f4728a,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b66586f7-a16a-4e37-a6f8-59ac56d6d70b,"4/16/2021, 9:29:12.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6612 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT 
PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,20ebae6a-c598-4388-807c-62e8c56410ce,"4/16/2021, 9:29:12.409 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,021da549-b131-4c0e-8391-507089c82ce9,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +\KIOSK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d524fe06-c500-443c-8466-9d0ce3443b45,"4/16/2021, 9:29:12.409 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,28299ed7-bebf-4313-8130-dc9bcede0cb8,"4/16/2021, 9:29:12.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3bcc9500-6192-463d-b4fe-4d568837152f,"4/16/2021, 9:29:12.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,69bae35f-2875-49d0-af98-6ec1bab9e311,"4/16/2021, 9:29:12.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e2eb349-25b3-413e-802c-07b8c9f6bbd2,"4/16/2021, 9:29:12.409 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5cbe2b1-f30d-43bc-b06b-8efe1358e196,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1e9cc2-f349-4e6d-b23a-bbcc109bd3c1,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e17ff98-1f1b-4b1e-bcd8-3bd7d1b61c79,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ec72622-7478-4f50-b535-467c26fd44f3,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7034db80-7dc0-485c-8614-aba5816c7d9d,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b531697-d8ee-48f4-9999-ee063cfdd8fa,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba12d75b-2f91-46f9-add7-794d717d86d4,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7cd1ed1-ba11-44a0-94fb-a23ddc1190ef,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee7d798d-395d-40f9-9919-335603163022,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1629e18-e767-4a48-8df0-fa4407365e1c,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2173dbeb-659f-49c6-8b7a-f44aa9108d94,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46c68cfe-7327-497c-8c20-4312b4d9ef52,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18040e4-788a-46bf-aa06-3617be00b2ff,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19f60670-8268-43aa-af92-41e95bf2ed2c,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75fa9bf1-4f0a-4033-9ff7-ecab6b4686fb,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f849a571-b790-4436-b688-8751bd09cff7,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90535e2b-8d38-4aa5-b4f9-16b6903f3b35,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc02e61c-c226-4e70-8047-9f6a59fecf1f,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68646d59-993f-4734-b04a-af9c03706d11,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0caa7b9c-4ae4-4854-8db2-dfac24eaef38,"4/16/2021, 9:29:20.138 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,23241d5c-8bc8-4717-b77c-d16d6518b79b,"4/16/2021, 9:29:20.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca822e49-babc-453a-9df7-915b1db09b58,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8517da9d-0646-47c5-9e31-071baeb24a6b,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cd7bdbd-e028-4b6d-ad46-7b875aa0949b,"4/16/2021, 9:29:20.138 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8536 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3000d1a-00da-4f5b-8b5f-1410001488f8,"4/16/2021, 9:29:20.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa5a871-1eda-463c-8a40-39ffc1da8c06,"4/16/2021, 9:29:20.138 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,6c3187ff-1063-4298-b478-df8642b28043,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,aa818a70-c6b8-428a-a63a-4df2a7f801cb,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3232 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac469668-c16a-4290-9dbf-7716f6b251e8,"4/16/2021, 9:29:26.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + UNKNOWN + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + 
C:\ProgramData\Microsoft\Crypto\Keys\477963e0afbda1ad94ebb8343d06ce9e_66a852df-f27e-42df-9eb2-fbca054a24b7 + %%2458 + 0x0 +",5058,5058 - Key file operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b83e43c-d0b5-411a-8c05-334d3f8a2d43,"4/16/2021, 9:29:26.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ab07766-5266-4fde-b91a-29ebd6347c3e,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,5e6b95d5-ca29-40c0-9079-83589ff79b08,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 2320 + 2021-04-14T17:41:07.027217500Z + Microsoft Software Key Storage Provider + RSA + 47060022-38c1-4dd8-942a-7c6547cf2453 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,f6638b82-98a5-4542-8bec-6bc0977f793f,8d33e9cf-7dd6-42af-8f65-276428e3a63c,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,82ac106e-f9ce-4e3b-852a-f39001438415,"4/16/2021, 9:29:26.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,67f19492-8179-4b5d-800f-bc08babb51d0,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b923fa36-bae9-429a-b14c-df22c3dbf9ce,"4/16/2021, 9:29:26.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,23a7d8be-30c7-4b80-a268-6f9a9804ea25,"4/16/2021, 9:29:26.636 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140c721a-0bc4-4cba-b99a-20bc8d6e0e35,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd387c82-d447-419f-92b7-78750924e46b,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee5215b1-0c54-4776-b24b-92779c91442f,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,becf07f7-9913-486c-a743-c158b03441e4,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ae94ec-a5fd-4c81-ac72-b55f22594ee8,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61d2167-5117-437c-b405-9419ce373340,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605a9a23-12dd-4029-abe9-b517a9964d72,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb1f4c0-9b89-45e5-9fda-20d843526d96,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bafdcd9-ca07-475c-8316-5c5c6daa0268,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac6ca76-4fcf-4510-a150-5bd2964ba994,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b40c036-ec46-4b35-aa66-bb2671b117cc,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68771f66-5f8e-4540-bf1d-bccd9e2090b4,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94869552-6023-40d6-bda8-4ea62cdbe2e2,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df162e00-23f4-4565-ac14-d1dba60953dd,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37cbcbc-46a6-4436-82bd-bd4c7be976b6,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc77aee5-bceb-4011-ba5b-70d7c15b7590,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a747cded-fb5c-41e3-8974-256158063398,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c0e4171-a1f9-4afe-b9fa-b5dfb8506b8e,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a04d28e-f843-43a6-8a92-0866e47b2b77,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054981fa-8a38-4f6d-bdaf-fe895f8b0c89,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05811cf7-8396-4a99-a876-5f7226a6c721,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157a897a-6909-417d-bedf-ee5ce45947bd,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5916a8f-25c5-4d25-b324-39f38a30d002,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e099dcd-c679-40c7-83e2-29da4d17bf2b,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bc3af47-6580-4391-93d1-57bc1215aa51,"4/16/2021, 9:29:45.136 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 
+",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ada4919-c1c2-4103-beb3-fb98f6a50cfd,"4/16/2021, 9:29:48.404 AM",,,,,,, +\USUARIO2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a827db6-5ca1-4637-bfe2-fe33d913e039,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a41db5d-2c5d-4cf8-8c77-e6fb7a5fdaf1,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e1aa445d-f452-4f6b-a1ca-484fcae22138,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ANDRE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d34eb39-8ff8-40c0-aa7f-95c07d86d079,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\JSMITH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e3639b5-946f-4fa2-ab81-3cb839fea61a,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ed72a92-ba67-49c5-87ad-a002450dd598,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6edb94a-daee-480c-99c0-fc5f6ceb3cfb,"4/16/2021, 9:29:48.404 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH 
Contains ""*"")) + S-1-5-18 + 212 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,795f9749-14ac-4c7d-9c43-e05ea6b61b2b,"4/16/2021, 9:29:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a0943ca6-0424-4fd1-a9b5-888a3c230297,"4/16/2021, 9:29:57.007 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e830dfef-4e8f-4164-ad50-780ef49c5795,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,023677ed-a4f3-4937-93c3-790ccf4d8c7d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d5422db-0010-4539-b08b-5cc42141471b,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cf88a68-8f5a-41d7-8f60-bcfa87bd2f93,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f3c2cc6-22d6-4f6e-ba79-750de920f19b,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\BOARDROOM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47e5c0c9-f0c0-47ab-8cba-c4929f1ffea4,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69c629b9-e62a-420e-80e8-ca4c71a1f498,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d22810c0-4489-4379-b436-63aadde1dd46,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bc01409-a44d-475a-ac92-3a0b60352f8d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4a87f4a-dedc-409d-811b-9ad94ca28a18,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34ab5bfa-1fc0-41fd-9bb9-a643a8461163,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f058853f-453f-4592-a455-7913fcb65f9e,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\TERM1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f39a7ad-1858-4412-909d-514f48c3b76c,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,214312f0-fede-4151-a9be-91c19c693f97,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,930f2366-11e7-4be9-9e4c-784746b96144,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba990554-bc41-4661-a0e8-8419b52f2809,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c47f14b3-b257-49ed-8b18-720108227c9d,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd94ccc4-ace5-4770-a4b3-e09a7642397c,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5b1c1b7-6561-4e61-ba4d-104d05afa0c8,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e624092e-6e3e-4272-85d2-59b5b3de2690,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, 
+\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c07e3875-9d90-46d2-b6d5-742d65ec3245,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa734714-76c7-436d-8d66-3a0acb2e3c1f,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13187d52-f60e-4028-ae2f-b44bafe732c6,"4/16/2021, 9:30:39.835 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a55751fe-f811-4354-937f-f3b82453b6db,"4/16/2021, 9:30:45.877 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cea8fd8-a92b-4f96-abbc-f00dbd7f4820,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e5ac20f-a01a-4440-92e6-7989ac2bc78b,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ebaf11a-6c9d-4d59-846f-379588335ea1,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90c14060-ef03-4e05-8885-820c3c090bf6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1dd3560-7957-4d7b-9bfa-032cfa71aad3,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e15bfa-8300-4f9a-a71a-64e44089a8c6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69f1f65d-0efe-4c93-8015-34ef0a9be11a,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97969b7a-4456-444b-9d73-b51a84699d92,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdb55d86-2091-4656-a119-972e61a57273,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1e261d-1e5f-48e0-9e9f-618afbd82c53,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ac9c11-7d5a-42bb-9e15-c3b2d5ed2d5c,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a16a0a6-6fb9-4335-bb20-4c5850811f2f,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0653fbce-7537-46c3-af35-e0b77c937c4e,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19421ef7-009c-44fd-85e1-102ecbf2825d,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c546a26-c03c-4850-9287-c1f3bc910e84,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5fed9c-8fd4-41af-90fb-b87239785166,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24033ab6-ee8f-40a5-a1f4-de4d8c4dccff,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f35df4-ef0a-429f-b01a-e442576d79e6,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1138b44a-fb98-495a-a912-71f43625dcab,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bb44cdc-2745-43c1-9928-f42a488538b5,"4/16/2021, 9:30:49.135 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46beb4d-b2fd-4a55-a9e1-43f50e9bb9e4,"4/16/2021, 9:30:49.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,991a4405-ef5f-4ea2-a88a-2b617bac4d01,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ABCD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ddcaad-a66d-4f20-8114-57cadc5778d1,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf80e872-5e40-4fd5-ab44-9175eb3b9440,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90e70a15-482a-431e-9492-66ef587cb783,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1bdf264-04d8-44fe-9d8c-ab4b72746aa3,"4/16/2021, 9:30:49.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cdbd95-543a-401c-9d4d-fc11b106c34d,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd1b17a1-d8ff-4255-836b-2ade547aaf7a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29ce41a8-1aa1-4877-ab21-02d1f9283e14,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d923a5c-3935-4d60-ab99-c79d170d8224,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e815c5-17bd-4341-a4b9-70e47ccd84ff,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62481135-42c9-4e73-a274-3c0f7c374dca,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,036f5193-1c1f-4523-9e5b-4f9c5c1e4dda,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42ed14d2-497b-4351-81f8-1e811916d8da,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1512406-f2b5-42c8-aea7-e5ae093d0d44,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fc3f782-18f6-4b78-b4f6-4544a83dac8c,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98efb93a-c027-4151-b416-6f4a236e41d2,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39835a87-da77-41ef-b45b-f704adcdf4b9,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203bd720-53e1-4a2d-a350-d1ed7fcf9c4b,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64e58d03-67ad-4603-9a29-60a67136979a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b6faa1-f7b3-4e03-b23b-940df30a458c,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cbf4a4d-eb20-4883-9d36-d8b623b6fecf,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38eed3e1-4fb9-49e5-a7ff-ce0b7b8b28ab,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a2dd16-779a-4b86-bd29-815b6e66dc21,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984777a6-ed37-4733-8c4b-826b4e58df06,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e574d09b-cf37-4f6c-9f65-ea2f5d5f79a4,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f35f5ee-5151-4e1b-af24-ecf797d79599,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d132cd50-6160-4ed9-a8a0-dbee791d581f,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54623eca-9045-4b55-a700-8367b514730a,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\WAHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14846a8-0b1a-4dea-9e80-ecd9db927f11,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a40415-2b58-4a6b-802c-16a0858e7fca,"4/16/2021, 9:31:03.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17485717-7850-4d58-a45c-1d50eaf3db23,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b4e3f1a-436b-4f8b-a796-c4d84d1a9a72,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7ec689-95b4-4d32-9968-210544757efe,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cd05a4-a958-4ad2-86b7-96b8530a0b2b,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4166e1e1-f9d0-4cbb-88b1-f071718ce995,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a89baab6-f092-48da-9e67-38d628f2b7f9,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80aae32e-9972-4f82-bea9-a92b5d5d7fc0,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4992f7a3-3f81-4405-8934-4c50e254407d,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45fa271-3ada-4943-8e06-f7bacbd83635,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5edbc5-8651-4fe0-9e86-47de7ec80a20,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e81e2e44-7590-4186-86dc-80774897826e,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8e26f7-9269-4cc0-a705-93eb709efd03,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aec01094-fc37-4fab-98b0-1aa37a53246a,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e41662d4-1ae4-4ba7-b412-501259330446,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a47a12-490d-4c04-a031-27a11752167b,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d3318f6-158f-4382-9a57-6934e7add84c,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9266fcb1-4d66-4b87-b487-6f81232f24ba,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9518d5fa-0dea-4dde-a93c-1c59ff1b4d3e,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde09455-fc8c-4395-9d64-7984504642ba,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15cfd2b2-7658-4864-9213-95def3a4b893,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb713724-45ce-4504-bb55-4326a76064f5,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d75a4ccb-d997-4ba0-8bd5-4d48e410d505,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33665106-51d6-466d-8e92-4d16e37c98e6,"4/16/2021, 9:31:11.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5308f533-7da9-47ce-89b1-5ab671178271,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26254252-61a3-4694-8931-56a555b7c25b,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5719d0-322d-4183-9de0-5ca2105d2369,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c411e7da-278f-41ff-a96b-f29f2b3ba13a,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530f4b63-6e75-4130-a43a-4ef7dae901ed,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a6522f-f641-4ea3-8851-10fb1a20df40,"4/16/2021, 9:31:53.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4412 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,026afbb2-8e1b-4e79-9f7e-1ae8cf87de1c,"4/16/2021, 9:31:53.138 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6196 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb6b986-5063-4cd9-827c-8e46089f5522,"4/16/2021, 9:31:53.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97860ac3-1c98-4352-9833-02dbda639a43,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,311d90d7-7a3b-4638-8c7f-0040a547ef22,"4/16/2021, 9:31:53.138 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82c9af40-fe66-47f4-a1e7-96c733a989f2,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42e3352-5f9b-4fae-afe6-45f4f4515f86,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3a5bb1-e8f4-472a-947c-e15609b6c8b2,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7df872-91b2-4abc-a5b5-fc6440de3b90,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,278e488f-e533-4534-bab8-9e6572450ed3,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f912e2-27ab-4cf5-aa3d-7d007a1c119f,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,953c2af3-4505-47e9-a078-1a1d59b0fa00,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a18f9037-151d-4b7f-842c-c1b41b10b1db,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5eb386-11e5-4ff0-ab20-1f16b968e728,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0337062-5df3-4707-a3ac-a8a0dd922d84,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bc1114c-365b-4102-a1b5-f39e81496625,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd7f434-b52d-4052-aead-ec6ef047822f,"4/16/2021, 
9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3c4130-fcd0-43a1-b5f5-03483f3c6f35,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a78811e-7a50-4363-a145-2a415b7a4c64,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a5d231-7a47-4a6e-8941-7270730648d9,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bafc759f-d97e-475d-92bb-a61cddec132d,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a880c39c-6a57-4b89-a030-13721ea4efc3,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e02c296-8f29-4354-9289-9a1cb272aa7c,"4/16/2021, 9:31:53.138 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2db3935a-313e-43ef-b4ec-9e2825ffd035,"4/16/2021, 9:32:11.646 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 10244 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1154c1c6-dfdf-4c9f-8446-b51b0ec417b7,"4/16/2021, 9:32:11.646 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c88b4d2c-dcca-472f-a8d7-344d126341e1,"4/16/2021, 9:32:11.646 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32bfee51-5013-48e4-88dd-0512d5c061e3,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f258ba96-e8bd-4918-b9cd-f88d3837ff9d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e309fe06-b5a9-408c-8d27-a40eac97e744,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b91a0b-6638-4a49-bbae-d34a52ad75a4,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,651100ba-f562-44ed-8933-100d613b1efe,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb3afcf-a776-4e51-8a97-3db7ebeab10b,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af0f959e-9a5a-4e1a-8183-520be2589a79,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,989e9466-4a5c-4842-8876-2b76a8557987,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efde936a-d647-422f-811b-0ac549ed3d4a,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9ff4d1-c852-4761-b844-3cb0408bedc8,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,499db3f9-eb1a-4e7d-8b53-25b2e9c39924,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb4d25b-595c-47a5-aa39-d1724d2b7f6d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f39c227-38ff-4bd0-9039-8669643ba38d,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b7e43c-7e42-4f66-804f-3e644a53b671,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d85b5b19-d37e-40c2-b025-3235f62fa65e,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff63472c-7509-40ce-b732-67b3a19fc2dc,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fca88ac-9764-4ee4-8bf1-5d6510c18a89,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9822a9-cf70-4f4c-beb5-8bc5e2f59fb0,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f433d6f-f76e-49d9-9ff1-6d33fd24bcea,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12d5fae9-a23c-48f3-ac1a-fb2afbdcb5de,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aad8c414-4a7e-4ee2-929a-2f67edaa0611,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5e8d040-0a6e-4b61-89d8-c8b915276cd5,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,604d1d25-3715-41bb-b361-ff205835bb09,"4/16/2021, 9:33:06.139 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ead10197-3de3-4c00-be96-a8aed84c1ef9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3124d8e8-d248-49ab-a9a5-eb446fdebe08,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1620936b-6dbc-4961-9a54-f4efad7a39cc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\NOMAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3745dece-ef0e-476f-a536-9c81a39ae6a3,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22e36417-86c5-46ee-8e37-67b02437302e,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd798a5-15bc-47c6-b574-41ec61c12f6e,"4/16/2021, 9:33:17.798 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cef76f5e-68f7-44e2-a5be-e4cf6735e4c9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8fc153c-cc01-4d61-845d-cd428d00d560,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2e29257-0514-4402-9eeb-7468fb4a4638,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,231a5b1d-e327-4be5-84c8-fb5442349b68,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfc4612-f9f4-4335-988f-9eee424d2f59,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3850b4e-2cdc-4bb2-8c04-8a19c9380c87,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdbb9bf-bdc2-499a-82bb-6e21696283a4,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7252f06-7eb7-4c39-bb28-a956d3db8a0e,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86bf93-d3bd-4096-a328-9144241a0aed,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a5e3217-18ec-4d09-bbbb-799d708c9021,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02dcff5d-1187-48a6-b068-1849148720bc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f81e058-5268-4a4e-8313-edec5d859e75,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa2dbcbf-3251-4352-9031-64170aaf0dad,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\MEETING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e67391-1e2c-483f-8a48-6706d74a9de5,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d04c804-54cb-4552-805b-3fe4c94f0c91,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee0222f-fadf-439a-af50-cfc267e9d9cc,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8abbea2e-d6f0-458d-bde6-e50cb8ae8ae9,"4/16/2021, 9:33:17.798 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52ee363-c838-420c-8ce5-185b78082354,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74e4a726-0f93-48d5-8bbf-d8702e981451,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ef61a4c-b27b-472a-bf5a-da951938a026,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e199a81-aec4-43fd-b208-1f2ae36358c0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4071be-05f9-4bc3-934a-508c22a299b6,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d646ab4-7d54-40d9-8269-1760aa5c8e56,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4347edf7-094a-40a6-bfcd-b25a6c221ad8,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2298e6f8-e109-4161-9c9c-60e5011e376c,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3734f22-8222-49b4-8aa5-352f8121bdf0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\PILAR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,beaf305f-8dbb-42be-b056-0880a804b217,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,736b4288-8ef0-4c03-a90d-2f633c1a8a56,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69d8b673-8a3e-4bcf-b28f-e2cf44197ab0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f35f151d-9575-40d5-a0a9-6fcf7d6a1540,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da6071e1-1d4b-4f13-a7cd-943ffd36cd8f,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\TONY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17cc4e10-f628-4e88-932c-94e09b12ca5d,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dfbf42f-85f7-4deb-8137-783b0a5e1801,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f053c3c9-0b6d-4b9d-9b23-e3e889900c04,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c34710bf-0beb-495e-87ab-00d75c70805b,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b5bbbd3-a31a-4f8e-803c-def3640baef0,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc46825f-6597-402a-915b-d3e822a2f30b,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,441e0f5d-b836-49d2-b634-07e74e0b1a57,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c5744c-9b96-416e-867c-5c97be918255,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2339a6b-83c0-4050-b4ac-94c19b441d37,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,413df73d-991a-4798-a0a6-94eb1ca6c1ab,"4/16/2021, 
9:33:31.776 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98259ef8-513a-48d7-89ce-b74149f967a4,"4/16/2021, 9:33:31.776 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79d01385-8e5f-46f8-9078-aebce37e5a16,"4/16/2021, 9:10:09.954 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a50207d5-4d10-42ec-ab3a-ca514042917a,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da8d1f00-501b-4b99-aa39-a903496a1250,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d0e1ce04-b23c-4a6e-856e-128260cfcf31,"4/16/2021, 9:10:09.954 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f3964bed-4c1b-4a07-b104-341a4a48cc14,"4/16/2021, 9:10:09.954 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2036 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cc284b3c-9061-4ef6-a541-638c7d1f30d0,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11740 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,260de810-e796-41a1-9965-8bd3e7333ace,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10900 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d4a971dd-05df-486d-a532-753ad17c36cc,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3532 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7fc75a5f-e634-44d3-ad75-c70b8cd18e08,"4/16/2021, 9:10:41.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,33e1fdbc-e639-4e99-a2a5-d9f4aaba19ae,"4/16/2021, 9:10:41.991 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,b13f2ba0-6a81-4777-975c-01ffdc80ec13,"4/16/2021, 9:11:45.931 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b498e1d-029d-4c60-83c3-587c062853d3,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8033416d-b9ae-4c7f-913c-2b9d1a414c46,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5233a0cb-45e4-4999-be75-7baae13c25b0,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5822ec-e011-4307-8aba-5f191ea8e51e,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ec9a37-ef87-4a64-8b6b-063ed452ae75,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,41502da5-21b7-48ec-81c9-baeea8d7d669,79e77747-65e0-4e98-a0ff-aa718b8c281c,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af02a9d9-109c-447f-a083-93a9b0c7355d,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea9cd29-6afa-45fe-ba75-2f8da077f3ca,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a01a2c63-f6ad-4175-a28b-c6c5c18b1436,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1699544-2a2c-4bf7-9602-a1ccf05ab8c1,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b560961b-693c-463f-99fc-9d2afaeaa393,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab52d85-6f40-499e-a94d-e8f6db957740,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,41502da5-21b7-48ec-81c9-baeea8d7d669,86ae6919-1720-4d45-bde7-9666f1375371,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0xaa0 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,e67f14fd-24bf-434b-a9ab-70bf158268d7,"4/16/2021, 9:12:00.151 AM",,,,,,0xaa0, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-503 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,295dcf0a-8623-4de1-8dda-5994871e0f06,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-501 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a7ab2d2-fedc-43b0-a00e-78f9462deb74,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ 
+ WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d016bcb-80d1-4868-90e3-98f61f75267f,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-504 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c6f7db8-6e93-4919-add8-258fd9deabe8,"4/16/2021, 9:12:00.151 AM",,,,,,0x2358, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7996d74-f072-4801-9ad7-03ac62c9a2dd,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8aab31d6-8b8f-4991-bc00-d8cd1cfcd026,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fda531b-7c81-4b67-99f7-2fbe8d17767d,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf24dd8-5e2a-4d49-ab65-100f9fc79ddf,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,996494e7-415b-4eb1-b511-46a96ad88302,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31eb4b8-274a-4538-902c-b7824560f9a2,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49d4dab4-b0b4-4b2d-b5fc-b811fb3eb8e0,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b252c2fd-16d8-43c7-bc30-9af93e6f26a6,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de495e4-5a79-48da-9948-92ad736d0858,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73d6eb72-a275-4947-81e4-b1218dbdfcea,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2674ac63-b250-48d7-b858-ebf547ebe432,"4/16/2021, 9:12:00.151 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + UNKNOWN + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\6236f8d93a08713ba009654cf3672978_1f416c82-3ea4-474a-b230-f653aae1986d + %%2458 + 0x0 +",5058,5058 - Key file operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7caf5719-5a90-4561-b52a-5961534f0197,"4/16/2021, 9:15:24.734 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,309657ee-ad86-4cd4-8505-488cec165edf,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e46e7084-c68c-4fda-835f-52add253152c,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 3248 + 2021-04-15T17:46:32.492836100Z + Microsoft Software Key Storage Provider + RSA + 3e342d9c-691f-48a5-aa16-5b4cfaad0de8 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,25dac5f2-754a-4b07-8787-121743b4c94d,"4/16/2021, 9:15:24.734 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b8607586-56ac-4e88-9cfb-90bfbced07ee,"4/16/2021, 9:15:24.734 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5760 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fb8dc457-70c3-4ed0-8136-e35a3982e8f0,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42d1e853-3695-474e-8f73-66fad29056e1,"4/16/2021, 9:15:24.734 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39d4e475-3f50-4812-9689-63aa46f4ced2,"4/16/2021, 9:15:24.734 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96b86e4-8286-4ea8-a9fd-41f880ad0a20,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6194afb5-ec3f-4a5c-bb17-5b68e4635925,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4c523f-a72b-4221-a15f-73ce1e2052f3,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d443888d-80fa-4f19-a9bc-247213b7d525,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca16b427-21a7-4144-8c09-5af41003025a,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32bfdeb-13b2-44c1-b3fb-881c7ad0846a,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32e7c31-b4ed-4c0f-894e-ced7435fba45,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af333c5-855b-4b82-9f13-f22b856f8c83,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,124509ea-94e7-43b1-8864-43e453249a1d,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80e6501-5d6c-49b1-9a45-30573f83c9f6,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54f127f3-b8d6-4429-bc90-c6042985dc98,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e72800e-733f-4b28-96cd-d08c31a912ff,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53403756-46f8-4537-8ab1-a46527b28b9b,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d8b3e3-3048-45d8-ba87-c76d1820ae13,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,892004ad-0764-4bf4-882a-50353bd66ba1,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5757de7-9b6e-430d-95a5-09d96c3743bf,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4888c6d-f20a-4bd2-a64a-a19595196040,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b965c98d-7d48-435d-90a6-912ce44bf64b,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c81e2795-99a5-47e3-8bda-fb871955fbe1,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cebf9835-f774-4d8e-af50-512d63c94f82,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a424a493-d75b-4fbf-b12c-69060d73400f,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e6bcc6e-1ad5-4a36-a4eb-9a27314e5da3,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ecd9dc-2885-4af7-9817-6432355a93a2,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6c6cd41-d7a7-4e20-8348-8b40f7bd923f,"4/16/2021, 9:16:59.224 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0926239a-d895-47d0-9ae5-1e6ed8cd417b,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\MARIA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eeff4476-e1b0-45a2-994c-053a7aec31ad,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eac4acc5-0ee3-4595-8c31-c0e21607adee,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +\MANAGER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,779b8a18-ab6f-4b1d-9e8a-ea97756d92a1,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5606580-2b46-476d-9d9f-e6a3e8a11dc7,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b47d455-9bcf-4ec5-8509-2ff5591a7027,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7012 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8dcea471-2c4a-4144-81c1-7c4cc4431ee1,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,94b7f2ef-ef7f-4996-b786-56cfd7fca893,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8180 + 93 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\150\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 95 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\150\pmfexe.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d234145-a356-485c-a5b9-6777ae619195,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6976 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8ae0821-08c0-4cb9-892e-b29ca0d55d58,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,24089d62-04c5-4917-a65c-1ddf1b2d24bb,"4/16/2021, 9:17:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f472e185-b245-49b0-96ec-d95391ae1e26,"4/16/2021, 9:17:19.412 AM",,,,,,, 
+\LOGMEINREMOTEUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2c18100-69e5-463e-b161-00428ee5239f,"4/16/2021, 9:17:19.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8940a0ed-2445-473f-ab1c-a87c7e51cb71,"4/16/2021, 9:17:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f3d6b8b-7c6c-4dd3-a62a-d9f85aa1d19c,"4/16/2021, 9:17:49.272 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,abe04a37-a615-4c2a-8924-3b67f661ba30,"4/16/2021, 9:17:49.272 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68551ed0-d747-4c7f-8596-5ca3fed0056e,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5876fcb-a270-420a-81e4-2227a5202e6d,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2701bc8-855c-4f61-b3d0-1e0f5f64e41a,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ba26b95-05f8-48f0-ba0f-fbef9c69847d,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794c0d8e-e513-4dc9-91b9-2c148aea4865,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57286877-79a0-4f91-8707-e60e6b453188,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06754dc0-6fac-4e6e-8162-22ce4eb80bd6,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39bb8717-8fee-4a1b-8e03-a5d645ef8643,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18010817-f9e4-4630-aa08-d8b38c03a66b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f73721-e6ae-484f-9397-7991235aa81b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e439143-049a-414f-a9f8-63faa14bacee,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f2297d-d430-49de-8960-d1ad0999f7b0,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f43861-2749-4229-a93b-02e50a273883,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,864a6cda-e40e-431e-a0b2-d3e6c2c835c5,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f8c81b8-e61e-45a8-95e6-5662e265b7ba,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d869f2b9-5753-4e3f-a99d-32b899753aa4,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b7740e-77a7-455f-a213-9164c0f64153,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ffcdc4b-d17e-4e43-a5bb-c6ccdd02d06f,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c5ba2c7-c951-4f54-abc8-72a0f8594faf,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55c9592c-91cd-4330-a3f7-1e56d225aa33,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,202832e2-9d36-4f9d-8f08-4f500e436dd1,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b24112da-d393-4433-8568-58fc7827c4c6,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0a16d32-d6b6-45c6-80c9-9e3b78f01467,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42205ee-a9e9-44f4-b08c-dfa299569c0b,"4/16/2021, 9:17:50.132 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3174cd34-d88b-4f56-abe2-4ead06334f10,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb8eeded-bd16-49af-a4ec-74853ae89dfd,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\WAHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc58b5e2-f729-4ad3-8f89-eb0cc2656145,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2ca1430-d14b-4f61-88d4-d6a56ddf749a,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24628b32-4e2e-4b9e-b51e-965d6ce93f13,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0ba5558-8005-4fb9-af95-7f94219e5f72,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c183ad8f-d7ae-4b67-b921-d6f071c0fda7,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\EYS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdef2454-0914-4090-bdd7-6fe447ce3b4d,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d6fb6ab-3e08-4bd9-a6a2-69ce15027a0a,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56ae1859-ea4a-435f-a41d-98d4d57f68df,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76f31b20-4249-4086-a90a-aa0bd276720c,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,940551ed-ba5a-4a3e-8471-5aede4ca52f8,"4/16/2021, 9:17:59.720 AM",,,,,,, +\ADMINISTRATEUR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d252b7d4-016e-4ee7-b608-83746ddc7d22,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5afce76-f86d-49e3-875c-da387f3bad56,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,faaef9a7-28a0-42a7-adaa-21569f0ae013,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec0f531-e63f-455c-bbc7-afe4110f24e3,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00d25632-6067-439b-8c04-e45110fcf17b,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,126c960c-3b7d-4032-914c-34902542107b,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1708d62-4488-4511-ac87-01b2bcff1094,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,489a34e8-9f64-41da-93cf-df6b43acefa8,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d0fa29-122e-46be-b745-c79d162e807e,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +\SAGEHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44307ba1-7f87-410d-a3f3-fff7efbb5203,"4/16/2021, 9:17:59.720 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ac5fb7f4-a1f5-4a0c-8130-dd5ffeff7bce,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d3bcfcf8-f121-4c38-a9ca-0c2ff114f850,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b7b8d5c-481f-4d1c-a456-07b6783bc1b3,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ae57d995-c27e-4c57-b9bd-a194d01820ae,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2560 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,01754751-58cd-400d-8f73-e22ec6299660,"4/16/2021, 9:18:10.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7164 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e23d9b6b-ca3d-4641-bdc7-646a2de2731d,"4/16/2021, 9:18:10.007 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,28b454e6-80c0-4d88-8440-0a5fa8364165,"4/16/2021, 9:18:10.007 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f8b38eff-84b4-463c-bb74-cfe782d3ac9c,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c7b79155-770d-430a-9e97-1f8800b24410,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0d9bb524-2e82-4417-8c59-684d7bdef5f6,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0c5bfe49-1954-4a75-aae0-d8a5947b1863,"4/16/2021, 9:18:10.007 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6764935-888f-4aa4-8695-9f6cd621d7a3,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b75a989d-9591-4c3a-a814-eeb9f6324214,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0ef91fd7-6861-4c91-8813-e0c6dda72c63,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,22035a5d-2482-45c7-8ef5-a5723607e8a2,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a5b93d7c-1664-419a-b16e-e71056a13474,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5c94eed0-f6a0-4c6f-bbf0-3b40bcec0716,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,247693e4-bc83-4e23-957a-615824f066ca,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47db2c27-da14-47cb-9ba0-1157ec7ae79c,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d9230be-05e5-406f-aff0-85974ea629bb,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,be622eb3-b060-48f6-a769-8016289c6319,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a17e4c31-befb-4c6a-9c14-04eb0219b052,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,710c2e6c-7961-45e7-8910-2721e4758905,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e82bfe71-92ac-40b8-9260-ef64cb56ee75,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,75ce724e-e810-4ec7-97e5-037286fcb8ae,"4/16/2021, 9:18:10.007 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9a2e633-4eb4-4fa2-879d-4c5e51fd83d0,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c8ab2529-7661-48a5-abd7-115106f9507c,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59566193-0f8e-4500-9cb8-4d766c87aec9,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,273dcbdc-3e77-4086-8d4b-0bff198ede75,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,10073d83-cb2b-4f48-816f-cb5cbe0b82b2,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,35e1ed6a-64a8-4d2f-b6be-cae4c330a561,"4/16/2021, 9:18:10.007 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,604bdad3-cc1a-46df-89d2-765af0fa0239,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f38b67e-1494-451c-a566-455c68c4d2b1,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3d31e9-e94f-4b0c-ac53-31ee2de2969c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,850e95ab-f434-4ae9-842c-f2aabce3de64,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53dcfb04-1976-4213-b957-b1d2fadd6545,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79af33cb-a0d9-4e46-8e5b-dc70719dc97c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0feacf46-d87c-43ca-ab49-445f6007bffa,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c1d14e2-f6e4-4872-9103-655644bfb056,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80dbe167-2759-49e9-a8c2-dcc651a85c5e,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3292cb8b-1846-4570-a785-e5b9d85b13a8,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de75e2ea-dc15-4355-ab55-5e0571fc5ad0,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5b5f09-6411-44ab-820b-e49df72a0124,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3839c-ebee-470a-b177-57e5fa66be91,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5310471a-54bf-4795-a56b-29c61105128f,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ec4b71-c70c-4677-aca6-abe3030c297c,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8c5b88-2489-4ddf-b919-05ec3c2ced97,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5ac835-1ea3-4f50-acaa-44cbb7cf2933,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae02e291-84ea-4806-9fe6-191acd42680a,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e50837cd-b15f-44dc-a112-0c9c3a96b493,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e127ae01-958f-4ce6-bcf7-8ca48d96f38d,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d74a969-9a81-45ed-ab74-d0162575650c,"4/16/2021, 
9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ac2918-0b6d-4c44-8d25-1a68405bb67f,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6183665-2506-4b8f-8cf8-0aee7fe5fe98,"4/16/2021, 9:18:11.132 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e44f7cf9-283b-4498-9188-c99d389ea00f,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d871851-8308-4e65-818a-7c3d5d28951e,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbe9ff91-c3ca-4618-aa74-34880faf3af9,"4/16/2021, 9:18:16.714 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4af6aba-e115-4f38-b80d-5c5d7968f0c3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33a3cf2f-e05d-4ff1-a5f3-da5543f729cd,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eed7ecdc-725a-46de-862a-5cc9da53f289,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9c4cb2d-e7c4-484f-95fa-30e516eda7df,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b411819d-8bbd-4fc9-8348-5abf5210cfa0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68afae4b-6fb0-49c8-a94e-e63879e4c296,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\HELPDESK,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58298881-9e56-4674-a7fa-09bba0cdf5f3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c368732e-6475-49ee-a016-0ddd0f529746,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,363dae8e-56bd-4b26-9095-e2c496d2ebd0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df8c476c-ed74-4f3a-ae81-77568045ea02,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddcbec4a-7255-4af8-b38c-7fb6dcdc98a0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31cbd373-c974-4721-80fa-88c687dbbaf5,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d054758a-c569-4fd9-8085-048615a226e7,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bcd68fd-86ca-428e-9fbb-e962d7789dc0,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b44a915-e718-422e-9739-fdbb1910c046,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e75d759-4af0-41b2-86dd-e05863cc7e1f,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3be728c-b94c-4861-b8ac-99b0ce43f6a3,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,136c3c7d-e305-48cf-98a9-178923d55fc9,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56cb911a-4a15-4331-8e08-476da1c0376e,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\DEFAULT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e6634dd-7fe8-477d-a242-95abd9a630f9,"4/16/2021, 9:18:16.714 AM",,,,,NTLM,, +\RECEPCION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4bc0515-c5a3-43ec-a68c-4ee93637043c,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,45eccf13-1000-40d7-a962-d677053e57f4,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\SHOP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6cddf0c9-ce3d-478a-a90e-301139187077,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4326a80a-6620-424c-938d-a6872cad790f,"4/16/2021, 9:18:23.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,333d2268-4000-4034-9daf-500933de21e1,"4/16/2021, 9:18:23.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3eef2d3d-d6e6-4b1f-9a11-044b88532a41,"4/16/2021, 9:18:23.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1d0e30b-fe10-40e5-aa61-eaf3b5f2d535,"4/16/2021, 9:18:23.413 AM",,,,,,, +\TECH,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26f5553c-81c6-48ef-a43c-3554bc3ef296,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2ed79bd-dec8-4751-9176-722273169d19,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,75a67885-29ed-48c5-9fc1-d483118428d8,"4/16/2021, 9:18:23.413 AM",,,,,,, +\ACCUEIL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca558117-a131-4785-9473-11b15ae4f2a2,"4/16/2021, 9:18:23.413 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7abb54e2-c226-412a-aef7-80ec867ac959,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c43fbdcf-84d8-4861-9965-126e6533b815,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3752 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0521c3be-7213-4031-8f86-82d7e4eb3de9,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f11cd38a-aa38-4c92-b8b4-e6bd1a815918,"4/16/2021, 9:18:26.620 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,989f5405-7532-410d-a205-4f0be704e221,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8532 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1992df97-bb6e-4c17-900e-8db41640936e,"4/16/2021, 9:18:26.620 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,815d5544-5f7d-4fee-a41f-3cefbbab537d,"4/16/2021, 9:18:26.620 AM",,,,,,, +\compartidos,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a37b29b-246e-47ae-80b3-30639a9e44e0,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,340b8e5f-f526-4742-8eab-baee68214295,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d105407-76b4-40fa-a7d9-1dfa631f5db6,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852c57ac-9678-4c24-b0ea-4ce472705284,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3dddf2-0407-4b5b-9f3a-10f4348d5ca2,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c585fab9-e478-41da-aced-b3b571d7af9b,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30450c44-d77b-43fe-b84e-7e1f9d5989cc,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac71055b-20c5-41e7-84a0-955d69a4ba8d,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb52e494-d916-4210-9639-0397c2469f78,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\khotn,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a3160cd-8ad8-475f-82fd-8bdd1dd0f8b8,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc97d04-b5c5-47b1-b30f-6081493dc4a3,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c94e69-0aff-40aa-a041-1eb7046e2c2e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5700ab-60f1-4a27-a8c4-0608744b8856,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44b5659a-1569-4fca-96cc-37e31ee1bdc3,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b04af824-00cd-4b40-9e30-bd69a91c844e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c439f3-33df-420b-a4da-689d8c318f1d,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed14b4f7-5ee6-4be8-87cb-c7a3f078de53,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5b8f747-4f2a-4c35-af59-a472e6f7e29e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0d3d2b-fd5c-4cac-88f6-f5f9b54c42bb,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23aaac35-2cd9-438b-aebb-d519750acd72,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b078ab4f-02b8-42a3-9dee-777f696f8f7e,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\praktikant,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,151a0496-7424-4a4e-8ff2-3ebc444290f4,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c303b3e-7f88-4394-9c56-4572f8b7c083,"4/16/2021, 9:18:41.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef7f1bb7-3739-4857-bade-a256dc9d25e6,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86a4770b-e1d2-48d0-9f99-41f4b01b346e,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ecc112-a1f3-420f-945d-6940c9585aa9,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cbf61c3-250d-434a-b303-f3e98f101a62,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdf96533-b880-4a0a-96c5-386625eb82c1,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba6ea35e-417b-4393-9b45-4feecaeb376f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\byzz,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e7d3b4-9c84-43f0-91e5-0bca9010ccbb,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ba7c630-0b7f-493c-b3f1-0114592bf93a,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34985155-7397-4831-a475-72f0e9f4199f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b4ad6c-1d70-46fb-a3be-4edcd99ac454,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3f79ac-4467-4e5d-90f5-b16eddb50400,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fd52be4-142f-4d41-9446-fbb24981c42f,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d316da95-4b76-48ef-9d20-38683240af91,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2acd6df2-d69f-44bd-ab34-dfa3626b3c9b,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\gcuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0315e9de-6adb-49ca-90bd-9cca1ad92ae2,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9410949f-277d-4a44-8d6f-20e454288ad7,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a65ad1f-58fa-41c3-b0fa-8432c30a0d7c,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb809431-9e91-4c9d-8930-c8e96044d69c,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d025c8-28dc-44ee-a26e-6b1ba0b190b7,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, +\sale,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe6b5c7f-bc97-420a-9451-8991e9dc9fbe,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b883217-76f7-4f9a-8997-51a8f4b3d568,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3741293d-9330-4e4f-af4e-2f6021f1c6a6,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05cdca6a-9d28-4b09-a968-432cb5012bfe,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b890f698-1a5a-4061-abd9-ebd3d54ef145,"4/16/2021, 9:18:47.127 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe7a585-9feb-445d-84f9-898d2567ba2f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a076e85-e370-4632-b8b3-3fae5e902dee,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11adb88-7dae-4fbc-8734-50b952b34126,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb4f3469-9239-435b-9242-fd1e91297ca3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc6e45b-7500-4235-b0b0-ef23c2939443,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc64264c-0cd0-4dee-82ef-f57da090cf1f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa8bbe9d-e95d-4dc1-b19a-c8edca5f783f,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5bced83-2c8e-4ef3-9f7b-a2d97a045f51,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\OVN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae835869-ec65-4a5a-b523-3c7705cf5802,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef233fea-1bbe-4fe3-8beb-9d5e70bda37e,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,570e3d84-797f-4f8e-9378-be1ef4480e03,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46127cb7-6e91-4ac1-b6f0-e1642372ba48,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4f7d582-9261-4524-a884-22877d15902e,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,659b8513-9383-45d7-a5e9-22783f88aae7,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1f598c1-b153-4378-80fe-9cde28693efb,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5f38b2-48e4-4dc5-86dd-1c8d274d7faf,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b887a49-82eb-4a11-9032-e9818b715fd3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab5462d6-1314-41ea-80e5-0e3055b6a42d,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04566cb8-aae7-44a8-a2ee-3639616df404,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\user,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c2d309d-c389-4d9b-ab76-65c319cdcf95,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46610329-af5b-41c6-9e81-bb0e291197a3,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0422ec0-263a-4d6f-b5ef-62edab3cdb26,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2ce200-abb5-429a-8d95-271cc3cef471,"4/16/2021, 9:18:52.137 AM",,,,,NTLM,,
+\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f31f9d1a-b5bd-464f-91a8-b75fe2fe90b2,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefc4f15-f93a-42a4-bceb-e0bf15e42670,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d329db4-f64f-4493-a453-bae710dedc86,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e038719-1cf7-4be4-859f-8d43856fa4fe,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948ba1e8-88d7-460f-b9f6-fb5153b990a3,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9f6df99-d6c2-4bb7-b971-722f148ba776,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7964b377-4b01-4cef-a4e3-340f278bf226,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b7cf3e3-c1c9-476b-8718-d58f5d45bb53,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60144bc8-cccf-47a3-a753-05f2f3a500ff,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf12691-cd7e-4067-bad4-e05d70799d4b,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a820a1-ceef-402c-82fe-222ea83259e7,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bb489b2-f74e-4311-b1ab-2552b45a5acc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b51a53ee-b835-4a13-b67a-56f3b4ad0f0f,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba038af-708d-48b4-96c6-65e9bb10e836,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35e9adc0-deeb-4bc8-b839-0c80ab2455a8,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f93e46-2383-4832-a101-8dfe605ea666,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\POS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f803d6f-0478-4b95-9f95-ba7792e8641c,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6406066e-699d-420c-880f-3afd098a313c,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1c7241d-4538-4446-bcb9-45a93e5a24bc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f7a19a9-9a15-4a2d-9203-cdaa215d4afc,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47b1a192-c262-46aa-98b8-460fece697be,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74a72b94-04f3-49fd-8c6e-9efdc156e3e2,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0afcb16a-db19-4346-9bf7-8838175175b7,"4/16/2021, 9:18:52.728 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5ec18453-5b25-40bb-8f07-62c41b82886d,"4/16/2021, 9:18:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,009423c7-de89-41a4-9372-6a0ed52b7fa3,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,67484e34-5bbe-4cb8-98f0-71e42fc1668a,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,42de3d48-dadd-43d1-8dab-b850ab6da121,"4/16/2021, 9:18:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ade186e7-250f-4277-b31f-2f9840ebd2fa,"4/16/2021, 9:18:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7d8c1cbf-d4d4-4d74-9b8a-10b914e05f3c,"4/16/2021, 9:18:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12316 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,05259742-5903-4648-b162-e66c3f09807e,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c5dff0dd-8f33-4dcb-b9c0-1cfc402434d7,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7108 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,91d9cc39-101d-41ad-b817-e9ce30730027,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eb42e810-feb2-4397-968b-af9712609b70,"4/16/2021, 9:18:57.344 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13072 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9ca6e53e-0a85-4b94-86d5-3e9dcc49cc64,"4/16/2021, 9:18:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13004 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,dafcd013-366e-417b-b9db-5be8a46d0a76,"4/16/2021, 9:18:57.007 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b03c51a-f976-4af8-9830-0c7184fe8852,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f63bb2b8-7743-48a3-9236-f3e5c5e210e4,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\SOPORTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e2d0c2e-54ad-4c81-88ae-6c76f6a1edcd,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a789f8a-106b-4caf-b214-107819afc0a3,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\AUDIT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c397fb85-5c4e-43e1-8ede-cbfd7e78f574,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d0b4dc-e020-4cbf-9c5c-34f7a1268fce,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c681598-eb2c-408b-8554-d7f2deefc11a,"4/16/2021, 9:18:58.413 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3c13256d-54fe-4549-a2ce-0a269db640a9,"4/16/2021, 9:19:00.617 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,99796845-70b9-41a6-91bb-503745aa5235,"4/16/2021, 9:19:00.617 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,96b67f78-36c5-4754-b4e8-51797816e4cf,"4/16/2021, 9:19:00.617 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04cf9206-e23d-4cb5-ad25-3a758466d58c,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3feceabb-11c0-455b-a117-736b131ecfbd,"4/16/2021, 9:19:03.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ed0a2560-581f-4e58-916d-648d6b5ae301,"4/16/2021, 9:19:03.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4a1ce0ce-03dd-41f9-9464-477cd40561e5,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4300a3b-414b-4051-97e8-8f465e5d53ae,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bca76982-fa31-409f-8790-d0e16d9d3176,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,47297c50-07f9-43db-acbe-0b262c66908f,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b38a88e-f3b9-4cba-9fb2-06c38c42d0b7,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,faaa3c90-73e3-4363-8028-f3eed6bdfb1f,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,06b144a9-e421-4e20-87d7-2e4384b8b49c,"4/16/2021, 9:19:03.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0c66120-fcef-45c0-a729-624a1d61d53e,"4/16/2021, 9:19:03.063 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c0a3142-3161-4905-bbd7-713e3a08c06a,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59633b96-bd24-4501-991f-45629c4e7ae0,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\classroom,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d406c85-65fb-487a-a1e5-e83a672b023c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f463ef2e-5ca2-4ae3-ad44-f662d029c78c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbd34f5f-065c-4248-a26a-5338776717e2,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b68336-595b-46d2-8519-2e84be9276e9,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad057a52-7d1e-4586-afee-5b2c6d9fd35d,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d635b758-de3f-45a9-a417-5777a51ddc29,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20cf0b1a-2110-456f-bfb1-2de9100478ad,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\sandra,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce856550-8abf-43d4-8f26-9bb8440fe659,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6a5697-91d2-463e-a3be-a7d6bed8c209,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d91553b-1e44-40a6-b943-80673bd0e32f,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c169d5b1-dfff-4717-a6d2-518960fb8969,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e8b7d8b-7c37-4ac3-a612-691344b40ebd,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b573dcce-92ca-4734-a5cc-8bdfb1ef0e5f,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40ecb2f0-6e78-4611-8b33-489cecf7d706,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\user1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41a0e5e5-9ffe-4a22-a234-f8011f1cf130,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6cee24e-ac1f-4df8-a3c6-e30ca1be6896,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9911e2a-7561-4238-935d-a89180d0d549,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a64a7ee-e9e8-4b5a-ac10-547dfa6071ed,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfb62a15-86ba-4252-afa3-5ce61bbabba8,"4/16/2021, 9:19:10.130 
AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9e6a013-bff1-4125-81f6-d75fec24e717,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d191872-b991-43a0-b607-893a0bebeb7c,"4/16/2021, 9:19:10.130 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974fefba-ea0b-463b-8f82-3429df27557e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed23a725-fc55-48c4-ae88-2af2bc1afad1,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,032f6964-a864-429a-ab5c-4c502a7c005c,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84afdb28-5b48-4104-98ce-8a565355d130,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\giseli,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96cd035e-3b2d-4f67-a214-3d28570c258b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebb60f2e-0cbb-4b2f-b47e-af7b4867819b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3cf409-d780-4906-b36e-09fd341e67d9,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a076c572-56f0-44d6-bf6a-ecd674dda52f,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58706630-2b17-42e1-ba92-19ca92bba76e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d429ca5-321d-42e8-ba29-1484bd86e109,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba38ef1-660e-4561-a9c9-f1bd64f555de,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\user,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6fcc6df-102d-4b56-aef3-d81a08d40b9f,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,765480ef-fa6d-4b08-827f-63664e4753e7,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e58ae94-4d04-4956-8314-c8ac03d4233b,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,427e3750-af5a-4bdb-b805-0fda1c05aeb2,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be8c640-3b83-4af5-8a12-d8c6d3897313,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37726295-d25f-41c2-8150-4268f184fb0e,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5585b7cb-dae1-4014-90cf-0ae97d749a0c,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ekogan,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6880e477-0b47-41f5-b2b9-086375680de4,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c9d42f6-a8d8-470e-9762-7d21d95ccbd8,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c0b9558-e063-420a-881a-92e77c67636d,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f18f0e41-3b11-4163-b989-e0c2642ab5a3,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b06deb-e5fc-4a79-9a64-8ddeb2097f1d,"4/16/2021, 9:19:16.130 AM",,,,,NTLM,,
+\priscila,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c83136b2-3cbc-4b60-9441-226aa39ccc94,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d60b3be7-cbd5-448c-b177-e41810d7ed9e,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdf1eedc-3f9b-42f0-a17d-bfaf1d8d9017,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b50f8c-b71a-4798-bdad-6f179b44b2c4,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5726c143-f004-4ad3-86a2-78b2289d44bb,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc298905-a625-40bc-915f-54e17559cffe,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951ccdff-3366-4a37-b11a-a6df37632075,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acafc0a4-ffc1-4305-bd03-b203d2ae006d,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28c4c85-1187-4fc7-919e-75eb0a860ec7,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86c7fa41-5029-4fcc-8c7c-04ae9bf9b086,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b87da15d-13fd-43fc-a628-83c74ba43262,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\christene,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b058cd7-1284-43eb-8dd8-13e356569a0d,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c376072a-8889-410f-a3bd-dbade3015ff7,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a7ce9f3-1f77-413c-95ac-6be4a34290d0,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e92d332f-1f5a-490d-af37-837c00fb9540,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8697d1b4-c176-4e03-b333-452a5fdb8b68,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d13d07b4-a34b-4f4a-abf2-da54c75fcd3a,"4/16/2021, 9:19:21.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2f02a6-2f2f-44f7-9a5f-4f387440d289,"4/16/2021, 9:19:21.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6152 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,32dcc7b6-fdb3-4c87-b9c3-6e6871904e02,"4/16/2021, 9:19:21.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4176 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3303afa-cd48-4f7d-8378-e07a8489e7cd,"4/16/2021, 9:19:21.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0015bc-b347-44db-b9fb-edebe90e3b95,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7255ce9c-ace5-4e12-9add-4e8e11227e80,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\mms4,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,405cb0fe-2b20-4d96-af0e-dba08e3c4b11,"4/16/2021, 9:19:21.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87bbbdc3-9b3e-4d5d-a0e2-8afd1c902167,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4da34260-18e3-4afa-838f-578c15f68194,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fca539-f40e-4e5d-ae02-c9ece3d77dad,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de839633-c5da-47a2-9e12-7989c8e11cdd,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,908508f5-16b7-4a7c-b0b3-f23653b80ae0,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee20d02-10c8-40b7-acac-16423410cb17,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b7bd3f9-66fa-4a2d-bbd9-9b1e94f286a5,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3100a891-3cb1-464c-a23b-f6e6739cda80,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b35c08-469e-4578-975c-a9849a4fbcde,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d77955-9d6f-4723-bc78-e03a7cb113d8,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\printer,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,291940f8-6335-4339-b79c-c98daecec80f,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f593fc-55c9-4d43-9e0f-0af7506fffd9,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3e707f3-5805-401c-9f54-b5891e42e5f3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfd9e2e-df1d-40bd-9432-9b6d8ed49ab3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1a78c4-9fef-473d-90b1-f520341e84df,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69540d67-04dd-4936-9df1-6f609fda7c4d,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13ac1bcf-d8b7-459c-9b9e-192425603f19,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d725826e-a8b3-4ea9-9e15-cb63835ca4c5,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21e36f92-6ae5-4162-88b4-792dba6f8346,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\isii,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb1b6a6e-e75f-4e0a-ac24-35cb6943d5ce,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18428f09-f19d-4420-9b5e-cfe49410c1f3,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4de375-e62e-4327-8cae-de9f64559ab7,"4/16/2021, 9:19:26.128 AM",,,,,NTLM,, +\SHIPPING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c923c8e-2834-43da-a70f-db3bfc357a63,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c04128f0-d4e1-45f8-b927-8db205b6b949,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5936 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e503033c-febf-41d0-a4de-37075104f87a,"4/16/2021, 9:19:30.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d42bc089-fd7a-4446-8643-e858b5768a7b,"4/16/2021, 9:19:30.408 AM",,,,,,, +\MICHELLE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be171d0c-8a3d-4d9b-849d-2fd07bef8bc7,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d1918395-72fa-40c0-9ea0-698e89b1956d,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ed83c4a-bbe9-458f-87f2-f08ca2a220dc,"4/16/2021, 9:19:30.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8100 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bb8911c-dd8b-40ac-ae84-a9a4b031f50a,"4/16/2021, 9:19:30.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a11d4561-281a-44e8-880c-fd5c00d2ae6d,"4/16/2021, 9:19:30.408 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8db4dc4-5488-436f-a2cf-17941271d040,"4/16/2021, 9:19:30.408 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9fe08658-0e60-440a-8028-79b1e67ec418,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,00615084-cb48-42d3-9882-358b42f1622a,"4/16/2021, 9:19:30.408 AM",,,,,,, +\SHARE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,47218769-c043-424c-9f2f-f44cb80db41e,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +\FAX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a3a53f2-4e90-4e47-9444-ffdad62e4e05,"4/16/2021, 9:19:30.408 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78d12a8e-d954-4280-8fd2-911293a7d63c,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8216 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a315e1d4-5593-42d4-b636-e43f4852ef9b,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,65fb96b7-eeb8-43d7-bd9b-ab1bd90fe615,"4/16/2021, 9:19:31.619 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7196 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f04e0f27-fcd1-4624-a8cd-e74ae98849fa,"4/16/2021, 9:19:31.619 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,30424537-343c-49aa-997b-d228319cd672,"4/16/2021, 
9:19:31.619 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb343117-b1bf-4e6a-b90c-584a4864d82b,"4/16/2021, 9:19:31.619 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc21946-eec0-4357-a76e-737be0d9b061,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\dell,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1d5ff93-146e-41e8-9a69-d667701e68da,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67aec2b7-b0e6-43db-9140-f7db462ca0fa,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5c099b5-1160-4f66-9a43-4650dc1df45e,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf412065-0ad5-4101-b2bf-431a3d549fbb,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,424034b9-97a3-4b96-b30d-c405571f12bd,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\almoxarifado,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e2afc6d-4c11-4507-b97e-2e21441da331,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78112f2-0f6a-49ab-a119-911f94a43f3b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e83a7c-1a19-4af5-b8e9-ea99341627c1,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004bc48f-e130-4f21-b497-897d4e8df6a6,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef0a988-a5ef-485d-a7e3-f3a621fae18b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\cctv,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8264413-ba73-4b25-beb8-d15f216b5682,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c76c72-8d76-403d-af61-b343b491c842,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,776dd623-6b2c-4bd5-9133-556e587427e4,"4/16/2021, 9:19:34.177 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bf6ea36-fe79-4b47-b06b-d24d21c7d7ad,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e311ed2-2f16-45b2-b857-2593d69510f0,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\jinny,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37bee60-9338-4c4a-a527-47db184ee71b,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf073ec-9fcb-41db-a393-1a5aad506bb6,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2faaff99-3b66-4d8b-b879-e313bcc71400,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cde8000-91c9-4ea6-9550-5d6ae358614f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0afc450b-d146-4252-8201-db2fb5f6cef2,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\digital,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6a59981-8fe3-4ee6-9e3c-87ac8f155a9f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3cddc75-1f61-4295-bfd2-6eef7f1f713c,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f698c1-331c-4b75-b14c-d8e985f3458d,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57991563-c81a-4830-b620-24a0c955ba00,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf69481-4ad7-4523-b7e9-68961c9ea6a0,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6f86d39-f82c-479d-bd65-a8d5a39d07e5,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b572f7-40aa-45b5-9a7d-cdc2653b248f,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e75a0c2-63a2-4e87-a147-a8dde63b7453,"4/16/2021, 9:19:34.177 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c7e46512-e594-4b91-940b-2f2a730576fe,"4/16/2021, 9:19:36.065 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d934e202-1214-4e94-98f0-20772de77c64,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d20e7bff-28d5-4ec8-9aab-6368f715cd3e,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1c94f44c-5c86-4fbe-83c7-6ed203674eb6,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68d2dc9b-8660-4e3b-ad1d-db289ef00fef,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,50c1ff66-b85b-40bc-9b1e-eec93ba3e9f5,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c2eefa8-bac7-4381-b01d-513b0404e5ef,"4/16/2021, 9:19:36.065 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,698facad-c0e0-476e-9540-c69645f39824,"4/16/2021, 9:19:36.065 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,368b17bc-cfdc-4ec4-9f75-c9649d5bea4b,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebb1a925-f22c-48d9-a3fb-5c521d67f23e,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fcdd1c3-024d-495d-98b4-733414de79ca,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25ae03cc-c9b6-4275-87ff-74032aaeb061,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d59095ca-880d-4ac9-a2f7-9dfa5957f3ab,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b93aec3-2012-4b17-bf2c-38badb2108d7,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b33a842-12e4-4ec8-9e9f-12a568605cd9,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d921f914-776c-4240-8acd-1767f41e4547,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,988981f4-f4b7-4e84-a9c7-9d2bb57bdc8f,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e62eccbb-94c6-4914-a097-8684c269696f,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d817eee8-40c4-4ae2-9032-0d3eb41ba88e,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,187597ee-78fc-4272-b060-e29a77742e36,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68ba4d78-4d0d-462e-b75d-e32d143cfb85,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f586baec-9847-45c3-b89d-bc2ad83e2cbd,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\USER02,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcc8ed43-cbfb-4e57-a9cd-023f02badfc9,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e147291-f132-42d8-8277-e7caa56c249d,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b843c3d-b181-4fbe-8c74-970b21f0efb6,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdae98c9-2ecd-4f98-8ca2-a0f0c559ed7d,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73259f4-8d71-4ae3-aad3-f8ddc97061f0,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b17abbc-fb01-4dd1-b9b9-ebedf58695d1,"4/16/2021, 
9:19:38.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc803635-5f5c-43f6-bf47-c608e3fd44b0,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7be0eaee-1d63-41de-9098-edf94110ffa8,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9156e419-fb56-44e0-bf46-9952194cc39a,"4/16/2021, 9:19:38.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d004bc5-064f-4feb-95df-328f0ae3c539,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1eb8d7-b58d-4861-b189-4d57698c9dbd,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b62cad-cc83-4469-8c45-ad6a1f2407dd,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ed660c-627c-443a-9462-1ddb713c8694,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0348e9bd-3e9b-4c6e-ba86-b792a54e17c2,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62d1edbc-15c7-4409-860e-6a8b7285eaa7,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e98c838-2627-408a-b8f8-1e1bd3a35b94,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\visitor,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ac596c-d444-48d0-ac00-56d4e805c19f,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5597be27-0d6f-43eb-9dea-e8a0679f7908,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6cd900-e513-471a-8dd0-da21f12bbc95,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c303d8-18d1-4158-a47c-f65d39113eec,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f009f089-4995-4fc5-a37b-04b7d679f25b,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\asp.net,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e3ab29-f4ca-4787-9dea-c227764b2aab,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,157bd83f-b627-4130-a51e-fc5bbd1fd742,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff9a408d-1e49-4317-9686-39b9bd2b1e8e,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ecd3f2-1594-4598-bcc7-133576353b3b,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5a67bc-c11b-4805-9f08-f1bfe6c14f44,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\perini,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe58bc8-5f0d-4658-8ba9-6612f2c03b0c,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82dcc8e0-1987-42a4-bb0d-4a9e9a70f7c2,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5091602a-7183-48fc-bd2e-6b8628d20ac6,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcddb1d2-839b-498e-834d-1b5a8242ac6f,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02d10156-f073-4609-95e5-171a2bb6fa18,"4/16/2021, 9:19:41.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1fd037-aac1-479c-8fb0-542db2167016,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c9be44-8091-41e8-83fd-309d2be4b30a,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\student,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c205b87c-da8c-43ba-a1f0-e62c8e9bd557,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d9aed65-24db-4333-8b61-eac90a86f5ad,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c48edb85-c20c-4ab8-9919-593eadd35842,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78863dec-6711-474e-9f43-1e3229c4267a,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b2c2732-3a90-482f-858d-2f6ee663e58d,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27a39143-1f1a-4560-9d52-993a5459aa74,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e80c6bfd-fb4b-4339-a18d-cd51717f41a4,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5df1ab-3098-413c-a260-61de4bc55d70,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\gardi,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfd47125-74c7-40c1-ba33-c100acb7f497,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c78ef1af-00f8-4599-ace0-830b46ad94d0,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce128b8d-f18a-4374-b3ff-629f0c989ba3,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1489fd92-0560-4d2e-978a-80245a8bfe3f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8465c0fa-2e08-4f78-b75f-a19988f3268f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848c5164-7f27-428a-88dd-8843a111b032,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d06536a1-9eb5-46b6-bcbb-5d8e03a5bfa7,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2ebc1a-bbd9-4a69-99cd-46e5ff29571f,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2af05f90-e412-4d88-a533-8caa8f4e483c,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\user1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e5da60-643f-414c-9b5b-28f927154340,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8924b1bc-8244-4d38-ab62-0fcb44daf420,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7825442e-9dd3-4ff3-a64f-3ee1e0854cae,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,440ad9f1-581b-4ba7-8a21-afa11d9de568,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab61e14d-734a-4f2f-9059-b6934e7fc23b,"4/16/2021, 9:19:46.251 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e742ed18-9db5-4db2-abb9-9c617451131b,"4/16/2021, 9:19:45.871 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3464 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ad90d7a4-ea4b-4608-acc9-dfbd9f4ad43c,"4/16/2021, 9:19:50.286 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ce94962d-c51e-44ae-909b-fe5add739725,"4/16/2021, 9:19:50.286 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0935d0-4de6-4c85-8139-ca8b1e935c33,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec343a4-7aeb-4bc0-895c-f8bc08ac1b23,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae7a3876-0c75-44e1-ad99-9a280589f3f6,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b68241-9e08-4bd2-94c2-9e90661c2942,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c05bc8a2-2eb0-4feb-9031-06bbc207b913,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dc16139-c2cd-4e91-b34d-8fa4b6c87a14,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de434843-b4c5-4156-ab6e-877b810651c4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e73302-d508-45e4-97ff-43448e729b9d,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6248489a-cd5c-482c-934f-4d643a9711aa,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1525a633-8f7e-46f0-a634-a8ab965397c1,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91ddca7-b00e-43f4-899e-273b513abb0a,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd9dabe-abd1-4928-8230-83578105e746,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,104471ea-5aa3-45b0-ac7e-ebce48f937a4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e840a13-ebbe-45b9-905b-68abc8aa50ca,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\meeting,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7543bc15-a8f3-412c-970b-b21424faabb6,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35f3fcb4-aa31-4873-81d8-ef4eddad4111,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30c32365-bb2a-4136-af98-6095766141c4,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a65ebf27-486e-4964-a8ee-9d14b7997d85,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d259be29-af77-4613-9fa4-ad4d3156d5cc,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa6d07d-1afc-4ab9-b645-937db842180d,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10b6ad18-2577-4cd2-a728-d093d649f641,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\fatima,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfa4394c-975d-46a4-9889-a40cd275c777,"4/16/2021, 9:19:51.129 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b53b5458-8f4b-4a42-a468-e1998db32590,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34712da-49b4-4a80-beb3-0b94de43e9b1,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23cce481-9776-49a7-b204-0f7ff4c2c6de,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,960e9a81-3549-4df8-b3b6-999cd2b95565,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\DELL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e81a422-695a-47eb-a55b-340ef4eda28f,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89213552-72f7-4d2e-90d8-0e45c50fe2bf,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d02f331-4de9-4157-87b6-40140c01a483,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03b3923f-7c16-41cb-8b94-5ad220d044c7,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb58978f-d12d-4934-8361-6fdb7936d384,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e0698e0-b23d-4f03-a4eb-ada0177082ff,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,767d582e-ac04-41cc-b251-92ccd91527fb,"4/16/2021, 9:19:52.779 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce71f6d-1599-4ce7-983f-2503705ab9b0,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c88d80d-7940-4109-bb00-b7584d18ab5e,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0739dddd-e850-4618-acb9-d2a423783884,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03979928-d2a8-421a-bbb8-295625e9290a,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb18dbd4-f644-4a59-9005-734d158058c9,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e636e471-56d4-46aa-b5b6-297aec5f9807,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a337d53-62b6-4736-aaf5-abe4e5129928,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81d49fa9-05be-482f-af48-916df82494c8,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\OWNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89dd36f2-5e91-4741-823c-5c252377e594,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5972b79e-bc86-48e8-b873-cea473fe4cfb,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e48a32ed-79c7-4872-9fb9-dc9bb296fbb5,"4/16/2021, 9:19:52.779 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,708a01e2-0905-4e10-996d-1c0b49edece0,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,08cbc015-7a02-4cd7-acfe-11cfa8e5c953,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,28eaa858-1e6c-424d-a63a-6ad728f8de0a,"4/16/2021, 9:19:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1cab037e-4713-40ac-b559-447e110823cb,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5588 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9c6563e8-5acb-4313-a081-80ab8863fb0d,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1eb5764f-c14b-4936-b20b-d1ba60266381,"4/16/2021, 9:19:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4896 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a21328a0-8447-4345-a8a2-f57bc55d6199,"4/16/2021, 9:19:52.730 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37bb856f-d3e0-4556-a3b8-a48211b8923e,"4/16/2021, 9:19:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,857254de-8727-4e98-ae44-7d4e2ac68713,"4/16/2021, 9:19:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b01ea0d0-75f3-457a-8e90-9b0d3d3c6031,"4/16/2021, 9:19:52.730 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc383736-2832-436a-a0c0-48355a2fd3e6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c242d2-1372-416f-8de8-e86f33ad9c6f,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a96857d0-0668-4706-a433-07d3078635be,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f3e5d7d-a73c-47e6-8dcb-2ed77b33758e,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca441905-b307-4f71-8d7d-53ae24a21f48,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\contabilidad,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abc00704-054a-41ee-bbdf-ca142d3b29a2,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee4de243-c602-4b94-a564-d6c2959f6dc8,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c2b6f1-117d-42d2-a197-bf023a7ae7d0,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add7b405-119d-4b3a-adfe-cd082738d377,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb411f7-eb98-4be8-b087-fa34391188c5,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\PC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16af80c6-10c4-4a63-9fcc-0cd8e7b3c44d,"4/16/2021, 
9:19:57.139 AM",,,,,NTLM,, +\user03,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf4d53d7-c409-4865-8e3c-18db83e05808,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eb566aa-06ec-43df-b9ef-40d51bbe06a1,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,055c9f8a-a5df-4ff0-9566-5f9f44fb3e2d,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a85ea6a-58f3-4d3f-ae7c-23bb605acde6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0069af41-898c-4b5f-b159-ae70d63ca668,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\sal01,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38236537-456c-40d3-bdbb-96b4ad3bb9a4,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee12df3e-c660-4018-860c-28ee0a546c49,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07756df4-134c-4007-87a5-23c56b9dea4a,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a01e5d9b-1734-4e02-a4f2-f19a42008d3f,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,600a47b7-70b7-40a3-b2fe-50d7b3189647,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3c71851-fc58-412d-92ce-1ba09a27f2e6,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7bf24fe-08bc-456e-ae6d-5ce2c08c2b34,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2beb3fd-8877-4af2-a76c-89b64d818ca4,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +\admin,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4a2028b-9341-4847-8d04-f5289e7540a7,"4/16/2021, 9:19:57.139 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - 
A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e0719312-2ab0-4729-9543-d6583a622a4c,"4/16/2021, 9:19:57.047 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,fff2a4a6-6014-4606-b27e-b5b7232a7fb6,"4/16/2021, 9:19:57.047 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac794c6d-7d6c-472f-a5d2-79eef954602b,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,14037b9e-d227-442d-aa47-e6139236c610,"4/16/2021, 9:20:02.621 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1f0711d-ba00-4f34-b20f-2d23e5d35bfe,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d7a9e4c2-0188-4dad-b419-1e4776cd1b4b,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6836 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8f49c3b7-00a2-4504-9c91-43cc93c59195,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d25b93f6-b4fb-40db-9066-8e841ec8aff3,"4/16/2021, 9:20:02.621 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f512df1e-14de-45ed-8ef2-57b83d987695,"4/16/2021, 9:20:02.621 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8692 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1f256feb-4016-4ec6-977b-b4c957ce151c,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,97fe2119-c5e6-49c0-8d1b-f794ae0977b7,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,54877b1e-be8e-4ae7-be1d-aaa485b31790,"4/16/2021, 9:20:02.621 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41a4c03 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} 
%{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,39a793fe-e7be-4ed4-8c9f-b715e3e90e5d,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,a7cd2254-5446-470b-b50e-68acc146a2e3,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,f235ed1f-cd19-487e-bdd2-4ed4a7349650,"4/16/2021, 9:20:02.621 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebe65330-774e-43b2-ad7b-7da539dd0a91,"4/16/2021, 9:20:02.621 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5bee6ddd-fa14-4566-8866-ccff6e3fe655,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ANDREA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce487108-b211-4911-a730-7168e3eb18f1,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cb1d9e0d-b826-4aa9-9b58-79cdeba52ed5,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\SQLSERVICE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d22876e2-69de-4911-872e-72486e55e42e,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,869d91d6-48a0-4408-8822-d599f6da6acf,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c018fe8f-966f-4e66-9668-05af6723c009,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,078b8344-ebe3-46d4-81cd-083b92d23861,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +\TEST3,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,55857ef8-fe74-497d-b1d9-061309957e5e,"4/16/2021, 9:20:05.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a8ee048-1f0f-43e7-b745-efe71a58eab6,"4/16/2021, 9:20:05.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4dec154d-2e54-454b-9850-1a5706a25409,"4/16/2021, 9:20:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6568 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,85e256f1-aef0-44f7-b22e-939e2c60f42f,"4/16/2021, 9:20:05.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e9cacede-0af9-4da7-9da5-88d18a135f90,"4/16/2021, 9:20:05.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93aadcbd-0423-4624-bd5c-e233d8cbe09c,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496843dc-096a-43be-93cb-d00cecfb0ae8,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e7b737d-602f-4608-9484-d74f2940f073,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5dc51e6-fbe7-4817-8cfe-5afed8332ab8,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b41f29-03fd-4966-b710-856319d866a4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec213e0a-9ea4-4b73-8cde-5347e6ad3182,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,182bb7c8-4c26-48ca-a8e8-df13aa5f0e46,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b885548-2e5f-4601-be9b-29186174c1de,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,454ab236-dffe-4a18-ba33-788f18ab87a4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\admin1040,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9da5ce2-f452-45a9-b7e3-69047b5baafb,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f915bba9-e294-4f79-8217-91a1ff830b18,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\training,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86099665-80e9-4239-a71a-0e5140de288f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7500532e-0081-4353-8979-39da20fefb3a,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd2a7442-2339-48b0-a894-f012824b6c96,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d458c45-7709-4766-bb58-f8d2dc34989b,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2efc75d4-23e4-435e-b7d1-d803a63a5f85,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fc871c3-f6af-4391-ae50-c43eeca9a112,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7882b6d5-35af-45fd-b097-b4f13d3ae49f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\sistema,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6a62fc0-ab83-4411-8c4a-d293b103a9c4,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6863531-edeb-4761-a5a9-5e06a22ed24f,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5083e969-3933-4b58-bb2a-c85164ec39be,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c6cddc8-52ff-41fa-ab06-268ffda93c5e,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866aa48f-f468-4a35-ad0a-77e556f27ec9,"4/16/2021, 9:20:05.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710123f6-45af-4487-90d2-dcefb7dcfb95,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90cd7992-6e4d-4e85-b4f9-a26cbb60d303,"4/16/2021, 9:20:05.752 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,000e406c-83fb-468e-be47-2c709e744008,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5568f1c6-0ab8-41ae-9d7d-5bf36d2bc757,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5e5302-ab2b-4597-b70f-e5c9a1cb9a03,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8bf8350-ce92-4511-b78f-7bf50e7ce50f,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99b1f757-1a97-482d-ba94-02a5f787699a,"4/16/2021, 9:20:05.752 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fbeeebc-5732-40e9-a404-4b1b160455fc,"4/16/2021, 9:20:05.752 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca773371-e717-46e0-938d-67969dd27a5d,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,329df517-f355-4677-b9a8-226d2ca130fb,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8027d348-98b9-4c61-ac06-5d0a5a45c811,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c05c3d40-5f6d-43f8-9136-6f41e1b9ff49,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cff0de9-8e36-45ed-a42c-28abdc71b4e2,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1496da77-fadd-4096-9246-686ab0fc0ce9,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdb3393-1d96-4e2b-90a7-0fdb392372a0,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\INSTALL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abd6ee2a-b077-4fc2-9fbf-c8ccbe98480e,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e18fc951-1583-44b5-897a-4ffc94671f03,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3241aed-d393-4b05-8d2b-75d0e0089192,"4/16/2021, 9:20:05.752 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,751da7f4-497d-441e-9d8c-3cef2107adce,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c6bfdf8-45f9-4dcc-9432-e5e2bf118686,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7e73d0c-7810-44ed-b89c-76d2fc83c0e5,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dad1537-fd63-44f3-80bc-696ebd7ea15c,"4/16/2021, 9:20:05.752 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb642ff4-3dbd-4483-a5e9-86b0109fb80d,"4/16/2021, 9:20:05.752 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7e183ee3-14aa-4960-bf3e-a4c98ec6fa6c,"4/16/2021, 9:20:08.241 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,59dbe509-0181-4cc4-a3e5-91f9054ebb1e,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2dd4fda5-7495-4db3-861d-4e3c2800e485,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0a6c1ae3-7abf-4618-90e3-94790d42f42b,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c4a0849b-914a-4e92-ad51-82548982f139,"4/16/2021, 9:20:08.241 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8245ea06-1392-42fe-a2f8-2fdbfced5970,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7d2255fc-45fb-4a5e-b9a8-a474f1614e0d,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,021ae612-8203-4e4b-8e90-e748bc5b333c,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53d4d842-8b2c-4bb8-9983-22d0c9f5bde0,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23d38111-cbf3-4f4b-b351-1d69027d40be,"4/16/2021, 9:20:08.241 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,32040f7c-207b-4883-995c-4b835ea9c284,"4/16/2021, 9:20:08.241 AM",,,,,,, +\ftpuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b039861-7493-4a42-a2db-49dff4c3378b,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,131573ea-90a0-49c2-92e8-0696d50792a6,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70014429-f937-4544-bb6f-73ad778c7945,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b82c37dd-207e-419e-b2a5-4d292c7b4a48,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f66e92a-bffe-4817-9674-ad6b9ba526ec,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\vpn2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ec3714-3acc-49f5-98e7-7045fba964e1,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99d015fb-25ca-4fb4-ab10-83524ebdfeed,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1067901c-d19a-4e89-a42f-a1f40d5e9acd,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d02edb2-c224-4cae-8e35-4465d1b05dc4,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be885451-d733-4ddb-9fde-5d4d21c49af8,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847af373-acd2-4ad1-91b6-0bfa87d7591e,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c45b010-010e-4f82-9da5-5e73f95b4e5e,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d92e9c3-af1e-4cec-8bb2-20c0a3e2ac63,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc56cdd7-ff26-4009-81ab-49209d0084de,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df04e0d-4fb0-406b-a67e-2c9f8bf601e9,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd248dab-e33a-4cf6-8fb3-a3479db85902,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a08f811a-e1c2-4a5a-821e-88ffabec1be1,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\infuse,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,488a377d-d4d6-4f4d-b318-dd9508e2d896,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4418075c-801b-40b4-b3be-738a9372af48,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f44925d3-bf4b-4655-8ae8-6f0ef02c524a,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea738881-33f2-48d6-b4b8-dbaf5f0903a0,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9de9c1a-5fca-4f99-bb03-2cc3876bb92f,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d2701c-9a56-498b-a886-904f5adecf2a,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6c5c8c0-ae34-4549-9fed-e73945581d99,"4/16/2021, 9:20:11.148 AM",,,,,NTLM,, +\ALDEBRA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb1cc82c-df3c-4c8d-bc4b-b5878a2c1dc2,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,192cfc6c-49bd-42fa-8c30-3bd7df2ebaa9,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9295b12b-6f94-4795-822b-254ca3455725,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8636c3ed-338e-441f-8c35-1a2da773f9bd,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6af2057e-386f-4176-af25-4a40ff7b5d49,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\agus,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc19c212-714c-432c-ac94-f972ea22978a,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e09c255-32ef-4f56-ab2d-42cecc6d045f,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,093a978a-5b66-4402-bd79-88ab0bf00753,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cacdce47-3319-4813-8d74-a61d2e961ccc,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ffb2b0-b23c-431b-984d-f6728e3f658d,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\sngpc,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9db6113b-297e-4e03-8ced-7a076fd50469,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050a2459-5758-461e-9c07-c98f70999888,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda0d0c6-af3d-4ad9-8e28-7a37f60ff6a3,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\CRESSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d03b206-524d-4828-be1b-735811ecdb65,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1953eac3-361b-4595-a765-ea097bf714de,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d85e2504-09f8-4386-9570-f20b017b2026,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b92110-e40e-44f6-b22c-267f3bf61eca,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ricoh,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2ce7155-0dfd-4c59-ac2d-ee6128154892,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6fbbab-ec1a-4fa3-9c99-cd2f17f120a1,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd0c7ecb-38f1-4149-88a1-85a92757182d,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c68aa616-1734-44f7-ac08-7786381587de,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7213a55-b35b-48c0-b9c9-e38d7e64b2c9,"4/16/2021, 9:20:17.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63620e32-b815-4a34-aef7-2d808ba07f89,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\RUSSELL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c1a4957-4e61-4c5a-ac97-7d60d96e77f5,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\compta,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,116c6ddf-726f-4b2b-812f-59ff0a78bd72,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,189ff81a-9728-4d60-8ad2-852f612e7ca3,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cfdeafc-ff3a-4359-af51-42c2c195b97a,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5b9585-6c69-46f6-9128-50293ab5a4b1,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12f63ede-9e4d-4539-a490-9e1a279e4cec,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eec7f2e-70df-45f0-8a5a-5f586046925f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57a71c0f-cfd2-4212-8921-5f2477edbeb0,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129ba1fb-2e01-435b-b3f6-7c75abb1b4c5,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fdc9a8-e760-49b1-8087-7406933ee2c9,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb07418f-945b-470c-8be3-464eb03ef58b,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,525ac56c-9e03-4e17-9041-d2987f873c65,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4e76129-4b3b-4935-9082-5f16f27801eb,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ben,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8444ab-f5de-4a50-8b3e-a9c13e51aa0e,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e5367f6-4d51-4d8f-91c3-b1f11cf668e4,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f016d8e-7138-4fb4-bcde-78af3f566ee5,"4/16/2021, 9:20:21.135 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d1a3bb-6d8f-4435-a062-bbc5e78adac7,"4/16/2021, 9:20:21.135 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82a7bd2c-19c4-444d-ad8e-a4a1710e596b,"4/16/2021, 9:20:21.135 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d530a585-1f40-4b3c-8f10-1c3e8ec53d63,"4/16/2021, 9:20:21.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5fdd20d-f3f3-4b94-a269-37bdd79b560f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f5eef00-d2aa-4b91-a355-84d8181f06f0,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0918f912-1ec2-4123-aeec-9d10123036cb,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fb233c7-ca00-4dc9-95f6-d173556629a6,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +\bbg2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1009437-2954-4e05-9327-b4fec3a3302f,"4/16/2021, 9:20:21.135 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a991cdf4-4b04-45a5-9959-950454452f81,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,219680f7-fa7f-41b0-a651-086402f0371e,"4/16/2021, 9:20:31.873 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 
S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241a9dd2 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f73f2fba-cafe-448a-9e10-dea717d39ecf,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5105bda1-12d2-4bee-a7e1-09c41d72ab37,"4/16/2021, 9:20:31.873 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c626dceb-5b47-4e3d-bc27-edf7d01152a7,"4/16/2021, 9:20:31.873 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,737ab988-3e84-4513-b109-9db570cfd3aa,"4/16/2021, 9:20:31.873 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a1695ff-7d40-463f-8bad-8b428869dd7f,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28382dfc-8356-4784-8e42-4d0565640ac5,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d545234-0c23-4fe9-aef0-9e7157f8692c,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33832484-89e2-4fa8-89cc-555b0e8534b5,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\sales,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c16f811b-58f2-4ecd-a10b-3c018366ccb2,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5e29e52-5f52-4784-92ec-09ba083d5123,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d7dad3-cc7d-4f17-ba34-6015e66a2eab,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ffd1775-ff01-4dc1-9595-f45361a8cb85,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1985e8ab-3495-48f3-806f-d3be193a5138,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc127a58-c92a-454e-8bdd-3bd7b81d0a05,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0a29bf1-b3dd-4030-867d-4b99d7c0d7a4,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2074e66-5e5a-4c9c-8270-8437432fb7d3,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4d131c-0526-43e2-8c9d-27acc631905d,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c036095-2e4d-47b1-ad2f-ce18e41cc4ac,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,780976f0-74ea-42f4-97f4-104eff595eec,"4/16/2021, 9:20:34.132 AM",,,,,,, +\tempuser,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ede0d4c-a071-4340-a633-93ca355051d6,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62471a6-0530-404a-ba7e-c578249fe402,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,152f4fd4-7606-4c7f-b6e9-f4c129e42eff,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,502dd5cf-76a8-45b1-ba14-19e02d35952c,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,443e73b8-113e-4e23-bc6c-cdbf01497b60,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a484c9-aab2-49f1-a07e-8c253affceeb,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e7cc6c-847d-4d7b-8de4-13aaed7615d2,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caf17351-007b-440d-b8ad-389cad6603b0,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba83a76-578d-4dae-a2be-b66ece1322ff,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6d3c020-e523-4061-8e17-32204be9980e,"4/16/2021, 9:20:34.132 AM",,,,,NTLM,, +\TESTER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,60d64338-1d9d-4fe0-9de6-859e680ffca3,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1778dab6-ff75-436e-9e17-163c94dcabe6,"4/16/2021, 9:20:37.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0d8ccf83-06c6-4210-b157-951090608e3a,"4/16/2021, 9:20:37.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3d16148-8ca7-4a83-b68a-ddec9c0b7487,"4/16/2021, 9:20:37.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 744 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5b9ff30d-d1f7-44d8-a693-1fe192f23ca6,"4/16/2021, 9:20:37.413 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9515ebef-ebac-4c7f-9508-2a6bced2e8e2,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, 
+\CONFERENCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48247b38-ea5d-47d6-8da2-43920524732d,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58a19f1f-8f50-412b-80ae-f7f136522647,"4/16/2021, 9:20:37.413 AM",,,,,,, +\PC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,956089d1-4669-4c2e-a349-36fbe71e1b5b,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\ALEX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f9be79f0-e1de-4873-9e49-b5e06b6d8008,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d561f24d-1719-49e5-9b76-f236e3e7b386,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01a8a6b4-550d-440d-b199-8bab08fa6750,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +\LAB,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e087aa6-5332-4c66-bbf8-85d9873a21c7,"4/16/2021, 9:20:37.413 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7876 + 39 + 
%WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,967b6159-cc95-4c15-98c7-5ff3a36a2f2d,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14848 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1812_NONE_56B727F399423259\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1812_none_56b727f399423259\TiWorker.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8b3e84f5-16c5-45ce-9be9-0d5984b2969f,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8988 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat 
Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c2adeb79-f48f-4a7b-8896-bf6027f81609,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15324 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,54dc33a5-8b77-437c-b89d-19e3188acd7c,"4/16/2021, 9:20:36.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7436 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,05f8f1ec-79d3-455d-bc8e-b6641aaf7cb3,"4/16/2021, 9:20:36.009 AM",,,,,,, +\HR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8851f96-8616-428a-9135-028b0712cfd6,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,995d988f-ce69-4a5d-b679-9918f08866c3,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1b555ac-4abc-48fc-ab9e-33a998e1c74d,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bdce845-7c24-4ad7-8708-b8cdd1f31368,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c3dba18-7135-45d2-a3d0-b3bf29f8ff19,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd6ab534-03d9-4e98-872d-070ddd5caa3f,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,710affb1-9f46-4287-9307-259310bc9c62,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,835c168d-9c5f-4567-923e-d97b8430dbb3,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74b8020d-4900-4925-8aba-55672dd54c8b,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94ba0b11-f4f4-40f4-b307-e8657fa575d6,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe5ae92d-fbb8-45a6-bc76-3f5cc81d14ba,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23857b93-32cb-4f48-bfe1-f8d3a885db21,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd339173-00a6-4df1-bd83-3455f83000bf,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6902c6ec-02bb-4adf-aa8b-3f17b1d0e21c,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc59a3b-c87b-4f69-83fc-0c5a65692415,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6cc0bb-91e6-4e94-85a3-43af3b127c88,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,408550d5-1db8-4ffb-aca6-8bf630a53084,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e0a1836-de1c-462d-b709-260d32a48f90,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a95ae133-a595-47b2-8565-edc4d9ed95b0,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b569feb2-90ad-4c65-9509-ffdea7b61411,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b1542a0-62ff-40c0-9033-708fe859618e,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dedb3ce7-3918-4c14-83b3-e93af2637b92,"4/16/2021, 9:20:40.733 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,38f76748-dd0a-4872-bd24-9e54dd84c3f8,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ef75e1eb-2e1c-4120-b228-525d7bcfc76a,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,91ac615e-b4b1-4662-8d83-cd360500753c,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5dd0ae06-2934-444c-b099-4d0812ac3815,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,724c38d0-9371-4ad1-9b89-dde01d4e1f4d,"4/16/2021, 9:20:43.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c454678e-a979-4c9d-a101-910883f27e5d,"4/16/2021, 9:20:43.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,83b94344-17c1-412c-8e9b-6659a56b3184,"4/16/2021, 9:20:43.062 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0c7d8ae9-86dd-4afe-a53d-5683cd490a9b,"4/16/2021, 9:20:43.062 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a3d004f-5939-4298-8cf0-9467cd2bc069,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\user_dist_checkout,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5e8a57-cde9-49e4-b369-0f462ab8f2f9,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04333491-6a7d-4091-b0a1-f3323a2b52be,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2656a2e-ddb6-4363-a1f7-1ffbfab223ee,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d602bed-6b8c-4584-b6ed-9a8fbfb670f3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a36ab900-56be-4fe7-af0a-298abdd476c3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\surfeur tranquille,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8b98d7-0551-484b-b173-adabd4c31ea3,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95927148-c876-41de-8dd6-37c77fa7e1f5,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63910b4f-48cf-483a-afe5-c265f59c0f40,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d68f8d9-d44c-42d8-ab7f-34e0c5fa5b55,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6621a23-3f69-4b4d-b6ac-12c7a3391c9b,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\mapple,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa105b68-739e-453d-a016-d9e4692f8879,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a80b420c-82f2-465b-90ec-a4932e03bcc6,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdae376-46c9-4006-9da7-96934edfe730,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04cdcf72-095b-467f-8f8d-35cf1857f688,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9281983c-0268-4a15-8ee5-3374406d56d8,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc79174-4ce7-42b0-8c7a-a991c93fccf7,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7eaf3db-aaa1-4301-a7f0-841f50a65451,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\libreria,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f54e660c-bf29-48e5-a9fa-ca1a4d50152a,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e36f84e-ab48-49df-965b-297331a5402e,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc8c18d5-3ac6-4973-acbe-c461c95cadc1,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5201eb4-9959-43f4-b5a7-bd66b8e0026a,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a59a0ac8-4259-4e21-9252-c4d7a6fcf8f6,"4/16/2021, 9:20:47.152 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 112 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1b37e1b4-6d09-408a-af5b-6e120aa3a585,"4/16/2021, 9:20:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6336 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e94050c2-8c3a-41bd-b445-19fe3ca7583d,"4/16/2021, 9:20:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,00fdc717-9985-448b-b065-6acc222965bc,"4/16/2021, 9:20:52.730 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a397d072-5b01-4e74-8335-4e3c6481e164,"4/16/2021, 9:20:52.730 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8d0a8839-a78c-40e2-b3fd-2df8498ce519,"4/16/2021, 9:20:52.730 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94928e65-48db-4e24-9ac6-f43b5a8aa223,"4/16/2021, 9:20:52.730 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9ae688e6-1dbf-4734-ade0-226785abaca4,"4/16/2021, 9:20:49.401 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,46c81206-ce4a-441b-817e-ebe86f00dafb,"4/16/2021, 9:20:49.401 
AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 328 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,23e05daf-778a-473d-ba17-ce3fa986df35,"4/16/2021, 9:20:49.401 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,33e51ffd-acc0-4049-8fb0-bb030d0ad142,"4/16/2021, 9:20:49.401 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df1323c-b78b-4f95-99cf-7fcadf0adaba,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35dc3d2d-5eda-40e9-a71f-4cfda54aadb9,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16e69587-ea05-4753-85fc-410121d5e51f,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\scanner,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac909b17-00cc-48e4-b2db-e9ac08c6e438,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d3c7bb9-9cf8-48f5-8f0f-efe50e4266cb,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b356eb80-81b7-4fcc-a983-496591193775,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb95067f-1a17-46cc-9c6d-98faaa927f5b,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6b00165-8b17-453f-ad61-aeb0dbdd60ae,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942e6f43-0c92-4962-a20b-124ad4962319,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04e44d69-1181-4ac1-8ad7-1ae6b73bc66e,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de8dc323-60a7-4e95-927e-04f525303d56,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ftp_user02,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4fda17c-e279-48fc-b095-63731c49cade,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92aef134-7b0a-4ed0-900b-ef9025a8673a,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fa2add-b350-4dbe-94a7-c08522aab990,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d02ec0-ef8e-4d47-9e01-9f1ddb014d60,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b913d099-8c80-4007-9bda-35abc6dfd7dc,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82288173-bb1a-4993-8775-adb3e8bf64db,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af51d3a0-9502-42a3-98dd-5ebe66f20b94,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75287b60-9575-4768-8825-69eec553f4c1,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\017,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec71e65-c29d-43f9-b360-f4fd01b9338d,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722b7295-b6f0-4e01-ae0c-9496fce33795,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c1bc47-79d9-4257-814f-a2c276856d78,"4/16/2021, 9:20:52.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90b1b9a6-7f69-4744-bee3-014693f06869,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f164056a-ebe1-476d-930f-35fb06ad55b2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f2f091e-564f-4510-9ec9-f4572daa5c60,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac10cf77-7f81-4c05-bddc-de2f0ef5d1b2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d92c237f-8e3d-47c0-ad20-b6144942900d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa224fa3-fb8f-4a73-92ed-6dd1f02d86b7,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\titech,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62da589a-1023-4a50-b129-56ce0fd96960,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d69506-f07c-42bf-9330-277734952768,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4933ed83-81e2-4019-a84d-e102edbeb933,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c176732e-9c41-4340-9645-c6b69b351c77,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a493c44-e711-4e7e-82e9-5bfb9f39c5eb,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1721a1-6209-45df-8580-f2d74960b064,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, 
+\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55d702f6-5c72-4588-a54d-e50efaf22278,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\pos2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bc3a1da-f230-4dd1-95d2-cabd132a5c08,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c7d861-46d3-4ef5-a05b-5e97e8d99b27,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,010d136f-a5f4-4506-a4b8-4c8b5898f245,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c384da2-d53b-4b4a-bee6-3e6e7478ad4d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f277e0-7c59-4c98-93c1-c78cd504367d,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b2d02b2-0173-4654-a18c-a06d06ae28cf,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ftp,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23e94e46-2daa-4375-b32d-3fde1c0672c4,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4cf106-a071-4001-baea-817beaac93f2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061d1066-5fd3-4c7b-9cb9-d65bb2844ab6,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba29f935-9bdb-4ea0-8767-c42e2c0f2e43,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26eca5eb-09ff-4154-9f99-b6c7a27dd672,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69bae950-22c5-4b4c-9d39-10b7b4513452,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b8f7e5-bb7a-4f2b-99d9-da2af74698c2,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45ce33-e6fb-480e-8ed2-0a82553bc3d6,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7604a436-2cad-4285-8a5f-5d55e8ffd25f,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a2e606-ae30-484f-9261-a762e8f62277,"4/16/2021, 9:20:58.139 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3efed7cd-6810-43f1-b91c-b89e832cec87,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e62686ba-b59c-4d26-a412-1b0259edf83a,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cbf980f-6dc9-497a-8c43-ec10648ff9a4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68aa083f-aa56-450b-b64f-a3a53454c1c7,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac2ba8a-cf3c-483d-82b4-ea5399f66b30,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1838af9-95fa-45e3-ac74-d0d52a78cb22,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcc9399c-cf8c-430b-9190-58eba56676b4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ccece0-7000-4f91-a74f-c984b790b892,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,666563e1-c5e9-43eb-97dc-3becc84286e8,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae8e08d8-39ae-4501-9f24-06aacd3495d6,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef980b41-04b4-4ec8-8e65-e81ca1e6b1fc,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93024d87-fd93-4e97-abca-f7fcc083da14,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b5f99a8-4397-47cf-9ee4-4132097843c6,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2797d2f9-043a-4842-a527-e7c8d764c7cb,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da213165-5403-4a34-a104-77af181e751a,"4/16/2021, 9:21:05.722 AM",,,,,,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3871880d-aeed-4c47-8221-924f4b67ab57,"4/16/2021, 
9:21:05.722 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d551d141-c36b-4835-a8a7-e9a06e340443,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea6c7cc9-0723-478f-ba05-2015879bff97,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67f916e6-563e-4299-80bf-16078557a3a4,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbe57778-16b2-45e1-9942-69f3861cdeba,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb32849e-6252-4b9f-a021-2b636ec82322,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb332af-f069-4ce2-b15a-45faabe13efa,"4/16/2021, 9:21:05.722 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4ce7d4-6c06-449c-b2b8-38df39b44fc6,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,727ad94f-9f60-4bae-b163-e58ca7864d47,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,, 
+\magda,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3130b976-3bba-46fd-a7ea-678d6f4b0fd1,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c99a71d-b042-4c77-a0bd-2404c323c10f,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5209ec00-53ca-479b-a246-873fee02e943,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b01b44a6-b8ff-436b-91ac-fc253b81f88c,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\training,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36b61aaf-b3cd-4cbe-b064-04b99b8a1b06,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bb2d2fa-9266-420b-9be5-2fb42f824b2a,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc4cd009-9a11-47a4-8cae-d8492cc6e5a2,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c61563f4-4f7e-46d0-9904-bae3012d2336,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5080aa34-c325-4576-a5c0-e6fbd41872dc,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2be95df-df8c-4da6-93cc-0297afebf9b4,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c013af1-68b9-456b-be7e-c991b6b8c2f8,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46bef2db-588f-4ee4-9505-6511f3222f8c,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\info,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2d499d5-4765-4f27-92aa-660cd037c318,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ee693d6-ec82-4498-b1b4-a0786d26d536,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9009b6e-d038-47ab-b8c8-a19f9856b7b4,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,916c5fd4-4417-4168-98f2-87596e33b7e5,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ae1936-0912-4818-a974-88debe60ca57,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\test,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b29969-8498-49a9-a308-1f9b816aca41,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64171b5f-a60f-48ad-836d-06f02c1e6ca3,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30f30c4f-80c6-48b4-87e1-c3bc3f486c57,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8f6e94-12df-4f06-bb18-abb478f1c631,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6eed97f-225d-4cd6-8960-9208091efdd3,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a11cf77-a680-440d-b2cd-ee89b6f1034a,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+\interno,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d673d1-5ed8-4cc5-b38a-8fc13b102663,"4/16/2021, 9:21:07.140 AM",,,,,NTLM,,
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8832e321-53a3-4136-8b6b-209a400432ef,"4/16/2021, 
9:21:09.892 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8aff2039-c816-4b64-a8ea-d6b18b436bae,"4/16/2021, 9:21:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ee97c60b-be9a-4ad3-923d-842aeaec1fb2,"4/16/2021, 9:21:09.892 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5476 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a4e4a24c-cce2-4114-8914-99a543986db4,"4/16/2021, 9:21:09.892 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,22f93a77-bfd8-4b42-b1c9-a0dc69c2f9e9,"4/16/2021, 
9:21:09.892 AM",,,,,,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14629c22-3f4c-4b16-aa85-43ecae16a8c8,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76f70f4f-15f5-4bb8-8ab3-035315c986a8,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977d1828-8859-4308-b1e3-331bfd912f3b,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21c3bfc9-52bb-424c-863f-6fb7f4788651,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14124cf2-0173-415f-8393-b04037d1a57f,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d19c0e0-4f44-4924-b276-c5262f8de5a6,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4094f2a-fe21-4daa-a7d9-833425da1357,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\compta,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3625ec44-e047-42ca-9ee7-9d776af18a7d,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a5b4f8d-b96d-41b7-854a-f9e8f3ad2782,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,720e027a-9641-4d8f-94dc-0becfd517ee7,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7816b122-617a-4bfe-a74e-9caea99e20ac,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc8f389-675f-4b2f-bb1d-6c10dd24a418,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b833e8-209c-44e8-a239-68dc7d660c26,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a0f07a5-82d6-42a1-a02c-27c33695e0bd,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d60ba2e-97ed-47ce-8e16-91c94bf35453,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919a937f-5d3c-4e26-8360-d591fa8cf75e,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d93780-9c37-4295-a74b-1cafffdce09c,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7800512-a4cf-49b6-ba75-9a2326bf9018,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e5f58f8-7fae-42c6-8b3a-fe37ce1e29ee,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217c026b-c576-499e-a048-f5661d753e9f,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f516b4b5-8590-4c3c-88b4-5d40442fd8c0,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be467c31-56f7-4318-9282-bd810d5e7b78,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da59950a-ede6-43a8-8746-d39fb22e08a1,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf648840-3220-4a05-8c33-4991d1ba6700,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc33013f-412a-499a-aba2-880cb15b99a7,"4/16/2021, 9:21:13.133 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5360 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 4791D7CD9D154D3F2C59B47259D2689FA47FBFB1E9FF7A41A5F03B3B66EC67D3 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1757 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8ba6244a-b368-4293-a500-4f35ab3d028e,"4/16/2021, 9:21:15.004 AM",,,,,,, +\TESTUSER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bebdfdd-a2a5-44d7-b752-7529aa7e90b0,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2c8bce0b-3952-4ee0-9b01-adc2f7027d59,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\CONTABILIDAD,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d5d1ca59-f991-4b80-90ee-8a6cf49ba2dc,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\SHYANNE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4bfa2b65-a986-4735-ae3f-710677069f9a,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7463114-677f-42cb-a33b-60d277c847a5,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a261e66-d4af-4d32-8296-cbccc8c7b606,"4/16/2021, 9:21:15.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,643f009b-4b5b-4aa4-8534-17417269d280,"4/16/2021, 9:21:15.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7252 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b1efc7b6-0fed-4830-b1a8-0d4933e83d5e,"4/16/2021, 9:21:15.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,104cd826-a502-4060-9fef-cfe13ef4d399,"4/16/2021, 
9:21:15.412 AM",,,,,,,
+\AUDITOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,abf41d56-b461-4768-a98c-cc84d1362f27,"4/16/2021, 9:21:15.412 AM",,,,,NTLM,,
+\ADMIN2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,034fde91-d973-4932-8e87-fd7ac13bb936,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9992e77-8d2a-4491-800e-cd4b87462cc2,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63a638b8-b5d9-4864-a40a-4dea5c9acdbc,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d503338f-a395-4718-9296-f3923e029fed,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd862732-e4f8-4a10-a819-b4877afb4e5e,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e4249ce-a044-4fe8-94b9-0d92b7043ca5,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed5d3a33-5c87-44af-bd67-7b87f7dc2d44,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb062f18-eaf4-4fb3-9ff7-de99dd1dd0e7,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9276a015-657a-4b64-a5cb-58b5df0559df,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39507f01-f278-4c77-9497-2d624a5b0ce8,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95750416-13df-4292-8af8-d346a0d2aa16,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6d60635-997b-48b7-8590-1177c85e8b9a,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda4ef11-eefb-4f15-bb3d-f98ef4433e5f,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65eabad5-a221-403e-8bca-84bd622dfd18,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b46bdf8f-7183-4d85-8436-1527e52d24f5,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d747dc11-736c-4f73-ad90-0fc704d1aac1,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1cc187de-32a3-4249-a24e-4ff3e432d804,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,771001d9-6257-4f0d-ae48-0394cdcc1dca,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b417d145-5639-4dca-952f-09da0c7ab249,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d000f612-5465-4d89-9035-4f8ff733a01c,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36299dff-16c9-4eb0-a3d3-e708f2016ef0,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0cfd663-6aaa-4369-9ac3-faf518497131,"4/16/2021, 9:21:15.725 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,99eda277-72b8-4d9c-8404-99d0e33bdd3a,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7b43fa14-ea78-4012-bf85-52b3015c9fd6,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,fc773232-b4f8-4c34-b0b6-5741661697e4,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a43618bc-f310-475e-b2ff-b9f1f5575d36,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,85b77aa7-5966-42d0-9918-21cf2e0ad44a,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ad0f86bd-d326-44ee-83c4-d58f57cf1a56,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe154437-7a5d-40ab-b252-ef2c3ec89282,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4be83a54-1398-4a73-b82f-62f1f30b19c2,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f685535-197b-4760-8a08-6aebccc271ac,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4fb455a-02d5-49d9-a14e-3206a2078bca,"4/16/2021, 9:21:16.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea22b970-2856-441c-8384-68976485ea6f,"4/16/2021, 9:21:16.064 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3876e7f2-8be1-47b3-92f8-e4150b8c661a,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e89a14d-0495-4f7e-9bb5-8cc2db63f139,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b66e4e-7015-4861-87c6-3a9bb614150c,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,628d3f3b-df97-4c0f-a2e1-f8218580d06b,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12e9accd-f4b4-485f-ac5e-8f1eeb33cf29,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,195d5b13-dc7c-4d72-9297-20027a0c30b6,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa247f39-3a51-4728-8f98-241d8c9d846b,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76122274-62bd-484c-a66a-5f8d637f7648,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5624a83-ffa7-46b8-b6fc-2559979da377,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8deb09f-1fa5-4835-b7b0-6acff61508dd,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e92cac-000b-4170-a98b-8c7019331290,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa674e3a-c233-4ab9-b02e-fe3e950ba1fc,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b58c2dd-527b-41ec-9d83-658d55e6b94e,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a3e48ab-13a9-4d68-82f8-631af7164c1f,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,861bba14-17e4-4869-b64c-efd614f1dd0e,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd861ce9-889d-49d4-82de-b6d32a228a04,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c47f53e0-f33f-4c5d-b35b-c2c0b6e5ec54,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1df79d1-c378-418e-8147-9f5e6b90aafe,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6822e90-faf5-4c1c-97ad-a27315124801,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14d8558-c893-490c-9a2c-add615028e47,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826e0287-8402-4da9-958e-844f4a3c06ba,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f619b53-0d1c-42d7-9125-8058c7584821,"4/16/2021, 9:21:19.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e445e79f-a66e-4484-8b12-82c039175be7,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,260d0769-26a4-4673-b53e-f3d418eeb04f,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7d5b14b-867b-4674-be47-2cd375123608,"4/16/2021, 9:21:24.137 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a975299c-8b40-4540-bb18-6998a041754a,"4/16/2021, 9:21:24.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13fca1f4-b77a-4c40-9cf0-8ee8de3dc930,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd3d4f10-76c0-46a0-88c5-d4ce7c379b19,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8248 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,885e9255-077c-424a-a3bb-4fe01229518f,"4/16/2021, 9:21:24.137 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc373ae-fc32-4096-acd7-0d4bb43cd2cd,"4/16/2021, 9:21:24.137 AM",,,,,,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41538b8-7961-42a1-aaaf-fa19e264cf3b,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6a8337-f232-4958-9847-8cd4e9e98876,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a6542d5-affc-452f-be63-0b1521e122b0,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c0b363d-264a-4b04-ab18-eede2328a17d,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f513a325-bdc1-4be1-ab8e-b649a9288bf5,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e750861-adac-475d-a7bc-b1ec6a0c6eb4,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df1e698d-6b1d-4634-848d-85a009c23a02,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d10b4a48-0c37-4d32-8aba-ad1fdfd7ce73,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5c6d2a-72fc-4463-98d8-66f24b745e28,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a676bb7a-ac04-4106-8b85-ffffc34da9e0,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66958fb8-00c4-47aa-befe-dba4113ac28d,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4394605-b0f3-4bc4-a36b-03e4b970cbb4,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55b862a8-88e0-426e-adad-810a83375542,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f53a673-9669-49b4-9213-c53a9264980a,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95027de3-4709-4012-b095-8f19b44e71fc,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc145e5a-fe5f-4a46-8a6a-951b847365f7,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377b1b01-2526-44a8-a66c-566da3d6e89b,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dd95ef4-3791-4a8b-8ec4-4b0df630ece1,"4/16/2021, 9:21:24.137 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,809056ef-8238-4917-8afe-f1b354caa1a9,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\OPERADOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edd6e1bc-5e7f-42ab-9180-8df2203428f3,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41fb7254-70fe-43a7-beb7-3f8b27428cab,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc7f1ec8-5599-4359-8627-c6c2228e178e,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31b0e05a-d29d-4401-be47-cc03bb67fbaa,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,718dfcfd-eec6-47cf-bad1-ba7ede7f3039,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e41b719-bd89-4132-8609-7c956860978a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6222ca-6d2e-44c4-9fcc-1b0383231d3f,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9b42272-acfe-4710-8b3f-2b0c67e05969,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20a8aabe-c1e0-4395-ae16-f8e03f1f3fb0,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4c502cf-2705-498a-8540-b3b6bc84df1f,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76be2298-f6f8-48fd-846e-4a62e9d3816c,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04e9753e-2a69-4517-a390-a3bd8c987c10,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba1415e-597c-4fc1-bf9a-4bf131abd61a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e13d33d6-dbe6-4d0c-9d05-c92e31f030f5,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed26f0df-6ac6-4c20-80a5-a7453c17c385,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7870f3df-704c-4ee3-a951-9701d5e21560,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75b0de30-553f-4303-b7dc-863f58d16ce0,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74fd5868-e5f7-4e2b-afc7-ac41cfae3cc1,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,597bba72-772a-4e63-af0e-a6fa3399be77,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fb7dcb6-5929-4ee0-8b9c-e87b5d8c4c6a,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9c61ae0-5811-453e-a102-b1998d792b0e,"4/16/2021, 9:21:24.734 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2c584afa-9446-4ac9-b059-01838b792a93,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,906113a8-f8d6-4487-b449-b0975d818674,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9624 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 
128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d324bde-f4e2-41d0-8e88-0eeec8e749a5,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,28b6a73b-9a76-41e2-bb90-77d38437abd3,"4/16/2021, 9:21:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c515cb78-e048-4640-97e5-c0357e7411b2,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3280 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a30d5521-a3db-4b0a-b633-af931c2c2e3a,"4/16/2021, 9:21:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3156 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 
+ 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2f39261-0394-4391-b176-9c66f113e376,"4/16/2021, 9:21:26.629 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607f060-efc2-4164-a212-b07ea3b7b597,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1102fe4-87c6-4dfb-aef9-71870b6973ae,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f4feb1a-b8fc-4bd8-b8a4-f8cbc8a3fd09,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c93e4fe-e442-4add-9555-e171fb0262ad,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a0d63c4-54ff-403e-9b77-e1fab721017e,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8c3d1f7-443c-4632-92da-be335be116f0,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f7a9b61-aa40-408b-8527-0f7430458a46,"4/16/2021, 
9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fee5a8a5-63bb-4aa3-85ea-1280420c0049,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535c2de6-67fc-4865-898d-65c90de95f6b,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47244f57-6d7d-4c6a-b229-d2ad4db4cd8a,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd43f6ec-0ef2-4b29-9752-2d746781a1ab,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,028e05f9-4a18-413e-a618-1a5913850cb0,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df64791e-3951-4c78-b65d-d68eae0d4096,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,881a39d3-ae12-4a66-9d0f-15599a034b89,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9bebb15-e5f0-4af2-8594-913fc4e1fc94,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d55e7d4-e2fc-4320-a413-f30c72ec9180,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40e7ab32-e638-49fb-8d92-7be54a807599,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4292272d-0a65-45a2-b0bd-beb1bd2d5cd4,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,0809e298-1ad0-4ed7-96ae-95bed0ca1939,"4/16/2021, 9:21:33.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cb8a0cd-739d-401c-a42b-3fac624a1f23,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c050ba9-a526-4629-b664-94e1f97fa148,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdee8e8e-d1d5-4b69-bd7a-686a7788e6f3,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ca6422-5d0d-4f7a-b982-9ebe2ba3d7e3,"4/16/2021, 9:21:33.129 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea48a2d-8ed4-4469-91f5-0e72a7d117af,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc36f21-3258-4c30-953d-77e2170b6b87,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\TEMPADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a217748-729c-4276-a7c0-e08a39423d25,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f73ea00f-8216-4c92-afc0-eb82bf53c6ce,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13d3a1d2-f6ba-4740-822f-fedb0347e52a,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a0fd5e2-4597-48fe-8792-c32c4f84c921,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d7e004f-1784-49e7-a57b-c6dfc63400b7,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0884615b-d477-4342-9597-0a56d6bb303a,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f8afb7b-b47a-4fd3-99c8-1379d11dea80,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14a05b58-6880-4c62-b32e-30f1bd47f1d4,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0df40339-1870-45ba-991a-e9dff3741729,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dc807c8-5628-4a19-b5f6-9f25797a27b2,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e018ec6-5d64-4365-adbc-ef0ca7811fe9,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a54edf26-5d1c-4d35-b6a0-55eb82b8098b,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dd54d43-0f3d-4dc7-8c76-711cd32aacc7,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca530e1c-995f-4f04-bad5-5222298ec0c1,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0836e7dd-6dff-4d86-98cc-9eea3216f3ec,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1c7d32-b8c3-4804-be9e-879def5acbe8,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c1c390c-1c0d-4801-bed8-e04a84a33c1f,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ad4a36c-8c1a-404e-aba4-6bf0230c3883,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ebdc4be-85c6-4e9e-a7fa-dafbfacb5a10,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e59274b0-175b-4766-9049-199186500f36,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d3215c-fb46-457b-b83e-72d495f228ab,"4/16/2021, 9:21:35.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8c8fed1-8801-4afd-97f3-571235ef008e,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18c9304-31d2-4c77-b146-234d7703f493,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178ad0b9-16b5-4b3e-8b2a-329218b1fd66,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115ec2f1-c4ca-4726-8cbf-6891583e6a4b,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c7b6f23-2329-4c30-9252-6b1f8ddb7c00,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57bba8cd-e036-4459-9e2d-3f7b697a3aa7,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5e8aec1-e885-4839-94cf-5fda6090c0ba,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465c3908-ccf2-40cd-8b14-a0000c3e0243,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68f07ca5-d3b4-4804-a62d-06938e9ef909,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0960600d-8700-4268-82e8-3a6e0320bbb4,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df3b9a54-e3d3-4c02-888f-92c1117ffabe,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65ed879-6667-4747-bcad-345c207208e7,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05f5d409-64b1-4141-920c-920372f46537,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d722673-199b-4f1e-9056-ab254822c48c,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df7a810-ca10-4494-b580-81d9e65c84fa,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7c8f1a1-60c0-4137-bf03-e761ece10d3d,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46d90566-1e3f-40a3-83be-cc22f7ab5ac2,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e5fc17-3fda-41c3-af1d-d382e684c87c,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061b43cd-7cdc-4fd7-90c9-31369ce23840,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34e46bd-c2a5-4c4c-851d-cb90e3a89709,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c22e9765-7274-45aa-9898-cf690ae755bd,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a263da80-ce88-481f-af5c-5985b5de7375,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b160b048-16bc-49d3-8700-81b1d0bbd0b8,"4/16/2021, 9:21:42.162 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,528fa468-3e97-4bdf-918d-13b1baf5a5db,"4/16/2021, 9:21:45.871 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a038367b-b343-4cf5-8144-42617ddadbe2,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6de7330b-55a0-4cf9-a6b5-7dea41a19bcd,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2356 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6389b59f-6ab2-4220-9ed5-219469bc51ab,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6860 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,23fd1b67-61e8-45e8-96ad-2b9fae2e5f5e,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,63d9eaa5-5839-44ce-a068-317e0af44aa9,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,266deefa-8a8a-4355-9bf7-7fb90e0fbc83,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e194b019-225c-4e76-b2e0-74aff67fb033,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6524 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c96f8656-2cfe-4838-b93c-28f54cbdfb90,"4/16/2021, 9:21:46.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c0284608-47d0-48a8-ba29-ae3b102dffbc,"4/16/2021, 9:21:46.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5528 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34509f26-5bdf-4c97-945f-c38e85eef831,"4/16/2021, 9:21:46.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dce00246-0936-4cf2-a5ee-6475f214a916,"4/16/2021, 9:21:46.729 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,18650a45-3152-4dce-b599-c69d68a3008e,"4/16/2021, 9:21:46.729 AM",,,,,,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c6e8753-a8de-46c3-a024-4f049a98922c,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19862e00-edf4-41d1-94f7-aebbaae2f3e5,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,, 
+\POSTMASTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f12a8-3e86-4b5e-b10a-894d3f20044f,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a96735-ad3c-46d2-922b-689e5448a3ae,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a7e2ebf-42b7-454d-8662-f7715579eacc,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b4ea380-d85e-4cfa-8615-2c09c0eabfe6,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3b5433e-1f96-454e-8cf2-c098532213ee,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdbe6821-68ae-4ad9-a154-229520669c03,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda74e6f-4d0f-40e9-a5b3-52f8fb2c299d,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2c637b1-0b9f-4b05-8450-507aa4ede5d8,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c95b1af1-00dc-4e25-835a-dc7f0ae590a7,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438d412e-4f05-4c64-9945-b87c777c2538,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,341eac01-b491-4e82-9bc0-789a101297ad,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35611007-6caa-404a-b3ab-02bacc36befe,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04d3fd2d-c7c4-4d96-a6e0-20ed1119d5b1,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58a7abfc-d4c5-483d-9143-8b436c12a38d,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,181423d7-5097-4059-8b6a-b219a503d729,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed1f0639-85c4-4d7e-a0d2-c6493646ae72,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26bb13ed-9586-48e7-8da7-3702fe4e71a7,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,260fb095-b66c-44a2-a3e3-6e250c7783e0,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce414b2b-160f-45f7-9b1b-6984af4f672f,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99c045bc-8e31-4925-8bda-abe5a493c270,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0e72f92-0462-4a4e-9deb-42d2cdae611c,"4/16/2021, 9:21:45.724 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62c17a35-bded-484b-b6cf-85c0201db9c6,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3321cfeb-8efd-46fb-a5b8-2c874af01dee,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,713de71a-3d27-4d38-bab2-4dd44cc16cdc,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,226e9af9-2aaf-4737-b094-63c8e0765133,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f1c5c0b-ccb2-4e73-80a8-d77c87d72166,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4ec71a-cb2c-4410-8fba-64b03e29f504,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f8727c-2d1b-478d-b5ef-1b8445228d3a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23fc76c8-3c1c-472c-9808-5d78cd6d5db1,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f4289d-90f7-471c-8e77-1da1a1c58d8c,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d864551-d56f-4f05-9408-78658dc2656c,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,999f3ada-fc0a-421f-8c85-ab99fae23c39,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1060eda8-6171-4a1b-ba00-431723b46d72,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7925cee4-0965-4765-8c7b-e231dc541ad2,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,313b1910-5921-4603-88d3-31565d347395,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd9dd306-e7b2-4c36-a55a-42b809cb5db7,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e38e575-9d42-4db3-8725-c312c0268c0f,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc8e944-72a6-46d0-a5a9-e40f671448ee,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ORREN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d41001-fea4-43c9-8509-70472aa27a05,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c379cc56-92b4-4444-ade8-e72ec27f68f1,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02d4df3-4665-400a-b44c-54c2d7fd437a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c44ba945-a19d-484e-9c64-ec4cbd0723c3,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b6bf781-cedf-4d89-9c4b-3eb8c85a5065,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271abf83-7391-4eae-80fc-f4d3702b6d1a,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93e70293-f895-4692-80c9-4f36f32e1422,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddf3c06-4427-4f2f-89e7-8bf42f3c988d,"4/16/2021, 9:21:47.129 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10008 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was 
allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,000a5ffd-1f55-4d61-867f-208de95f7c2c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c5922eec-ecc5-4830-bba3-e6502514008e,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11956 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0b5b46ab-b736-40e1-b821-33efc3628f1c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11324 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4154a51f-a2c5-41d8-9709-e3aec2e9d580,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5788 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,636bf2b5-15a3-4920-b8c5-f46ae7367ea4,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5164 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e5801e70-2aa2-4be5-b85b-1ade4c91aa2c,"4/16/2021, 9:21:49.368 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5792 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c9b37e5c-2e59-4380-9556-da8cdd117243,"4/16/2021, 9:21:49.368 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc2bab3e-07f8-4214-aff4-4580049affa3,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2cf410ee-1d38-4d3f-9d4c-771d3b2121df,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9584c00a-c910-41d6-b48a-0e9ef24e27a2,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a66db103-0df2-4bde-971f-dde1f425a988,"4/16/2021, 9:21:53.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a8ce6dec-6747-4c95-a51a-ff78884a80c9,"4/16/2021, 9:21:53.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,52643c31-2609-4ca4-ba0e-89a08ff103b4,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f8710ef-7aca-4673-bcfa-3f228de22948,"4/16/2021, 9:21:53.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80919a94-9fc2-4747-aed8-0411cd587f9a,"4/16/2021, 9:21:53.062 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,dbc09a25-4e02-4cce-baae-3a50fa19d52d,"4/16/2021, 9:21:57.007 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,feda3d4c-ea78-4ede-b622-be93df3e8b0e,"4/16/2021, 9:21:57.007 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a22bd8-adc5-4776-ab27-d77e9e392e76,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,588ebf9a-f4ed-4f66-9847-03c7afa80a8b,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c7fc7e-6ed3-4986-8cf3-4c781249f9f1,"4/16/2021, 9:21:55.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa34f912-60be-48d4-8e29-08e79983de3f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcee8d68-aeef-4c03-aff8-8c403da57d7c,"4/16/2021, 9:21:55.136 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62dd9c36-fc38-4b78-97e3-02263f6c835a,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef24820-6ee3-4451-a37b-ff872aaf1e3f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2248 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 130734F7BC6F667B8260746B96229494E3C8DCFA059F50EDA667F1C4BC6DC0B6 + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.137.99 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,855ef573-05cd-45e1-93be-a740552fc904,"4/16/2021, 9:21:55.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6460 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a7dfb05-aea2-46de-85f7-78016f9e0f33,"4/16/2021, 9:21:55.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c4ee0a-47cc-4e49-81df-0e01e4cd0f2c,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce274c4-49cb-4ac9-9f5b-7dd0bef3b022,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac463a7c-2201-4c3f-9d3d-85bfe5bb148a,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa6626d4-0a72-4c32-a77d-6faa542a50cf,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc1a5ec8-11bd-400a-8e63-630c0131f19f,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da91e213-4e7c-4684-af0f-afe60dc841b8,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e579ca-8854-48df-b456-0ddc0b1c5082,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2eff1ab2-473b-4c54-ab2b-85e9f3838108,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdd7b567-e852-4ae5-83ea-6e202b67bcb0,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,861d009a-516a-48e7-a9c9-74d21f1ba3d5,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb40a534-42be-4d1f-bcfb-52f1b52b7d8e,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45e1518-83cf-47e6-859e-03abf684a9b7,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d29aea96-1129-44cb-b9de-8009b5438570,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24e985cd-5848-4238-989a-0db5040d8896,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ee43e9-4a80-4672-825a-209b3fa93f60,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55fdb94-30b5-4d0a-bc22-644ea13d086c,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4734ca-1757-4f02-98e2-c3da00016626,"4/16/2021, 9:21:55.136 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52906d1d-eab0-4a1f-b9c8-967062100d70,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,276c9474-123e-4400-8f31-eb7c3496d27e,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a091c919-d244-474f-be2f-0e65ec4af9af,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\ERIC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffd32054-689d-4f6f-a151-f528c6f713f9,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7f5ca8e-d251-44e4-8a7a-b3d85837ff0b,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07fe2a06-8038-4afd-a305-029e2c6d7a16,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\CANON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed397fbd-9adc-4abf-9cff-9d86ccd236bb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c315e46c-7a54-4b07-bd89-c8b64f7770d8,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80035baf-613c-4b3c-948b-cc4b03f17572,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f68d9227-e4f8-49df-bb71-d3a61e64bcae,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e11f051-65d4-4ca1-8d8d-d5dafbc7be58,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94b7d942-4311-48e9-9037-dba899479e2f,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34f9d4fb-456e-43c4-9610-439f30a12eed,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e89c2ae9-c1c6-4b6a-8b61-c79a8c872e53,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d139467-73a2-4091-9e15-3aab22d385e8,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46d6e024-5ed8-4946-9be0-c845d02ee788,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6093299a-16a0-4ba1-af5a-edecb98cd894,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9815895-6e77-4de4-8d33-bcbb1045abb2,"4/16/2021, 9:21:56.729 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2a5d8d3-bd00-4e8b-b384-d0aa61f1e267,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6da936e8-aee5-4e6d-8473-b032adcbe667,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd57ece-ef6c-4412-87a7-eaf9fb8479cb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,631635d2-819e-4ec5-9727-aae506918bd7,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efe24b63-9b00-4027-92d9-02679df8c5fb,"4/16/2021, 9:21:56.729 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5642d4af-67d5-4551-98e1-3d2acd98cb3c,"4/16/2021, 9:22:05.623 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10632 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a6e80a8-9ed9-41e8-81f6-44de511579b2,"4/16/2021, 9:22:05.623 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,5a5ba5c8-f751-4b43-8006-73a2cbfca053,"4/16/2021, 9:22:05.623 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65c29b8b-4c97-4e2e-953e-4e56ce4344eb,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6761e7ab-5f07-4ab6-b956-7058e5b66ecf,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c553ceda-5908-44bc-be3d-5b0b668b97fc,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1828015-a0e7-44fc-9ffc-7c92c553a417,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02a528c-0df2-4dab-83e3-93aaf99f804a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4d38743-de91-4f6f-b653-08e7fb36adb6,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11cf02b7-ec54-4ebc-8171-3c2d0a7a50db,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6eae477-1a68-4f85-9541-b1d3bd2437cf,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d48bcce-e0f8-4290-94eb-2ded5b45e90e,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0470007-dfb8-43a6-8312-b11847a46f63,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bfa556-a63e-4e27-a520-be97ca81ff3a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8f2c357-c6fb-46d9-a08b-523c96f8541a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a628b37-5bef-410e-8e12-79bdb9f2094a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ca49a88-4652-40dd-95b0-14a5a0a28a0c,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e90ff6b2-0ca0-47af-a438-ca70c131e6ad,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55f2c47-8f3d-4641-b11b-153da1a33bca,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c9ec26-05f1-464b-8728-c0a451103b47,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1d2923-0e06-4ad7-a5f3-de02f0a6eb3c,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5cb6af3-db18-4a8c-a1c7-0865b1101356,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9537c39-df68-47ec-b6d6-5150c58b1736,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9742def2-c48e-48ee-9250-2440e5aa4c92,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9eb7886-9d41-4aac-8b93-88699311b499,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2157421-61bd-42b9-ae91-541fd485646a,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f7b188c-b089-463c-923f-e2a0d2364d0d,"4/16/2021, 9:22:09.146 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6816cab0-a339-43b6-be4f-67fcfd682c57,"4/16/2021, 9:22:09.895 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab1891ca-5f64-4f86-b9b0-278ed42fffb9,"4/16/2021, 9:22:09.895 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b0f0ed5d-bc34-49cc-b8a3-51284bea435a,"4/16/2021, 9:22:09.895 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4552 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c0727bd6-b881-4b83-874a-a49d36903bdf,"4/16/2021, 9:22:09.895 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,72db455c-618c-4d04-9e07-0faa93fda40f,"4/16/2021, 9:22:09.895 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f19befb3-737a-4b45-81e7-ff8e2a3f1fdc,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e877092-efe8-4476-a3d6-41764541741d,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9e87a20-7006-43ab-8fc2-76c0f39c9d99,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aadb5ff-1857-4759-8d21-8da0b3b17b22,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\LAURA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f474892a-1702-4e07-94a6-a6af320e9811,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f551620c-f2ea-4bdd-b622-a1410bb4c086,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0680e9be-dc9a-4480-8b27-87d0c948b9b4,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4e3eec-1825-461d-96a1-461098f6f1b3,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15eca3cf-daf3-41ce-bbb0-7b545c2d1018,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cca0c25-b98b-499d-a953-3b9d8a11bbe8,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f29ddcc-8b4d-4ad9-b511-fc1bbf08eb06,"4/16/2021, 9:22:06.750 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7aa4173c-eecc-4998-8b5c-e6b7a4dc93f0,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5410565-8642-4802-898e-73a9b77f0876,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d39557b-ab3a-4b23-a4f9-dc0e79dec1c9,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9886d2b5-6f23-47bd-aa6c-36ff86215072,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f12ebf85-703a-418a-ae6c-8b7df196822d,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5342eef-95e6-4822-9736-bd821d6e37a1,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05bcdc64-bea0-45b0-916a-f1b7e64c7e08,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,315b7d8a-7a52-422e-ad36-c44401eb68b1,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7badc8b5-a04a-4205-948c-26af5012e025,"4/16/2021, 9:22:06.750 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,befae6a7-31ce-4b0d-a29b-2624c463f5b0,"4/16/2021, 9:22:06.750 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f407e0e-445d-46b2-aa7d-49c0032ac0cc,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,031e4f38-c445-466e-b7a4-5b6c9e20b79b,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07d54854-7dd4-4971-b6cb-ef35fb69ac63,"4/16/2021, 9:22:06.750 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d17e399-fa98-4176-bdfe-7cbc72bf90a4,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c001176-3bd4-491d-919b-c6eb9def9f2e,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fd5787-f744-4359-92a7-237d3da75757,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f91e04c7-5a92-4140-bc1f-65dd0f881bee,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34ec202c-7ca5-4ca2-babe-f09181a74574,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8146b9b-7623-4a05-b5bc-4d0541c590a0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6814d7b8-ba56-48bb-a54a-7f0b7b8c21cf,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d198e432-5fe5-45f9-b41f-12c616058de7,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09d65b12-8877-4cf8-9aa1-3c9c062b48d6,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edef1cda-36bf-44e7-b3a3-23c544e9eab0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2efad2c-8c42-4573-8942-6b948963003a,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e66e203-d165-4784-8127-ca488b05a7d4,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cbde62e-904d-4fce-a802-831a28eb16a1,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb796196-b1ce-4cbb-b531-b5f8543e072c,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0603e46c-f09e-4bdc-b8b1-8332cc687f93,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c531e88-4641-4105-9587-1eab4e478c07,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11811d4-4248-4a39-a2de-c476f7402ee3,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c003f39-84df-4b51-8b5d-50cc414378d0,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,308b5fb4-f430-4cc1-ac09-0f7a97568f04,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53de9e9e-611e-47ec-bdb4-401b28ea4d01,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b0ae986-11d9-4bfc-9cb3-d2f139326f96,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2213de3-46c5-4f06-b2f2-301ef07323cb,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3580a23e-da40-4a0e-adea-61d96c04fdf8,"4/16/2021, 9:22:15.268 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b7bb0819-5d27-4a8e-9084-8706c4e3144e,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1632 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0c3704d6-6f23-4146-a0f7-925b26408b95,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10688 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3ac5e276-380d-4698-bb1a-b00b7a02b8c5,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c781d425-cacb-4d32-9ac1-c0e0aa03c939,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10320 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c4f6731b-3eb4-4285-9573-6dc3da7c0014,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8800 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,203cc3d3-b439-44b5-a23b-56a00937280c,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e7f63d8f-e844-47a7-9e58-fc8e214d5955,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60b15b46-2f9d-478f-bc00-f3dd6a384f80,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,62c15807-82ae-43b2-be99-7c33d9d212d4,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,42132bef-f590-48ca-9268-56257bb4a813,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,86f4e4f2-d9d2-4151-8e06-c43c406625aa,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee9360a8-af39-487b-9a17-2733ee5df208,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,c238a82f-af7a-4b6a-a4b8-c5e6161578fe,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1cd5045-455a-4d8c-a90e-8f03c5350d9b,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ac7ac16-1a3f-4de1-8570-adb455ccd7d7,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,02de14d1-4829-4d42-b99c-358f60b3a48d,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0e6d52e-540e-40ca-b6d5-60c76bb16009,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a127361-2d82-4188-8be7-bddbf01804ba,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e2bf284-edd8-473b-a545-0e6809369b43,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4439b71f-53db-4903-a0ae-e3105c6b2b55,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ebc5457-1eb9-44d0-8635-971cf3033c38,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,be4a784d-5b1f-4dae-afa7-30c2d1f9ea39,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,de194628-9594-4ce1-baf3-2f9740126198,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bea87efc-5c68-4c3a-be98-5642a5555a4b,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e07fc2c8-cf4e-494e-828c-ed7254840f95,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,08025dcb-7009-4492-882c-1a77a4731b2e,"4/16/2021, 9:22:21.634 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,12585790-7276-4386-a3f9-b471eaeb0c63,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,263fdf95-cdc6-4814-b4e0-95cee46af58d,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,3b2cb9ae-0d38-418a-8683-54a96ba595e1,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bad4251b-7a64-48bf-b15c-15794a141112,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,e97766a8-5afb-4491-88cc-10fc26baefbf,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,679512f9-fff6-41f3-84be-8e92ca911867,"4/16/2021, 9:22:21.634 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a9c29a5-3d99-4557-8d2f-ede2b8703347,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0dc251dd-08e7-4b89-9701-a535a8a80ee8,"4/16/2021, 9:22:21.634 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,773b34e7-7d42-47bf-b647-b522c17131f6,"4/16/2021, 9:22:21.634 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,66d25573-7929-458a-aecf-57172d8c6b6b,"4/16/2021, 9:22:21.634 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e8f63e0-814c-4db9-854e-9901cef2f1dd,"4/16/2021, 9:22:21.634 AM",,,,,,, +\BOARDROOM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19846643-f77c-4eeb-a9cf-4b27f90081e2,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,57f5d4f8-8843-4bf9-a46c-f92475fe7e9a,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,792d02df-4c0f-4b9e-882b-c3f7903ed0f8,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\USUARIO1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,631f9f46-e14f-4c79-863a-16448065071e,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9d607178-d67c-471d-9506-239ce6718427,"4/16/2021, 9:22:22.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46d0bd33-7a30-48bf-9b15-daeea0bc92ef,"4/16/2021, 9:22:22.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7496 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,05c5ac83-dbb4-4f84-ba43-bbb4bdd3c59f,"4/16/2021, 9:22:22.409 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3306d8c-a5e7-4a66-8c65-d2b4cf53aad2,"4/16/2021, 9:22:22.409 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,67eeb122-5953-4aea-9657-dca80f358e54,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b067c85-f246-409d-8731-512df8074fc9,"4/16/2021, 9:22:22.409 AM",,,,,,, +\KEVIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,824d5d6a-a651-43b3-94f0-87257f18caa9,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6216313-0201-4b87-9f8b-8af41c08aeef,"4/16/2021, 9:22:22.409 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3d32a2a9-6b9e-4353-97bd-e2c5b1a43ddb,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c474946-a60f-4652-81a7-7a5df87f8410,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e1bfd9ac-808e-4305-a60d-805139ae68f2,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d903d9d3-e883-4d02-8f37-2ccbe0cb100e,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89436341-c632-4f63-a018-1c73c0d9959a,"4/16/2021, 9:22:24.063 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c4bad632-2a05-494e-b2bd-1cf326768e34,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,183c09c3-ca05-4193-ae18-b5afb607f044,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,25f8efab-fcbf-4630-9bc3-a91042a9f049,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae23a7d1-eacf-4e47-93a7-39ae14b9ebc1,"4/16/2021, 9:22:24.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,cd51e1a4-71b6-413d-83d6-f996853ec60d,"4/16/2021, 9:22:24.063 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a65e212f-50e3-4dcf-b6d8-016ece2bfaa5,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,32911c41-b5b6-4f83-9bb3-d48b6f76bd3b,"4/16/2021, 9:22:24.063 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,96828939-2ea9-425b-b9c2-5a3ee4f539f1,"4/16/2021, 9:22:24.063 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f52474d4-2f52-42b4-85fa-3bb03bcd88f8,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6524458-30e6-4d91-ad54-e8ccd92c29a7,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94ea5ae-c994-48bc-970f-f20f13b3301d,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4c33a6-acbf-4347-8cc5-3e0c28ef4204,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39900235-61a5-4595-a441-3394868aab34,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0103f73d-ca4b-4309-82b9-e3b9e86810d4,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d1df34a-5d36-4d2d-90b5-71497c546ed9,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc06586-968b-4c42-92e8-fe11754d1d79,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12231668-493c-44e9-992e-05e5afdc1a64,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fce4ae25-ca7f-4aa2-be5d-3f1c26428469,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9201e9c9-de2a-4f78-9619-8899359040d6,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd6bee20-86fe-4dab-8b4f-4727d0952323,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b19a3a-3823-49a0-9d91-e366f3435a41,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13a770d8-650e-4c50-96b8-cf9849dd4720,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8172f974-4c14-4d1d-a5ad-7d0baab88140,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a90af1-acca-4ba4-a8ed-d54f3e725a50,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bdab1-8d91-4aad-97ef-c90869057034,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1efa3b3-ffc3-4ceb-8094-52c41abcf8f9,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb60d4cb-b603-4251-9c53-18b80ac7f44d,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,623a2583-4611-44af-98b7-7e9fc1441fd1,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6947e2c-938b-4378-af7b-5850aa179847,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,677868a3-5c79-41e8-bf00-2d739962185f,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1b1029-82a2-4d03-9601-79946b805f62,"4/16/2021, 9:22:29.132 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b839669-b7af-4283-835b-aff4c66ead76,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fe6c3cd-a8f7-4061-a0d8-1a2cab139fed,"4/16/2021, 9:22:33.727 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0626b6be-e438-4f63-8c2a-5936682835e0,"4/16/2021, 9:22:33.727 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78f97ea7-781f-4e9e-9dcc-bdefa4fa3658,"4/16/2021, 9:22:33.727 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f60898a-4832-4672-8dda-cb20b08f5fb2,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0a531f3-89a6-4773-8937-0b309ff3536c,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f40769f-83b7-4043-bde6-6cbcba9a5182,"4/16/2021, 9:22:33.727 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ce60eb3-af0c-45d3-8db4-5510b4849749,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd63fb5b-16b0-4280-bc38-6892c80a90bd,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d682d73-b463-447d-91c4-063411e4d8b9,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,095a646a-7dc3-4dd2-99d6-c521455bf7a4,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\WJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d11a0eda-5cb6-4fd3-9d02-13681a2f4268,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,074cc5f4-f520-40c2-818f-fa9bc8be0ce4,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3ae90a7-2f1f-47f8-9bed-9a507da5f5cb,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e29c6b7e-59fe-4d01-aac6-6140166a9bc7,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9467053d-e504-4f1b-8073-0a42e153162c,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d91b8ba-b7cc-4535-942e-9b050e68fa16,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,358a3adc-c60a-440d-bbdb-bb1ba0d3e691,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\CYG_SERVER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd44a241-7490-4abb-8405-429df72bee4a,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16330a09-577a-4930-83b1-e1055c7954e9,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e64e036-f3e9-488c-a0a8-bc4c04203de9,"4/16/2021, 
9:22:33.727 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4751cdfd-c5e9-46dc-baa7-1dfff328457f,"4/16/2021, 9:22:33.727 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d78fb2-a2cf-45d8-8b3a-82e41e39eb3f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd683514-7b6b-4b6a-8ae7-4c6033335926,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4780a2f8-f9bb-4657-8b8f-41ca480308af,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd34258-fa15-4d77-8a5f-ca438b44b882,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be864434-7b85-49a8-b271-3a96a085c924,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20a39e47-0bb2-469f-903b-af5c77bbde12,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0c6b4e6-fce6-4b7d-a5b3-08f38a057554,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2610b72d-aff6-42eb-ad1a-eb56cf8342c0,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8542347-93d4-4761-9813-cd6ab3a27c14,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\IMAGES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e9c510f-f66a-4ed6-8c65-7e30ad7a2ba7,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ea44f69-f0df-4870-aa10-0813ee42cd00,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1ca04a-9455-4418-93ef-657cf414794c,"4/16/2021, 9:22:34.129 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aab7237-67c4-4318-8a33-1ca43276b352,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9fe5659-206a-4242-83fb-da1acbcdbfce,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a6dac36-1965-4a2e-8c68-a49c5f0f150f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63d41510-8bde-4eb5-9daa-81030b2e4f85,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2c5432b-1296-49d4-9e9d-b809381e088a,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d35247-24c3-408d-ab8b-31d709164fe1,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab8eab4-7be1-461e-bf96-66a51697dde2,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451256c8-9b02-44fa-930a-464f968a478f,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99614456-d4d6-4506-997b-c00fb94a4525,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5073252b-d0b3-4a69-a90c-89fb2651cdce,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,818c5a6a-4239-4245-8f60-2cabfe266b52,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eae6dd6-6cc2-45d1-a4f8-02474f94e1f6,"4/16/2021, 9:22:34.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e80d6-ea12-4b1e-b19f-3689675a3317,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bb5d3e-0c61-42c2-829c-335aafe4c513,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e1de61c-6e80-4a8f-bd91-274504333e1e,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,348dec6f-714d-4d43-b297-3eaf65daa995,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5088776-2176-4167-80be-24a778825f70,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b99f95-8b8e-445f-89f1-15004c9f621f,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5244b9a9-f883-4ec2-8af6-0b382cc3c65f,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2c6c2b-6cf2-4f67-becb-f7c1829c4a5a,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95ac0712-56b1-44fd-ae4b-d8814ec7507d,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b713e8-a166-46fe-b0e9-709a9bdd3996,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e7f1a8-db53-49cb-9936-0f67f05ff098,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80685801-6d82-4d15-8753-c602339bf8ec,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605b9e06-9a0c-441b-b5c6-90d51b6d0380,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5d14ade-0408-4040-b0a4-a6847300a742,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faacc124-efdd-42c2-a940-239bd85a971b,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373a88c4-e21a-4da8-bca5-61cfee8ac4fc,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0178f1f8-517f-4323-8779-ab8e58338e61,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be3318e4-c561-4428-9b29-d67dfea9b4af,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98bf4962-5116-412b-8185-00b6da235971,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3865d96-1fc7-4105-bcf9-0e99c44554d3,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2571eeae-14c9-4946-be14-dcde2c4eaf17,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd40e93d-700f-44ba-a3d2-d569327db0f9,"4/16/2021, 9:22:40.192 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7684 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b3b3fca-efe8-4128-a56c-469624f964d0,"4/16/2021, 9:22:42.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,163b571c-c024-4b5c-a2dd-0f8ba83850e9,"4/16/2021, 9:22:42.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,f1f80170-e608-4d46-ba24-cdbf84b58bd6,"4/16/2021, 9:22:42.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7740 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f4b17b6e-33ba-4614-a3f0-ac2b66eeee40,"4/16/2021, 9:22:49.282 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3a780b5a-c18d-4eb2-84d3-b4890424fea9,"4/16/2021, 9:22:49.282 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4636e48-7a57-4564-89c0-b6a24e769973,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acded2c-2690-4426-882f-7a3f1fbf845c,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94d7447c-731a-484d-ae35-61a3080360a8,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4a7df27-6ace-4e4d-afa8-b4de50b7f9ef,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a707ee89-07d7-4d27-909b-02365bf88e1d,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf79998-69e8-42fe-97fb-544ae3db3d7f,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba5b2ad2-a716-4810-9fc9-5b3968744b3b,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,669b9381-cbeb-4f82-a331-2c700f1c9a09,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c65a379-f6d6-4f9f-acd2-fc9914094322,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d3ce535-9e08-44e2-a6eb-fe59e87b4d92,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\TRAINING1,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5048b89-70fc-4826-91cb-8afb5f894160,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0294bacc-dceb-455a-bb99-4cdaddf3297f,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,356e2bae-e4ad-40dd-be3c-f7708f3cc945,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5274262-3545-4c0c-9cef-61fe03d1b9d2,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36dfcf97-1d6a-41ec-9cb4-301934467535,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\SJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee27f428-b7b9-4423-8aea-e5710812332c,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f63c9df-b3f1-4f9c-b898-062bb1f11b4b,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78f10af-e553-4c22-bd59-dc1e93786321,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40928250-7d03-490e-9a03-d417628d1f6d,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81b62aaa-29ed-4e6b-9235-9c74a281bbdb,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b939ff2f-3ee6-431b-ae16-ef692eff3c7a,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c598ab98-d011-4908-b034-67115044f7ab,"4/16/2021, 9:22:48.735 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dafabd71-9fe6-41bd-8b8c-220a773225c8,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66c37d4c-9b7f-4440-ad8f-31792960b791,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff0e2a2a-d896-4843-8616-5c6bddac414a,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6c862da-1487-46b6-aa7d-a69023a76bde,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46e728c0-2339-4194-b5e4-0bbed453dc0f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e76b13-b7e5-4d90-9640-9b07e9c697ec,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e002e9dc-e8b2-4496-a96b-dccb9d549933,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4302926a-cc40-49b8-bbe6-ca3326a2e7b5,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f2ebca-de3d-4efc-ac71-080e8d6ba7d6,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e3a1d4b-31fd-4439-a292-65445fb61585,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19bca247-0ed7-41a1-9805-2ea2e8585e50,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c263e94-537d-4ffa-83be-82c966013a22,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa96a1c7-db76-420d-b7a3-172bd8f4f03f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ec6ee99-33b0-4df0-ba29-f53f2ef0c5e1,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6485ef4-500f-4b4c-a936-243081112bd0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b771e3e-d6f8-4c62-9a22-0e6b0f8c16f0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a7ab45-8d70-440a-b61b-e224cbd65c52,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a7ec84e-f0af-4b01-98ee-13230996c078,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84fcb97e-f27e-47dc-acbd-2afaeb552e3e,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea220ed7-5bcc-4be7-b214-da9254300419,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f850163a-d998-43a9-96e1-16893ed9c59f,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,902b029c-19ac-445c-894b-959d2d1d5c32,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11aa238c-83f8-432b-97df-19363a0d27f0,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8411ec9-9119-4148-a2b8-32fc9e13eae5,"4/16/2021, 9:22:50.141 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4cfd0578-7819-4ea8-8338-771cb6eb9091,"4/16/2021, 9:22:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,de3e8021-c01c-4774-a34e-423fd4062a6c,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2828 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e39ab594-aeef-4eb7-80c7-019325ece866,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,232e4a52-c448-44f6-83f6-919e73a18759,"4/16/2021, 9:22:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0b88026c-fd3c-456c-92ff-941af8edc5b4,"4/16/2021, 9:22:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + 
SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1f591609-a10f-4e2e-b6c5-7eac8034b8f1,"4/16/2021, 9:22:52.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5584a7f7-7714-4dd8-89b7-02f0bcd8a0e9,"4/16/2021, 9:22:56.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2152cf48-e671-4b97-aeb3-b45cbb185def,"4/16/2021, 9:22:56.997 AM",,,,,,, +\ORACLE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a523c447-244f-4838-bf92-f526db1deea9,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\MEDIA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4248180-27db-4ba7-8cee-2df287cf8874,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f66b7727-657e-4caa-bd96-64c993c19635,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\OPERATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a7cf4e15-67ff-492b-9d76-76ef95b03f3a,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8e2a62dc-926b-4a27-a526-436bc4495d73,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8297a776-ffbd-4092-b4ed-03932128af26,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\HP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3a465427-25b0-40e0-a33d-fbd30a0dfa34,"4/16/2021, 9:23:00.407 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0233595e-ad10-46d9-83bd-4161842e72c1,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd69a126-61e5-4fea-b47a-9d74a6467b62,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c9b7543-b46f-43fc-856e-de34dfbb5e99,"4/16/2021, 9:23:02.132 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f23c7f8b-e4bb-4e56-9718-42446bbb13fd,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12a0e98b-82e2-44de-8640-df680ffd2979,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39f7b27c-693e-4ea9-8b82-26dd44b7b851,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b550ef02-1b0a-4742-b0d8-7d04d4a3d4f5,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\MANAGER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425a982a-fd3b-4cb0-80cd-7fb37df81f45,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2653b497-2f8c-4572-a1ed-46a03d889cf8,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43a1a95e-f00f-4fec-9d22-72db2a6841bc,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb9f4fb7-5259-48ee-bd50-035b69f55b24,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d33300c9-5515-4a0b-96d6-ba6e7a3ca6b3,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27bd0e1d-5941-46cd-aab7-7edcf4376982,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51625208-6917-4b13-b145-7c7483470fed,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f0ca082-d3a7-4c8e-b372-b4556fd0edef,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc0aa30f-2f3b-4992-b2f3-976837133fe0,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25227f55-1ac9-41e8-b350-02ddfdf7de69,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64a08f30-fa35-417f-a911-be0f0400e41a,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8e83eae-7a52-4a8a-bb37-f0c1ede76250,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ebec1d-c53c-4ef3-985c-b8845f87c854,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65dbb489-2ff5-41c9-8f38-c3b317fb1eb9,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f492228a-abb1-45a5-a458-da7a25119aac,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,995dea4b-9097-461d-bb93-4d851dd3b911,"4/16/2021, 9:23:02.132 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ebb1aa1f-2211-4e2d-8fb3-64ebf8981fcf,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1f51a1f1-96cb-42b8-bd5c-304f7cc6cfc2,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has 
been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9be55075-9714-4010-a751-45ab95eabcf2,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,55f80da4-8874-4a97-a7c4-511d04544dab,"4/16/2021, 9:23:03.066 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,4dcbd80a-57bb-4efa-b957-dec6d5bda227,"4/16/2021, 9:23:03.066 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ef9301e6-0839-486f-87cc-56d4c86c21b1,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,1801ddbc-8375-4bd0-bdd9-f23b0ff6a312,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41b2031c-ac45-46c5-8c6b-eee46c26b8c5,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6d554b0-2ed2-413f-aa50-83715434875e,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x865c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,58726cdf-7490-4089-b57a-a8e41cd62c8d,"4/16/2021, 9:23:03.066 AM",,,,,,0x865c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x865c + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,2b988848-2984-4a60-8a30-eaed1d325c6b,"4/16/2021, 9:23:03.066 AM",,,,,,0x865c, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,93f51299-6a0b-413b-ac56-6d5bcf77b88f,"4/16/2021, 9:23:03.066 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,3e4074eb-79ae-4e5b-a2c6-d1e2a63b0384,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,25be3d06-edd8-4f1f-b501-ebacd141b9c8,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5368446c-2b9d-4c56-aade-286fd4636826,"4/16/2021, 9:23:03.066 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,9366b106-b0f6-49d0-8eec-172dcb17c2e2,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,72724226-0626-435d-8b87-64ee118f049c,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e5ce450f-4f0a-4f64-b1cf-da0525f64a6e,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,427472f1-11b4-43db-b26c-b10eb5215faa,"4/16/2021, 9:23:03.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c06b54ce-5d9f-4c37-b5b7-f9ffed34f0dc,"4/16/2021, 9:23:03.066 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0f4d97cb-570f-4471-822d-e4c7598a011e,"4/16/2021, 9:23:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,72263b32-70b3-4311-9472-0c5af41504e0,"4/16/2021, 9:23:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92840329-9e91-4673-999f-0dceffe6feda,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4840 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,591ce745-1eab-4658-b4f6-a4957f26f669,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,da9bb33d-b851-4259-8105-240886a17b98,"4/16/2021, 9:23:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4652 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0e47d284-b99f-42cd-84e4-2a145a91057f,"4/16/2021, 9:23:09.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,133f497a-0de6-421e-a0f8-7723147a52fe,"4/16/2021, 9:23:09.896 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3373768-d206-44a5-9d9a-ba7b2f8f9927,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52d67ab-1b47-4772-add1-0798291f4d52,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c63db52-22fe-453d-adf5-e7900682ff4f,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eda0263f-cd30-4a2d-b0b0-b65e54255d7d,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15941b1d-5b48-4e7a-a26e-dd026399c95e,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2250ef41-5301-4f01-b4ad-135f40de60e4,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd036473-7f89-44cf-9e45-f3e3af1d91e2,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,602edc9c-81d0-454a-9571-990cc5362d6e,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,713bd0d2-e80a-4340-9593-09e585f48c5f,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3fc1841-71b2-443d-9e2d-116f31afa866,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1d097e2-d071-4b61-bf99-7909d1f51526,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6298878-c9d9-46e5-8f8d-31e0720856e9,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72aa4256-248c-439c-83a7-95e661a2a448,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605b8971-4a6b-4d97-8359-8eb269da6b78,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf86abe-605e-40b6-9a94-6c0878275a78,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e15768-12b4-4ef7-b39d-7d384f400757,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20096e36-e82d-49d4-90c4-8a6d4a831dd6,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c6acba-d85d-49eb-ae89-ed04fdcd3d80,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca492995-f8c1-40f9-a85a-785ae10b3c01,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81ee6176-2754-4f22-ae66-6ee141d2e121,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c3bb4e-8a16-4553-87be-9f3d0faf68a0,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b7bba98-874c-40a7-acd2-a9e884b1f062,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d80803-c5bb-4889-9cd9-7a4367486fde,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dac8d0a-5c1a-4c3a-888f-043432bb0544,"4/16/2021, 9:23:11.152 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e805041b-6394-44ba-9424-8a7d9e3a486e,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9198f19c-a33d-4300-82a1-dce52a284b1c,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\JESSICA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b95ecf4-f867-4f4c-a1bd-26282bfbbc83,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1f37b2b-e7c1-4bfe-847c-005bdb43dd4c,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,003aa844-143d-4216-b5fc-432b91b0882b,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,106e2603-6948-41a5-9e06-2ba990c587a0,"4/16/2021, 9:23:05.726 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2412659d-5dbf-4537-84a7-00c4043de726,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\DOGEMOBBIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fde11043-370a-4b0b-a83d-6d7b3bbe1aa2,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65d12bfb-69ef-48e3-8343-d22889c893dc,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de1c7476-73dc-4df1-807f-883132682c78,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f136c8b-deac-4f5c-a0a2-751bb7e5cf11,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7be2f7be-29d0-415a-abb3-21ed3d9c9d03,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b1977c9-9671-4ce9-8f4c-27c9b24fa0d4,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a71a2928-1818-400d-b1d3-123e8554a47f,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,826bf915-bd05-41d0-92a4-5b077c9d5685,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed27134b-a887-4e17-986f-e53d716f9ccd,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\POSTGRES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a82477f-2438-4758-93a0-c36fec747dfb,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cad05c3a-a28c-411d-8d12-9857020ac3d8,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e8773b0-a541-49f3-9487-2faf7a66383f,"4/16/2021, 
9:23:05.726 AM",,,,,,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a66c28-9ea9-4b37-95ee-365f4e1e5475,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cde8e87-f354-44bf-8ec6-9422560f4f98,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,612b2c28-3ce8-47f3-a791-85afab3b57e6,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,498e13e5-a779-41af-ba74-2ee908d8ea91,"4/16/2021, 9:23:05.726 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a936e334-cfaf-479d-883d-25a28bc1cdfa,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3b63c14-4165-4519-8c69-d126a92848f7,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04d1735c-4685-4c65-80b9-24226758f9c0,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84079961-4e64-4603-9f5c-a879197c86dc,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f12cb76-4014-4d45-8d9e-185123e45fcd,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4eaf8d0-51e9-48b4-9424-4e9e4aa5fdd6,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\INFODBA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14c78b4d-23aa-4ad0-802f-b3811e3828c4,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7b3e4b1-09f7-450a-b26c-0d991fad7995,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adb2b226-6e79-4f27-897a-4eba3be95e44,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52bd2fe7-b925-48b6-94c0-1528721b9c95,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25e32bce-ce53-42aa-8a3c-b8b11735cdad,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53bc94d1-e52e-419e-91c3-611d1e51392e,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d274b55f-44c4-4833-9b77-8d119b722d0e,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,517726c3-71ef-4a1a-b95d-28acbcd6792a,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86672a15-925b-4083-85a8-a2f4c3c6ff3c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87459e48-484d-4aeb-b4b6-2d445abe9842,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5263c69a-7e0a-4412-95b9-706278b29678,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf634d05-5dda-447b-a6fc-30eb101b7e7c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,787eaaed-a26c-40cc-9879-c25909b2d432,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42842055-4339-4eff-a792-a0568d030687,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf39dd82-6f00-4985-b645-0cb6acbf62e1,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd78523e-1cf6-4b66-baaa-7423ddb54973,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ce8044b-d8b6-408e-accb-b46eb0d4568c,"4/16/2021, 9:23:21.740 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,760510ce-07ff-46fe-a7ae-7031f3165d9c,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7c99cf94-a3b9-4b52-a575-220cd7181eca,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 520 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,da3c9c9f-ace3-4fff-984f-7e6d6473a68f,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee5969db-2bbf-4a67-bc39-71aefa77f3a3,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0787bc4d-adc6-4a9f-9244-4a5b8d340c52,"4/16/2021, 9:23:26.629 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8c7854a-d253-45d2-9e08-ab6708013ea8,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd4a2310-eee0-43da-b7fa-912505caffe1,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8df7d56c-ac29-4139-b01f-6c1edec67d18,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8a067f24-18b3-4f72-92dd-01e00708459e,"4/16/2021, 9:23:26.629 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a95d6910-b60d-41b5-8731-5a18946b13e1,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9460 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8bccf2b1-16a1-469a-b599-05c946d51b93,"4/16/2021, 9:23:26.629 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf0759d1-3a48-4f4c-a57c-2b2d3be1df4f,"4/16/2021, 9:23:26.629 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7002e1d4-d53b-42a0-bfa4-8fb974b7101f,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c207d318-f6f0-4192-b461-996a254e0b84,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3920a54-14ed-4807-a245-8b09ea01679e,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9030e54c-0f60-4df8-8fa7-c807a0bc98b3,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,150989ef-72b6-40cf-80f5-06744f3cd419,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2bbd035-fd02-4987-9ddc-5cebb5f04903,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb3303b-278d-4302-815e-d7fbb3aaa9d7,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de506f80-b6df-4208-9b70-07a223be6cc1,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2291233e-22f6-4700-a3e0-acd6eaa027f9,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a965a08-551d-49fe-ab77-2b72dc0847ca,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,422c46cf-082b-48eb-ab93-795066b8328e,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9dade73e-22ea-4c20-b9fe-f6d13b9ba612,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9b86d63-bc6b-4624-bd4a-6c9a2a5473dd,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,346a8479-eda1-44c0-91bb-f0d0b8258a36,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21a58d99-8de7-43db-9958-e20f1c0463fa,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32c01d28-cc81-4f40-ae4c-6ab22185ba71,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a6bb2f7-e383-46fe-8211-b0f31cfe93d2,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaaf0503-8ee0-445d-89c4-0d1ecda2ef23,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fc9956-ab0b-4a46-8c56-86abd8ee7e0b,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0c6da2-7713-43a1-9a58-20e47c5f7815,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d147acc-4768-4b6b-bafc-04a37d413278,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0bfca5-243a-45ef-849d-921e4068f824,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6d09ea-15b9-415f-b728-ee703af8d1f2,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de269657-b7fd-4b69-ac24-3e722e320207,"4/16/2021, 9:23:18.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0618065d-e142-4594-97b7-780645f10ff3,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ba09d6-5cf4-4002-8a1f-240fc7f9d8ed,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a60e34-5272-40c3-9c97-111a1dab458c,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb121160-bf6a-4da0-961b-8450dabc9ee3,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b850bd-08e1-46b3-a58e-1b5a56102b0f,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a50bb00e-629c-4f68-bc90-87899ba64de6,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73cd0a4a-42ab-4cbc-b11c-5f101621701b,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7080 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef2ecf81-b54a-41cb-964a-46708c9d9a09,"4/16/2021, 9:23:25.141 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,93d2e4c2-a61d-4c78-881e-c3e706b39ed7,"4/16/2021, 9:23:25.141 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,831968c9-4e75-415e-9b73-3b7890e2ae62,"4/16/2021, 9:23:25.141 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e04b667-b12e-448e-8fa5-1790ce920f70,"4/16/2021, 9:23:25.141 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d2be56-45c3-46be-8307-be40a125008a,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00d24a3b-9317-4d17-898c-e739954c0a82,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84d11953-0754-4e70-9717-7777a3aac71f,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c93d45d-b39e-457f-9a29-527dd49c8477,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5488e62-0520-44ea-8fc5-8d763041faf7,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4310a596-7f83-428e-9522-8a86bd158a92,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b6a1a8-3f33-4946-ae7c-1779f488f829,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b737c3-ed5d-41dc-a972-bc73280ab64b,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f033d861-ddb4-4b98-94ac-eef227a2e428,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd6ae2e-6c05-4145-a739-c93d6ee38a2d,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b50f0f54-8d38-4437-bec9-d3c14157ae70,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b0776ef-18a0-4384-961c-9e0988378aaf,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79e335c2-748e-4401-a57a-28c8334f10fc,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f75fff4-46f5-44ff-8abb-d07435c5f0eb,"4/16/2021, 9:23:25.141 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,df09f72c-917f-464d-8a59-be9ea6d331a7,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f2fea2ae-3220-4106-b7e1-3ac7b3ecfafb,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6188 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-03-31_005118\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 
46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\GuestAgent\FindVolume\FindVolume.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af80f5ed-0455-44b8-ab6a-55dde4abdef5,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5324 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e97376fa-2483-4bf5-baf4-1327c5b3d108,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,705ce005-f727-4db2-b998-ceec3bff15fc,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d369ee7e-5b19-4913-a46f-e4efd4251c72,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 87 + 
%OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-03-31_005118\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-03-31_005118\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94bfdc9a-fe6d-4d9a-80f1-17c9d2e74f83,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd9c9039-da3e-4c8f-9db8-f062c9b466f9,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6256 + 18 + %SYSTEM32%\CMD.EXE + 32 + 25D4CAE189AA05EF5AC50A92649774E9527603140F67BACC08CB5B59E4C33B26 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.18362.1316 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf4d9e1b-41db-4c70-b0f6-7c6f68b2b7fb,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3288 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d8aa8b19-b78a-477e-bdaf-05100e067880,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3e90781f-c2a4-4a35-be95-25dc47f286b8,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0631ed01-2cfc-4ecd-9ead-fbf30a218b36,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20e1ae72-344f-4bdb-9cc1-72e505d66485,"4/16/2021, 9:23:23.729 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,afcd03cd-6f2b-49eb-990d-b0042559ed0b,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 4804 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,107233c7-c4bc-46b1-a59d-09e01776b3df,"4/16/2021, 9:23:23.729 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,84b08b6f-9992-43d5-9adc-ea2f82e2af66,"4/16/2021, 9:23:23.729 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af446d71-520e-44d9-8af1-a151c50a024d,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38f086b5-18e0-4080-be8e-913fccd83d68,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25d76174-9ab3-4789-a869-8dcc4e19f0a0,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + 
WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,54155c87-c8b6-4e7c-99bb-88de598e26e6,"4/16/2021, 9:23:38.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d24783d6-eb76-4017-b170-292ca811a90e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceb9482-c49d-4f22-93fd-bab8e25dd9a4,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73741b81-2638-4385-94cf-8cff7713ed9a,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9250c36-4163-4c64-a425-fd63bb8afef6,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f3af68-f7b4-4058-b574-13c035f67d96,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,facc30bd-39cf-49ee-a53b-fdaf994f284e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8bdbf2e-6b60-479c-943c-cde933a094ea,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82bf534e-ddbe-48e5-a180-401b7a7d1704,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e5c0f4-9636-4514-867d-45675dd5a24f,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd73d08c-5871-4dce-9e6a-f0a9875ed666,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d69664dd-9390-4e28-a0c3-95e3f080d98e,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3b2972-5f62-4c0f-9351-f79be37863c7,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,135fd5bb-a9c5-4245-a077-b1f00cc6b048,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a96aea0f-779d-4208-bccb-d69767467609,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca27f9c7-abf7-4e02-a56e-5f7bc5bac66f,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0242d6e1-2d55-47c1-be7e-e16bb8ac88aa,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94a818b0-0132-4195-a3df-42390c609df1,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b334ae7-ef57-45c7-984a-43be9ea69810,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238d29a5-4df2-4850-a29e-7b06c3081abb,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0cdd7d-00aa-4a08-a0af-8dbcda582dd3,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,989f8f34-ea0d-41b0-b234-60029e7ca29b,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29bd506b-7e24-47a4-a101-625790367772,"4/16/2021, 9:23:38.136 AM",,,,,NTLM,, +\ANGELA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,71f64fca-c3a5-447c-8f16-0ffd99aad4c8,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed7e3f84-d9ae-4333-8a19-7a1ac48927eb,"4/16/2021, 9:23:38.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51f0f704-6fc5-4c25-a2fb-fa4c9f17b905,"4/16/2021, 9:23:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4308 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0a500df-af3e-4791-a7c1-9f71bdb5ffd5,"4/16/2021, 9:23:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6776 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,708fa6fc-afb8-4653-82c4-95939a95b1e4,"4/16/2021, 9:23:38.412 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eb514a5a-bc26-473d-b3da-77d083060954,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\ROOT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,156fddc9-cb57-4853-9471-ca90b9226c94,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cb56a842-7a49-46e0-8ee2-c103c4d623ff,"4/16/2021, 9:23:38.412 AM",,,,,,, +\OVM,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f630f9a-4656-4418-ae46-cff0ff7a1742,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2810d628-6235-46f4-93bb-c8c59e03e76a,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\ACCOUNTING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,82818148-8f83-422a-b44f-52e682b7cc6b,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c0c01bf-ad0c-4b80-80cb-8020fadbb8f5,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +\MARK,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ba129ada-f767-4521-aeb1-3d959000ca7c,"4/16/2021, 9:23:38.412 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c753780b-0919-4e3e-a8f4-1d8a01d425ea,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94135370-3b5a-4092-9710-c9381e988417,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f97e331-2052-4dc2-b14f-4b30e98b3c34,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1da1977f-8d40-4a68-bdea-4c71bae86451,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\PRUEBA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3149970-c9ac-48f7-9242-93a2377e4ad5,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad2b8073-991f-4b27-a0a6-bef782bfb91a,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71217257-18ed-43fa-bc78-945c3060f6cb,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,906ff8df-eb73-4268-bcdb-7dd7dc62ab2c,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,114f5454-dd19-493b-b153-5e63c816ffa0,"4/16/2021, 9:23:36.732 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30291f20-6c17-47a7-a7d6-4af8e219a27a,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fff473f-3197-4049-a926-bf864a85b9eb,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42efc1bc-b855-4ef6-bf94-3c4865f38658,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce1c9a88-c08a-4e0d-ae1d-9c48c716ca2d,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2036fbb1-e2cf-4316-9a54-7c309a7a08d8,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa48797e-6bc3-4e94-92a8-f64b61056bbf,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f70508dd-c815-4c90-b13f-607390d9e9db,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af5aad4-fe3b-441c-a734-7ed15c60bf7f,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a5aee6-59ae-40cd-8edd-a82a7923a7df,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\STAGIAIRE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95d31c40-f7b8-4789-b731-ce2d6a9a3f7b,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ff6129f-6d9b-4ff5-bab4-1b22165b9387,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,015bfb62-536f-43ee-bd78-c64b8e08ce15,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0ed36bf-bb28-458a-89ea-76288fd47a0b,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4ded40-6c47-40b9-ab06-9e5d8b900bc9,"4/16/2021, 9:23:36.732 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ec297d8f-bb07-4e12-b794-1c64dd67c5ca,"4/16/2021, 9:23:36.118 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80e6af1b-6e22-4053-a023-94bd94d5c265,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d75b3c5-445b-48cb-8be3-4c99a7c0818f,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,942d3058-f81a-4f3f-966b-a47e64f27e03,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b3b08121-55d5-473f-80a7-c88f3cf484a7,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,37eac97c-3740-4b6d-8900-12b5c166c598,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,88435e2c-1338-47e6-b7e8-f44cdff55e92,"4/16/2021, 9:23:36.118 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe0a19e0-6073-4813-a937-a33a744562cc,"4/16/2021, 9:23:36.118 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4484 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,edcb22fb-e4a9-4f43-8ef5-1841cbb55ebe,"4/16/2021, 9:23:38.877 AM",,,,,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5a74cb98-bbe8-406f-8143-3424ff14dadb,"4/16/2021, 9:23:38.877 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,06b39a0c-a9f6-4926-a05d-0b782704cabb,"4/16/2021, 9:23:38.877 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2700f4d-a60b-47d7-ab01-752d2ee2ea1d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b161477-8024-4c15-9235-85180302a9b5,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7db0b56f-681f-47da-aec4-88a1998b721d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e430e432-d7c2-46d1-83bb-a2eead1e27c0,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\OVM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5b9574b-4f51-4846-93a1-858862bc8443,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15301f3e-d63c-40d6-be87-b7735022a5ad,"4/16/2021, 
9:23:51.729 AM",,,,,NTLM,, +\EYD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,080bb8c7-81e5-47fd-a7b8-9c19522d4284,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40a0bdd8-89c9-4451-b4e5-0bff96c0274e,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\STAFF,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f0f61c0-79fb-463d-b6e0-ecd7010ca6e6,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1717b359-be4b-480e-9811-a9e8528854e2,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c97a0cdd-47b8-4efd-9688-a741b6846d82,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c271df4a-c925-4318-bbe9-ae4486e30f07,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,166a0834-1e58-487b-ab0c-b5bd3d623ca1,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc0f4313-5225-4db3-87a1-32103c6552a5,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,879e0932-d023-4c54-8bf7-9aeafa3ec12d,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2eaa36c0-4b5c-4318-a919-74b34ad29d18,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,039f5b25-ef2b-4edf-961d-fbfb077c6057,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ca66115-1f85-46b0-b32e-d334a62ec7fd,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c0cdce8-0d3b-4ffa-b7f9-3c093ee26673,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4e37693-e81a-4a0c-9a19-aba5396a387a,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9761efe4-fec2-4979-8db8-8b116e9793c1,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7767b959-ce5f-4666-8891-64b53601bdde,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, 
+\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7145320d-e248-4fa2-bde8-2c8463deede0,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b8f11af-9a20-4e45-9f01-3b21884aad88,"4/16/2021, 9:23:51.729 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95e5b883-de73-4a05-b346-c93bae287ef4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c0ed39d-a6ab-45ab-8e5c-151e9034a3a4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a996d1-171a-4ef4-b680-9c7f86f7003b,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30635c21-923c-4112-b9e8-efbf63f4aa58,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944a76e3-7f4e-4789-9745-4fd99438ca79,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,784d8c81-2c40-4aba-97a8-7ba1f7c54b28,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aee88b5f-a82c-484b-a1af-61b083cf15c4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ced35b-13ff-4660-ad2b-78b62115c370,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3037b995-0644-4da4-bfcc-f37c378cec60,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28bc3d7c-1624-4554-84f9-35f398960ace,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e6e4b21-19fc-43e5-9022-dbb82eb6b2ca,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd81c09-9133-49f9-9ccd-0d459fdafac4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,714d6709-e9ab-44d2-934a-089cd19366ff,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6545a7d3-5a59-4111-914c-26d195c07338,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,717b86a8-1b66-4fa8-89d0-59b06be0bd37,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f909201e-e8b1-4a7a-a009-04912d30eb01,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8b1a47-d826-4ae1-9587-6b6b6ac65cb3,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d35429e-fc81-4ec9-97ac-9eedb56201a7,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6611f8b1-a21b-4894-9222-0618f51c47d4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cbd6ca4-a052-44d1-8c2f-0a4deb2988f4,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d2134c7-4636-4f3a-bc25-5ce79507d281,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d95856a2-56f7-400d-a7cb-91258284f688,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9bc0773-3537-496a-b62f-f435380473eb,"4/16/2021, 9:24:01.130 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8736 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d69c3c5c-b580-415d-8607-8178f5cc1bb2,"4/16/2021, 9:23:56.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10652 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,15ba80a0-64af-4b3f-b6ea-c8b8b81673ff,"4/16/2021, 9:23:56.999 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f559c941-7b46-433a-8a8c-1c9c39ef4356,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0104c46-c672-4980-acdb-8863caf834b3,"4/16/2021, 9:23:45.167 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c2e5192-b1c9-4819-8bb8-a930e9195112,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9721e096-f3e2-4482-a7fa-14885ba4fa90,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\WJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,643433e0-4d66-4654-bb96-5248bc13c89a,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8faf44e8-d614-49ab-9627-9eec98cb39ab,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72f8b459-b836-43b0-a13b-5a669bc26698,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14a59e6a-27f1-4b4b-9c43-6c8ee03e65ee,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd7ed6cd-e5ca-4338-99ec-587f10bc878d,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7169379c-d3f2-4185-97fe-4a6a3116ea52,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e97342-f6fd-48e6-b12d-4f2957c7f81c,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96d2e15a-f3b1-4d02-9b9c-cd82f6c44596,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11fc8fd-d420-479d-9872-b48f41dc4da8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad3a7a0f-aff7-4ff2-a685-92d220f0fce4,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94c43bef-0f83-4616-aaf5-6c5c5413803c,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cb792f-cb87-495d-9e23-1b85626b0ae8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f42101f-4132-4651-8104-53b9c2aae0f8,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7c04e4-a230-48d1-8b1d-7311d65b0b19,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457b0892-3635-4eec-b9d2-eea20740d5b7,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd8b94a4-f729-4ced-b2cd-70f751bd9539,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7a08807-b924-407a-a809-c4c091835026,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7144fb2c-2c17-4134-8e4a-81f7f7bedf79,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07d48a6-a602-4581-b6ea-45498fd36709,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdf69acf-2ba6-4421-913d-ed2743d30969,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e977236-c85b-4474-b0f8-4efff6da6040,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,115dd27a-9cd2-4674-94bc-5e65ebd1b6e6,"4/16/2021, 9:23:45.167 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0d0066bd-e7ec-4f10-820a-4c85b176e83a,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8200 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6ea54e1d-d261-426c-bb77-3e4f8ce192ac,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5372 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f670634-ae04-4403-9d0b-5327dd51c013,"4/16/2021, 9:23:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9e7c349c-1758-45dc-a1ff-6c0f620c3035,"4/16/2021, 9:23:49.274 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a2ec6d65-82a9-4dea-8351-31b24a5cfbf4,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4254db98-5800-4fe8-8c76-816b15b5ff3e,"4/16/2021, 9:23:53.073 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14657c55-3747-41a5-85b2-b93375b6a22b,"4/16/2021, 9:23:53.073 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,67ccdb65-efd3-4465-b93d-948bb7783057,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,aed49f10-d3de-4467-9c32-5cc7f4c96974,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\Microsoftvolumeencryption,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2886ef42-c299-4b7a-b75b-315306d200c7,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\Microsoftvolumeencryption:SELECT ConversionStatus,DeviceID,DriveLetter,EncryptionMethod,IsVolumeInitializedForProtection,PersistentVolumeID,ProtectionStatus,VolumeType From Win32_encryptablevolume",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,95946082-6918-4ab8-8a87-51c722a1959a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,190dfffa-7181-4779-8724-670669ad8b6a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,0b31dee3-5401-43d7-802a-7c8aab820390,3b50bd5d-7f37-4035-b521-1d93d50a6bf1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,802c6e0a-5fa0-4036-b97a-2a5b6c80829a,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d38e9cc2-3eed-4a7c-9e79-9a1b4b6438e5,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,848ba33d-1b66-453a-b91b-dc14d7e1e52c,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,33583c22-deae-4101-af71-403ba3ef4878,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged 
on.,0b31dee3-5401-43d7-802a-7c8aab820390,d8745e1a-c5f5-4ad4-800c-26e81c31827a,"4/16/2021, 9:23:53.073 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,c285c8ee-c5f1-4e8c-bd82-91b89ae44fa9,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,744e38a8-93b1-4a21-a4e7-db3ec5e5a114,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a2ecab9c-b390-4fd8-a042-9f1b0d8335af,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,25d61e44-9699-4c77-b36d-f5432deb2e46,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select SpecVersion from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,b6b3dabb-c717-4eda-b508-c61c49e7aaa1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),ROOT\CIMV2\Security\MicrosoftTpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,20f4eaba-18d7-4a2d-9f62-a85c5b52bc43,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read 
(GetObject),"ROOT\CIMV2\Security\MicrosoftTpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2403c182-9b26-4ab5-a412-21a38314f672,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftTpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,6f35b08d-d2b4-4df2-b49c-d894b848ef42,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),"ROOT\CIMV2\Security\MicrosoftTpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,635949a6-1df2-426b-bcd5-a2b3ddac0d00,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),"ROOT\CIMV2\Security\MicrosoftTpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,6f336887-ceba-4f44-89a3-2a41812d26ae,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftTpm:Win32_Tpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d8ce6410-a48c-4bd5-8e4e-00c92c67ae49,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (GetObject),ROOT\CIMV2\Security\MicrosoftTpm:__ExtendedStatus,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 
- An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c7dfaa6a-901c-45fc-8734-e29202352a16,"4/16/2021, 9:23:53.073 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,8bb69a2d-c6d6-4f30-aa8f-a2113db6be32,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fd5cb39d-bc75-43d1-a8d6-ff8da48ac58e,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,06c29c76-2c97-4f3f-877a-f295c6e0e1f3,"4/16/2021, 9:23:53.073 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,123214ea-8b01-46c3-a9c5-70dd254dddf1,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\CIMv2\Security\MicrosoftVolumeEncryption,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,5c700d33-58c9-4093-b2a6-04ebd6c13cc8,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\CIMv2\Security\MicrosoftVolumeEncryption:select EncryptionMethod from Win32_EncryptableVolume,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9a985e89-6ae7-4638-b195-b180c63c2481,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,5e2ce69c-cab6-41eb-86c2-c4003fc96b05,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersionFull20 from Win32_Tpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,16a4fb03-f509-4990-a986-47603ef67bc3,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,eb74f91c-c286-465f-9de8-8fda7f9eab06,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select IsEnabled_InitialValue from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9bb26bb6-9d7a-4646-b458-2e20f9e8a7fb,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,c3752976-0615-4e5f-9d4d-51674a954c70,"4/16/2021, 9:23:53.073 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersion from Win32_Tpm where ManufacturerId = 1229346816,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,07ac4b3d-e999-472f-9403-e27861113822,"4/16/2021, 9:23:53.073 AM",,,,,,, +\SMART,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,873bb16c-e178-4429-8899-6f7f39ea89de,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,802cf0e7-4e2e-4a07-9684-970121502a9e,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +\SCANUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a2b34b79-39f0-495d-a2ae-3485628910bb,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8a73b94-6c3e-4517-9ab6-1d9a57871143,"4/16/2021, 9:24:01.423 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b926730-2b75-4edf-932c-ef717b28bbdb,"4/16/2021, 9:24:01.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0493a495-0621-4e0b-843b-d3f3f559a339,"4/16/2021, 9:24:01.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef76b027-5610-4254-a6b7-ee9e64210f77,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6912 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,95a988c7-284b-4862-9470-1767b8810f37,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6764 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a8061a91-e6c4-4a0a-8322-35432a092595,"4/16/2021, 9:24:01.423 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b4776c0-f605-423a-bb35-f3abac4d04a2,"4/16/2021, 9:24:01.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was 
enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b688e2d-5819-490e-88de-ff8f77e0c521,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-503 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0cee89b-c198-45cb-959f-23c8cb610846,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-501 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,96242e81-1563-459c-a7a3-bd59425fa6de,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-504 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0a84f340-0fb3-4ebd-b0b3-4498fdec26cb,"4/16/2021, 9:24:01.423 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1beff2fa-c1b8-4c70-9bed-903f20cc4022,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aef56ce9-df61-4ed4-9cac-af8462d7e4de,"4/16/2021, 9:24:01.423 
AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cf14fcc-2386-45c1-82cf-b3fa664c9a3d,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,455cc38d-9b38-47c1-9f79-6048ea5db490,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf6c2aa5-3a1b-420c-851a-01d4bec0b7a4,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37437b6a-1bbd-49f2-a020-c1fbbf3f9f7e,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,391f1530-4029-4d25-8d04-f170beee1da8,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffb70ab7-c2cf-4e90-bd9b-fa0b08f8657c,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c4e61f38-1f32-4a05-84b3-2a5f9f5d5510,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,43323556-b59d-4226-be22-94d10d6f5e55,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3cf3b349-84ad-4aa0-b409-c657ef7cb898,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0934eec0-7687-4dc5-a4a6-209619d16300,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c64fd303-37ba-4643-98f6-3127107063d4,"4/16/2021, 9:24:01.423 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f1b9d3c-22b1-4d1d-be4e-ee9c3c162d40,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53b85b49-2e7d-4ffd-a0d2-6b992e9ef221,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9428086-6dbc-4317-bdca-0943657b02ce,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b305d806-2165-4741-8b2e-bdc053791cac,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e3e785dc-dfbf-42cb-a129-7153e625a4bf,"4/16/2021, 9:24:01.423 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc16742b-42a6-45e5-b8e8-d49e2c6294ea,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c2492043-267e-403a-8181-9804318a71a3,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8372b9ee-3c4f-4ecd-8c47-904a7069e0ac,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5acc5ffb-1c77-4615-97f7-14f5783bec4c,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2d8c6b5e-ad32-4d0f-a698-389c0b875883,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2d36fa7-e0da-4690-8bdd-14f55933040b,"4/16/2021, 9:24:01.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26ffeea1-0e7a-4229-bb60-cbbad1ddf23f,"4/16/2021, 9:24:01.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1560 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b471ddca-0625-4f1c-b1a6-a8b6986b22c3,"4/16/2021, 9:24:01.423 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8388ad5-5210-4eb8-b6c9-fdf1b46417ee,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,595293bf-68c9-4ec6-accf-fdbd6ea3682d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d6ed56-d703-46bd-a737-885eecca9f11,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab2f5166-41a6-4093-924f-5252fc5030e7,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bb6571e-0e77-46c8-ad36-73da70fc3f21,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b710d0-ca69-4bf8-8078-becbee4dd152,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ede6237e-36e9-4246-b265-e0bb28898111,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c33ac1d-caa8-4150-bca9-f95c30440fb9,"4/16/2021, 9:24:07.136 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,860f8bbb-6edb-485c-8cfa-67daecfa642f,"4/16/2021, 9:24:07.136 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39137c8a-9287-4abd-949d-036ab7bfd8d1,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0701e44c-d558-4c68-ac86-7fcb202f7a82,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4976 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fe4eed0-4220-4bc5-976b-03e2fea3a53a,"4/16/2021, 9:24:07.136 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 8972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,327b810c-c344-435e-95c8-f8add0bd9042,"4/16/2021, 9:24:07.136 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4e7c461-6a46-43df-811a-7ccaff0a05ca,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,990fc5d3-45c0-40ac-92af-dba69ddd4800,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d61a143-b67a-43be-9c9f-1e63d20c8984,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00fb2d04-ba4a-42e2-90e0-2661197816b1,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b96b8903-3f6c-40db-889b-30b03d511306,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5864c94d-6db8-41eb-908b-ff5c58c282c8,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6cb9bb-403a-47be-987a-43775cfa1621,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0488a94-6b22-47c5-8954-c9a2db1d80ca,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9198093d-12ea-48dc-8f8b-fdb2803b3511,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9860203c-3cad-4e1e-a978-617298853d14,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35db45cf-01ce-48e9-88d5-233aa008c474,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4463cabd-bcba-4a51-bc48-40cf5d73782d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,215a34b8-e1e2-4f9d-8cd7-db716c03d23d,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c73388fb-84e6-4b4b-aefb-eea85573ddec,"4/16/2021, 9:24:07.136 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3bd31cc2-1047-4a97-ab66-6edd7cb9b5fa,"4/16/2021, 9:24:04.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,36fbbb63-c8d0-454e-96bc-080e9914be2f,"4/16/2021, 9:24:04.726 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e639c9bf-ee61-49db-92f1-903d990b40f5,"4/16/2021, 9:23:58.631 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7492 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8c74b917-db3c-45b9-90c2-0fe3d8bdecd4,"4/16/2021, 9:23:58.631 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b08def9e-f7d2-44c6-aa95-9269ea546692,"4/16/2021, 9:23:58.631 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5436 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,97ffa1c6-0db6-47ac-a3f2-e08dca0b49c5,"4/16/2021, 9:24:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1848 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,739305ec-e73b-45ad-8b6f-387bbd75f5fd,"4/16/2021, 9:24:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,113b2359-596c-40ee-97f5-f37153929a17,"4/16/2021, 9:24:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d409f24f-8e91-4087-9a6f-ce1be5faebd8,"4/16/2021, 9:24:09.890 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7e09a5ea-4023-41ee-ad0a-0153f1965377,"4/16/2021, 9:24:09.890 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cec6133d-7ff1-4e90-9c49-38d972819f8c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,892a35f0-b7ca-4077-8258-4cba5e07dd0d,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6da9effd-14d1-44dd-9205-cae8d0e62894,"4/16/2021, 9:24:06.782 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25878e96-5ea8-47c7-8c4c-36f1f078eff9,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\USER5,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a40a2b4-64f9-463e-97c0-5e9fb3c271d0,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,665f48db-998d-4a3d-a94a-16863869e38c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33aa3f91-44dc-4c3e-898e-1a80b4000261,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1564d8e1-3916-4d2b-9a6c-28f9c7850cbf,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\WP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d87cbcf9-aed3-457c-b45a-f9bb9b014b6c,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b95bd43b-6942-4145-a681-86a074e3898b,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,788076c5-05c5-4f8e-825f-5cb909f0f9de,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b866a73-5a3f-4278-b128-bfb32144e1e1,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db7b1cf8-6c57-42e3-bc98-0bab9ded4927,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\WBHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfa586c9-b043-433b-ae00-babd0529275b,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d98757c2-0c88-417b-bb2c-06b53573f1e6,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd6075ad-c1c2-41c6-85cf-282a51a5be48,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea7608bd-8946-4976-b02b-5ba1f2b00282,"4/16/2021, 9:24:06.782 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f804f48c-e759-4450-bb4c-7c454fd0fae0,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,545c4be1-8a9d-4d5e-92bf-1e1a8fc76287,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\TUSER2,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fbd2736-59c3-41f3-b462-460524fed429,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b8020ca-e554-4ffd-8d70-546763df2048,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,484932ba-90d4-4f4e-abed-5947e11bb330,"4/16/2021, 9:24:06.782 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607a14a-0aa0-4631-af20-4afead77c5bd,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00db0008-d5b3-4379-888b-1b67ef5c5500,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21260010-4db4-4430-9bcf-bc295f05d366,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a86d43c8-93f1-4a50-be77-bceb0a91762e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a30541f-8308-4ae1-8d7f-00ea044d41e4,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7915e4b-957d-47a6-8fc2-84ad78cceabe,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d0c5447-8331-4a76-971c-7368122b7c15,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,829e21a5-d025-4ea0-ad25-9fe6207ee047,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07d4121c-818b-49f2-a812-070e70c3164a,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18e77d5b-f8b7-4947-bc3a-e26a59ba4da3,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ad5f7e-785a-405c-91c4-c3b0480f3c1e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,183a8223-b8be-4f58-9724-b1ec9421e520,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a9f549b-978c-4a91-9694-78aa82b7551d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,277df1d7-cb88-4f70-a719-076a8a27e269,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74e8216-344c-45b4-96bc-742b766f793c,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531db2a4-68be-437c-bb7e-40971c000f0d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,687b998a-ea42-4fc7-9fe9-ab848d393fe9,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f124886c-290c-4aee-b87a-27d1f0849203,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dc93642-7c98-42d9-96c0-d605c872b37d,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242f58bf-d21b-4f09-8137-67df5d6ea61e,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd5e6ccf-455c-4d35-81dd-30d9be2f5246,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42625887-cd96-4eac-aed9-5dd1ca09d6e6,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92c3be08-7b57-4166-92f6-52547aa95110,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f22808-9fde-4b42-bd48-c67d2a348b5f,"4/16/2021, 9:24:16.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efe6223-ba25-4a18-95d2-a50ecb6c785b,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8a018b4-341a-46f9-95d6-f3596b5b0523,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efecaba-14c2-4d33-8b57-ed447c1a94f4,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f84f555a-e1e0-4f6f-bdbd-131bad80a0df,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2be7f40b-6b0f-4c9f-8f79-8f5b6f75086e,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac26a613-3ab4-422c-a2c2-a5bd11c84bf4,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745a757a-8362-4980-9737-29b68a6ac480,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afc8e01f-0a3e-49e7-98a8-ab97618d35c0,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b75fe2-bf90-44cd-90c4-4d9feda85b12,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0275d143-10e9-4baf-bfa8-ee582a503354,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,85a12519-46c5-4e74-8ccc-a84bb065841b,"4/16/2021, 9:24:21.130 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e55eed3-391e-4467-89e8-bbd41f95e51c,"4/16/2021, 9:24:21.130 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba52034-4909-4e3c-b32f-0a62714b02a6,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ead84fa-2816-4a7e-97ac-20cc9f542005,"4/16/2021, 9:24:21.130 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea28a16b-307b-4baa-89e3-aec70f6924e8,"4/16/2021, 9:24:21.130 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50555a19-d430-4126-8007-ba83307afe08,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81bcd92e-7759-4d4c-92d0-2d5e2c26a289,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c18e6a78-ceb5-4927-9d93-4eb9d8830140,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6256ce0-dfa5-4f11-99d6-0e05c79927e8,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d50461e-fb08-4cc1-96dc-c4d309c7dc81,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,889854da-f866-46cb-9c42-dd9f88c756cc,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,404dc4c3-a6a0-4665-aee0-8bb1bd765da7,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7100c87-c73f-42e4-ae40-a76850befc4b,"4/16/2021, 9:24:21.130 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f6c96a36-ae32-4ddb-9b7b-cca405dd131d,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f75910fe-c58f-403a-b25f-01dc9c3dd7c0,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftTpm:select IsActivated_InitialValue, IsEnabled_InitialValue,ManufacturerId, PhysicalPresenceVersionInfo,SpecVersion from Win32_Tpm",,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4a0f962f-5d6f-4464-a883-c23e5725e1be,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftTpm,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a3e11606-e764-4a24-83fb-6a3a69b2d888,"4/16/2021, 9:24:24.062 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftTpm:select ManufacturerVersion from Win32_Tpm,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,a21a2e2d-7350-479e-8175-23714ea68240,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e4b7597a-1993-4f78-96df-9d45c7106a33,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea1c5f2c-8c54-46b1-a783-c3e6caa62d35,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,61a33274-d4f6-45e5-b170-b131bf0ffcaf,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b121c78-a907-49cc-8360-331e9346bb68,"4/16/2021, 9:24:24.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2c484425-6f0c-48b8-b00d-d9c8e8ec5470,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ebe86ab-e966-43df-8aa4-23507c2f9966,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8b5fe064-2626-4390-9939-e181787acbb7,"4/16/2021, 9:24:24.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bfe98135-cf7d-475e-b604-29cf0383e807,"4/16/2021, 9:24:24.062 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d08282-db66-4c9c-878e-479ac3b00c39,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0d75c14-3270-41a6-b77d-4c946630241e,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8534c190-c342-4394-acc4-5c9f452bc0c4,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4ff2089-a244-4af3-a3cf-67846ff54163,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9eb1f137-7a3f-46a8-8bfe-c5b24e05fb82,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,665ff2df-ca54-430d-91fb-612f81dcb5b2,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848308d5-1481-4efb-88e3-e37f63519d12,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72e39190-001e-464c-be6a-a7f6cc807b04,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e16ec07-5a38-415a-a578-2f1ff8c3aab2,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3d38fc7-e5bd-4948-9925-425cec9ab9af,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\IT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40ddae79-494d-4b6d-b8c4-ff0ed9bf3174,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,614cd5b3-2064-4ad6-bed8-396ecfaa5c6e,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\STATION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2d416c1-3c31-4b1d-b657-7805412c91b9,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc72908f-befd-464e-8a3d-09cc62b6ebcf,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9fbe10-35f6-4ed5-ba33-b6ce6879de3a,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83859d05-d50f-49a5-b559-6c7028d3a273,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,639687d4-f595-4fce-a671-5a07ef10fb37,"4/16/2021, 
9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ef5c08c-eaba-40e9-8cca-32b23876b7eb,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc260a81-16e2-4c9b-b7c7-e20659472a40,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41bc0cfb-ffc8-4505-9f11-d3d28c9f4ba6,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e178905-1dbb-43a1-8b9b-3c4349f726a9,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29d20ebd-7ff5-48ac-a672-ac241c38d1d6,"4/16/2021, 9:24:25.753 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef160e6d-472d-43ab-b4ff-0b673b480f0f,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df1fbc33-7946-4f71-a3d6-a7d3980d3270,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98df3615-b07d-4255-8273-ac866e131ce1,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14bdc3c4-021d-4635-80c7-43060c30d243,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,178f1878-5d6b-4768-8dc1-5061133eb8ab,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235f9687-4ec0-4a6d-b157-dac4f1f2d182,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51bd6a33-2150-4e04-a939-c0c2d957b8b6,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74bbadd4-2e78-4ca0-982c-bbf1a6c8763e,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4c2258-6a39-4228-b3c0-7233009f98c2,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cffafc8-8674-40eb-9507-91a05d549e98,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a7335c-6380-45e9-a518-e835fc994bde,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b64365df-b410-4c91-9cde-1c419c78cf82,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42761769-620c-4c4f-a277-79f3bba129cd,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,190116a3-9ed6-4c7e-b53f-f3662e30a68c,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974d97b3-020b-42b9-bf7e-640dbca95135,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99968766-d72d-49d1-ba8e-dd1c930f7b65,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b867b05-212e-4fc1-8aa9-b6e3073b53d9,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73a5d60-4347-4b40-9b01-79f9ccb0bbe8,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3b8e7a-6218-444c-b352-ea9ed175f5d9,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3a9981d-2fce-4713-b0e5-37c34a3a79a8,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ffcea5-90ad-456d-b11d-4343137eaa8f,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0928a54a-f7c0-44c3-b0bd-ffe0905f3524,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5aca9633-c960-4c85-ba63-721312df83b7,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec12e0db-2c4a-4b1b-85b8-42776c9d1a99,"4/16/2021, 9:24:29.135 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f9c0c76e-82c1-4b8d-b4d7-8de1c4a063b2,"4/16/2021, 9:24:29.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3be5a1f5-af12-4c6a-b6ac-7e46eb5eff73,"4/16/2021, 9:24:29.636 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.2"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2021-04-16T17:07:00.000Z</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartUWork</Arguments> </Exec> </Actions> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> </Task> + 13510798882111748 + 4840 + 780 + 0 + VictimPc.Contoso.Azure +",4698,4698 - A scheduled task was created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2eebf44b-67a0-4b58-800b-c4b7d183320f,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2300 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b1f931b4-6a36-465c-ae34-4f851ea195c0,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10888 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb8c0a38-6fa8-44cb-94aa-8afa0414a579,"4/16/2021, 9:24:29.636 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3359f0bc-687b-4a9a-a9a1-7111beadccec,"4/16/2021, 9:24:29.636 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,eed03a6b-baeb-49e8-8b54-1e93f22ef9ef,"4/16/2021, 9:24:29.636 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6708 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c7255f3-07dd-49e9-b686-9f961d4b2b69,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2184 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca148fea-a9d0-44fe-9ca4-3f5c256f110e,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,feb57cd5-4dc7-4f67-91a0-9c606456fe0d,"4/16/2021, 9:24:35.413 AM",,,,,,, +\FINANCE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,926007cf-e9a4-4bdb-bdde-4fd5809621b3,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f0f0481-f70e-4b01-af5c-099d9ee70c4e,"4/16/2021, 9:24:35.413 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4974ba5c-0171-496c-9cb8-8308721b5df2,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9d8c724-b601-49e7-b64e-e53bf2cec8a3,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b51774ca-be7d-44d7-9878-94049e17cd7a,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc1a2b8b-240e-4f71-a23f-6a29d601cdde,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c42db24-3767-4cc7-bfaa-2cdd7cac5166,"4/16/2021, 9:24:35.413 AM",,,,,,, +\NOMAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b59f281-3308-40f8-bc09-c8dacc651de1,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5fb4caa-d12c-4b9d-a4a5-8fcf8082111e,"4/16/2021, 9:24:35.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5f004ec3-0760-4a79-88f5-a55612b781a7,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + 
C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a609d2e8-a867-4cde-adc2-9a41d298f163,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,780a03e2-ef6f-4ad7-8346-3affe0a5fedd,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d478cc6d-38cd-4e31-ac57-09f2e35df72d,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-503 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d704e7ae-4448-4c6e-8bcf-8f7077c06c65,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-501 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c06ac5e-ddd5-42d4-8a22-5a8285e1d7d1,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-504 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbec + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6066bdbe-cd16-4dd7-946c-d8763c79bb53,"4/16/2021, 9:24:35.413 AM",,,,,,0xbec, +\MEETING,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d684d7f0-c493-4e4d-9857-90dcf25dff0b,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0xbc4 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cdd5171c-7f2b-4332-bcf9-2428211d5d2a,"4/16/2021, 9:24:35.413 AM",,,,,,0xbc4, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + adminSHIRSAP + SHIR-SAP + S-1-5-21-214039100-3055723427-1440978600-500 + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9165f5e-3252-482d-a61a-2bc84bc9e105,"4/16/2021, 9:24:35.413 AM",,,,,,0x0, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dea8e8e4-7acc-4d8b-888b-024b64764752,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93c91bda-2cb6-43be-aa4d-18912c19ca46,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,88e91099-bf60-4735-b74b-80c9318e9bba,"4/16/2021, 9:24:35.413 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 1824 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\Windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6119623e-d982-4eb1-9c05-29b1b0b57b97,"4/16/2021, 9:24:35.413 AM",,,,,,, +\TONY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f074ca6-7221-463b-a900-fe7827eca8a8,"4/16/2021, 9:24:35.413 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c78450-6894-4aa4-b55f-30418ea38994,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63e48baa-acab-49ce-bb18-3a957bb848d9,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be118ae2-1043-465c-986b-339215faf2aa,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8288ea-8f44-4da1-9a32-a738327c89c8,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b8b15c-13fd-4c3d-bdf5-cf5631b0d594,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,478d18c6-5f07-4c47-bd81-768b5bb2ad8e,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82777da8-40d8-4517-b75c-6c95964fd2b0,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,560348d8-33bf-4897-942c-bc8036ad1f49,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,800422ae-ee9d-4ec7-b0a6-7feda03ea830,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d82899e-979b-4a5e-be40-304deb835b41,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0870160b-9823-4ba1-9e14-ded32916ef67,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef86ff81-d9e0-4f25-b673-460179c9ff95,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402fd5e1-3055-41b8-9b63-c0a8bb3fcf3d,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b58e21cb-30d8-4fb4-ae51-1fdd41cf2af5,"4/16/2021, 9:24:34.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8b93dfd-a821-4d47-8553-2cede8e45831,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56b3364-429c-4d78-a53b-94860a2e2197,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b08fdefa-fca8-4384-8346-0309d99b6b6f,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26de944e-84da-4466-ab23-d46f3379a077,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c357da6-cd24-41b9-9d5f-b759c9f1ec6a,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a35f787-fc79-4e82-a2c1-fcbeedb7d7a5,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0c1abb-c27a-4623-a68b-10c003553bc5,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341ef736-9008-4ba8-95f5-ea7559329934,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5eabdb-7f3e-4191-b66e-575a0e743865,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04a3d359-4fe4-45d8-b7ea-2e64c2715c88,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5633dac4-278e-46e4-9fb6-bf420449fb40,"4/16/2021, 9:24:34.134 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,76733afe-1138-4694-9845-08304ece8e56,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + 
C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a395f218-ea84-4c93-92dd-e07591e657b0,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2cd12d88-d886-4613-99c1-ce3ec0ef3ace,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,f1b775cf-301a-42fd-b099-cac3f9365df5,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1f20700c-2e23-4ec5-b421-85a94b1d4980,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + 
WORKGROUP + 0x3e7 + Security + File + C:\Program Files\Windows Defender Advanced Threat Protection + 0x664 + %%1542 + 0x1000000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,42102f46-76b7-4946-b524-47a2bb980ca3,"4/16/2021, 9:24:44.109 AM","%%1542 ",0x1000000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,244bf681-b9bf-4714-bd43-2fcd6841eb2e,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,18c7789e-aac8-44fd-909d-2834ff20f935,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d54f3ac8-f326-4e35-a950-28cb03e14689,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\servicing + 0x7f4 + %%1538 + 0x20000 + 0x6c8c + C:\Program 
Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,0faefd03-bee1-4610-af39-7cf1fe37cd09,"4/16/2021, 9:24:44.109 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84dd3c32-a778-4535-baf9-385a65a89f57,"4/16/2021, 9:24:44.109 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78d4d168-3eef-41a8-9eb6-ebd98a4459c8,"4/16/2021, 9:24:44.109 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d9273d62-6858-431c-816c-09afcefac60d,"4/16/2021, 9:24:44.109 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,86e74cb3-9e12-4e89-b436-319f630e91b6,"4/16/2021, 9:24:44.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f90d03b8-303d-4faa-bd37-74ee09336b82,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,810667c1-bb02-4719-8a3b-2401a2d6fa44,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdddd211-1844-4022-8a75-5374b2f25700,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1203fa0e-be48-4a68-9d43-f4843e28be85,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb9e609-511c-40df-a5ba-b9900c9af279,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b694917-9e29-4516-babf-a9fa8af66264,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,961aba3d-441c-4736-8e17-f7a1808eab01,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,819c82d7-b7fd-490c-bdcf-89968ba418a7,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca05dc2c-b012-4ccb-a0a3-a214e29301b8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7957589-70db-4f4a-a340-082618ed03ea,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0971d9ff-e792-493e-bb33-b9ecc330ed7d,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1808dccb-fb59-451e-b7ec-8486522cdb29,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a001944-6551-4b4f-82f3-d78dfdf5fa87,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f5d4c9-a9b3-44c3-9c89-b91e1f201ae8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13312355-32d4-4019-ac14-c94bfbcfc848,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84c02521-b946-41c5-a56d-e5a0d24b7176,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec0d90b8-0e4c-4e02-a983-72f63dfa033b,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,127b6305-83b4-4002-a605-a3e50094eda8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6c8c7df-b413-4501-b059-df1fa225c6c1,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba013f56-a28d-4668-b907-268c2505a9b6,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b778b8-0398-4e20-b867-4f27e98f4996,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,755d873a-b7e1-45e2-bc1e-bcb8d194cda8,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f11693-9e42-472b-8dff-1540ef64a500,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a77f4e5-977f-44e1-8f9e-87ceee9cfa03,"4/16/2021, 9:24:42.137 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,911975c1-886e-4737-b349-f643dd91cd75,"4/16/2021, 9:24:43.348 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fb6167ba-998b-41bf-af2d-c66d2f3ff2dd,"4/16/2021, 9:24:43.348 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,53802ac1-8b13-4acd-aadb-5abcb7cb093a,"4/16/2021, 9:24:49.339 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,440c8aac-eff5-4013-998a-7d6b9dfa4f82,"4/16/2021, 9:24:49.339 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 
3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,baa0683f-fdb4-4a63-99ad-fa18773b9f94,"4/16/2021, 9:24:45.871 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4911fed0-5875-454e-bcf5-aba57c51f802,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\REMOTO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099715bd-7dd6-4480-8fc5-60da643edf0d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7553dab5-4817-4d75-bd6b-3e742e617e0d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe0f2838-123d-4038-b4d3-75645352c1e1,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,834124c6-a510-41e7-be6d-65f391818806,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92c2582e-b558-4ca7-8264-c11db203fbd5,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf1a908c-ace2-4bef-a7a3-a76bb104ca4b,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50605fde-d2af-4210-abc0-8228ebccce01,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76fc94d1-5b1e-495f-9ae4-031486ba18e6,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8def95a6-9513-4b51-a6c8-24ca536fe69b,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a50e3ef3-e662-44c1-8144-b207da8224d1,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53f68f59-c9bd-4153-9bf4-8fd4aef9b81d,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\FTPUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f4cc2df-c847-4605-9cbb-c0579ae9c1ed,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e49f4da0-74b8-4d73-aa2e-e8b9c98216c9,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4f86bc-de28-475a-8ab4-502203d29f7e,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ba4488-a272-4913-a511-7348d91f5494,"4/16/2021, 9:24:47.741 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38a04537-ae15-4c3f-993e-45be953f31b4,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1de73ceb-b5eb-4db5-aade-bd366a6036e7,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af667c1e-640f-4f71-8f8b-37a89e5e02e6,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d60f4533-7aef-47e3-b792-cecca563e4a3,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\MARKETING,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b907787-53b8-4895-a9d5-a256da856edc,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fc37bc0-4bc0-427a-bab5-f55649f710d5,"4/16/2021, 9:24:47.741 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6460 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + 
+",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f74b9fd4-e3e2-4ebb-a02f-ec5198784d3d,"4/16/2021, 9:24:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2710552-fd64-4629-bb2f-3964b1dce4dd,"4/16/2021, 9:24:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e4e6c3c6-5c6c-4c7e-9071-9fd27cca780c,"4/16/2021, 9:24:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9f3b4b90-0f6e-4bb9-93b9-973993abbc42,"4/16/2021, 9:24:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da3c7207-6ff5-4fb6-9b70-6d9d3b65d186,"4/16/2021, 9:24:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c9052e3e-9657-4f1e-865f-14b1fa640e49,"4/16/2021, 9:24:52.736 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f9406bb-e964-48e2-b163-c3aa0b819624,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e9819e-b008-48c8-87cf-912a3ef4de51,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85dfa74-e7a3-4482-b319-92b96e8297c2,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45d3d095-f350-437d-aa04-38f788a80a6b,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a904234f-e9ed-46fb-ac65-9bb29646ea2d,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e1765a-35bf-4ce1-8dea-3fc8e15c060e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5890de7-76ad-461b-a2e1-5f7a70eae575,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19eb697c-d860-453a-9283-4c9d5ecd88e6,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e69db5-d6cf-472c-baa5-a274eefff315,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aeb4140-2d65-4c0a-947b-dd611ca3e477,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,792f2884-4129-4c44-a9bf-edca8b8ea19d,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13adfda6-3410-4a8f-b49a-c124d7e2fc3e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585f86e3-88e5-44de-ad5c-3b360bdd0dc5,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceb7591-b76a-4014-9316-930dfeee5088,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb45afae-257a-4c54-94c1-79ceb991595f,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afab60a-ff1c-4693-b7bf-8b9ddb0409d4,"4/16/2021, 
9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6f0643c-6c96-4851-9a2c-ebf27402cd2e,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,993e6bb0-ec56-420b-85ab-1c684758e3ea,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06707d6a-de1e-45ce-b7ba-3cb03a830d42,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee69f44d-f523-46cd-8e8d-4ce03c98baa9,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04ae20a2-8f42-4500-bafc-be2aceb71769,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a901acc2-73a7-4af9-830d-89b332215dd2,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2af23f-9a73-4a35-9788-7a6ee964a2ee,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e70750b-1c66-450c-a17f-53d3f4745c63,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f64e9e5-ab84-4388-a475-9392c0dd1bdc,"4/16/2021, 9:24:51.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9076 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7f2686d8-e315-410b-a2e9-b0e7d2f5a199,"4/16/2021, 9:24:57.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b51fd54c-135c-4827-b2d7-5ed1d52258c1,"4/16/2021, 9:24:57.009 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f3f00404-c2e1-4769-87ec-f626401d1c94,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 852 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,74b9f45e-1d41-47fc-9a00-7fd7d69c5dd4,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VICTIMPC$ + CONTOSO + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-16T11:26:29Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 13510798882126614 + 4728 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,29202f83-f593-441e-bcb4-924b2fc21be5,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8612 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,8040bd85-07f3-4062-80d2-a89e7ee349d6,"4/16/2021, 9:25:00.643 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,35c23b78-b11b-4cde-b8e6-dabad8cbb97f,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,979b8c1f-f7db-4905-b650-7293064858d4,"4/16/2021, 9:25:00.643 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,abf69c88-2a4a-4695-9845-f5250c7e45c1,"4/16/2021, 9:25:00.643 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,f9758f50-b14d-442e-a7e1-ae3b7fdf2f4b,"4/16/2021, 9:25:00.643 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b1d937-e7b5-487e-be89-394f29105957,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21adced3-72bf-4eda-afce-25391a9e1d1b,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70f8191c-2b5f-40dd-994c-d5cc9f362031,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0e65c1e-3770-4eb0-9cd6-28d6cec47c00,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80d0b164-dd39-4aed-b3a5-6ab0b83f1e51,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66495312-615a-4bfe-b335-afc6897b5931,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0adf5f9f-6f8d-4cf6-b04c-c9a82cc34523,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd441941-2b30-4223-a98f-79bf71190993,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b57a85f0-b700-4309-bd9c-b2866f6075f0,"4/16/2021, 9:25:02.743 AM",,,,,,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,582cd899-b925-40fd-8d3d-a45bbfbf1f01,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7fd278f-26da-4384-a553-95d628be4cd4,"4/16/2021, 9:25:02.743 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ed88ac-1be1-461a-8763-dd91ba74ded7,"4/16/2021, 9:25:02.743 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d758886-d773-44e2-a760-237c23b6d8e5,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b6c5efe-98a5-4367-b777-9d12feb432f2,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9deb7432-843c-4b7d-8fa8-7a5b59156dac,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b8af673-d5e1-4306-9aa8-83805972d0db,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38924484-4be7-4641-acc1-4dad57844195,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, 
+\MARIA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3734ab9-59f7-4f63-8d65-f8aa3abb5cf5,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\ABCD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fce6f1f6-8e11-45b1-a279-90af19d1be2d,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d047a45-6ae7-4876-bdf8-59047d11f7eb,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,592b68be-b2c8-4bc4-86a8-469492f7f780,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edeb1737-7cdd-4fca-a25b-0c0296a92be4,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ab8485b-64ed-42f5-91ec-b16352076c7d,"4/16/2021, 9:25:02.743 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d4616b0-3ec9-4b0d-b236-f94250c5f8ce,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\MARIES,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02339a52-be14-41c9-9aa3-e3d3ffca09af,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6207a1ee-20b7-4dbb-bd43-3fab1cfc7432,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0e8a26-3d87-40cb-aa24-0bc32375f796,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882281ea-46b5-4d55-a015-925606629c45,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f13f4c70-5583-4b2c-ad95-f307c591a537,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d94ffe9-4ef9-4416-b2c5-8b2a672b9cb5,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b786cf97-7aab-4532-be7a-4792d1f78db2,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5e3692-0f68-4d1c-9c1a-7494b2383615,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2eafa41-1ccd-4074-a64d-964ac9ea011c,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844f1792-5551-4350-8456-cddc52ab684f,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fb62cde-d173-4ed8-b90e-3748d7657c6d,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c131fc-8d16-4e4d-a704-4c0602f20d71,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b21bf33-42e6-444b-95c1-fabe3f0f364e,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3785dfad-6d2a-4454-bb11-42c5c8f8c10f,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c21320c-9d99-4443-a46d-d3444d39d4b0,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03a6d18-7751-4501-ae3b-04e9796845e6,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d55527fb-dc3c-4bc2-90ea-9d6a80b88e37,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311c7958-b761-4c0d-9f0a-008c8bd097cf,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689f9e21-4654-4f86-ac2b-c0d3268f2a92,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,334cc8b7-76b5-4dc9-b24c-2cc14e7008f1,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53be3987-fe4d-47b7-8114-45c8fd8801f6,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42489bc-5ccd-4c69-8efa-98232beda58a,"4/16/2021, 9:25:04.141 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4fa12a96-787b-4d12-bf1b-da3eaba2c7a9,"4/16/2021, 9:25:09.893 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,54900f23-7cc5-4317-b48e-7008b73c3dc4,"4/16/2021, 9:25:09.893 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1516 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6ebf292c-d392-4bd2-b037-813aceb5ac4b,"4/16/2021, 9:25:09.893 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,259d0dd8-998d-425c-bf51-ad168b804f5a,"4/16/2021, 9:25:09.893 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,794c2bb7-e90d-417e-8e51-8fb9fda38664,"4/16/2021, 9:25:09.893 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a237cc3f-1535-4895-93e3-e5496cdfb664,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffed8b78-1dfa-4b3e-be0c-b4a35ddcbc97,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9436af-d456-49f3-98df-9b837fdb5a23,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,774d2641-4db7-4ed0-b525-0fc8a5d9023e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cc78c33-1abd-48b2-a2da-20ede6dab2a8,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b5de01-e0ac-409e-8191-afa2be8867bd,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76bdec8b-86f8-438d-9fc4-507b4f5c3388,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5b6f81-4a09-4f35-b352-3acb89395ee5,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f4f3fa1-9f4d-4bc3-9496-b2c7d3c6c60e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53bcfa14-875c-4436-b084-fdad74cd479c,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9b3183-8537-4959-8d24-1c6ed5ceda92,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcf1ea44-45b6-432d-977d-261f7b839d89,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98219a5b-bd3d-44bf-b7b2-1b53a3d73b8b,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a88bef98-1e88-43a0-a62d-d8783b4e273a,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95a835f5-dee2-46b0-917d-f6bbbca17cca,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b172d38-d8d5-446f-89db-1b69ada8072e,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b2712a0-fc86-444a-83aa-c8b452576737,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc8d0c40-19f0-4030-bff3-25080827e318,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4846fc38-a120-4400-b5b5-56c29c580143,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b26da9c-4676-4532-a0ac-0d5ceec0e762,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,acb7ee6e-df9e-4eac-b31d-b10a4a6372ff,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4393bd8e-0dcb-4584-aa57-592ca450d06a,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,520b8e39-f9da-44e9-953d-4bc92873b1dc,"4/16/2021, 9:25:11.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1bd18c2c-5fbb-40d8-bae1-1035b3eb3821,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\SOPHOS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6038c076-0dc6-4bad-b9b2-aac1621e3ca5,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7984 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS 
DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed2227bd-de61-44c0-9ab7-2c8c5178f037,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,84268ca2-27ce-4d95-acbf-92d68f077b56,"4/16/2021, 9:25:13.423 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,245a2de0-de38-4865-ba04-fb3d1c1d5daf,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\MICHAEL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,65d383dc-5894-4c34-8aa9-b8f9078e439f,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7fb6779a-50fb-402c-a5e0-b4d797073e78,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,de98d44a-6917-43d9-b599-15dea7102227,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + SHIR-SAP$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" 
xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T17:18:00Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> 
</Task> + 844424930139434 + 1824 + 812 + 0 + SHIR-SAP +",4702,4702 - A scheduled task was updated.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81b36a81-5d73-4737-bef7-a3fd1698eaeb,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c527af8-600e-4881-baec-cf40c10db0f2,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7548 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fb6b9330-b38a-4f52-9975-c3ebce408086,"4/16/2021, 9:25:13.423 AM",,,,,,, +\SYSADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,19dc36eb-4bc2-4902-85f2-4ea7b29dcb70,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1fd8eeee-a403-451a-bbd0-321c652ab36d,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,51c5cfb6-9a1b-4d39-8aac-76e0db30d744,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,213d0fb3-4acb-414c-94a6-eeebbee4a91e,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,91344c9d-6d89-43e7-9880-11f4d8fc2ab2,"4/16/2021, 9:25:13.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c80d3adc-6bba-4829-91e4-ca151ea5aa5a,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9bd8e069-33a2-439a-bfa3-d10344c54347,"4/16/2021, 9:25:13.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5380 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,21320e5a-013f-4421-9a4c-e0d27d3f99d7,"4/16/2021, 9:25:13.423 AM",,,,,,, +\BACKUPADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6b80f94f-4f7a-424f-9dd2-44e5a54041ad,"4/16/2021, 9:25:13.423 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,981d7506-63a1-4679-89c3-4f2f5e9a089b,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd2f33c-c344-4203-b4ff-f5afe5362e07,"4/16/2021, 9:25:15.734 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,747d64af-3ae7-49cd-89ae-4b32d4678938,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,832bcb2c-2ae9-440e-ab07-a7404a376293,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e26fed0-66d0-4614-8b9e-7679c382c59c,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ed43edf-ed7e-45f6-a01c-088dd487fec5,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a61d7f9-7880-450a-9151-453ce90c676a,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aaa2705-42f9-4be8-acde-69d0d50d1075,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4183d193-90a6-4e9b-b0cc-d7ff047cf6dc,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca6338f2-c11b-4e4a-986e-ed44a12d4bac,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7f849b0-e99e-4cd2-ba9d-9b15baaad3a1,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,795d1c05-02f4-41e3-95fc-7ad972032b83,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\MANAGER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cccf17d3-813a-487f-9c79-96ce2c9bb825,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b308da4-ba47-477d-82e2-0d11cee9cd9e,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3134af62-841a-4f7a-9207-8df60372e26f,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88891b31-c03a-4369-b8a3-6309ad22f14b,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b55f817-288e-4233-a9f0-2be7127813bd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d625e958-fe01-4ba2-a4e9-48e28ff674bd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5851e31b-7ffc-4227-a4f3-420244e276dd,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e49481cc-9f92-4232-8db4-0a1b3987f034,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4413b8-f8a5-48e7-9c05-799cf2f9bb6a,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42c19764-9f31-4732-a0a1-17dc2f5a610c,"4/16/2021, 9:25:15.734 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:46:21Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> 
<RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,bcd73d37-4a7a-4243-b688-088515a4a828,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95c8ee35-4725-4bcb-99f0-335b74233cdf,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9ff58a68-f026-44b9-bc42-c59a320a65bf,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,1324c0e1-fb34-4ff7-b19f-391abe5f63e6,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f5a2dc51-92a8-4359-97d2-939b960635d6,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c2799311-f1b9-456f-a07f-9e5ed6e5e1d8,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,019060c4-4122-4b15-89d3-c6214c7426c4,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9a23cfe6-543a-428a-b7c3-4b4f61f98b8a,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cabb6603-816c-4067-82cc-3ef8da9ef54b,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d4aaca77-16b9-49ec-a15f-3a0f0eb6595d,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,458bf508-3239-4384-abdf-387086e106a2,"4/16/2021, 9:25:15.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b46a4467-d5bb-4b0d-a6e5-44e5064b8bf0,"4/16/2021, 9:25:15.064 AM",,,,,,, +\CRESSONA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5d39a8f-e2d7-45c5-975e-21001a941270,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9a69d28-f125-48e3-97ff-6254b5638f8f,"4/16/2021, 
9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,388c0d7c-7418-435b-8410-338e44c72842,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50dcc2e2-449a-4638-8b1f-a50951ee0587,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9941b0a3-6580-49db-be1a-decf8983323b,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b54753af-3c2b-4817-8a78-9150d7fa4f3e,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f335abf-c5f8-467c-a334-48da8e2d52ab,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e886e09-9685-4abc-8037-5200337fe23f,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,261caa12-eed4-44fb-bbca-df72026df213,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8484f726-216d-40d4-a871-3a7f2352834f,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7e3405f-e9e5-4d35-a7c4-0b260169ba58,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4ab27ec-c364-45de-bcf1-6015f6fb47a9,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b21e71-6418-429b-a34a-0edcccb2c133,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce67940a-d831-42c4-813e-47b74fc00857,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a106b830-6d07-44e6-acd8-023619b07c2c,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cc6f0a4-e728-4336-b798-5d2bfd183068,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5eded83-84d6-4cb3-aa34-bf34cf6aa4dd,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e9d534-60c6-4605-976b-0bdb99fa4e71,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6942c649-58a4-47a5-b56f-160fa6366d24,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a21e4584-f360-425e-88f0-c27a73473339,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b3bd21-5522-4d20-aa83-7cdc48a2fb35,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10e661ee-b275-49ac-bcff-39ccefe514fd,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47601a4f-ba9b-4caf-834c-7eb6c2f8bcd2,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca702a14-2c75-4c4b-83c8-5b846d750ea6,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f82bf72-26c7-417c-b8e0-179853eea67c,"4/16/2021, 9:25:20.189 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dcb24b0-787b-4620-a161-f51dfc699f33,"4/16/2021, 9:25:20.189 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03057e01-30c7-4083-86d5-196bd9e74938,"4/16/2021, 9:25:20.189 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f38609e7-ff76-43fc-8592-91e2e7b9fac2,"4/16/2021, 9:25:20.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1e18943-25e4-4498-b95d-275520c58f83,"4/16/2021, 9:25:20.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4584 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING 
AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7603904d-095b-414c-b09e-095e28da9e94,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8900721c-23d6-411e-b6ec-26560f802338,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8088 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,39422181-2823-406c-8f71-a941405cbe45,"4/16/2021, 9:25:23.375 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8d10ded9-e0ac-412a-8d4c-2c38f98ed6ac,"4/16/2021, 9:25:23.375 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2df7dc76-2afe-4cfc-93f0-b67c6367de8a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41abd6a8-7d05-4c33-afd7-665a834573ed,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1346ee46-7cae-4967-844d-d54128993c7f,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3238f2ad-c371-4e7e-85c3-38938c519662,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,609ee5a9-2c50-4c7f-a5ef-0166a31b2891,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a756b7c2-cbae-4b45-8d67-d5f79a845fb6,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f11fcd6-f501-430f-869c-622d9ff3ae37,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ab9ebb-8c97-41bf-b287-ebbc038cbe31,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f99c1f-d122-4e75-9150-acb1768fde86,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30692b59-13c2-4e69-b8a7-f88ba0c3bcc7,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4197e6cb-896b-4d8b-be26-6747f296cb02,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb26f1f-e322-4b5b-8a4d-565c94fbb37a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf82fc8-e699-42a1-94d0-d039607f7a53,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3d9e059-5718-4682-9434-0ec3656f8d0a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad23ddcb-cab1-43b6-b03e-d342cfdad967,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94dba182-8111-4847-8055-4e6931cf0ee2,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa0f5c4-1e01-4b99-b24b-35a8299e2dbc,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc949c11-6b8f-4786-916f-b0aeb4f7dfed,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5a0826b-4edc-4b2d-a4d9-4a35a46f4020,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0888c875-f534-4bde-ab8f-8ffcb3b22eb9,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3936790-8f25-4b00-8651-9dc66ba289dd,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52e0be25-b4dd-4f33-bf47-da2983f5b2f2,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad4c46af-9604-41ac-a139-8598bc23a16a,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b42dd534-787a-4448-aa65-01d9c702d4f0,"4/16/2021, 9:25:27.133 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ab4022a-3bc5-4ee0-86e2-587ab3fff0b0,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecbc9bc7-6e0b-4a29-b784-e75ffacbace5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f7ee02b-6bd0-42ab-acae-c24039df8973,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b10f933e-7352-4989-acdb-4a5c4f5bf2e2,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,650ec794-2cc5-4fa6-88db-c03c5d905443,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b10fcb6-1b8c-4d54-bf9f-d5f6e9dad8dc,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56abf1c9-adb5-4799-af8f-97cf11ccbdd4,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\LOGMEINREMOTEUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc04d2c9-9b6f-4268-9965-3400b21441a6,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a196948-7258-41fe-bf26-c57fc7ba2706,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d20b82-88c7-4fb2-a91f-cf8bcef921ba,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4092b51-74c3-40f0-872a-12e0413deec5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c1cfab-d5f2-4e79-9b3e-24cbcda04bad,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,164af097-4c86-477d-becf-7419ee65d19c,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a59a809-232b-4361-aa69-eb155b1397fc,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0d7d70b-30e7-40bc-94cd-bfe2784d8fa4,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6785aff-5fe6-4754-811a-9847ca46e94b,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebc7ff07-7fd1-4dcc-aecc-7f5e17a3864e,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1513a68f-0c17-4d93-96ea-06099722798d,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa827aac-2a08-4519-a552-cf4a1b3e059f,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28281e45-e363-4512-8b23-d891c1b6a19d,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,659165cf-1553-4de9-900c-8e1e9ef2e1d5,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ddc4eb-37af-4980-8927-7db630de0c08,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1701c183-9c28-4d74-b41f-15c0ce4da93a,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,733da87a-8b8e-4dba-a55e-ca68041c6d9c,"4/16/2021, 9:25:27.792 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8db65a34-5c05-4bc6-a7e7-2ba6e3a0b08c,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4f9cd191-3f36-4aa3-8274-df5a6993e228,"4/16/2021, 9:25:31.875 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x241aecdf + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3407f5a4-546a-4968-abfe-52f123cfbf06,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e8ae498a-255c-4ab9-ac56-890e9480012d,"4/16/2021, 9:25:31.875 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0880baf7-e43d-4caa-b334-e7adb5b75210,"4/16/2021, 9:25:31.875 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21b1be9a-dadc-4801-b828-306d9bcd1352,"4/16/2021, 9:25:31.875 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,60b1fa3d-29e4-4698-a705-0c25b4ac8c48,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6936 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e6a8516-8c0d-47bb-8909-05fd14bf12c2,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,70b3690b-dfce-4eeb-989c-ba6e3ff1253b,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 2744 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bc551cb0-7c0a-4298-9bc2-4e506d20db87,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0da2d8d3-d9c8-4b86-b9d9-3c755bae274e,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8ca38732-aa1a-4d9c-9972-2dd523b3dcf8,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11000 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,866ebd74-31c5-464d-91bf-3ed41db99747,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,25035cf0-bb87-4258-b128-ac8316dabf0c,"4/16/2021, 9:25:31.630 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d19d6df-4ba6-468b-b887-0390221a7883,"4/16/2021, 9:25:31.630 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8864 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcd6a9b0-cc48-434b-a0b9-79920efaeab2,"4/16/2021, 9:25:31.630 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf34975a-c72e-45ab-8bd3-4a774d7951bf,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beab2cf9-dad0-420c-aefa-0b72b55d289f,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a9137ef-633c-4c34-a608-9444d6f8cb6a,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,555cb236-5b53-4775-aaba-52602b1d08fb,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58d49397-6b5a-4ca3-b781-5739984c6757,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36f10b3-e111-4833-a8aa-c6830d2c3176,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d869f36-09d9-4e15-a18f-dfffb769eac1,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47f221f6-ff65-45f3-b5b1-824959672142,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f6ef144-560b-4c52-ac1b-4671a63100e8,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed887fe-52c8-4b74-a897-4ff2375ca365,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f546fac1-0917-4c72-ad1a-b14bd5f4c1eb,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,112b6d7a-fadd-4142-b998-080f0a6cbb37,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,d9e489ed-584c-4b18-ba7e-5bba9f8ff199,"4/16/2021, 9:25:33.132 AM",,,,,,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,503fd2ba-8e21-42de-b2e8-d6930c42f187,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9127e60e-7cf9-4f6d-a7e5-09d5a694e74e,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,364fd9c7-eb90-46d6-8d73-df254a244806,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8360b183-9d67-4d23-8d70-a8049af9bff0,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edab3bab-cf7e-40df-b417-f29922168895,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7048b08-5919-413c-87e2-209fb1977e0d,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c39535-fe2e-4083-8d89-1cd20ee791a2,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c587ba9-14de-45d8-b5df-c378de858778,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea330d9-a55b-4ba1-93ec-8e2f880c3182,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e63402a-c745-470f-8cb1-f2a80341cc04,"4/16/2021, 9:25:33.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e654faa-d50c-447d-b685-8e7def6a1399,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf742e7-a854-491e-bde9-1104b30ac381,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4007f0f-dfb8-4532-b5fd-16068173d75b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,467e87d2-1688-4b27-a225-40eebdb45c73,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\DANIEL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b0367fa-5f8b-4ce2-a349-397df545f0fc,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b449ea06-9c33-4b89-b03f-b6939404220a,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,705b69c3-c4d1-419f-bd2b-7f90738ccf3b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d92e869-fb15-4418-9d9f-39723ab941b0,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e25d4c6b-4aa3-4c32-9075-cbce633d2d67,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b55343a-876a-4c77-8a07-9d342c21d26d,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\CONSOLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbe036d1-c76e-4f28-9d4f-3421b0f23211,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e45d6000-f98c-41e3-a3c8-31c330ba05b0,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3c345b5-e2bd-4916-8c73-2730fe7555a5,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b02da9-01f4-4a6e-9d9d-de477f026294,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1460af8-85e3-47de-b510-e4cebffe594b,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8372857f-a6e4-451e-9bf0-ed8935062f9c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12608c7e-c2bc-4cc7-9718-fb6f60a3f8a3,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5758586-697f-44dc-92c0-b0ae647d200c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e04256a-cfd1-4920-91b4-247286d79598,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,914875b6-cf63-4f97-82be-e07967de96fc,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\VOLKADOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57e051cd-9605-47f8-9571-33b5305a467c,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab495e0c-0ad5-4afe-b954-f4867915b0b4,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d37fc859-d32d-478b-ab81-2d2a4186c0e3,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c306298-0ea4-4aee-bb3b-2de3424fbd82,"4/16/2021, 9:25:38.751 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1151fa3b-b826-40f7-bfcc-ec5956969d60,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9fbea6b-b429-4eb5-bb17-48d7760c1222,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07822e8a-1da6-43df-8cb3-ac8cc89d2b6c,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e1413b-c11b-4504-bbcd-efc7abba4d91,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62f47dc-81a4-4d2d-ab7d-ccc0f482b946,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a799854-ac55-4fd7-bce7-a0387bfafcf2,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,781c81b0-69df-4959-a930-d697a4402a74,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\MYPC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73c45aa9-16fb-4d70-a855-c0fb876956d7,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b4b5850-db80-4b5c-95fb-aca792a1d295,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12427082-96c0-460e-8b5b-648f792607d0,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b10110f7-5a19-4a19-9b08-30e0fd296d94,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897980c7-d4a9-474a-bf81-52138f25b83c,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b39caf9-5974-41e2-b027-8ea7acfc49e7,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e540ea86-f472-46e4-b556-ddb8e7b27c92,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\INFORMATICA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e47d50e4-6554-49ec-8515-bd4a7c379777,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07bb0a80-622d-422c-b444-0300fdd808b4,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a6bffe9-45cf-4c8e-89c9-0f6a455bb44d,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e0945c-2143-4039-914a-675377cac317,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64761e45-096d-4aa4-bb12-beb52d9a47ff,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7483a8cb-b085-42aa-9a05-974d1ee04632,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a15f039-8e67-450e-8548-20cadc4ab5b6,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4857efc8-d47b-4ac1-8447-d2f03623a117,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50c32910-ffdf-4cc2-83d9-0451158189c8,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a3cb72-cef3-4154-8865-f734117fa191,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f783b1f-ec63-4c8c-a574-aeb3a485a487,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8450122a-abd6-4df3-8801-c11b9a811954,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de443f9f-ffa2-46bd-9398-cc480d9e4f61,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa45d37-b420-4134-93a2-3c7c5469795f,"4/16/2021, 9:25:41.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57ef7755-27ea-4019-b544-9e1284ce9289,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bae2057-225f-4efa-b681-dffd81e2384b,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475a4ce2-4b91-425f-aaee-395628f16044,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e757160e-a0a3-49d2-8993-14fe39723740,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ade45465-c4a5-4fb3-8781-b4fb6b20e3b1,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e643c2a-3649-4e82-8662-4b3b475fac64,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b141151d-07a9-4dba-b0c6-549ac41f1b5b,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c016f352-073d-41b7-99bb-8b5e979a1a4a,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa5f94d-556d-426e-915e-88b8a6ec9e12,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb694a3e-6146-4616-91f5-0cd5ea5bea22,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f7f1836-9d6c-4894-ba5d-3b55524f7123,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,876c29ce-42cf-438f-b910-22ae754cf264,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fdea6ab-57b3-47f5-8070-f1c2efe16150,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dcdca5d-5821-4a43-a657-039465a04369,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b8d416-8e03-4238-9dc4-41ccb371d395,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83271d5-8254-40ac-bfab-d6b7bd75ed73,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fce4d877-097c-4036-bd0c-bd9c92d7c40f,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf1890d-9b1f-4389-bf88-f744d84ced38,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9fa97c-bf62-47c7-a8a7-1a85b21782d9,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f945ffd-ae97-4510-b0a6-992104770b23,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2965e364-9b9b-42fa-9ed5-dbfcde8414be,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9e3b90-5fb2-4c44-af6a-7fa8055e3d21,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26785983-6b34-4c2b-a7bf-74f5f82a4463,"4/16/2021, 9:25:50.140 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0bcf481f-5e45-487e-aa87-8765b234bfd7,"4/16/2021, 9:25:48.412 AM",,,,,,, +\TUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e7202e3-8581-4e2c-a362-1299bd8fc9a6,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8e43aea-c425-4f72-ac72-71f55647268a,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\LABORATORIO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,349c70f6-0f7d-494b-8b68-29a7be9bf985,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ae81b700-479b-4f49-bdad-12ab8b551796,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\USER6,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4b4a8a8e-1b2f-4d2a-ad6e-6332f48c1d49,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f3967c5e-29b3-4f04-8272-c2229929ce6f,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, 
+\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9cab5ad5-a3e5-4df7-a542-75b77d2df935,"4/16/2021, 9:25:48.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1284 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6dbf87bd-abc6-48ce-ad18-fc959ae0d70b,"4/16/2021, 9:25:52.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,df3a53a4-95d0-439f-a026-6bd63347b7b7,"4/16/2021, 9:25:52.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5f3c2314-a3c8-4abb-986f-fc5e15f962cf,"4/16/2021, 9:25:52.745 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2ded62c-21d9-44d5-bc54-37f6cab557d9,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8c13d4d-da9a-4dba-8ee4-f31f98ef8632,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,099835ff-aea7-4db0-8db2-d9f94e4eaf88,"4/16/2021, 9:25:52.745 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f50a947-ac5b-4085-8d73-793d55069198,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,45d5a5b1-3948-4d75-a1c8-f1aab1bf0677,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98a91497-52a3-4733-b6af-922facfe1625,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,017b0872-4648-4316-8931-c566c33523c5,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fe1c67a2-86a1-4ff9-b149-f784b3029de1,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5333136f-e46a-4f98-afd4-4f0260049629,"4/16/2021, 9:25:53.069 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\AdvancedInstallers + 0x564 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3b270ae5-bd4b-42e4-a474-4794580804e9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\AdvancedInstallers + 0x564 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI 
+",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,898c28d4-63b8-4ca4-b971-291125338eb7,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Boot + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,419e9731-6e3e-4576-b544-5c2f37bcfa51,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Boot + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,7e39cbe8-afec-4fe4-acbd-84abb1c60d4f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Bthprops + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,7aed098f-b8ae-4715-834a-0e11866a4c6f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Bthprops + 0x568 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e1486621-f325-4c8f-892a-3da672093082,"4/16/2021, 
9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\en-US\Licenses + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,83eea122-5df4-4ca7-8d35-0ee0e4c46e9a,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\en-US\Licenses + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,a4b0217c-acf5-432c-a397-97863e3c4d29,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\icsxml + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,cf6ee625-b953-4205-9233-436036ee652d,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\icsxml + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,dd2e582a-f2bd-4409-a17d-9acf9ab47ed9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\PointOfService\ProtocolProviders + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3ba3329e-ecaf-423b-8c9a-c3bf05ce1d6f,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\PointOfService\ProtocolProviders + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d1e14c4e-38ab-4fb0-ba4c-3e9445643d7b,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\ProximityToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,40c8da6a-e027-48d9-90ff-8e88937bbb71,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\ProximityToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d89188c3-3363-4739-9bfd-5f4426b72b78,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\RasToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8925a584-0d99-45e3-9b4f-75ff4620b64a,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\RasToast + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8597f54f-9fee-48f6-8cfb-544de8b829e9,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SecureBootUpdates + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,fecae592-5c83-4aef-8b31-e34d4eb20497,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SecureBootUpdates + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,51ad5050-b120-475f-9da6-498799f34cda,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\Common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,fc268b67-8c71-4af9-976d-27241d7734d3,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\Common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1e55dd4e-7d20-483e-b661-c3f23afdddbe,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\SpeechUX + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,268398b8-9a58-48f8-bebe-25f9362d44dc,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech\SpeechUX + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d15a3da5-2037-4632-803d-696a00d31e54,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\common + 0x664 + %%1538 + 
0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2428e243-dbaf-4e8f-a7c1-2da281144e27,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\common + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,c2fd818d-a4b0-4bb6-8116-ecd3b361e974,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\VoiceActivation + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,9951ec69-7e12-4a32-8f8e-9c3b6c0281d0,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\Speech_OneCore\VoiceActivation + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3500198d-b519-49f3-a5e8-adee9dfa9a64,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program 
Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4bcf9ca6-6394-4e53-be71-5a9b1cfc9b30,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,45c0e16a-9de8-4453-8862-9d3df6825a18,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform\en-US + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,2d39bb84-d988-4bf9-8291-64a55d371cdb,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\SystemResetPlatform\en-US + 0x664 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4bc3de1c-b8af-4773-8083-8f7cef650758,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\WinMetadata + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to 
access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,12a87c3a-062f-45ba-a007-9d4d7eaec513,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\System32\WinMetadata + 0x648 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,4abc7952-26dd-4bc8-ae33-6540998999e2,"4/16/2021, 9:25:53.069 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc207d6e-ff7b-4282-bbe8-95077856360e,"4/16/2021, 9:25:53.069 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d2286031-ed14-4bcc-850d-40371decea14,"4/16/2021, 9:25:53.069 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22603e74-720b-4545-b723-853dba3c75f1,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac0c7e7-28b4-4b03-867c-a4d2e3e8e367,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f1495a7-af90-4ae9-ae26-23bad08f0d1a,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79604098-71e3-4154-a9d1-ec0c1a5fb38c,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\COPIER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7399afa9-186d-46ef-947d-84fd86d4a714,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d04b61b-55d9-4a2b-a121-f196d95c8704,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,727c7216-8b70-4300-8df5-25eb56a94480,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fc222ee-4dd1-4db0-8857-0c47bcb7d949,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7197ceec-304b-4a01-9345-bdfbe53e5e1e,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f55a17d-b855-46a4-9372-a0e076282ef5,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a348c376-0a16-4bd9-838f-a338bad5f2b7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13587ca4-8831-4778-8dcf-ed08512cf4b7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948cfdc5-f214-49de-a661-f620bd43da5b,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44c39e7e-10b1-4558-92b3-f12fcc33a5d7,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,035c1b18-98dc-4356-880e-1ae3d28a184a,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e8a94d5-f304-44db-92e4-58b1ea55a547,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25640601-741b-4e20-a6a0-0f6356c0937c,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd15f11a-9628-4342-80b8-8711ef5bca0b,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dacdd2de-309f-4a71-9f4c-16a420469f67,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2b89346-0d22-49b9-aa0d-057ee20ab373,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\123,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae9dc8c3-3e4b-4fb2-9570-0d8222cfaeeb,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6db0462-c272-4b42-9d4f-963242f4f932,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5556c423-6484-483b-ade8-516fa3789be1,"4/16/2021, 9:25:52.739 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31476bd7-8478-4b19-b86a-3b49029712ea,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c83b776-7ba4-4daa-bceb-9090bb765f73,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60b1ada3-7628-4b3f-9d95-1ad104251cdc,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6401bf3c-a675-4b3b-ac6f-709ad88628fa,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5b3cd7-7778-444e-ae86-628e71b03674,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c85aa7a-e1c1-439c-9db0-392fed9f0c53,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b7e02a-7a74-4317-80f8-8c7cce81ef8f,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3775e86-70c3-4f39-92fa-e269db113c94,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a33e42a-e9e1-4f93-9eff-7d8d213db06c,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d971fa-a9b7-43c0-873b-de582802ce3f,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd9333a3-1bf7-48db-a650-b2a699d4d318,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a55ba092-cef2-42c5-b684-2e91cf9a8995,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e24ecf27-e563-4435-96f5-afb7c4415641,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaae7bff-bcc0-47d4-af99-0743f8d5fe98,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c20c8c34-6bfa-4bb2-b05d-b3e84bd466ac,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3625110b-23ce-4d91-aa84-4d7137918dc1,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c335fe1a-77a4-4115-a6f2-e3a06a8f3da8,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21ff087f-7d41-49db-90ef-588b00c454fe,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20d5f37-f806-4fae-b6fe-38727055981a,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b73d15f-310a-44da-bae0-ec14006ec99e,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,605c7280-f671-4e9f-92cb-f79ffe4f0256,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde369d2-f5a2-4a7c-8050-d44c28f70f8b,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848b7b0c-6d35-47a5-9a3d-37e8e71dc26e,"4/16/2021, 9:25:55.302 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77f05db0-6654-46bc-a350-16ae6baa2c12,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a0ef64-fcf1-4ea2-b794-256b1991faa4,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8f6f168-7ee1-4222-94fb-f790eaf3d311,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8824d1d8-e835-46b1-957a-9d1d89a38f9f,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5950a8bc-40c5-422b-a45b-b80a13b04096,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3ea4a8-eefb-45d2-8032-7c97ec4d116c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f6e34e-715d-462b-b4bc-ab0b96bca03f,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1313f3b1-f908-490a-a7aa-b9eb42cfdd91,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d44a2564-dd95-4f47-a099-1a2b71b3e990,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97f47f37-c692-4eae-86cb-0e4a8428ad6b,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ef5c91e-f8d0-4b2b-b9cb-8d70bf4e11af,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e682b6c-44ef-4dc6-8aad-be67be7a8a5e,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,428299fe-c62d-41bf-b43d-165bdcb98bb2,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee9bd78-593d-4d93-b604-35dbff3842f9,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,723ca371-53d2-4a45-b0fe-1d79411c1b8e,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,458de3a7-d995-4afb-bf98-c39bd78ec5a6,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1fa122b-e5b6-41b4-a8b7-fe3a63bbca2c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8536354-72a6-47df-9024-d79dc7c0876c,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aa8792b-1654-458f-a434-089a5c076093,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824909d2-14cf-42c9-81d6-02d6acea7f44,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b970d4-dc8a-46c8-b266-e114056e9ad7,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0758c73c-b43e-439b-9021-7757f70f8e0b,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd16ade4-b4a4-4a97-ada8-b8a6656c2ecc,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e024b13e-5e00-49f3-84ff-3c9c0e285e3a,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c50e370e-4808-4b32-9494-7c7a43f07ed8,"4/16/2021, 9:26:01.137 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba7052c2-d4f8-4cc7-bae0-d1ec0870cc2e,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbda7668-6074-4f17-8cf0-5719bd366891,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87097bdd-a972-4817-be63-2ec89bbe7525,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,719cf390-f022-4424-af0a-a2804a75bee3,"4/16/2021, 9:26:02.778 
AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d64ab8b6-f169-4216-8751-fb1501d544cd,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d9bf1d5-fa1c-4ec5-9549-408c06712591,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a559f041-ff60-4b2c-a147-ffe2abd052fe,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\JJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d64af410-bcb8-46b2-ba99-135378f8f4ff,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c121d03-6618-4eed-b15a-248489772743,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64a28ffc-2833-45f5-ad34-a9bb431740b9,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e8ca846-81d3-45cc-8da4-2942e8674071,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1906f2cd-fddf-4fc9-a925-be94cea23df0,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ad6068-a0ab-4734-917a-05c6cc8aec4a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28bdd031-7951-47f6-9b81-60bbdb5848c4,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00fc5c39-f80e-42c9-8b3f-42272af01b86,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aabe8e6-3c04-4e26-bebf-57ae643f3c3e,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e27dd538-b8e9-47b8-a1a2-b33f10c4350f,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5c916eb-a6c0-4606-9727-746f7b53e34d,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eac257a8-5f4f-431f-af8c-fd11f4702d44,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\RECEPCION,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93c97ba9-44de-4d36-8216-d4777396943a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,937d1fad-e3a9-493b-9c6d-18a10355aa78,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,277b372f-b808-42d5-b5dc-896905f6356a,"4/16/2021, 9:26:02.778 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a9dec70-49ea-4db5-b4d0-37fae998fe21,"4/16/2021, 9:26:02.778 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93014925-37ef-4a3f-98c5-4c0bc71b5ad6,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e70167b-f8ed-49da-96ea-136c7e5861db,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b17774-28a3-4052-b164-0c30f1339c73,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,003304f4-f6d8-4574-b114-a55d10d9679d,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b632e20-03d1-479f-8779-bda8544fab81,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f635bc-d83b-4a7d-8898-78fe8f5a8b70,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ac41692-969c-43a9-a598-b9bffa181f9f,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2472b592-811a-4fc5-ac7f-3b0e560d87fa,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f292afb8-1515-4c87-a5d0-eb2eb44fe473,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,362e6d07-2ac4-49e1-a157-7b6f0dc1d9ae,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c3b1314-a77a-4c1e-9e4e-c4db84057c41,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,423f29b2-1a6a-4924-ba9f-a130ab0b8b05,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f212d0-8db5-4173-a4b0-fdd20c8bc8c3,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cb9aa8-8009-4bb1-80dd-949557534208,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46dc8200-c27c-488d-bb03-8b8a0344b056,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ddad0a-f5e1-4ef2-b7e1-f6615cd818c2,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a2d445-c8c8-4857-b2bf-4160c5b7eb38,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4427b7a-1470-4a8b-9fbf-56457e8a4134,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a99bc6a1-8406-4bc3-92d1-98777652bfeb,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d12500fc-3b16-4105-9173-39decf39e359,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1f7fd07-7ed6-416a-8739-8e0f381dd725,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22bd033c-1fec-460a-89f0-1a6f0396f149,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4377afa9-4fc9-4a8f-97a8-baaf9412f977,"4/16/2021, 9:26:12.189 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff3ec0b0-392c-4f88-9e78-5c73c988be9c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b86aea9-d3f9-424d-9ed5-f07e1b9c878a,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4c17bc2-cc29-457c-ae2d-31434fa87b54,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c321213-f79b-493e-96f5-3e507adf7801,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0b3b4f9-cca2-457b-9e5a-3d41be6508e9,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b5b0845-e0df-468b-ac4b-67eb61814d43,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\ACQUISTI,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,298ff602-1e08-461c-af62-05f35392b5e3,"4/16/2021, 9:26:14.742 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f653db3a-e0b1-4078-93f2-da9eb07e3485,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a9ab785-22ed-47ba-8c8a-65aef4ea2c4b,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2925fc4c-08a0-413c-b165-ca167ecc50d2,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d801a639-b890-46d7-90b7-bdbebb418c3f,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,049ff3e4-1952-41eb-8c38-ed9a3e33efcb,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0770acaf-ba8a-4224-9bf0-1d9d333ece53,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc6fd2fc-c1d7-4d34-8379-b566e3c837c4,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1440256f-aeef-4dd6-b694-e206a16b335b,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76714c6f-eedb-41ad-a7c4-da9c3e1c356c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27705ac1-ba0e-44bf-8ccc-10243f26b22c,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acbd1c1-9011-435d-9aae-c85443a241ad,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\SHOP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78b10b25-f099-4085-8bf3-5a0cd5923a05,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc7342e1-7ad0-4947-885e-03d76f176243,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65eb202f-5e1e-495e-90d5-c9246af314a4,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dfe81b6c-753e-4ec7-83e2-3bf1fd83effb,"4/16/2021, 9:26:14.742 AM",,,,,NTLM,, +\PAYROLL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48948200-d1e8-4774-a104-f9f42418bc7a,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\INTERN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e042367-28c7-4fd7-b246-218c6cb69e4b,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1cd941e2-a529-43c7-b097-ca491dc18a14,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\MYPC,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,14846944-5720-4ba8-8588-9d36bcb30110,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\SARA,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c557a717-1487-4fb1-bc80-18b8373c160c,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02633e0a-fd37-4fe0-a527-890ce48ba28c,"4/16/2021, 9:26:20.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6342ace-72e3-49dc-b056-f1681bbe904c,"4/16/2021, 9:26:20.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b99d5e92-7e7b-414a-93ae-a34213ca1a94,"4/16/2021, 
9:26:20.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4fa98d83-7e2e-4d6c-9434-0cf4001d915b,"4/16/2021, 9:26:20.428 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,120b295b-b141-4dc0-a98e-677b0ebf45c1,"4/16/2021, 9:26:20.428 AM",,,,,,, +\FTP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ca8ad36c-598c-4979-9559-60eb16c5cbac,"4/16/2021, 9:26:20.428 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89584742-a3b9-4584-a072-5df2ff23245d,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c31f67a2-57f3-4da4-a931-537b5544aff0,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b9e65c0-ca03-463c-a7ce-14f1e66bba19,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbe82b9-2b45-46a3-a263-a9768fa720cb,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c2b46dc-c413-42b2-96c1-e347294207e5,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cfd8cda-a77e-4613-95bc-456c84993a82,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36d2046-0499-4edb-bfa0-9927b1c6637b,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15e81491-05a3-4909-855d-8e2ec26f449e,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b454dd9d-9080-436b-9040-dacd87833fc7,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2418e56-616c-4f19-bcf8-8a78bc41a615,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4fec3df-c3c8-4bed-b022-2a914e4ef409,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d92e50-0b83-4525-805c-08000331f980,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bf7ff37-dd10-4830-b928-d66443c4cb12,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fb0c0c8-51e3-400c-ae19-e1a206398414,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbdee290-66b2-462d-8ab9-4613d5ea9870,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99fa7b4a-1b16-4825-8ea9-f36a2f102751,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd249d06-8df1-47b8-bfc5-615231e87846,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9b310aa-0a46-4662-ba98-837c91f65efa,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c4bfb08-fe7b-4c39-89bf-a14c6fcef41c,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5992ee-85ae-4ca2-ac52-f7d316733144,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cb42192-be4d-4378-b16b-9f0f3ecf89c6,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c782ebb0-8f37-4b98-9d2e-5de2da20595f,"4/16/2021, 9:26:18.167 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b5f52417-9ff9-4468-94b5-ecc1a63ccff2,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8f23617-3c60-4ce4-a3b3-5d0e345f5e3b,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1371b498-d211-45f1-a4b9-3cea924cbf0c,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + 
S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1462616-7bc7-43af-a824-9e9b6aa566e2,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,30ba4a7a-0d17-4854-8da0-cd68eccbd3bb,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b7be24c-b646-417b-941e-62c193e9e8f8,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d68d4232-c167-4fc9-809a-92b78ee838ed,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + 
%%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,87b69702-56c7-468c-bc09-653bb59276b4,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ce112dc3-4777-4486-b32d-4772f2386a2c,"4/16/2021, 9:26:24.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\AdvancedInstallers + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,167c3253-e12d-4765-8b68-9084fe750c83,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\AdvancedInstallers + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,1d370b77-ef10-4e2f-8d73-e27b0c3a3d94,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Bthprops + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an 
object.,0b31dee3-5401-43d7-802a-7c8aab820390,24de0c24-610c-4c24-8760-6b7c374ab263,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Bthprops + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3be45df3-da3d-4ea8-8b3e-644bab8ea6f5,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\en-US\Licenses + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8cb58344-2938-42f9-a52d-e993367d885e,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\en-US\Licenses + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e88a9b7c-fc50-4d66-80ba-9c193bfaf3f9,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\icsxml + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,b21a3f3f-5823-44cb-9cde-de49151c2b03,"4/16/2021, 9:26:24.068 AM","%%1538 
",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\icsxml + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,48e0ca9a-1fb8-41a7-a84e-efe4a060d891,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\RasToast + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,081ffbbc-fcad-4fe8-9f88-e9a53578f840,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\RasToast + 0x73c + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,0bdbcea1-a28a-4449-ab4c-a8a466ecb859,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,8e7966c0-4db6-4802-9419-fa3c500d0d36,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + 
VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,dea0e7f8-507d-489c-8ce3-1da4154fde05,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\SpeechUX + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,d8a7e12f-9054-43ee-87da-69990bbcbf2b,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech\SpeechUX + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,95cba4c5-dfa3-4222-a681-707ed8999fdd,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\Common + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,10a54d90-e674-4caf-ba46-5ec1cc46b93e,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\Common + 0x6c8 + 
%%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,3f35e70c-3ad7-48e2-8f75-43f20b1cfe6f,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,aaf8b242-2287-45f0-9935-cbd889394889,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12800,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Security + File + C:\Windows\SysWOW64\Speech_OneCore\VoiceActivation + 0x6c8 + %%1538 + 0x20000 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe + S:AI +",4663,4663 - An attempt was made to access an object.,0b31dee3-5401-43d7-802a-7c8aab820390,e58a54a5-b2b1-461b-bb34-2fadc1783383,"4/16/2021, 9:26:24.068 AM","%%1538 ",0x20000,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1195916c-0bd5-4f53-8b4f-b93c63f8c2a0,"4/16/2021, 9:26:24.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 
0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,426b2246-31ca-4f2b-8669-b0e709f759ed,"4/16/2021, 9:26:24.068 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0ab6794-9e60-47c4-b6c3-5a7b94b7f0ee,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74700258-0bb5-46cc-8bca-d02bbffa9411,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e08ee63b-f59f-42e5-bb9e-70f42afeda2a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9ffa91-242c-42b2-8f74-9a98ceefac93,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7ee3646-6d11-4d21-b56e-1f76820d7ed0,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f6b2d14-8a81-48f5-85af-f5a366406d51,"4/16/2021, 9:26:23.144 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a0ad63-b4af-4727-8a95-949d1358cb19,"4/16/2021, 9:26:23.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a6ac6c5-83b8-4238-a51b-8a2cb68f4375,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe245d8-e2dc-49f4-a3d9-d328db01a4f3,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d603ea-4451-4f62-8ad7-82ab9b6284ce,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26bcb6b9-4e7d-476d-8ff6-856566aa627b,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6156 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5f5f1e-f1e1-4aa6-b884-10f5307de17d,"4/16/2021, 9:26:23.144 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,73d8e674-33fe-48e8-9004-becd8d088b55,"4/16/2021, 9:26:23.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76438a34-11c1-490d-b456-52d37653496f,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c9e9e9-2a65-4429-8887-e25e5498bf40,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16fcbebb-08cf-4d63-bd4d-db14af31c009,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,635858b2-1f88-4aa9-a21c-c39d50cb7a4b,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff2046e-1b44-419e-a70f-1338e073b4fc,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a67197-7615-4362-9092-f7effa12b38a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82505cbb-035d-4a3f-90e1-be239d683b4a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f9da335-1134-4b69-9011-2af94a6df2bd,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5751f2a4-cd42-4b13-801c-b54780eedeb7,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9192404e-b13e-4435-a8b1-eb436708d70a,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c783b597-8add-4be3-8599-5d6163099bd1,"4/16/2021, 9:26:23.144 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6c75e7e-8d14-42c1-a6b1-dc5e211ee536,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90159251-d2d0-47e9-96f8-7bbee023d9cd,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccdbbc00-bcc4-4f69-8caa-eca6e1887c0c,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cae78b96-29d7-4db8-a950-9b79c1d7793e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0b0a78-46dc-489e-8f87-f3bdbce0d4c2,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b9f8717-2c63-44fb-ad0d-060d2a30b78e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d836261-d208-4b2e-804e-899c2378b2a0,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,369a39e4-b83c-4303-b280-dbb9ff354dde,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cadfc15a-04c9-4b86-b8ae-118a68085f23,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f41c65d3-9b87-433a-a700-baba68236bfa,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ae1694f-138e-456d-92ac-8388e6e700c8,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fbeebb0-feaf-4d99-82ef-c3e663819c01,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33c84835-307f-4c1f-8a06-676d206066c4,"4/16/2021, 9:26:27.761 
AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b771b23-05a2-4cdb-af30-58c2b44bd018,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50378dda-bdf6-4f27-a75e-b3cdc6ff1ea9,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60c138d9-827c-4301-ab28-c9003c534a68,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\TECH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3604e157-01e6-4374-b641-f9bf20d86a45,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62963cc1-b1eb-4f30-a2e9-85b54c9a56fa,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f511115f-8eaf-4d2e-890a-7436e6ed010b,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b378e552-ebda-4f3c-9526-53c19922832f,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d588936-9c4f-4a7d-9329-fff8ff0669d4,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e8d280-3586-4d46-bb13-caa6db9c1ded,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c3485fb-d5bf-4e43-ade4-7e5ec0e49b9e,"4/16/2021, 9:26:27.761 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Access Control Assistance Operators + Builtin + S-1-5-32-579 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,62c06b43-a249-4332-85ff-0828f9bf0d21,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,424fbff5-f93d-42fa-b9d9-e857cb6f329e,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,f05853ee-8cf6-4f46-a753-89e31b64bade,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Cryptographic Operators + Builtin + S-1-5-32-569 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group 
membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,70a43e17-c9b6-4405-973e-028f9742814c,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Device Owners + Builtin + S-1-5-32-583 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,ee675371-cd82-4aec-a225-23708d331ca6,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Distributed COM Users + Builtin + S-1-5-32-562 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,a6e9b44b-7a55-40ba-9dcc-be2bf234ea0c,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Event Log Readers + Builtin + S-1-5-32-573 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,f1ad2a48-c023-4fd6-bbfb-edbc0e75aa04,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Guests + Builtin + S-1-5-32-546 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,722de269-3de4-4d87-9abe-fde0c9f77897,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Hyper-V Administrators + Builtin + 
S-1-5-32-578 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,cbc13d69-05ec-4524-ac79-b21431350467,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + IIS_IUSRS + Builtin + S-1-5-32-568 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,915beb9a-dd69-4e72-9bef-62dbbd3d4958,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Network Configuration Operators + Builtin + S-1-5-32-556 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d9c9b309-2878-44f7-9066-747a0baa75ba,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Performance Log Users + Builtin + S-1-5-32-559 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,7d68c10b-626e-48a4-96d6-78930fce9c6b,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Performance Monitor Users + Builtin + S-1-5-32-558 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was 
enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d614edd1-cc55-4cbe-9b59-f9e9ece5619a,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Power Users + Builtin + S-1-5-32-547 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,aa5cac83-e307-405d-abff-5d728ce85942,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d255d0c2-fb45-4bd9-b695-0739afe0f160,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Management Users + Builtin + S-1-5-32-580 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,73abc14b-5d16-4b36-a6b8-90e2a925dfb5,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Replicator + Builtin + S-1-5-32-552 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,a5bde225-4e28-487f-9f05-d980e5e814ba,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + System Managed Accounts Group + Builtin + 
S-1-5-32-581 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,8a1a6eea-5c84-427a-bdf5-aa4e69d35794,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Users + Builtin + S-1-5-32-545 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,80632f6a-11f8-4726-af2d-9e387632c9fa,"4/16/2021, 9:26:30.076 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,442a230f-280f-4cc4-969c-a77289740ee9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b5d440b6-732e-4c7f-ab6a-50444506873b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a1f678ce-fd14-4be1-81ee-fc9250dfb29b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,768939a1-3221-41ed-ad90-7d79257d825a,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5d01bfcc-b1a2-4246-a303-91c76d74df6a,"4/16/2021, 9:26:30.076 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c37c72f7-b4bb-4d10-8437-a19f22bc2745,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c6df9076-b740-43ff-aa4a-515af534f4a9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4c45c249-5321-4428-b8bf-669de3a22e2f,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,44d48648-2824-4d3b-93a0-64c3d32a7421,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6c6f3410-33da-4632-b8bf-760dcc1e419f,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fd94a196-1001-449d-b706-9b7d564399e2,"4/16/2021, 9:26:30.076 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,ebe67b85-8212-46a4-a86f-f8420466681d,"4/16/2021, 9:26:30.076 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ee06d0b2-6624-42ba-8a9e-9b9af25eeb37,"4/16/2021, 9:26:30.076 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3c2dcf83-5ee6-4425-afa6-d7ede4e9169e,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:(token):name=02dfmnqdobgphxye;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,5dfe2cd4-1787-4d0e-a945-7d41382607fc,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:(cert):name=02dfmnqdobgphxye;serviceuri=* + 0 + 0 + %%8100 + 3221226021 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,bb26acdc-9cf1-4ce4-a6f0-6b54e573198b,"4/16/2021, 9:26:30.076 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + WindowsLive:target=virtualapp/didlogical + 0 + 1 + %%8100 + 0 + 2021-04-16T09:26:27.967223400Z + 31032 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,b92f471a-52af-4081-bd9d-c277b4484cb5,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\Flighting\OneSettings\RefreshCache + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\wosc.dll,-602)</Source> <Author>$(@%systemroot%\system32\wosc.dll,-601)</Author> <Description>$(@%systemroot%\system32\wosc.dll,-603)</Description> <URI>\Microsoft\Windows\Flighting\OneSettings\RefreshCache</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;AU)</SecurityDescriptor> 
</RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT273M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2021-04-16T09:56:28.049Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1H</RandomDelay> </TimeTrigger> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7538BCA33A019502</StateName> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT5M</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <ComHandler> <ClassId>{E07647F7-AED2-48D9-9720-939BC24A8A3C}</ClassId> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,b24ffa38-18a6-40c6-af2f-8a5cd5f719b1,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,43160724-a2a4-4268-be3f-41f561a510f6,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cbe6edd7-5ac8-48ba-95b0-046493b8f4f9,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,34c9ff85-d8e9-4fd9-a281-801ff5c0e9fe,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2f355c70-eaed-49fc-a6a7-611beebadb0b,"4/16/2021, 9:26:30.076 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,968186d3-f048-47b9-b926-6a6bcf5281c2,"4/16/2021, 9:26:30.076 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e26cd317-994d-4624-931e-5233d7249ce3,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a4147db-b181-4e95-91e7-1b7c217f001b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae44bcc-691b-487e-8719-eb6bd2e112f5,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869efce3-2f4f-4aa8-a6b4-d613101e1eb4,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba4d3625-242a-4aab-a9df-276ea988575e,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e91f9488-93e5-46c4-b31e-b6956fcfa77b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4571e02a-060f-47e1-8584-a7aa01a147e2,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0fcc537-6263-417b-911d-3379ddecba83,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9269dbb0-be86-4465-9876-30a9a841cfea,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199b7d7d-8b24-473c-a493-778982169797,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0e78e1-94f9-44a3-b308-9723f361b20b,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e460e36-b6f2-4f36-9459-8196d8bc93da,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897318c8-697e-4ad2-ad8d-103043c89fb9,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b6a174-f026-4a1e-b2e2-475dc7ed5636,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a69cb96-bfdb-4a40-91ff-6127b344fb62,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00a75128-958c-4c94-b2ec-c93bc45b19bf,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03e11532-5cf7-47b1-87b5-79185636591c,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d4c0c2-e49d-4d4c-85cc-172a3d51f6a0,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d431c0a-beea-4c2c-b96f-da4d313f26b8,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53b7506d-7a79-4342-8ae5-f6818e5aac58,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df60341-3c82-483d-9708-11b36d7e198f,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,549c8ac7-8a3a-46a5-a01f-ba7e5b9affae,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66888e8f-1116-43c0-a919-da9c63281419,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,571bd420-4bc1-4b9a-8243-d5b593ed0c68,"4/16/2021, 9:26:30.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c80328f-de99-477a-8ca6-10ce13487cde,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,b436c9c1-f6f5-41c5-8637-34a07533cca1,"4/16/2021, 9:26:37.133 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8adde17-966f-482b-941d-6998af298c4b,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbd3f54a-a634-497d-a888-3df77a80a477,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b45f06f9-36a7-4481-ae79-4ce84348f80b,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,483d510d-bde0-4079-be20-0f97b255eeab,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d68367eb-e7c4-452c-ba05-36dcd6f175e4,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05780e0d-8e12-469a-9a50-227844dfb4a8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30d82aed-fa76-4aae-a1d1-3d5770b1e326,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9977bf3f-a21a-459d-b9fb-33f424fa074e,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f95c418e-efb0-48a3-b741-6c842518a721,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f161ad38-be6e-4682-9576-ebf22adbe3ea,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aba157c7-3d62-4086-bd49-d369dd74eff0,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95f42d9c-4271-438c-9a60-1c694565354e,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8436e4b9-8040-47f2-aa2c-076da61911d2,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a97633-6bc8-482d-bb0e-75d3e9497f77,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56921cb1-d5e3-455f-af57-11284209ec40,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab72eca-f1c0-4fa5-bc86-ff5e91312adb,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,342bf1e0-7f93-444f-a07e-452a4b870a58,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bbebd0-9b61-416a-9ccf-8cf918f428b8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59630c70-2613-482f-b047-9a0e15175e02,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5208b54-5b9b-4415-bdd9-6adfc8ec4ff8,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1e6c8a-36ca-45a3-8f69-e4e8009b1614,"4/16/2021, 9:26:37.133 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d004cfdc-355a-4f7a-9c9e-2058dd98281a,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebca6d2d-f42f-463a-89a3-5b20b9bc7a4d,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11753b20-2ece-42b5-b135-08ee675bebee,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bf7f9b-ce0b-40dc-9ac1-31c2f18f54dc,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,badffc56-940d-431d-9d21-986f18becbb1,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-HIVE\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bce80726-d840-4ba4-9e24-bdaae7c64cb5,"4/16/2021, 9:26:40.745 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5021e56c-9a97-4237-b918-5e44d6109e89,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31527faa-a36d-4f34-933f-47a04e78c9b3,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\Admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d776de5f-aa42-4344-bbd4-4ea7225feb3b,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2368495a-b1e0-4795-bdc0-bafaa347fdeb,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a86a928-fa27-4245-97a6-9ff7028fe00c,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,542f886a-2c60-476f-aa3b-b727c7af2320,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c83da1bd-2469-4627-903b-45101b82602a,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\ACCUEIL,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a6454c8-2f9f-4f17-a7e2-57be6e737666,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8385bf38-eccf-4419-89dc-1fb20e77e63d,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1c9d3ff-9ae1-49ae-a9b1-ff3f6e508bf9,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3437392-8d8f-4c79-a347-3138f2032b08,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d20631cf-f295-4620-806e-2c46eeb47098,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67a0bab1-a73e-45e4-a63e-eee621c8baec,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be9f07d0-04c8-4cce-9440-eef4968e9b98,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6c51eb5-3159-4099-ab20-a4fe3d2c192c,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7170ff8-05e1-4002-8e70-f8c848117da7,"4/16/2021, 9:26:40.745 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e439796f-26c3-43f0-80bb-3277dabb614f,"4/16/2021, 9:26:41.141 
AM",,,,,NTLM,, +\CRLSALESZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8a4220-a822-41d7-90dc-f391685f3fab,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b48894e-0c7d-482b-b6c0-971456ccafe3,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,99d3a93f-e6b4-46c5-ba54-847b246e7140,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff2b612a-ae0d-42a2-aa03-0ce024fef268,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,da5edb59-7d39-4f61-acbf-942299656f44,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b885fa-b171-41ce-880f-fa9566a3d586,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9f1de0e-a0c2-49e9-86c1-13d31b70c5c6,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0bf3044c-25d7-4e4c-bb7c-1e812cd323de,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e042fa-193a-451c-96d0-a6939d612113,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db62aeb-ee69-40d9-85c8-db94809cf51b,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,277d7367-7ef4-40f9-bc6d-c1c2c6086492,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ae7e2b-b64a-45a1-b26e-4a3a72f16593,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa96f20-e6aa-4e81-be06-8731ce35f815,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7732ff-e755-49ce-9731-af2e33a6092c,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,58ee85f7-3742-4c25-a6e9-4edfad790d3f,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d61492f-bffe-41f1-b5ad-e9444ea932a9,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,3536e18a-6d3a-44d1-97af-32cf11a6f94a,"4/16/2021, 
9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,223f2eb5-23a9-427c-84a4-4d6613b7f41e,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,85192978-ea5d-4bc2-aac5-3051203a6bf4,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6116f295-6b0b-4e2d-856f-7461f96a5094,"4/16/2021, 9:26:41.141 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,796c06c5-57a3-41f5-b202-72c15209fa8f,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a85637ec-c950-43ce-8920-a54d433da4a9,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ea501af-130f-4255-be68-317da61e2b25,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,da43f171-3c7e-4cbc-9ca5-8e3e4b96555d,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc6dff58-849a-4059-bacb-f4a39556e8b5,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,856434c5-4727-47e3-a31b-09d88c93b12d,"4/16/2021, 9:26:41.141 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e467b45-8cd2-4534-b85c-6d9c0644474a,"4/16/2021, 9:26:41.141 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beba7231-5261-4d93-9b3d-0e85abefaf28,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b236a65a-a14f-4456-96c1-91916b2014b7,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8688 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e575cf6-c0e6-40cf-97b2-8b9ee1216a60,"4/16/2021, 9:26:41.141 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c1249f-de45-46ba-8a5e-6b6acfaf4c8f,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b33d1efa-960e-4e3e-b6e3-0a994e712498,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b3f9a8-66a2-4045-af4c-7eb9fe75ddd9,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cff757-18e7-48d6-a31f-829f2fe0fd94,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9865a3c1-e942-4df2-b37a-b840276eb2ea,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b259a476-ca8f-4efd-9dcb-ab4a496b66a0,"4/16/2021, 9:26:41.141 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,86ce6717-a26c-40f5-b1ff-c2d5f873ee6e,"4/16/2021, 9:26:45.874 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9cd1b4da-f5a6-4a11-a504-819e1cedc19a,"4/16/2021, 9:26:45.874 AM","%%5649 ",0x2,-,-,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2e9654a-d919-4c3a-8eac-440c37e2082d,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f40e842-6688-44d0-94af-98a612c9ccf1,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ada161-6951-4610-b9e1-d5c77a3d0643,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ff5a91-2279-4554-845d-3b551ab4d26c,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be62472-f45f-44ca-a2e4-cdccec1c2f65,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03c0d285-5dfc-42ca-8099-457e11dca809,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74325cd5-4933-4eeb-8f05-2007e60566e2,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b15655-79bd-47ed-a9b5-6d7bca316bf5,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a126d541-25c8-4506-a36b-797709cbe162,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7413ed3-675f-4571-9593-e41f5ee44af3,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760a2984-d175-451c-ab9d-9e14cf07bafb,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb2fd33a-741b-4be4-8112-6cca4101a5bc,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9bb1504-7826-4129-848d-d05eb8e43265,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c942d0a0-2548-498a-b109-db2d3a14a423,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5199b902-ae33-4f10-b8f2-6cdcb98a7ba7,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db2f413c-930b-4f92-ba0b-58eacd406cb6,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6f23f51-7e7b-4447-a7d4-f2d9ac79833f,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4141c25-e85a-40c2-9cb2-d64561f07475,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c461c7c9-56af-4f74-9e75-386890fb7901,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c974c29-a3ea-4ffc-bcd7-2eeef72c5e54,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01031f70-63f5-4a9d-93d1-faaf4f2b605a,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0473ae2-d671-4014-9519-0d53f6cbdbad,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2268144-ebfa-4a93-a228-6e3c01df9883,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b7943df-2355-4753-a12a-13b539a2c2bd,"4/16/2021, 9:26:46.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eaabf254-897c-4d0f-9838-06d49fdfb1d4,"4/16/2021, 9:26:50.275 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11532 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14d0f88a-bab1-4fce-ab66-22271d1ab577,"4/16/2021, 9:26:50.275 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd0d9896-a3bd-4db5-a905-8d880d4fa1f4,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,64b08386-6f4c-4ec3-8a79-810f07f0503e,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2172 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a2f82a2e-a855-4e75-9bff-a7887e2669d0,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8c1a21a-35e9-4524-a679-6adb7d66f2c0,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 
0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,85db433f-7ba1-443b-81a4-0e60240e783e,"4/16/2021, 9:26:46.725 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1272 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1b6b2e48-e685-455f-9420-90952963d5d4,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dae3ac2d-8adc-4f49-bb4f-f7b4d2b2222d,"4/16/2021, 9:26:46.725 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af4ebfa1-b32c-46b6-85ce-cc1f0ce69e74,"4/16/2021, 9:26:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fd7caf0e-9bc3-47ce-aea2-25b7ee5978cf,"4/16/2021, 9:26:46.725 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a92aba75-1bb0-42ba-ad54-6fbc70d20e04,"4/16/2021, 9:26:46.725 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,471afeda-0fb8-44a0-a728-d3116d456f83,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6535fd4-c785-4281-9b84-1c87c0d631c1,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3639211c-8793-481a-a525-dd307725db4f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbac3c18-a600-457c-8750-c1aa46bdc176,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5ca63b3-8019-428b-bc69-7d01e8c1579a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ccd8a42-0ddd-4045-8edd-838df5540a54,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,053bd71a-9b06-478e-9ae4-20eb806d9c42,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c50cb1f7-cc9c-417a-a07c-65cda0f4f297,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,775e2f05-77e2-482a-a1de-5d819607698f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55693c70-50c8-42ea-b4ba-608017e2a8b2,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d227ebee-dde3-4b99-be52-59b37d297bb3,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,862fdb0d-a832-4334-b555-aab2b3d01888,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9789c003-7c1e-4a31-8a24-24bbf9e28d41,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4079f67-fc4a-4a75-8e54-599206145895,"4/16/2021, 9:26:54.134 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545058bc-1b17-4f7a-928e-ed15bc450d62,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65e607d4-4942-44b8-9fae-7640e379653a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,076d0824-4eb9-41d1-9cd0-9faf3525795b,"4/16/2021, 9:26:54.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e9b291-0a98-49cc-b0d8-a3c4c917490c,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,502286f4-35f8-47aa-92cc-ce6b45a4fe64,"4/16/2021, 9:26:54.134 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a0d15e0-bf32-4b32-91e9-c424edee167e,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5f98b7-7f40-4c01-bab1-010d100e69cd,"4/16/2021, 9:26:54.134 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfe08113-e530-4ce5-adf3-07b0668b0eae,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,181922ae-1056-4c75-bdc0-cffd303aa07f,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f532e13c-b5b3-4e2f-b279-98aa6f88e71a,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01013f9a-f515-4bca-8544-d0e4d33c26e1,"4/16/2021, 9:26:54.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e865c895-419b-4c40-9ded-f57e88a823bc,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b783e77-3c05-49db-b6c5-2ebf96dceb72,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d689f27-53fa-448b-9fa5-76f9bdb13430,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dadec441-659b-4073-b72e-02e4f6e25604,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d941f01-f80c-40b1-a017-a7ea15a7405b,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,816b4bb5-4e46-451d-87b5-52d857e941dc,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,081735dc-89df-4f14-a108-a71936bc10f7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d12ef10-06a0-4965-b3ac-fff211d785dd,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25e7481-4455-4068-aaa6-533fff37f0d5,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9878af16-cd48-48cc-b40b-fffe6b2cbc56,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91686493-3bf9-4a63-ad51-2f48b68aa318,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69b5c5ef-ffae-4859-b351-f21df06814ea,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89189c80-7f73-4526-aca9-6b84c7f9414f,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b0c0d15-e023-4179-9d5c-94e1c82dfab7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a6d8d7-1d65-44cd-bac5-68da33f86a0e,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55610779-7061-4adc-910e-0952975756b9,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d58f16-4f1d-46be-aaa4-8d657234d24f,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,937563cc-3b9f-450e-b719-5de65b1514b7,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a51727-d70c-4a32-82c9-0ca92647a708,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f67cfc-8bb1-4f16-bd34-372991316681,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0cf909-96be-45e5-a7cb-37aa4ada0ea9,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f82928f-83a4-4d42-bbff-58de96719c7c,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c00abc1-0229-44b4-914a-b13ac58f1919,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7e61e7d-b9f1-4610-8544-3f9f1acdbb14,"4/16/2021, 9:26:59.131 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f4660cd7-b460-4c9b-851b-0f474178e3f6,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1068 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2e880323-ccf3-4826-b48d-d31f15b63638,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11808 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ef2305c8-cf48-461a-a15f-17d72092ef73,"4/16/2021, 9:26:57.014 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 14648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,0f8a570a-09fd-4e7c-b01e-e746fc9ffc72,"4/16/2021, 9:26:57.014 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5612dee4-e925-440d-a02e-6ca34de3133f,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e5ff400-6028-45c6-837b-9f6017821333,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\STORES,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9f58e60c-a9f5-4639-adda-35e0f275da99,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\PAUL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c613a18-3167-4769-afbf-59fa56f35fcb,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,640000e1-f415-4c5d-9a2a-9eddfcaea4fe,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +\ACRONIS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1e8b94d-8317-40d4-a250-327e438c4224,"4/16/2021, 9:26:55.410 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,49293f44-2019-42c9-8351-e6eb777018f1,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-503 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe 
+",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,74a3a254-b8a9-417f-b450-0033c53c44cf,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-501 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,219dae01-dcaa-47c5-bbdb-53478714fe91,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,5eb739f1-809e-4753-b239-cd548b2cb4d7,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,450b40e7-ce81-4d6c-9ca3-ee9877f6df02,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-504 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6c8c + C:\Program Files\Qualys\QualysAgent\QualysAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,6cbeedf7-e183-4cf9-ae9b-fbdbbd62484f,"4/16/2021, 9:27:02.067 AM",,,,,,0x6c8c, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,515141d5-9ccb-4da6-96bd-cc21d54fde2b,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1302ef2-ccaa-425b-98d1-f8853e1d6752,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,976382a8-d6a3-46f7-b2ea-2d6d09291d7c,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d824b9ac-2784-4a5d-b318-3b0994edafb9,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98d110bb-1cb7-4aea-b60f-abc68ede21d0,"4/16/2021, 9:27:02.067 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,76b71857-4c5a-4fe6-9bf3-11e906605c51,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,8c6642ab-478d-49d4-a288-b9f9561b9c7f,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4fd886ef-bb15-441d-b768-0a29ae28667c,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d794eed-1afd-4602-b1fc-ef3234149f30,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,85cff5ed-ddda-4290-9a4b-3ae7c7f2977d,"4/16/2021, 9:27:02.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a178a715-d00c-4145-8e80-6b944c3c236b,"4/16/2021, 9:27:02.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:45:58Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> 
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,b9f4e47b-4850-4fd9-9edc-572f83909014,"4/16/2021, 9:27:02.067 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa0c1a5-35fb-4d07-a56f-919e3c676aac,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80138b1-8ad7-43b9-bd51-87f6ba6599ac,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f902075c-cab2-414c-9a9e-08768f164b24,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a2b8bd8-f00c-4c64-83f6-71bb361d724f,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9c5253-ec1f-42c5-8e0c-6a4e69f2bacc,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edb277e1-ca6e-45df-8a86-aea4429b4563,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa01c375-afda-4a9d-80a7-39fb469713ae,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,047aaafc-af2b-4018-90d4-f731e4bca361,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5fe36f8-2b63-4acc-a4de-eb709194bf5d,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc1a7b02-a122-433e-8a1a-05482426487e,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebcde6c9-c913-4734-9d35-6467d2f4b48f,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59464a4-6773-44a5-ae13-6a9dd26fc3a1,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29b3be02-f685-47d3-ac85-a1528320430a,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1318f570-a83a-41ec-b869-04b0e50a0b44,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e336d37f-5106-4b76-b369-7961cd8a02a5,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e933ea-bd94-44d6-99fb-a0eccb44d80b,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a34effe-759a-4fad-b225-543b33d835fd,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf0d0b05-3232-4884-a653-ebf34c743aed,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d97d58d0-9766-4f4a-91b2-69576b185210,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58e5cd4-07e4-4ada-8113-692e82b92ee0,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a30a33-5b64-4228-b5af-94d6ebeb46cb,"4/16/2021, 9:27:07.134 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,090c3422-f873-409e-9d03-f37c6aeb834c,"4/16/2021, 9:27:07.134 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,04793fa6-5689-4960-94cb-c5b81f707b0c,"4/16/2021, 9:27:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,58d2a3c2-49f2-4978-8197-818e659f91d2,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 896 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1af5b9ca-0dee-405b-930a-e086601062a7,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59a02917-9abb-4ae1-a774-0396b7b1275f,"4/16/2021, 9:27:09.880 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39be3b97-d998-42e5-867d-79472ab54999,"4/16/2021, 9:27:09.880 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7298bc45-d7b5-4e45-902d-6229e2a49862,"4/16/2021, 9:27:09.880 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 900 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,567a88f2-360c-485a-8f97-a91c9f4ff589,"4/16/2021, 9:27:09.880 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2545d831-4c94-4eef-8e52-c09b4badf5a7,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\AUDIT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdbff09-16b3-4f48-bc52-90c613ba3472,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, 
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,579bf353-6103-40e1-b070-e1dc0ed68cda,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d91b609-a03c-4964-8565-24af119d7daf,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e10a65d3-b1d5-4492-82af-6f43f6b34db1,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7e8e540-3486-483e-8f7b-689b93ebd201,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52c73408-33c2-4674-abd1-67a6fb91871c,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf6c262c-6565-4e89-80e8-c6f9316c0876,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4b178df-1370-4399-b2bf-c16e3c69020e,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83f83ffb-dc52-4a2a-8ca6-84af7288c19f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e0235d4-cc99-45a9-a91d-3b54dad30bb5,"4/16/2021, 9:27:10.810 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a31a3201-6e40-4e97-81e5-0d4a1e4a4d4c,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff245f4a-9b04-40d2-827a-d6903def938e,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8546d7d2-7a35-444a-901c-78ca4e11ca3a,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe84e4bc-cde1-44d9-a3a6-e26ba9bd241f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,596189e9-4a65-4cb4-93d6-e2a4503dde92,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de095390-1626-4bc2-8c67-7d6fef009e66,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b95267f-28e6-49b5-bec4-0385675c653f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37a74d9a-3a6b-4e6b-bf37-d83616d054ea,"4/16/2021, 
9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa4dc7ab-f66c-4098-ad56-51b716b07aff,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf157c34-d14e-472b-b2de-d9f582821986,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e04808d8-f1ab-4531-ad4c-69167a547e0d,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a02167a5-e991-41b1-a841-9b07ead8fab3,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ef9418c-6e32-4109-bd92-9be7695d3093,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c49832c-4b74-4efa-8933-a9c2d402ba7f,"4/16/2021, 9:27:10.810 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0835067d-b4a2-4b7a-aa72-e8cc44dcf52b,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75fb384b-ad8f-4314-855e-20495b011477,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a227853b-20cc-492f-9a15-1c701823f38d,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b6df3b-3cdb-46f9-91ad-bb87d76ecad1,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9138a719-2d06-4dda-8218-ef1d5556d20a,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,525bcc13-82ba-4a17-8ccd-65bc5aa0903a,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8938e6a3-a0aa-41e7-9065-d4cc6f416856,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9c43b3-2f70-4608-bcce-8d2a347dfcb3,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ddbc80-46cf-4c15-a196-437390e1bbdf,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20a35175-39fd-46cc-86e5-549522501151,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b2a8578-b1b4-4971-bb25-5aa8c994adcc,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2d4b90-374b-4b46-be91-afe92a6d9af3,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e4e4d3-9009-4286-92df-d610c18ffbc4,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86eea5a1-6138-4b0d-8692-8722d99dac97,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\SERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d86d185-df04-4d38-a83e-e2757ddbecd6,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,934c9d26-c55e-4b27-86ef-375f8fa9fa8b,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b823d8a-6a69-4c6c-8783-313d04627f44,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b889e39-9ce7-4d9b-992a-d2e4f60891fe,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dab7ce81-f53b-4db2-a3fc-cf14fb392abd,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f27d2f-ecc7-4557-a920-b4e08be2c2f5,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f2c22b-2f3c-43da-80c5-176107e7b294,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7fff850-afbf-4501-9a67-dbdb31e8515e,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bbe8ea-c359-4a1a-afa2-fe5826b36552,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da85ed73-f00b-437a-af01-e1997563226c,"4/16/2021, 9:27:15.136 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6b563ec-82b0-4a61-a7bb-f2a6835e976d,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\GUEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,caffdaf0-dcbd-4ea3-9cdd-7d52f9a4f3e9,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bae330f-1242-48a6-bf9b-4bf1f14f95f2,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\CARLOS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e42e49c8-8e85-4134-af12-413f171cbd0b,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1e3dbf26-febf-4f07-a154-403d207c2460,"4/16/2021, 9:27:26.421 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a3742c3-48e3-40fa-9942-87b4841c4ce2,"4/16/2021, 9:27:26.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b62999e7-2bff-4efd-b55e-652b0d735e2c,"4/16/2021, 9:27:26.421 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8076 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66bdd2ce-e691-4866-95af-5ee3fa77bbce,"4/16/2021, 9:27:26.421 AM",,,,,,, +\SECURITY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e4c5a791-1fb7-40e3-beea-d3ac60814823,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a766f25-4333-4847-9cf3-3de547bd59d8,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,83b62f90-7ada-41a8-957e-0aa5c4901062,"4/16/2021, 9:27:26.421 AM",,,,,,, +\PRODUCTION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2272509-5166-4fdc-9d00-2aa890614939,"4/16/2021, 9:27:26.421 AM",,,,,NTLM,, +NT AUTHORITY\NETWORK SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 1212 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + ABC5B9672ACC57A4AAF472FA028985FE6C0D545FA7EFAC34A313D1F3F8C360BD + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.17763.1879 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbc806a-4342-4112-b411-01d196cd3094,"4/16/2021, 9:27:27.142 
AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a39060-3938-4683-bde4-c551d8ce851c,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ff8eb72-4243-4960-8a8c-f41765b1e5b9,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f35cac-6915-4af3-a424-3e60e6b7d441,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,985e6347-4b65-4b7c-856d-4186550738ba,"4/16/2021, 9:27:27.142 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1ed9ce-55e0-4db4-8ed2-83557b6a8159,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a722822f-5b0d-4274-b575-5f066fdb8fdb,"4/16/2021, 9:27:27.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5928 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cf3388-508f-43ad-b6dc-98949de38ccc,"4/16/2021, 9:27:27.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8524 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe2ea0be-363b-47b3-9ac1-2deee948c2ca,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbad22e-2851-45a9-9027-d21202d4a047,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18e36272-6db6-4a70-b89d-adf59d9aea1b,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f46aa4b-3641-40a9-bcff-6b26c0f330c8,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d706f8-86e3-4976-861e-a9a7116fb259,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 832 + 22 + %SYSTEM32%\DLLHOST.EXE + 32 + 993991710080440F1678B9A877B554F7C7A21349A42D0173557E1B0A94A491FE + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\DLLHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\system32\DllHost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ee3b33e-01b4-475d-a2d7-065d5abd0d5d,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5461b5dc-4849-4252-b3b9-30c96fcdbc54,"4/16/2021, 9:27:27.142 AM",,,,,,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0c0dfc2-5700-41c2-823e-025e944b3946,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95760e97-1e01-46cd-b538-b617596981e7,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41eddcc7-9672-4955-8ff3-4bfa5f2d50dd,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a42ad835-18b2-468d-9ab0-21bab41fd11c,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28dab97f-8edf-46ad-a029-8f7b6571a74f,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a067ffb9-95db-4239-9ef4-17cc27b4bd16,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df848a52-c243-40c6-8088-f9435241660b,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,928d9372-6eee-4dff-9a3e-515e8b8d301d,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f0951f-1789-430e-82fa-2032ab4c0813,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5334ad45-26fd-4fc7-8b54-7cb99930c4a6,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b739078-e383-4d40-a61c-673558916ec7,"4/16/2021, 9:27:27.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64b553e9-6f1f-4d05-afd9-c6304532cb1d,"4/16/2021, 9:27:27.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39681b50-7da0-4c7f-a8a6-be166c167ac6,"4/16/2021, 9:27:27.142 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c49a894-59c0-47f6-ba43-64a9496794ff,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10348 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a9a5845c-5fbc-4369-8a31-9ccd18ddfd69,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3a0b4262-e429-4e58-91ae-e741d093f183,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3348 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6a3cf4b9-f13c-4ddf-a943-04b6b682df92,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c4b5851-0a45-48ca-ac77-ca2730326e68,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,77f7b488-638b-4404-a027-e67bb8ad4760,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10732 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + 
+",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1502637-a310-42fc-b350-cbebefebf06b,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9020 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,274eec34-56f9-4bcc-a591-3743d3ffd113,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33c23573-f940-46d2-ab96-e5b3fb38424c,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,4572ca05-9971-4109-9250-e17923eaad36,"4/16/2021, 9:27:34.758 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4076c0f-bc00-4825-be98-ab3f76e49466,"4/16/2021, 9:27:34.758 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,9e7c5d86-6e50-44a6-a4be-e698137a0492,"4/16/2021, 9:27:34.758 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b06e0f63-ae3e-4163-a686-e5a85d00ab85,"4/16/2021, 9:27:34.758 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d353116-87b1-453e-adc4-dfc868644e3c,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16021334-6fdf-4d5d-947b-75c64d2e4c42,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,836b8924-d53e-408b-8d0e-cf22635e94a3,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\MICHELLE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b93b1e6-4c6c-4360-9170-0c8e94f89bc7,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aab52fff-9ce1-47b4-ae25-cbeeac3b6e77,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee5c025d-1ae2-447d-91b0-1703f375e851,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ca2d8a6-f1ef-48b3-b94b-158f5230db25,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86f2bc-bea8-4303-9fec-c3311798dd52,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72d49ebb-fc2c-4d21-bf7f-fbc9d5897ff6,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf73bd6-b350-473c-ae77-478fa2cd5888,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83e45485-fb35-4f70-b622-1e65fd0c545f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8c9f209-fe0f-44fb-bcaf-a67ae4767803,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,748759be-7877-42b5-8348-144899fba9b0,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd51a5e9-e08e-4892-95b8-96f64905f8ca,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62ed0885-ba88-4ce9-a119-82dd215f3a9f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f03e09ce-6a97-4b69-a64c-90518a8cd463,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7ca6286-50ab-40f3-8b6a-541b8cc089a0,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5c0730e-d6bd-4447-a5b2-d7d57c88d56f,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f9ba6ba-1d0f-4511-bb85-22e51388067b,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e1feb65-0971-4a44-a37d-56f323af6cba,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59896017-35bf-4e32-9d75-acd7805d4676,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f95769a6-0212-41c9-b2b8-8cdce33bd1cf,"4/16/2021, 9:27:36.777 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78f92b8c-3ab2-4a4f-9b91-536c092da02a,"4/16/2021, 
9:27:36.777 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f214b628-e790-428d-99c0-da1ac9b55be9,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77354244-c138-46b9-9fb9-deab587785ca,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee577629-c94c-4ab0-b9c0-e80c38c293ee,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5d0ced76-c881-41d9-ad81-91fd503e4e54,"4/16/2021, 9:27:36.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,6b8b7378-37f0-4a8b-a5c7-58e0f7210a98,"4/16/2021, 9:27:36.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,80c85d42-6d06-4694-b7e7-31793df2661c,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,187e5d6d-cf46-4d30-8a55-0d07a5884855,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b95f556a-fb72-48f8-9ebc-d7ccaa9829dc,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf77e600-c192-4f6a-9e4c-9725e754fd1b,"4/16/2021, 9:27:36.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d6848088-c9d3-4e74-9df2-f5181082912b,"4/16/2021, 9:27:36.066 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2cb3fbb-4ec5-4e52-9d99-307a301974d1,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5ea7b3-7224-42f1-b4bf-8b9ca6f7a15a,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bbce6aa-7520-428a-9701-5510f3c4fdab,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb7c855-fa27-45ca-8c50-468c0aabade0,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfb0a22a-9c31-4661-bd21-7577247758a7,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,058fdead-d70a-42ea-9627-3e48a7498f3f,"4/16/2021, 9:27:39.150 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecca576e-720a-4a90-b301-d844305c3394,"4/16/2021, 9:27:39.150 AM",,,,,,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46f204aa-4df9-47cc-9748-b725fdfefd9c,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457e234d-7530-4c22-8f7a-848bb62238e9,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391aa057-9b1b-4f7e-bd85-7d6e948dafa2,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abdf062a-17ec-4e4d-93ec-ac5841e5d001,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1000 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5d9beb-b14c-46df-8270-43ad3af56b60,"4/16/2021, 9:27:39.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3684 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e97a0f-4377-437a-8db4-bc679046c603,"4/16/2021, 9:27:39.150 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf13011-e186-48e1-b1f9-56a3f13fd51b,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46a373af-96ce-41ff-85c9-eb3b56fd6f4e,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8f55999-159b-4592-9b4e-3f3a86304adc,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9862263a-c322-4a41-8543-b913e43fefad,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1b97e0-cc8c-4371-b70e-147ef4dc8bae,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99319f03-8bbd-422e-b0bc-1f407d3321bd,"4/16/2021, 9:27:39.150 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19feb4f8-2e39-4e61-8f67-810ec36e26ca,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d14739f0-0f6f-4eec-a58b-4d46ebed8074,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04721f38-49db-4d5d-b0f7-9ba6ea07aa53,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859f941b-286b-4626-a671-e53f2129f0c6,"4/16/2021, 9:27:39.150 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a7da13-acd7-4374-8fe7-ea099e813ec1,"4/16/2021, 9:27:45.877 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 328 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f2245d6f-6f68-4151-92be-3828e7f75d6d,"4/16/2021, 9:27:49.419 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,442fc6f0-f840-48bf-83cc-bb316c44f7cd,"4/16/2021, 9:27:49.419 AM",,,,,,, +\SHARE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17746167-e808-40cf-9c1b-c3582352f440,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af13a381-75e1-4b18-bd9a-66a2bd8b325a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aac27606-2288-4338-9ff3-ade0eb79c6ef,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6844cfc6-4aab-4eff-9029-e5699cee3a87,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f003683-7355-42af-b539-602d41b0780c,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a7a467d-47ee-4088-b070-e880908a50f9,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,529a9145-9f4d-4d05-ad8c-722229ebc5f9,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24363cf8-fb2d-4f0b-8961-197fcda5c2a2,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2408a4a5-a218-4167-a98b-d9f42cbc034d,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d40ca508-742e-419d-8435-537116f50084,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dde96bb7-3994-4c30-b752-4299cddb77b4,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\WINNER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c79cc8-abdd-47ce-a590-ef120d37103a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\BOSS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b399ab82-9aeb-4f76-841e-d9170a5464a1,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\WAREHOUSE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,759ebcb9-3111-4732-880a-a71d3ab9f18c,"4/16/2021, 9:27:49.781 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d7dce81-a1b4-4994-96c3-653d510373ca,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\LAB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca82d05f-70b3-43a0-8e90-edc2d644d688,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83fbdacc-11bd-48e6-852d-62037ea0dd63,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b4fce881-4d3f-455e-9983-f96d9fa3bde4,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39ab01a6-8371-48f2-ac6b-dfd6110dfbcc,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\FAX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,407fed53-bda7-4a2a-aad9-27d0f47413be,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,434918ff-517e-44e0-8313-27c44d160e40,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aea1a2ee-5993-4cb4-8c5e-0721e26a969a,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c954f81a-74e1-4d55-ad3c-c9258ba492d1,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83a44e38-7dc6-44a6-baf5-08ed79436481,"4/16/2021, 9:27:49.781 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,520a4add-3150-468c-9a6d-ad74c8209e94,"4/16/2021, 9:27:52.726 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8860fafd-21ea-4cdb-83ff-2cb7f384046a,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,abf64813-9a83-4339-93e5-850b11e21358,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 6256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1c86c963-d932-419f-a03c-372b1577cb10,"4/16/2021, 9:27:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d4f1a8a-d2f2-408f-b0b9-a8b7b11eb094,"4/16/2021, 9:27:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6db73add-78b8-4038-b59e-30306dc81e08,"4/16/2021, 9:27:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13552 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7fa394b6-8302-40b0-a9a5-8f726652dd43,"4/16/2021, 9:27:57.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10500 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,318dd615-8735-45a4-95f3-d72cba0c3da1,"4/16/2021, 9:27:57.009 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,86523d73-5ecb-4b5c-bf7b-9fb51c4e63d9,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0838964c-1e74-4078-b023-17156bed3dac,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\USER03,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd383c01-2917-4741-a346-ca728fb9460b,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc44c955-eb7a-4cfc-af78-9d8837bd198d,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\C,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e9eca0b-b852-4116-b45c-bc710ed6410c,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ad5cf35d-2965-4544-907f-e842b46a1516,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,961e4950-2f3a-43c2-97aa-1fcd8e3ed5c2,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\PETER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,517155d2-986e-4118-a926-7bef6319e432,"4/16/2021, 9:27:59.412 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d09706d7-0f18-428b-bf7c-4b4484781416,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9deab43f-9b17-4e6c-a232-f36646e5123e,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02078c2c-c167-49fb-b123-5df09f305bc4,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bff4342c-7e25-4b29-836e-6108370f047b,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aea3557e-16d4-4c8b-ba6d-9a7027bf4b89,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31ef0c78-ab49-461f-9eb7-d0ec6fff7db6,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c00f098e-8a89-4517-a2de-6c94f6d986f5,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8528328-2c38-426b-9d72-7e3dafe6a0d3,"4/16/2021, 9:28:03.747 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7335b6-7a4c-49fd-8853-9f4d95653f82,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9629d791-ca0e-47f3-8aab-a3906ef9061c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48afb5a9-27b8-4dd4-9387-d286c689c9a6,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c88603bf-9941-4c1f-a738-5f3c8c13f493,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ac872e1-bf8f-4136-a73f-ee1233819539,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6e583a5-dbcf-4685-ae56-a8fc34454f27,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ANDREA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a83d9621-a99b-4c73-a9ce-b0ba0964695c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afed63fd-3641-4ee6-be7c-537c01d170b4,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fd9005b-4691-44a3-9eac-5e5fd8db5d5a,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6516450-7d8e-400c-b3c2-3b93be24d14a,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e066e23d-e6b2-4811-988d-b50e2f743ad5,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72360e99-e3c9-4d97-85ad-bb1da2cad171,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae67e237-4658-4b62-86dd-91aec6ca10aa,"4/16/2021, 9:28:03.747 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97ee901f-2880-4157-869b-c0a536bfcc7c,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8c7a560-79f7-4e41-a8f2-faf236b18313,"4/16/2021, 9:28:03.747 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1be7f20d-4422-4d0b-8504-18d2f2a83002,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89dddf68-7464-4fb0-ba70-e9fb9e7ccf92,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5f3d3cb-0a71-4eae-9f8d-279a8b15b106,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2878c7c-b371-422a-a699-c085a02f2a4b,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4badf9fc-f365-4137-8dfc-58cc121df41e,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8138ef2-49a6-43a3-b97d-ef7a85d5a536,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12a244c6-11b0-4fa4-ad9d-13239b262406,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd10d079-4d57-412b-9e63-223d512b98c7,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3bdbbf4-bb0a-44d1-8f9d-d9f5f81e66d5,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe1ef143-5617-4d3d-91f8-350432f32f29,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f006e9-244a-4bb2-b3e6-1afed38d251d,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,890e21c0-766e-4232-933b-59033b010c27,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f810d609-d844-42c6-8685-4aa87a9fc459,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35aec125-6bf4-490d-87bd-1cd10398fd81,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83b85518-d08a-42f7-ae79-09c029c3694b,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142e0718-7d4b-4039-ae64-83266ce806d5,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee483de-5fba-497f-a486-263eae14026a,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e97688a-598a-4e58-9f25-30a406574033,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8719b2dd-8b69-401c-8690-9a8a9336b317,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b4ca57-af03-4cfa-9db4-1f27b41c553c,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc64f52e-a5ed-4ee5-9edd-f5a5a6bea86e,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de468c1a-83c1-4675-b96b-910d167123e6,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77cf56fe-a313-483b-acc9-65b5aac6c1dc,"4/16/2021, 9:28:04.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfdf13af-c8de-4d2b-826a-62766698ee5c,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,533c3bb0-e52f-48f0-b66a-cace00223bc9,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c250207-e42d-485f-8d39-0556f662ba89,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03689196-1593-420e-bcae-bd26d3a6d06f,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9a43d54-d2b3-4ca3-a995-337720523361,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62053ae-47d9-44aa-b2e8-edd052638934,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9dc3b3-91d3-41c5-96f1-1fd3698d548d,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa6b7a5-390d-401a-b8c0-158ede1fcc20,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65596a28-2d63-47a4-8140-94ece5bf469f,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f74b9f-9565-423b-95ac-947a68eda6c8,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\OVM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e03de3-9828-4ff2-a16f-bcc0f2de1153,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b836378-8491-4d03-a3f9-3b4af662bd13,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccfb7c67-e2a7-4dfc-bc92-ab2416e0ad18,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f73736-8e30-4cc1-b023-ba21c93065d5,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d26d46d-699b-44f8-802b-3c7dd4e6ad68,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78c1732c-23fa-40b0-9011-d0ab3393b3c6,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67406a46-14e2-4194-904d-e4a87b23a3d0,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2ed3f9-e7fd-4807-ac48-5bbd5dfff64e,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f93e3b7-3354-4917-a68a-08ae8c484f95,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36d001e-e78c-47b8-a7cd-b7bec6027f31,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cad2d00-a4e3-44dc-bae7-5df3c471e3e8,"4/16/2021, 9:28:12.160 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3bf6dce-6105-4e71-a1ec-d98c6f6a09cc,"4/16/2021, 9:28:12.160 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,969f7878-2b48-4607-8187-05de6dbf525d,"4/16/2021, 9:28:12.160 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f27859-f8d2-4b5b-9b0f-e3d63ffc5c63,"4/16/2021, 9:28:12.160 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4031304c-9050-4daa-9d95-8de247740277,"4/16/2021, 9:28:12.160 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5836 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,661114db-e29a-4637-843e-7dace0ca89a3,"4/16/2021, 9:28:12.160 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8264 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2e17dd5-197c-45b5-a883-64b748fd66c7,"4/16/2021, 9:28:12.160 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,aa0f4f18-ccfc-4f40-a05e-4bfd4f355db2,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c6effcc6-e1d4-40f6-a112-0a877902f758,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,257c8a5c-ca33-4bc2-9a82-f5f29ba190c4,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4598f0a-e04b-4851-96cc-d3abce52847f,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,709d2929-0dff-4022-be8c-61cbd7a5e77d,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7fbf77f6-39eb-40be-8049-0cf6982afc6d,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0d473191-9d7e-44a5-91b3-cadf4040201f,"4/16/2021, 
9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,024c4cdb-f034-41e7-8dd8-ea877cdcba25,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b8a991b8-a824-4da8-adb7-ec0dc9147893,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ecd370a5-292e-4d5e-bd6e-d2ea58adc951,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc522bcf-e026-4ced-b39a-8a5e9a336c63,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,adb5b26f-b353-4fb0-8e68-d5a86b923d4e,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a1552598-d16a-45bc-a023-713224f3d72b,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e5f6e0ef-67f2-4e80-962b-ecc45a946f8a,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,97c1f80d-4b43-4de1-9017-f7887035c7ed,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cf9858af-5842-4040-ab83-3f9eae9aeef7,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,08346b80-c4a5-468e-878b-6733e54db7c9,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a3474f57-0281-4a3d-8ec3-64dd928d6522,"4/16/2021, 9:28:09.891 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f1a966a-64a9-4516-9c61-30e853a871d0,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4a1ba841-acd9-451c-a784-f28ff879e7e6,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f0a872f-c127-4dee-bef2-75091af1e8ea,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b0b307bd-e581-4088-b0cf-b7fcfa279c90,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,29db87b9-f698-4f50-8ea1-e72d77fd9936,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ecf3a7ab-21e9-4c38-a32e-5d44bd2a22a2,"4/16/2021, 9:28:09.891 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,55575737-1592-47d9-bc32-90737da88070,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6a30ef1-2838-4687-9a80-99fb7c94c532,"4/16/2021, 9:28:09.891 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2a9421c1-c785-4e68-a996-fd80807df6e5,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6aa1bec-f1d8-457a-9277-3b5a8c04a7c6,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6eefcde5-2aa5-4307-b0f8-3528f0a23af5,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7c4505bb-6147-4d17-8609-b05d068e6aa5,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12080 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e07a43d1-3a6c-430e-b496-c74fd30562df,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2892 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ea0b225a-094d-4984-bc96-57881dab17e8,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6944 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,253aef35-7a3d-40b5-b90e-7accd961122f,"4/16/2021, 9:28:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + 
S-1-5-18 + 5012 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fc9cc09c-de45-49b9-bc01-7de9bf6e732a,"4/16/2021, 9:28:09.891 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f3c7a5eb-6e55-4ff6-910b-565fbb159d45,"4/16/2021, 9:28:09.891 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ba934052-99fd-4865-8cb6-e493f0d8f7b8,"4/16/2021, 9:28:08.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,cfa7752e-4e07-4df0-b428-80f70a2f28da,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5a0f63f6-257d-441b-a837-898e0fcb3fe2,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + 
RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3b2680c8-eb89-4520-acbf-b0b5b4426b08,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,89757c25-36ca-4b36-a233-a5ec2bdfd393,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5bd3aad4-ed80-4d3c-aa04-7c4048e25539,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89793512-0e26-4c47-b5dd-57444ed5e68b,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,31e2626b-ff03-4d3c-afd7-aefa7ff22e25,"4/16/2021, 9:28:08.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04ae90a2-87b7-4408-b366-a330a9092209,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eaccc941-3f0e-4c3e-9667-3058fc9ef977,"4/16/2021, 9:28:08.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13bf56cd-1e3e-4b14-af8f-5d0df7642afe,"4/16/2021, 9:28:08.062 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1792ccba-4486-4706-9de5-8138f961421a,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ba6a21e-8f61-422f-a7bd-8c43d8b3c10f,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84b0f44e-ae75-4342-9c77-cdf6c535db8e,"4/16/2021, 9:28:17.141 
AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f71ef5b-63bc-42d3-829b-1841024b58c0,"4/16/2021, 9:28:17.141 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85924e58-7800-45d6-ad96-d7a14bdc48c3,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e25a97-c5ee-4f2f-b2ba-d25ea0557d35,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38d2b8ce-c4cc-4c10-9412-9eee3c56e7db,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4400 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f235a9-5a02-4003-aea9-346e31018d08,"4/16/2021, 9:28:17.141 AM",,,,,,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61759a51-83aa-41a6-8370-c4200310b71d,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,189f2b04-e709-48de-bca9-9568625c86fb,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b4e78c-f322-46d2-bb5f-d965aef2df35,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7bc07d9-09c4-440c-8f66-d674c5c61d56,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74cbaedf-f48e-47a4-85c5-d0f6d595d69c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61b86620-c4fb-4716-9923-6544b012b0cb,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e4579d-fd71-4233-9ec1-3937da259d10,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7359547-9627-42d4-8c70-e7209ab53ac2,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16c00b89-9c8d-4480-86f5-ded337d8f97c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c32eb30d-0eb5-4c75-ae67-f92bb1fbfb07,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80d8c76-7530-4e64-91b3-6b944804ad68,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7302ff9f-d988-4ad4-b1e6-d08e634f645c,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5f53bc-4a4a-4804-813a-dc5d57716afe,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e011bb3-b3e2-4237-adad-39fc074e24a7,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5bcbe26-96ec-41ba-9f7d-f85126d0b35e,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6bc5975-e5fe-4adb-a869-a36ffdefa507,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed0e28a-1149-4ef9-a7f5-754562b17c18,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a76ce7df-d656-468b-8bc4-0bf490f44853,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27c8639c-fcc5-4732-b779-f1371c0059be,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81850e49-e413-4018-bc27-6d74fe75a554,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00041360-1356-42ea-bd14-d8d39956a9f9,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7a88c5-324b-46f2-a4d6-7357928cea36,"4/16/2021, 9:28:17.141 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9179b7df-8227-42d4-857c-b87bfb7246ec,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12ccd1d-270b-42ef-bb4a-84692edc3ad0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9623a45b-090c-41e4-b06f-b33f53b53ccf,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d65ada37-7094-46e0-bcdf-d9d3fae9a4e0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f04562-c39a-4ade-8452-f85403101a73,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6b2689-4b77-4daf-92a1-ee441845c71f,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b429bb35-38cb-4c28-b703-d024318625e0,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,155341f4-e533-41b2-8a4a-3562bc20d00f,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93513f4e-f32a-4134-8e39-7f5659baeb54,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b09cddc-4226-4488-9386-61a0a13bc472,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8e981fd-d3b6-41fe-ad32-e53a0c8ac526,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,489664b8-a17e-4fb7-8fab-b16093c1dfc5,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd552256-dd4d-466c-8843-4b878256f922,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,292a228a-64fa-431e-af2c-d4c7b0bcb264,"4/16/2021, 9:28:22.189 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4675661d-c565-4138-a6ed-d9c6ae2d8219,"4/16/2021, 9:28:22.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5728 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,637da719-c342-4397-bd6c-e722a7200a50,"4/16/2021, 9:28:22.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,38f7163c-1c07-40c6-96ac-4a6778e5dc36,"4/16/2021, 9:28:22.189 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da6d66cf-f784-4176-a05e-5ce10c5a7bdc,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294c28db-8b44-4111-807e-bece51f6281c,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,261af535-5f57-4f29-b04e-7975d6d5cb5c,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e731b4d-2048-4304-8f6b-b1194d167212,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a29af5c-7338-4b18-bde7-93e1c717a6cd,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a4d20a7-b594-4620-b7b2-0ed0530d9046,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b66deb-7312-46a9-a76b-8c769602548e,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,211fc451-dd13-4d70-b229-63c4d5e8c081,"4/16/2021, 9:28:22.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6cd5085-b8ed-4501-8ef6-614d87c4304e,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16f3fa65-37c4-4e7b-8d1c-4f2c9971a48f,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd5245f5-0404-4430-8de9-a98e4aa434f7,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c5d9b1-2c88-4b9d-ac4c-dac8306108e9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3529636c-6032-4f06-a54a-08a525a1d4e9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62516305-b8aa-4311-9d50-59c053d9aaca,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82e6bbb-6e0b-41dd-b7f6-40d7e4f3882e,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,848363f8-4ee2-466e-b765-d479f836cc93,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cabcad59-1b11-4518-b4af-01e3e8299eab,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f963399-a862-4769-8ebb-be9bcacf25fc,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b773a03f-9cab-4d50-b8e5-5c22f0593465,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62bb4ff-3f4b-409f-8721-197abd38d4ad,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac4b85a-8123-41fe-94c2-16da5984d14c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67eb563a-70df-4531-aaf9-7209058d86e1,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd6ddadc-01a1-4135-97f7-913d1b19468c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c875c09-b431-436f-b3cd-b0a3e6fda9db,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97b3e31-07be-4b03-8eb4-1a6692e00e6c,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f767014b-8326-4a2d-8972-82cf6fecf072,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac524045-33f0-404f-a067-9a60e6aa23a9,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0605b8b3-e643-4bed-a8b3-8ee3b7271467,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,17c7e945-e19a-49e7-bc3e-869ab2cca41a,"4/16/2021, 9:28:33.140 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62684d56-b399-4e08-9980-7467ae3fe69d,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0430c0f-be93-4ee1-8455-9ae44bf68d37,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2412035c-2f9a-4011-9cc3-f40a00bc42a2,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a14a425-75b8-4bc2-8d4b-5e38d1e1c7c0,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ce45134-b095-4c82-83c7-416111fb6ebd,"4/16/2021, 9:28:33.140 AM",,,,,NTLM,, +\VISITOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfc83c3d-b3e5-4f86-a721-75d50a6e0adc,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f8986d2e-924d-4605-ac62-3733a8ea759c,"4/16/2021, 9:28:34.405 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,52b54ad9-8efc-4a53-8874-69ee6a48cfb2,"4/16/2021, 9:28:34.405 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT 
® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2ab62f99-da55-479f-bd4f-55c5ba6a4fca,"4/16/2021, 9:28:34.405 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5e4d003b-2d51-4bb1-ade7-84f4faa00c01,"4/16/2021, 9:28:34.405 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e56487fd-a5d5-4fd8-b0bc-1942544300de,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\USER10,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01054f10-fe97-496d-9944-60d5d8635917,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc22eb1d-6e8a-4783-807c-30224237b6b5,"4/16/2021, 9:28:34.405 AM",,,,,,, +\T1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,66ae664e-3f87-41fb-bed4-c4bcba5f702f,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, 
+\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e7847c91-2beb-442b-b98b-db2a6bd747c2,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\LIBRARY,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,814c576b-b60e-4594-a0f8-4d7a2d1dcdfc,"4/16/2021, 9:28:34.405 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c212b8b-e7b5-475b-9770-91c606c3b23a,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb8345b-1cf4-4ce9-a83e-9e9d60ff22fb,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2cb85dc-8ae6-4407-ba54-45663a59cd03,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abcd5c40-43ef-4d5b-9ab5-f4b5b61ec4e9,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9483409-6489-4b0b-b368-afe726bdb872,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c22a6ae-d046-4f87-834b-c781578b269c,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4488c520-c149-4506-bcca-45d9b5235d43,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faecba70-86e5-458a-829d-7ed8f179647b,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b612701-5e52-41cc-9be2-a65dcf2e1534,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5bc99b-a390-4416-a272-c03e61a44053,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea61dbf9-f96d-4648-ba14-2f8eaaa91cf4,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d46159be-7d13-4d2e-a81d-9655989f561e,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d63a9276-737b-40bd-9489-93d8bab213f7,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fb95e68-2585-46c3-83aa-68a61b9b563a,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a25bdab-db10-433d-be51-945be2f638e0,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,297d94ac-a31d-4271-903d-3368ce14e095,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8d789f0-40a0-4b60-9f70-d50c22cdeaef,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7dce92-0762-480e-8c23-faeb2bb641f8,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14add4b6-a4ac-4020-9687-db2bf501cf53,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c6e772e-a98a-44b0-92b2-50ea7c125fc9,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a790332-5f18-4e3d-aaf4-74e076c5f67b,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e03cd0ac-22d9-4d8a-b9b9-82b5ad838ade,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c4c0a2f-6b2d-495f-93f2-c285ca02374f,"4/16/2021, 9:28:40.137 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84a6c849-4902-4170-b872-3612fd11ebd3,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58832deb-9620-4493-84a1-4940b9ac0487,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6204db90-2eee-42f5-904d-bcc5fab5bbc7,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a14ca548-f92a-4cbf-ba87-a27d47e407f4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b339404-cad5-420a-a30c-d8b6b9f012e8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b018d8b-4d70-477c-be20-0bb0430f52c4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\DATA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c74bfae-1730-4e2e-a135-c18fe3f8283f,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50d5566c-2af5-4a41-a54c-42df37fd3e99,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, 
+\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d80532c-05bc-452e-982a-f591511d42f8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\TESTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97fda0ae-1996-47ed-9b5e-a05c10f1a1b7,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3c07ace-107e-42d8-88d5-33a2f1a0d6b8,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce6ae08a-7987-4a8e-86c4-0fa68d96d4b4,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,907ea5b1-5b5c-4aa8-b66b-faa7a076cbb0,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8796e8bb-7d55-43d3-8eee-3359da3c4271,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e057e15-9440-4291-b73b-56708ebb8da1,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87195494-0597-44c7-81d7-3ea041e44cdb,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fd70f8c-090d-4230-abb7-bdc271c1d516,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2724027a-50ac-407c-82a8-2693cda41b11,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca1e6240-06a9-43fe-96bf-62581d3ae4d5,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\CONFERENCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88bab14e-1d9b-4e9d-881e-a578272d13ad,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0306872-780a-4a93-b644-ecf4f8499e39,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f614b3ad-f63b-45ec-a050-e75fee5d54af,"4/16/2021, 9:28:41.755 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d945a894-ca7c-44da-a6c2-2ce4a2fdadae,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,849078c1-a8fa-4079-93c7-68835e0343bf,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,19636df6-19b5-45f6-8538-5b8c23c1e07b,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c3e950e3-2cf6-4f7d-ad8b-11b5cc9f9288,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0bb352f2-d9bb-44f0-9a83-5b2d3b6d7cf9,"4/16/2021, 9:28:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,52b92078-486a-4de8-91e5-aaf94f0d31a0,"4/16/2021, 9:28:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fc8823c4-bc61-4ba5-8242-5b735e47f2de,"4/16/2021, 9:28:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2931fd9e-366b-4655-8019-232c23757896,"4/16/2021, 9:28:43.066 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e64f8e80-ba93-42c5-bb4d-68f66e17f3c8,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ACQUISTI,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ae9c89-96ea-43c4-9b5e-27578dcb24fb,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5bbbd35-503e-4e97-9e39-2f92ad38b389,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3767b250-86a9-48c8-80c7-0f9614d20546,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8192ee8f-e8a0-4dcc-9399-88784da74a34,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56ec5316-8cb0-4636-af75-95296b328f31,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08cbff31-efe2-4c50-8a86-fb134db8970c,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3acc5d27-f6d4-4c8d-8729-f3eb1edbd6df,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\EJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c96daa-87a1-42ea-a056-ead71ffb4fa3,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,456dedad-d933-43ee-86b5-0f26305e293e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c1194f-5071-4149-bca7-b27d2f36e299,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de856471-5859-4ace-9032-78331ffe19e4,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97ef5b13-3325-4f9d-a423-b412dc3ebae1,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d5cd759-3734-4c25-88d0-7474fc09b6e0,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae710535-9565-4a27-ba91-a0dac63139cd,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5ea043f-31cd-402f-a512-bdff5dc11dc2,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21013f19-7aa5-4f01-a4fd-3199030c04ff,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e48bb804-16db-428c-879d-56f0f5449a9e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98ed7f0f-a876-4153-be27-e17478fa022e,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5505f4-f071-4ba6-949a-8b3e16a2e55c,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f77d9ed-b8b5-455a-a5fb-9fe876260874,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc345ef3-3324-4daa-b1e1-cde13ff0418c,"4/16/2021, 
9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0e8164-96ba-4960-b03f-453d92b11b9f,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,905bd570-bc72-4499-90fd-09dcf032028f,"4/16/2021, 9:28:47.143 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4312 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1e5c3c0d-e208-4bff-9c65-2c1f8363e00b,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9236 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ea597aab-fc06-4817-babe-e03ebb6979ca,"4/16/2021, 9:28:51.641 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,852f2d69-fe29-48c7-9f5d-c19f2584dbe3,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,33aa4512-797e-4172-9573-8ccd0fd20ceb,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,821aacf9-7606-4c20-9b6b-5af536bf617a,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8476 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c1e67ec8-ca4e-4680-ba55-df58c996941e,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2068 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7d1b101c-d1df-4511-afd0-193dcf89234e,"4/16/2021, 9:28:51.641 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d2c1f6c-a924-49fb-8455-8d165b7370ce,"4/16/2021, 9:28:51.641 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11488 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6439f524-1501-482d-920f-049902c852e3,"4/16/2021, 9:28:57.010 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9600 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,119c750d-81ac-41fa-a94b-cdf6f9778c5f,"4/16/2021, 9:28:57.010 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd69611-c1bc-4ad6-929f-10e85b1f155f,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a1b774-a6cd-4dcf-84c0-22b1c70fa0cf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed2ad42-de57-469e-a805-a2def9c206cc,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd27f726-90d9-46b3-8ac6-b80371f2aaa7,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c38c0ddd-8a92-4756-b225-290721ae23e4,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dd76a83-6552-403a-ab20-15c80e5bb6a1,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bf2b1bc-c723-4e37-b6d7-9e6e8f132c6b,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f06fea3-896a-4e41-9a66-5fc65a096f78,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4a926a-e583-4c4c-84b3-eb2db8220269,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ccea06-aca5-4ac5-badc-8ecc58170caf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,949933e9-a2a3-42ee-92d8-8001ffcbec32,"4/16/2021, 9:29:00.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d1a1c65-dae8-4ed1-8bce-cd75574f8573,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7020 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d98ae2-24dc-4150-962f-47bb1e2c379d,"4/16/2021, 9:29:00.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2ee9d9c-cee6-4aa0-a152-5de063b0ca0b,"4/16/2021, 
9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97cde0d4-0b9d-4a17-9e87-cb1dcbd92cbb,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdca477d-e009-4b93-a22f-0ac8ddd4ec34,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a02eb7-9fed-4c99-95f6-391e776afb3e,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1127a18-1794-47f0-85dc-1d70d5d0a518,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce457360-8ce1-48a6-9ed2-fe51042b0aaf,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972ef732-4cbf-4746-a969-9af0b4c6b9a5,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414b95dd-8406-4041-9fdb-29c4f01d63d6,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17de29f3-85cc-4f05-89da-200d757d82d0,"4/16/2021, 9:29:00.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f44128-5243-45e4-bd78-883b88081277,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59595962-d61f-46af-bd25-1efb23719a76,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9861fb4-186d-4a06-96a4-d8e189816f94,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7a3dc9b-3339-4b64-8f7d-fa280cdc3ed4,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dabcaec-1e42-4404-8290-14a78d838595,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89216df5-507d-4f35-8b9b-c2c5990ffb86,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d05da6f-f4ce-4f08-bd1e-60e551f880f5,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a98e53-9c85-4e82-aea1-3fc117eeca05,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7bd939e-5a76-4c55-9761-7f52d3a0d9c7,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1a63f67-bdaf-4504-8171-c10d6657400d,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02cd9d52-132c-4e12-9f21-f98c3db50585,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ad2ee40-a280-4ba9-886d-7b5e172b0c74,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1874f4a5-d44e-4e83-a253-592c4f9b73d0,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9daa9dc8-ae8f-46cb-9ab7-1c2a44ee5c6f,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abe17566-0c57-47d3-88b5-d76adae67503,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ada0dc24-6ace-44e5-9e32-bb8e465287ed,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27b47f82-48c3-4e5c-8759-0f652b798424,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc621c79-3df9-4835-9e3a-6767aadc5fd7,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78b34c64-b08d-4f77-ad23-ca0d34549b5b,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de120cc3-c796-417a-a156-1af475b1cb15,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,051be30f-92e0-4699-9489-089b7e2a3fac,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d51c1410-26e5-4c2e-a07d-6af6b81674c3,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec23500-ff7e-47e4-8b2e-1e00aeec5f43,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62c0b3c-2df8-45ed-92ab-0aa178af761b,"4/16/2021, 9:29:27.150 AM",,,,,NTLM,, 
+\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da12e81f-c5fe-4acd-8309-65e74fb5f937,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef6fcb0c-73df-4e06-9dc5-7b0ab5c7ab0d,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\CONTABILIDAD,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b05e8ba-c20c-4e51-8d02-3f2312adcc4c,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fa45d38-4a85-4012-8da9-1b573c9dd9a9,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,825e2f92-d0d2-4e8e-9b42-7890226f7d01,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aca1fba-410c-4ae8-8e7f-8ff47434a11b,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a63e19a-8837-4320-b471-bcd6eccdbcbd,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,210206ae-ddd0-4cda-a12e-7bba227402d5,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c4a0ee9-3102-4a5e-a079-dbaa5593a3ea,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aa20b43-44ba-4867-8033-8d60b045cb26,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a7bd3ef-4d5a-4de4-a330-37175e9df410,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6133d5e0-5070-4bb3-a741-c816bd803456,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\SHYANNE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0446bac8-95d1-4be9-86ba-db6dcc186b40,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21f01b8c-5a4b-4bfc-bdbd-73e1fca1bfb1,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da9ddf2d-b8d2-4f28-a28f-5ad6a5f2090f,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,995dc3b9-e04a-4953-846b-9282afc69661,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6de28bea-c411-410d-830d-a2783026c9c3,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b100376-0c63-4b88-b2a8-5724055c6e57,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea5f7714-894f-4a26-ab6b-3107dad02df8,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6e8c2f-9c3f-42e1-bb2b-3c8c37427bba,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d02fcad-ae6a-43cf-8fce-a067909676ab,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23d24f75-9307-4ad2-a7ac-1274eebb1187,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e476ac19-3fc3-43e1-a2e5-7bb6de13b913,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +\AUDITOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd6faf26-2e77-46be-8155-3018fde5ddca,"4/16/2021, 9:29:44.757 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8580 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c29c5efc-778c-4248-9e50-9869d91bd33c,"4/16/2021, 9:29:49.274 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5976 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14b8effe-afb4-474f-9e37-7632db58a29f,"4/16/2021, 9:29:49.274 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e94c05fe-c1f1-40c6-b7e0-10212709b2f9,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,59ec4c75-ee50-42e2-807e-8643f148a7df,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,40ce1ecb-ba6e-49d1-a56f-91ea36eb9a88,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da331f57-de03-4709-995e-38b38ab7694c,"4/16/2021, 9:29:53.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,af62ba0a-4fde-4c4e-9873-65f7d6c10ea9,"4/16/2021, 9:29:53.067 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,840d08b3-0ba7-4fcf-8bec-3a77b5001f1a,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc578498-951f-45a4-b02b-6ca0dc3f40c4,"4/16/2021, 9:29:53.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aeb04330-e16c-4109-a4c2-0256477f1f0d,"4/16/2021, 9:29:53.067 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2996 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0653c802-1869-439c-957e-9f4fd95057ea,"4/16/2021, 9:29:52.728 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1136 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1a4f01eb-4307-4d80-bf6e-9cc7fc6e7248,"4/16/2021, 9:29:52.728 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,caac1ec8-be5f-462f-a244-dc70a03801a9,"4/16/2021, 9:29:52.728 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,75111642-9325-4375-b9a3-7b12bd42de3c,"4/16/2021, 9:29:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2d34a5bb-84cc-41f4-a018-1e13677907e9,"4/16/2021, 9:29:52.728 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cccdf12d-4179-4137-a32f-bf414d193c5f,"4/16/2021, 9:29:52.728 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa9eab2-4ce3-42f7-b3c9-2c69768066f0,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\WP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbc27b78-2500-4677-9f85-0cb73d769d4f,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63bad84f-d49e-4188-958e-3b0bc2081e7d,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ee3afa-3088-4d7d-90be-8ea68481b6fa,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55987e7-7585-42db-be6b-aea1e9ec916c,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\VISION,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb6987d-23c5-404b-803b-3784bf370e19,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d48745-4eb1-4976-85a1-4f185401acb1,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7fedf5-5a5b-4824-b952-5b57e8341e3b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,343bd5e4-850d-45ea-a335-b4097097fb59,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a5fa0f7-67ad-4bc2-a560-2971f9d5c42b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cca6f92-5f91-4ccf-9e3e-d53044a23ccd,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e6057d-d329-400f-aae2-69c7b9d89453,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5318dc3-dc3a-4252-b23b-3e5a756a7d51,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4eee451c-56a8-4074-8223-8e8a37c99aeb,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71fb1f30-3482-4eb2-8ef3-34dbd33b1255,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8595084b-7f93-4f27-844e-d02735d9a4d6,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf9b5324-05db-4837-908d-ced0c98f4e67,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c0943cc-51c9-450b-b8f1-f61631f5a6eb,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0413557c-9b9a-4d46-adec-1ce6b342378e,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04ebeb33-7a3a-479a-86d5-3b10a57fdf32,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37db2ee6-ff1b-45cc-b28c-142c08154131,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b64583-e82d-430b-b724-ba5739fbfd1b,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a119c45-8330-4964-a79e-fa9d06bdbc91,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84f2f77a-8a32-4334-8f9e-07643dc52721,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d14ab60a-6ae0-453a-b486-f619a9559ae2,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45ecf4de-842b-46a6-a966-7fff0ed5da58,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12206568-a2d8-492e-93a9-91b92b583036,"4/16/2021, 9:29:58.188 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 
+ D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79a3d9aa-0e26-4438-a17e-325df68e40d0,"4/16/2021, 9:30:09.890 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7148 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,728851a6-cf09-411e-a460-78563ad4cc9b,"4/16/2021, 9:30:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2ea35e8e-f282-4924-aadf-5eb333ebba60,"4/16/2021, 9:30:09.890 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b377019b-c887-4e44-a464-30503eded1db,"4/16/2021, 9:30:09.890 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,153f5988-433e-4c6f-82ff-e95facd61166,"4/16/2021, 9:30:09.890 AM",,,,,,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c05ec513-eff7-4f4b-992f-dfb4655a4b57,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1964cba2-f0e8-4527-8aa1-bc24af7a7c94,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c05b16-e5a8-4c5c-bfac-221f24db2a18,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f76efad9-1564-4a2b-bd90-941041566c81,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,037970f7-a82c-4653-b037-5ae1bd9605d2,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86d27507-acdf-4ae1-9145-4cc63c18aaa5,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7bf3a18-ef98-4e49-a346-9da7d26be6bc,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c7925a-a375-4b09-8d14-b07784050b10,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37109668-23e0-47a6-8b9e-4ea4448a464a,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0455a5ee-f2a6-4688-b383-4cf67e431d5c,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1009910c-c4a4-4b47-9e59-d89b83c3a46a,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e353d75-aa7a-4a7f-a122-b2c872b8836b,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0bd1cd0-233b-4207-bb4e-5a40caed9035,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1837b832-f183-43af-a0d7-a809c884102e,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7198f27f-dd29-4358-abc9-4e0ecaaa8436,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c007b7a6-1bc8-4a31-bf41-4a8a4f51465f,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6daf590c-e231-4e42-a448-6e3b198a0704,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58342ffa-5c64-49b5-9907-d16995a42ea2,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fedb8f2-8ebc-490e-86c1-01989de6b04d,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8834972b-c1bc-484f-a18d-901e9859c38e,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e9d505-6286-4804-b8e5-646d4480335f,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a2d489-279a-4f0a-9b79-c182c08c5815,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31d0fa3-7f61-438b-8b29-291444483860,"4/16/2021, 9:30:19.170 AM",,,,,NTLM,,
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c903dec-46ce-4d3b-9348-84b7e5bb7bb6,"4/16/2021, 9:30:19.170 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,efdb5830-298f-4d0e-a99a-d458209a9001,"4/16/2021, 9:30:19.170 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,50a9c652-cb87-4a25-8cd0-ec0cf7d1ddb0,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8acc15e8-f2e6-48b6-acfa-96e575ba2726,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,48433a44-ccd9-4cd8-a567-754714e18a24,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - 
Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,166e142e-7bd4-4634-bdac-727556b0645d,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7b34d376-cba4-4a8a-98b8-7b08c48a710e,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fc923aa1-4e71-4c33-85aa-d4e47e38d35a,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4e76c8e3-bf5b-40ca-8a57-5ce062ba4d47,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7205996-2ef4-4932-8c7a-82d19cc89968,"4/16/2021, 9:30:24.067 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ed7287b-5f1f-4cef-badd-0d891552e21a,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f3df7f3-d041-4399-b89f-f267fcd71603,"4/16/2021, 9:30:24.067 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4358f280-55dd-43ab-9bdd-8b56a081c5b3,"4/16/2021, 9:30:24.067 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 92 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26687a0-ac7b-4613-8d01-78b9cdbada6f,"4/16/2021, 9:30:24.144 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2684 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0f82e86-aca4-4855-870a-3589c24f076d,"4/16/2021, 9:30:24.144 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c6a5a7-d120-4dd1-8edc-b05f4451f489,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6274ba2d-40b4-4819-9956-b42c8a9f363c,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aee76784-d6dc-4be0-88bb-b2ca1d13ba91,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09f00f5b-41d3-44dd-8e8b-f5734064d21b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e1feebb-f07d-4539-b124-f17402277f7f,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b61b3dc-2886-417a-8bc0-5e82657aa6e3,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae139936-e223-47ff-b90e-7226e96b7f18,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8772f616-b154-4271-9170-6e92ea6425b5,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0a2fbc0-786f-422a-9d09-c0fb50590e66,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88866553-c0b4-4aa0-92b8-233df3f49e72,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31f3c437-3568-4dfe-85bb-1113319dfa1d,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7036833-d3cf-405f-a721-44ee80fb9225,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f73a6c3-5f8f-453c-b4e2-4ee3be1e7716,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347d0932-37fa-4ba3-a0e7-d61735861e4e,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f36fcff-874a-452f-91f6-a7517d9d0ad5,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,054f099a-4697-46aa-8c64-358f212793c2,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d17c31a-e6a6-4034-9233-19827e530649,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6b702f2-5dba-4c64-8062-a661635225f2,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91f5c332-3244-4ae8-a1e3-f49cc79fad13,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a165506-00a5-4509-83aa-5262edd7ac68,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402f5137-d82d-453c-9988-dc5c99e9639b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1186d6-7d7d-4ca7-ae3c-8f151b056a3b,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,113bbcb7-814e-4250-a8ba-b493867352d0,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f1d6c66-2810-41ec-a059-bf0c17d1a3ff,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62d25d6-e153-4553-a836-6348512ab0b6,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b427352e-5180-4598-93dd-975d5d4dcc03,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52b31021-18c1-4301-af3b-abc7e504d23c,"4/16/2021, 9:30:24.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03e9ad60-8692-4c34-83a2-22ee129f1b9b,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44d7d58e-4d8d-4c76-bf80-35e30c275f90,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba8f2f62-1c7b-446d-b165-38b3c7e2aced,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fc61a95-0ee2-4657-8259-d57bd93505d8,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,210ff9e2-352e-42ab-a6e4-5f0df333989e,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f536f9bb-5d6e-4494-bff3-d75cae54ebc2,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493cb6e4-1c99-405f-b86d-f09529cf155a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,78459624-c2d4-46e3-96cf-2d781da17b2a,"4/16/2021, 9:30:33.135 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e832a4d-55be-4a54-8ef8-c07f598f313e,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a296886-6a74-4790-aa37-ab5a039e8093,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcd94477-7fa1-4f05-becb-f0bb8efb48ed,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e7a017-0a16-4670-a0a6-ae454257986a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,563a1170-b209-4950-99f5-c9c266d19f74,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,174729a3-960f-44f5-a104-6752f481382a,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94459e8-4234-4ffa-9625-0d3a43d4f65f,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69888807-004b-43f2-b58c-9d1618a5f1f2,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afb0f881-eb85-463f-a097-fe745fd1b0b4,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbcaf7d4-f5f3-429c-b99e-36469c92bb34,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82dddd09-ea4d-4154-9424-dd0868e57c53,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1bc6abf-92b8-4526-9f8e-dcc94c252d13,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60cff7c2-959c-4cc2-b656-203fd116d8ae,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\CONTADOR1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70b9e67d-f4e6-4d7d-b8ad-e33b814a8975,"4/16/2021, 9:30:33.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc20b0f-d27e-4bdb-91f5-5249044c14ba,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a3234cc-6d6e-48c7-906c-1ce873257c9c,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46c9c7e3-6737-4345-ae2d-c1c9f28946a5,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5173e7f-6711-471b-9c52-1c907172b879,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b09cc18a-6644-4edc-a1e2-bd5cb9718f17,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1222908-62e9-402b-8ba4-c0736ad29bee,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a6ea5d7-ba24-409a-bb2c-b635a45f3e8e,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c7f1edb-19f3-41d4-885f-306b4d51a60a,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e943c8-7abe-4524-8954-56929046d794,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2449c8f6-c3ff-47dc-9935-668c3dd45ea9,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1a0daa-1edd-4115-87f3-b6525d15ef84,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc79322d-43b9-4a6d-8a02-729bced4e2c1,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac6febe0-a3b0-401d-8adc-8dfba7abf94e,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a354c8cb-2a56-4b9c-9753-7e6b26232770,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f98c38-07f3-4119-8376-b4dcb20cfb40,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd8bdb75-8cad-40b0-9a90-691b9b3356a7,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f835783-b8d9-4c05-9148-8021eb40ee1d,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4d816fe-f8e3-40fa-b125-43d129a918de,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a4cb8a-0b91-4f38-8bd8-dafef2bc68dc,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013df5dd-d04b-4d05-b3f8-48a9a7ed75e8,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec7ced8-d0d3-4ed4-a0fb-d29357e32917,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af46d321-8523-414f-9a25-d747cd1882f6,"4/16/2021, 9:30:43.136 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15236 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d3974a9b-713e-4c43-a6d3-2f40bc4d4d4f,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9968 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,952912f9-982f-4e99-bcba-d6edf3cdd4f0,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + 
+ 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14612 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,89b57e63-1d5f-459f-bb17-df0dfa0bca65,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13840 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,835cd305-c078-413b-be74-143be1ba3236,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 12340 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,95c65dac-5e1b-4eab-9f95-0aceb91e7638,"4/16/2021, 9:30:46.009 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6088 + 45 + %PROGRAMFILES%\GOOGLE\UPDATE\GOOGLEUPDATE.EXE + 32 + 062FFE3E27A7A52316D300284F95BDCFD70C633E79C22B67159DE8E05633BFDE + 90 + O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US\GOOGLE UPDATE\GOOGLEUPDATE.EXE\1.3.36.71 + 0x3e7 + 53 + C:\Program Files (x86)\Google\Update\GoogleUpdate.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6433d5ad-c653-460a-a9bc-b3c52257624f,"4/16/2021, 9:30:46.009 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37f84a70-428c-4d9b-b426-04078942ef1e,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\TEST01,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33996af8-05e1-4c09-a1ae-bc5e754237ea,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\LIMITED,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e431359-a503-4fc0-b884-74310b51c8f0,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\ALMACEN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5f5bf958-1c40-4aea-a152-919f715e82be,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06aefc42-661a-4c70-b35d-3d0e6b612006,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, 
+\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,337ae5ef-af1f-4420-850d-622108a0423b,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +\SQL,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,35605680-aa5d-43fb-ae46-6cd92db4efaf,"4/16/2021, 9:30:50.412 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6044 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0ebee2ae-f622-4015-861b-322db9a48ac9,"4/16/2021, 9:30:52.726 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7b2bbe07-9fea-44d2-826f-064aba85f005,"4/16/2021, 9:30:52.726 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4b01532-00c3-41df-bc29-b5a4d18ef385,"4/16/2021, 9:30:52.726 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0dda6c76-cf66-4123-8ce6-94ce53f6c85d,"4/16/2021, 9:30:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,52866afe-054d-4740-9db5-5cdcf877e858,"4/16/2021, 9:30:52.726 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,83744afe-f04e-47b9-87f6-67d096c7f920,"4/16/2021, 9:30:52.726 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6596 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,add03a95-438d-484a-b630-ee18fafb4260,"4/16/2021, 9:30:56.146 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,adfd9093-5e1c-4dff-a356-c04ee3b3a524,"4/16/2021, 9:30:56.146 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65be4a6b-661b-4582-90c3-2116cbb1053b,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2627ed6e-06ce-46ce-8504-259b0e0d3404,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec05b8b-1212-4273-9a17-ba25556b270e,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f6767d9-887a-449a-b532-0ee02ebf1420,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,affbe88d-d49b-44e0-8731-d324c23c64c3,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa47e3b0-8552-4c6c-8ff7-fb8ab8b152f2,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daf0a756-7d9c-4037-b0ff-8435771ee718,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be72f150-2e99-4a83-a7bc-a658e1edc620,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be730331-cb96-4d49-a185-1cafd63613b4,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b940922f-6857-46e5-8c6d-6f9597b4f4f0,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e19ee695-878f-4bc2-b58e-e4e0d218ef1e,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,059ff47b-9d47-4750-b469-7ac2c67d7444,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b507e798-b678-42d9-b397-761b9372eff9,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c69db3-c66a-4bd5-82ad-104ae49dfc1b,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9de45b-6fbf-46f6-9e1f-8a17affa837d,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb4fcb7f-39fd-4eab-a8a5-1ed0666ed476,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb21f4f2-4de6-480f-aa23-0ca0be1c174f,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa166a60-8771-4d65-8038-0b4e4f1d2e05,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d020534-5aa0-4641-b0b8-6f22388a6b62,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e9cc5cc-f255-494d-928e-a7cac9f6d4bd,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7655c7c0-830b-464d-9a76-e45fba09f6b1,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,897b9672-dbe6-4387-b992-4a0398e863ee,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aebd783f-6499-417a-a6be-bf6e94da95a9,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8672a2-36e0-44ce-9472-cdccc952f863,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e972bade-139d-466a-aa67-78c9cc2a4c70,"4/16/2021, 9:30:56.146 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5946663c-e197-41b5-b9bf-80c390299219,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcfe41a-520a-437a-b38a-990af0f140cc,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e29d1f8-2a10-4485-92ee-d0b9a689932f,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33b6cb14-5b34-4a9c-bb86-5292b646cec6,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2265127-8686-4437-bf2d-e8a219d52b4d,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a059fba-4e57-4318-81d2-1bc50a7072ca,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41ac584b-75dd-4f5a-8831-2c9972a8c1ac,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30a66643-6134-4527-86c8-6b7df5234e9c,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a751c160-f502-48d8-977e-61b8cf720cec,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6cc86b-5917-4797-9991-21d3b73523b4,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eef09a1-96b8-4bce-b5f6-cf2dbc618b10,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae6ddd2-2b19-41db-8360-b3c2e9cfb491,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4c54b5e-69b8-48a2-a7da-c71ef0cec0e7,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,126780d0-eb44-410e-9535-2e467148912f,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\RMEDINA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d140db38-5695-48e9-9d6d-ee93dfc18a4d,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03841f8e-81f4-48f2-aad4-7977345e53f2,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba137e30-36e3-4bd2-b80a-21bace39b8bc,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f30af07-ff44-4104-a010-c21c921ed5ec,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d313f72-5735-4edf-9847-20ecc8019f07,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b019747-6eec-4992-9dbf-a604b6d238a3,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,824368c6-18bc-4d9f-9fdd-3eb4dfabb781,"4/16/2021, 
9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,808eb302-23d2-4c5c-befb-e1734744cd0e,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,951cb6fe-8342-4504-bce4-921ee44688ce,"4/16/2021, 9:32:05.140 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,6e18e966-6080-476f-9bf8-891fc34b85d5,"4/16/2021, 9:32:45.885 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,843d29e2-de86-4198-b8f2-fd12d54f4ef1,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,27188a72-19d3-4285-adc9-bb10dee0fa31,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd5151f7-57bd-40db-ab39-1879c903f909,"4/16/2021, 8:40:08.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,caa12544-851e-4c9b-bc78-ac7a8d78c517,"4/16/2021, 8:40:08.044 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7c453875-a62b-48d3-94d2-eeafa3328cbf,"4/16/2021, 8:40:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5144 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,176ecee4-f017-4d6f-9c43-47a4bdbb89d8,"4/16/2021, 8:40:09.853 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a3ac3a2e-83ba-48ee-abb3-a7bb02d59a8d,"4/16/2021, 8:40:09.853 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,23f5ac52-1c6c-4e0f-9e4d-fe3b92b2a597,"4/16/2021, 8:40:09.853 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26f36a56-6232-4f2b-8ec7-5937aa574e0e,"4/16/2021, 8:40:09.853 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1aaf3146-dcdf-40d3-af39-32d997ced982,"4/16/2021, 8:40:21.503 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,573da621-b77c-49f2-9488-de0541f0ec9f,"4/16/2021, 8:40:21.503 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ae5ff55f-3e38-445d-9138-c02ce21cec25,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33b19935-721d-403f-8bf0-a67a2df91659,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7748 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a096438-497d-411b-b5af-b67c6d423e17,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,284e1117-d362-41d3-972b-642f25958cfd,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e93f8212-e8d0-442f-96ba-cb88d7ded0db,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6328 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,af717561-469f-4671-b72c-2d7bed2473bd,"4/16/2021, 8:40:21.503 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6896 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,11e2766c-42d4-48d7-90f1-642cfc56b98d,"4/16/2021, 8:40:21.503 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d07baee-b298-494b-b57f-9740f2a951cb,"4/16/2021, 8:40:21.503 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46510e6e-b5e9-4e62-9c94-a58ab208df00,"4/16/2021, 8:40:21.503 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d40620b8-ee6b-4b02-b3ee-604c8cf00f32,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8c4121-ee14-452c-b9cc-38a4d84b696c,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3012c956-7785-49f6-b76c-2784861813c8,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e923bdc-fafb-403c-b5ac-8dbd55278b1c,"4/16/2021, 8:40:24.595 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42e84546-10e8-4701-b96f-7b36489cfc9a,"4/16/2021, 8:40:24.595 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48bb7b85-d2d9-4f2e-992c-36ccb531bc4d,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3dec3f5-717e-4f13-a4ca-45ee4497ed67,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cf5313f-9dc3-43e7-b4cc-ed3098a24f57,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6cc9b68a-4f2f-4afe-8215-be9c1f31728f,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,877c5470-4636-47e3-99f0-cfa16166be53,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae27d486-282c-43d1-9a4b-554a2d22f44c,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbd0424c-50ca-4ddc-9b30-dd17b1d7b2ab,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d235e08e-7d0f-44ea-80fd-4c0c795734f6,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b191efa7-1073-44ef-a5ad-c9cb8583afb6,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98803a58-5672-48a2-99b6-0050ebc1c4f5,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0ca6e7-aed0-4a2f-be11-e391105aa7ae,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb635bb0-bc99-4cb5-b096-fee40c12c3ec,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9025b3c9-b3ba-4932-8c90-cbf1a3703976,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,522062ac-7ef3-4488-beb3-df2ab10f6aa8,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a694d30-0509-4bd8-8bf7-12d921889f80,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6243fb09-2000-4923-b604-f53d0be161e5,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ded2706-6b92-4054-8c60-420c9dfaedc3,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8493842-d697-4141-a025-a067d1d46dee,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db763d77-b76a-4335-be2c-f58890532307,"4/16/2021, 8:40:24.595 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8944 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e6e7cd6e-7e5b-4b57-8139-97c266be1b6b,"4/16/2021, 8:53:29.590 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,68ac72e7-2ecc-48b5-b32e-5fbbd55705d6,"4/16/2021, 8:53:29.590 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9b905f4a-0d3e-4232-8f6a-a76421ecfa5a,"4/16/2021, 8:53:29.590 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,78603911-cb16-4c12-9602-1c7ea833fc9e,"4/16/2021, 8:53:29.590 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b1baa0-e97e-4a1e-b059-1148478bb946,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866f93a2-2ec7-4fba-af3b-ff10a403edb7,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,050f9495-b441-4592-bee2-1850eb0d418d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4120b5-52cf-482b-88b8-e45ac6c9528d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e3eca58-2169-4053-9aeb-1a31d328ca69,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e001b5ad-72e9-478a-98af-949a7ff3f30d,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f645c6fd-17a1-46b4-95b3-7803c9ca5096,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,38faf047-f356-4393-97e0-a16f786f9adc,"4/16/2021, 8:56:55.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8388 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + 
+",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee3d342a-f5da-483d-9366-0bdb763e92dd,"4/16/2021, 8:56:55.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87defba1-acd8-4339-a5a2-43df3c2a89d2,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2900c61c-25eb-4287-b632-b32dee2d20ba,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a068eee1-5ff2-41a5-aa12-13923db36191,"4/16/2021, 8:56:55.111 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bcca165-61fa-488e-b3ad-136d35cf1ad4,"4/16/2021, 8:56:55.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64b8e04-63ab-4197-8fc9-de0592021d9e,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf5edd0-e2e9-4872-9115-48b1675eaf70,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7e0d907-48f9-48af-9a3b-c435fbca9c7b,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8117c408-3172-4712-a12d-f1e78e0f3103,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa7e2304-ab3a-43c5-b27e-4ae6195c2f86,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bccefe94-2277-42e1-bc14-628f2dc697ad,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02bdacec-291f-4b2b-a4ee-e6da44189560,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ee2e10b-6d52-4104-a639-0c8b48532d2f,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d95bc9b-1f8f-4363-85ff-8c56b9bfe261,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,281700d0-6dad-476d-bb02-fa544cc40e43,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb26d23-25ee-4b6c-81b8-187ebf8d2d88,"4/16/2021, 8:56:55.111 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4847ea0a-bddd-4c83-95f2-b31c9e1a7392,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d4d61da-87c0-4274-ac51-80d1c740da5e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688efc1c-5e74-4b7c-9cd2-1e0b764e999d,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d84bdae2-53da-44c2-8181-1f65872aed1e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ae65ff-8920-452b-98ea-03cc8f9a0d12,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b04ec409-254e-4146-a89b-60546cddefb0,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a4aedab-1460-4430-ba5c-689ee00b3fc2,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce3760b6-4eea-4f02-b13b-9012f81cda06,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34401770-2bb3-45c0-8723-ded52bcad9a1,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab9dd68a-d928-4154-8a7e-6cd375393259,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c05d62a-d0e3-422d-aad5-7018182a298c,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,212e8535-ac04-48f7-a2f2-2d56ebf1f9ab,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87c27290-dee2-414b-b88e-25c2fd51acd0,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11989094-3a58-441f-97cc-ee18a0425331,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a5059ee-1236-4c4f-af47-6e5fa6f30ba6,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24feb2de-f6e4-4d58-bc28-da23b8729587,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd0fa1f-d737-4722-8d5b-ab6d496340f1,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\OVB,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1292f52c-a9d2-4f11-a0a9-587508efe8fe,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5af40926-0a41-4c85-83b1-1535ce30d235,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b51711a4-6d34-4038-8d4b-ae485b08d13e,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0437495c-6367-4293-b7fb-8a0a7e7c5d9c,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be95af80-9d9c-45e9-a3d6-9ac99acd7fbc,"4/16/2021, 9:04:53.708 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,825f65c8-f239-473f-9a37-8a2eac34c5bb,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55e078d0-fdef-4fff-bcba-33e5e95649b4,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9c4d98-c868-49b0-bacc-c47069248844,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,031e8c57-f781-4c3e-bf94-d80a9a101b35,"4/16/2021, 
8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e9a3ca-a476-4aa2-abed-97bfcab68f8f,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b00a882b-b47e-4540-b3b6-f7d5da63aadf,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3012916-f687-46f9-a577-679c4aeed41f,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ebd881d-4981-426b-b242-46a355029d93,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5576d926-1f86-44e1-a084-c421f1a1f411,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79a7ba66-8be9-4ab7-9bc3-588330135bbe,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04d8cc27-9266-4add-a196-e2ebac3150a0,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ef81a5e-b8d3-43da-bd72-6ca03d7471fc,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbd8b441-8161-4ac7-a418-b0c8a86f0838,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf7a315-9ac0-4b69-ae8d-95596d6ef87a,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,850ae4b7-b543-45f4-b00a-df8f26324c60,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b108c6a-84c2-4c5f-9682-9ba34d6295da,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8750029-47b2-4172-99e1-5530a1512b2e,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b861b5-3c58-4abd-91db-8b30b499c0d3,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1975fe28-c703-4b89-8b06-4e38ae9a110b,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b36c2181-c188-434c-8ceb-d524f2eb6048,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f7f2f40-4547-4c31-a5f6-620b8f09a9b1,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ace22db-4c54-47fc-9d12-18f653b5bb2d,"4/16/2021, 8:47:25.102 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,5e1829e9-f233-47ea-973e-458e8f688dd0,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dcb93d87-4cdb-44c6-a001-ea3e4a3f6e31,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 28 + %SYSTEM32%\USOCOREWORKER.EXE + 32 + 13B908CA0D2AC90F4398E5FBABCD1C442B07297B524C2BBA890FD106D4591742 + 125 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCOREWORKER.EXE\10.0.18362.1474 + 0x3e7 + 37 + C:\Windows\System32\usocoreworker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,23e9433f-2f0f-4f5d-9825-d2fd14558721,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b29ab16d-fb14-4127-bc44-a3f18942f0ec,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e4b3543-9123-4526-ab52-29285a216020,"4/16/2021, 8:47:26.542 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,565bd2ff-fd54-4844-aa09-650d4ffdeb52,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d676bf6-e517-45c2-bc1e-463c722fa748,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10624 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e2bde169-d320-45bc-83d8-f7f5beea049d,"4/16/2021, 8:47:26.542 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 884 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,93d2249c-977e-4dc2-8aaa-8c05adce3094,"4/16/2021, 8:47:26.542 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,398e9cf4-1d76-4bbf-b844-dde545b7f3a8,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6764852f-8962-4adf-b15c-b8df3e677f31,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dc52913-565b-4ab6-8864-ea519f0228bf,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c04648-6ad0-47e7-a6ac-38b72d19a6e8,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5d50f7-a523-46f0-bbaa-8e2e7cd18f58,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baaab09a-d2ee-4383-83ef-b98930c262c4,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c6fbe1-55f7-4e80-b2c9-41ba54ee2ddb,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,203308a4-1eef-4148-9969-06b17def515b,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b655f240-1139-41af-9f92-212ccf24675f,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54a3a4ef-a5ee-4ed5-8d4d-27d419ae9fd4,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e649f8d-62e5-4ef0-abbe-8fc2f1bfc362,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1722d236-a3b0-4ee6-83d7-18665adb6400,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771ef88f-3f9e-4281-a022-569423bd7bcd,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02dfdc65-e972-4dac-bf89-d6efc40a6045,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c5378c4-4510-45b9-ae97-c35f7bdb650a,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6711e0d3-e085-4663-bc42-40bd9a0fb688,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccc624e0-8005-430c-ae94-c7427148dbf3,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,543306e0-a669-477d-93ab-ed9a5d8952f1,"4/16/2021, 8:47:32.102 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2325437f-2664-45bd-9a16-6002904069eb,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c491e0d-ce6d-428d-ad24-f3a4dea89f7c,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c43774fa-3205-4069-9371-3599727b6e02,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37749456-607d-4b46-9a9a-ad3495f6e576,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,590f1f96-507f-4287-8ebb-920d9cd5c4f7,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0cc3eb7-313c-4931-9b7c-39e7ab7518f1,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2780942-fda0-482a-87b7-d5aff154f605,"4/16/2021, 8:47:32.102 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7e1266bd-493b-42ad-a550-984837149e03,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6861ba6b-46bf-4d3a-8446-db96c6483485,"4/16/2021, 8:47:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f00fc198-d6de-4c3b-89a8-c0bfad20bc32,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,db1c63c2-05a9-41b9-bba5-641c6fa78bd0,"4/16/2021, 8:47:36.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d8ca3cf0-2e31-4d6c-8e1f-e2a53fdf3b23,"4/16/2021, 8:47:36.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,0d94d564-cec3-4b92-8ab3-c0f4ca13032e,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3beeee42-3bcd-4031-8b55-54b7996b524c,"4/16/2021, 8:47:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,db442ef3-7016-447e-b1a5-fc4b70570e4f,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6598c8df-d7d0-41b1-9506-aebd98774f52,"4/16/2021, 8:47:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f3d9ae61-8b3b-4635-8638-89f0de2ead3c,"4/16/2021, 8:47:36.048 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f82dadb-6759-428b-bf42-b901f3e381ad,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98358e78-eac5-46e1-a416-75389de8e841,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ffdf7d-0e58-44ee-a5e8-7403be0ed5cf,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbaa3a82-dd34-4157-bd07-889f7cf2ccc1,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50512757-b0cb-41b8-9a55-b708915013a6,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d23cb331-880c-4c38-bb23-2318b558fc21,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01a40956-cc92-4bdc-8aeb-ba79d9954239,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c646123-3e9f-4fa1-b577-c53b917fe166,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5044f9cb-8aad-4d6d-b51c-a1cc3f24779b,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0766c470-5f73-46f0-8749-2b1d24a644de,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9f15a1-1845-4cb0-a989-36e5369e10fc,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a090b99-15cd-44c5-add4-7aebc9fbd22b,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40240c08-a269-4d56-bf2c-1df9581696a7,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c20f23c-c49f-4c8f-894c-96f6c0656f1d,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c9a63b-82b3-4c89-8e40-eda62461417d,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4720b425-f64a-43d6-bd6b-843eafa455c1,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb34b078-8bc3-4562-8c99-a8129a5cf983,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43d1660a-5bd2-48e6-85e1-54daf2b8eb19,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2507cd98-c8b2-4aa5-abdb-ea8ba2d75031,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd15312-990b-49b4-af03-88d85c81dfb3,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0a4ce5-27f1-4612-9a24-3da218ef40d7,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1e9f00-b19a-4cc5-af36-693fc8c35855,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14102481-2184-4fb4-be06-18692a419a51,"4/16/2021, 8:47:41.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7511156-d712-4c10-a1da-1e2d38f6a9ec,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cbb9144-87eb-4d98-b721-0b9121fc302a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c1d3223-12b2-4ac3-bd8c-7bbe37ebc78a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,165ec5ce-0db8-42e4-aa25-eb8e1eb8cb87,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3592264-a938-473d-9332-e477c0df6593,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdb2b9b9-0cf2-42c6-a9b9-abc14f5f4564,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52bc2ee8-3578-4f54-b467-602bed26f7dd,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3801ed9e-4e84-4704-8179-97ca2de5f006,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e06e98c7-8da3-46ce-88cc-07e23f767302,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,973adf3a-e751-40ae-99e7-b11b6e84f02a,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b5c7ce1-a843-422c-9ead-dd1f1ffb0b8d,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fcb4e1f-5c45-4528-b89e-7792877fc479,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff08ab83-aed2-4638-95e4-6f3d8e351b9e,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29c8cacd-5c8b-44dd-a50f-b41b65a38a30,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91dae080-9c11-402d-8e12-6ea3241d5971,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f165cfc1-5db7-4b0a-be12-c9ca67b738f8,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb30f75-b7c6-40f5-8c6c-8516c030c17c,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1b931d0-23d3-4654-a876-2e7f3e9d5cd2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,998fa223-8428-4cec-ad3c-8fea76572f11,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0362e4-6216-4af3-81a3-6880c43100db,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fb5c1da-53ad-4c20-abcd-14797b692a66,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6412fd8a-b2df-44ca-8213-43642e7cf1c2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f156d13-80c1-4a85-b917-43dca2ce6e93,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3f9fef6-0316-4e1a-b95d-f3e7dbe84072,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a13df46-018c-47d7-9745-8df4a102fbf9,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,363e1784-5d85-479b-b0b8-f1ec5f84be88,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb70724-1bb8-4bc2-9696-3b012375dfd2,"4/16/2021, 9:04:59.121 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c38d4b3c-451c-4a28-9801-fc94fc7b9d1b,"4/16/2021, 8:40:31.859 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc25e30b-c95f-4ec5-a94a-29e6a1cebd89,"4/16/2021, 8:40:31.859 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24150234 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b3d6a30-d5fa-451d-be05-e6168d911201,"4/16/2021, 8:40:31.859 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2e7d0a75-7177-4027-ad51-109b83f176ce,"4/16/2021, 8:40:31.859 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,df6ac821-24cd-4a8c-98e1-2738936f05d9,"4/16/2021, 8:40:31.859 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,733f12cc-7fc3-4fd4-ad5a-9dffe5b06fe0,"4/16/2021, 8:40:31.859 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c02e2e6-06cb-4ef2-aa27-a584f981bdbe,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a298ca66-2643-45ac-b074-5c5b22a5bd44,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11e10bdb-e6e4-43cf-a1e6-1d45076faf49,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8265c387-1c1e-429a-a04b-b73296efdac3,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f939227-8dd0-43e7-b2c9-1984afbb9e54,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a71123a-b3a8-4e91-9a57-905c66ded362,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,235385f6-ab88-40a2-99bd-2eb18642505c,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7fa0dd-b4f5-403a-bc4a-6da92f1991d4,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539e887f-eef4-4e35-a373-5332d014a34f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,162428ba-3a9c-459c-be58-14339952366a,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6308470e-d62c-49e9-97a6-7501d755609c,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72b49dcd-34a7-41b7-8fb2-c93f65c11efd,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cf6a1a8-730e-4ce9-a3d9-3adf5762e946,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2dca2be-d53e-4afe-8c1b-859093bc725f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b021b21-1e6d-47d9-b8ec-2bbbc8e58894,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71cfe2cb-d757-4699-8793-ecf3ec8848f3,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6d5edc-4145-4dc1-8c65-81b649789f7f,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff3cf123-ba23-4f70-bbe4-307ea5126723,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c95a5d-8541-4b57-99e1-321a6e2578f4,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad90091b-4e16-46fa-9a57-35ecb03841de,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c9c6c9b-2324-490f-ada3-38814642cbd9,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,081e4c99-4fce-4c0b-8389-4b460b898ce5,"4/16/2021, 8:40:32.109 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffab43a1-229e-44a9-bc2d-c9c0d5825a3a,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60beab1e-42b7-4bf5-8dca-6ec173c064c7,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ebd5505-afb5-4431-8b77-575b6f88ee30,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d2b961-b3b2-4a95-831f-de84574f6223,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53c9b77f-d6b5-4f30-867d-fa57c57eadab,"4/16/2021, 8:40:32.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e161f6f-86b7-4996-b846-b0d6f2d7b626,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27afd389-176e-441c-8433-a650d6cd7ddb,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2cb69ff6-7c44-4176-a105-66803e7767f3,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1e7e368-59fe-498b-bf1b-bf88d8a6b127,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1375a39f-5241-4ad4-97c5-4e459e1a3b03,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4313da85-ee8a-4a80-a9fc-cb1cbda97fdc,"4/16/2021, 8:40:36.591 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b74cf399-9140-4f4b-8292-6de762b1f88f,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e5d07e7-61a6-4812-861a-60c8964286fa,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bc4fe37-ac38-40e1-9e5f-1d94f6945ec8,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5548bd8c-dbe4-4235-a9c0-92faacae1258,"4/16/2021, 8:56:57.075 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15036 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3775d347-3c28-42b8-998e-a0e7a10abad0,"4/16/2021, 8:56:57.075 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,626e6b07-c493-44fb-9b2e-5cdb4bd47eed,"4/16/2021, 8:47:40.433 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1f49611c-535b-4f1a-ac34-fabf157a7168,"4/16/2021, 8:47:40.433 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,993ec157-4bb9-4d65-b6e1-eae766d80ccb,"4/16/2021, 8:47:40.433 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ac5c2dae-944b-4db5-bbfd-57268bdec267,"4/16/2021, 8:47:40.433 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5472 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,056ad3df-527e-4597-8fc2-f978da13fe9a,"4/16/2021, 8:47:40.433 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,90b48916-e17e-47f0-8ab0-e04bb572e7e5,"4/16/2021, 8:47:40.433 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ae00bbd-a6b6-4454-b3a5-7f4b4c1a1aea,"4/16/2021, 8:47:40.433 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86b67f6-ee59-461b-9e90-9a19f05c7f6c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6022991f-6897-4b08-aa49-eb832ca31c23,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32eca8bc-f2a8-4d3f-8769-3397fa611273,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8c12091-f489-4da2-991c-27ff1d7d668a,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95e6e503-62c4-4f12-bc0e-5871b50b8264,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,155bddf9-9e1c-44a7-a6ed-fd07baddd153,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5093f5-c04b-48fb-adac-03692e4e6364,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e201b7-abd6-4a59-9254-5c55873ff8df,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47317468-7a5f-470a-8019-5fdbb8c2a35a,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c2f0cfc-33ed-49be-bc47-06263209f7ca,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f2912d-6271-498d-9b9b-0469d03c35f6,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b3985c2-03cd-445c-8ff4-e477b6ca404b,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 
+",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,2577abd1-7331-4447-8364-41abe8ee61d8,"4/16/2021, 8:53:35.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f3b76e8-4690-4d93-85ca-8b122ba28c20,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5150380-9fdc-45f2-a161-791eff0a4c80,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8df830b-b1dd-4cc9-b083-f4aa7e476d26,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89a4e8cb-f128-4aa0-84ba-ca650703ad8c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab8c996-f236-4a73-b6e0-dfe2aa1f7b4d,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e921bb3e-6269-4c86-aec4-b628d5392c3d,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d9f9d5-48c8-4019-a7ce-e3b42c7a2601,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,939d9823-608c-4a29-94b4-048258d85e9b,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b9ec1f2-c915-4dc7-ba72-9bcb8301215c,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc586349-78d5-40d0-b9ec-834ed42cc315,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d72e151-fc5c-4275-91bb-6fd5c92cdf05,"4/16/2021, 8:53:35.107 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,74ff14de-b37c-451e-81ae-157b54a3562f,"4/16/2021, 8:47:44.855 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,994ca9ad-a101-4959-89b4-3656c1e76bce,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d8fd35c-e20b-4a29-8595-2b4e314accac,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9e7ba1e-ab05-45df-8ed0-60fe173ed097,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5c70b57-dacb-41ab-870a-6b6bd29e8cfb,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,431dd281-247c-443b-9718-249df5fbc14f,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aa7bd15-2d72-4f42-9fb8-88439b758522,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc31b73e-34e5-4785-b2ca-91c0e66ac809,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcb394d-c61d-472a-b0de-1667a8832df9,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\SCANS3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50ae81ae-33fd-431c-aad8-87ed8609d794,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d827d9-8927-4088-b26b-43ee34f3f303,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edb1a09b-5f0a-4e9b-9085-dc470f4a75c8,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57c17aed-6564-4364-9aa7-b198d0907d90,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f598c61-50e4-4e0e-9d06-2f3bacf83a30,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f61be22-d49b-4ce8-a0c8-39a0fcf9d496,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02d29881-9392-462f-a94f-b3aa03dd396d,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,097d5fe5-3867-44df-8c11-4614fd102487,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52efed91-d6ba-43c2-98c4-4adfd870b05a,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec904bdc-cc29-4306-a988-060451e654dc,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af899646-773a-447f-aad0-f986d01bfcff,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeac8c5d-29c0-4d1a-b442-d0528d791598,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f54553-38a5-4481-9ea6-39ae27a44659,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c901c783-d79f-450e-853a-18557e853b6a,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7721e736-be60-4b07-b7b5-af8aaadee5fc,"4/16/2021, 8:47:47.619 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57b00e4a-37cb-44d2-a1ce-70f7d745f7db,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abda2a60-8f9c-4189-b224-9b628573743c,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20148bc7-3bcb-4404-83d9-45ce7f52edfd,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed34d636-2fed-442d-acb4-9e6802a0d125,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be2b3aa-bc41-488d-b0ac-0fc5251ecb9b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bc5ac8b-bfa1-4e59-a397-b2794574aa38,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6a28a74-9556-4ed2-8c2e-e2bf023c6c8b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63f35d2d-65d8-43c8-b469-68987ddd86b4,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c788981f-f1e9-407e-9f57-8d83ac996124,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83a76fba-abea-4fd8-b9a2-86188fa4e252,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794c9d92-f8a4-4685-8db9-fe4f12f1bb40,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fad4f0-2c93-414e-b547-0b5dad65a0c2,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af0e236-6fad-4c8c-bdd8-6d43627a7403,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51747cbe-506c-4158-a802-647d1dd249ce,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8defc1db-2462-4dc3-b93e-45d3f22dc175,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda984d6-6d0d-40c8-bb06-bcbb75963c36,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d90546ef-5ee7-4d97-a469-b2e3887ec085,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e5fc9b-3025-4e34-bb3a-50f264fbd62a,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95e65abc-102d-4e8f-8ddb-e7ede377f20f,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,613571b6-e584-4998-b49d-9194d6af71b7,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dff85a8-8591-4e64-9be2-5e8d3cc1122d,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,001908b8-4798-49d3-a53f-4917d525816c,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d473016-ca25-4681-8a47-489c7908df8d,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dca4a0d-8d02-498d-b669-89451048acd9,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,702b38ac-0f75-4cea-b106-a0537cc393d5,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a920935-46da-4262-a559-5b4cabfbfdf9,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebfb83bf-8c5d-4f72-981a-d142d51be432,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a3bf484-af81-442b-a01f-d6de8fc91e4b,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f93d541f-d682-48e8-a73d-e3b9f9856255,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ceddab-61aa-4f89-8c59-b6483a945e9b,"4/16/2021, 8:40:36.591 
AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b27aa5b-ce6f-49d1-8cb0-f0deac091466,"4/16/2021, 8:40:36.591 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eaea7c3-a7bb-48ae-a1fb-b21757b0b615,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0914bf7-1016-4308-b89c-c0a8bd485b92,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50346d04-d2e4-4f0c-97e7-5f6e53209bc9,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5afaff9-2c4f-4983-abaa-e807986edc75,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43cbdca4-e4a1-4b11-a13d-d58607958f8e,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ec71af9-dfb0-473b-a561-c1596c36296d,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be37c22e-db89-4180-b789-04ad3d233d04,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10d20c9a-a7d5-43ec-a95b-f6cecc65145b,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26827ad-d3b1-4d8b-9bf0-c7b81af3bc24,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,984026e5-5c2a-4413-9c63-6c02be26a051,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91aa4ddd-f38a-405a-9f92-9941899f3f1b,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36533584-ec09-4777-adb1-ac930f141e2f,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff3cb93a-f78a-4a65-98fb-22f7201076da,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad2bd238-f5ab-4300-94ad-4708830cf2c7,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a64c51c4-31c5-4aba-90fe-944dcfbf9251,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61f65871-b03a-4ec6-8a7b-f318114dcb58,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cc3527-54ea-4179-b95d-ca44b801fa62,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b09268b9-cb1c-402f-a971-1027b8d98c64,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f886d62f-8cb8-44d8-ad2e-63b27448de8a,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,595a5c5a-fb68-45c2-b8e2-822ef7b45e3e,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76f9acf7-31b7-41bf-b603-ffe61e08af14,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a5b32a2-edba-426f-8a9e-abfbb01c4458,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552bb68f-c678-4f86-91c6-c4b125fbffe5,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,932e2b44-1904-4038-867c-9f9f70953ae5,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,063672af-2770-41b3-b125-f15551c7f757,"4/16/2021, 8:40:38.110 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,397b8e5b-4c11-40be-812d-f8aa53810758,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab0edae8-71f7-40de-8341-b7b231c40a4a,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebef8431-1de7-4bab-a617-f0052c737480,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2176 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ce0b02c-fccd-4af1-b464-4d32743ded7a,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5354c8c4-a8e4-4eda-9374-48f209efb5bc,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5b5b4eef-f09d-4ff1-9525-98097c51374c,"4/16/2021, 8:40:39.556 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6eeef678-db06-428e-a98d-ebfe764e4aa8,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6148 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e809a28-9e57-4d60-9dab-b2045812cccc,"4/16/2021, 8:40:39.556 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8492 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,06dc9732-ca03-4879-89bd-79b50a67bdcf,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10692 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,40f0a43c-426d-4e69-8520-0687dd1f8d39,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9104 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,1456805b-af83-4bcb-bdfa-315d5eb44340,"4/16/2021, 8:40:41.980 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5484 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f0e10e62-d776-4750-a1ed-b763523d1bfe,"4/16/2021, 8:40:41.980 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4f829974-09a0-4fe3-82bc-e10a170600b1,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,798b1766-862d-4731-9d7e-4c1c7bb01688,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78371ccb-6867-425f-ad22-707ceb2fc04f,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ac1e930b-d09c-4a15-9b9d-8cead56138ad,"4/16/2021, 8:40:43.061 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b4e8286-5491-4eea-a9af-2cd331b62829,"4/16/2021, 8:40:43.061 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,41dd4a79-a965-4663-81db-c501f0f24424,"4/16/2021, 8:40:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,08ccbabd-d124-4fd5-970f-79187cc7c0cd,"4/16/2021, 8:40:43.061 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ef4414b4-ab74-4e74-be0e-dc45e3b8a8d2,"4/16/2021, 8:40:43.061 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46700572-e7d7-4934-b240-85d242cf9c1d,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7b2199-36bf-4e56-99d3-81b4f551595c,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdba5f5c-58c6-47cf-be72-af22811f4a18,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d07b6097-45bc-4aac-b4a7-245b694dab7c,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5503b8be-2444-4a13-8fab-7a9f984f88b8,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f67fc3e2-163f-4658-abae-ad372945f91f,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07ed9a8f-a6a9-4e42-be3a-cbd339d46225,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58daea5-49dd-4d34-aba8-25574e63af1d,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50e058fe-acf1-4e18-873f-c193eb8dcf51,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5edd83af-fb57-424a-b43b-9c969ad3c92e,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08e84a18-f73c-44d9-ba4e-6a31ae6c8065,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19c96179-e593-45fe-9716-9475cd0c3367,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e20c244d-c26f-4456-aaff-20ca26bda5e9,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dd1f46f-74f6-4dbc-bacc-116ea10b8c2e,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,784a54d3-d694-45af-ba27-5c977d1be147,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01ee5f6a-9bdb-4ed0-a71b-00d260d43f76,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec4b0a2-27df-4705-8b54-5931358c9cf9,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9237f21a-4f9e-4682-ada6-97a5d3e8331b,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e55457ad-0738-4506-b828-bcedac23e14a,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88117cb3-6f73-4c5f-adea-7ebb844f09ba,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a9d5b0-216f-4c3c-a6f3-668e323f051a,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47034714-0b2b-4e59-bc8c-65ca4f3e7581,"4/16/2021, 8:40:47.592 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341ac40d-5304-4de8-ad1a-b790ff2ff1b8,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f3832f6-a042-48a7-b2c2-06ad2c4e963c,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0566128e-3ffd-465f-8481-424f986d6ee2,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c03c75e3-948e-42cb-9277-834e7fc85b1d,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81f2caaf-6dea-456e-9fe4-667a955da74b,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4555d2eb-fb2b-412c-865b-6a44865d545c,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4460cfa4-f8cf-448a-b699-1a9a05386e32,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ade7f19-89a8-4fbb-ae78-1c481a43824a,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbc1b5f5-5e1e-4ecd-8ce3-3dbc3847769f,"4/16/2021, 8:47:47.107 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10572 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,55b504e8-cb66-4415-aab3-1cafe88d2c1d,"4/16/2021, 8:47:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d572cbe0-b085-45f7-b8cc-33c457b4a61e,"4/16/2021, 8:47:49.270 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12452 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f80941eb-d4ed-4f46-a707-ab5f678dc10c,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15084 + 23 + %SYSTEM32%\SGRMLPAC.EXE + 32 + 884A078F302053019A3FE11B1C2BAE826C6B1600D3542A8C0FA4511FE88C0320 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SGRMLPAC.EXE\10.0.18362.01 + 0x3e7 + 32 + C:\windows\system32\SgrmLpac.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a45ac430-1360-4d29-adcd-299dd6f30f85,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9e172241-3208-4008-9193-4428b35f88f0,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,939b0f74-faeb-451c-bd91-f7d776e5b9b6,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,67071b0a-7629-48c8-9ecc-e54b521342ba,"4/16/2021, 8:53:33.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fcf3eb29-058e-41e9-987a-0f78280a57cd,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6180 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,62da381e-2ecc-4f70-ba6a-6c5f1b291dd0,"4/16/2021, 8:53:33.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4220 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e2a92efc-9d83-4a60-a7dc-5f3f080196fb,"4/16/2021, 8:53:33.862 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a78758dc-33c3-40a8-8228-50e033b29098,"4/16/2021, 8:53:33.862 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bc24228-5217-4b2d-a1e3-935f52d4507b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82cca7d0-0829-4037-a8e9-de43359e5335,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,784d65c6-2917-4c33-a1ef-4a77599f2f28,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48512a81-fd52-4011-85b7-283b907c459d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2362120e-0a7e-46b4-be55-e5941fba1cb2,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f24ebe64-dc27-426e-b785-2dd039bebb23,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3113ab9-d6af-4a00-b903-c22f35e856f5,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,847c33e1-1c9c-4a8c-8a6a-82588e97a27b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dee5b353-1c7d-4f2f-84a8-9ce08d74565b,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,194030f9-d00f-4e0e-9ad1-40892df6d05a,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b936940-0041-458d-9b37-5f170eafc573,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8cc461-0945-47ed-9c53-d6be2edfa909,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab181292-6bf1-4771-b6fd-14c5f33da407,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eacc18d-1822-45af-836b-7355bccf257d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af307bba-5103-42d0-97e1-262bd0ea1c48,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5552e5fc-aa9e-456b-b688-f36f3f24e343,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ceb3ccd-38e3-40c3-a71b-3352c975f276,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbb4a55-4d4b-440b-870d-9ead0cfcae9d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81870ee4-7bb7-4777-b36e-49280918fe4d,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2787ac67-81ae-4b1b-9f05-cec6784de820,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0895ae37-1724-414a-aeec-cd16280d2b37,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,461d98ba-bd7d-4e46-a75f-399664d833bd,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25fcd4af-5fd1-4b9f-a7ee-334dacd3f2ca,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e45ef453-c8db-4627-8ab9-b18fd2ac6051,"4/16/2021, 9:05:16.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,430c4724-2d61-4764-b847-5d30d3d99c76,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d966ad-b215-4f28-9620-0435cf2f5e70,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b9be3c1-c5bb-47f0-8760-3d56cb14e341,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad1b182-1fba-47a1-a11e-381980f8fbb1,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,256ca04a-bb1c-4370-9af5-e7f63fa43ea1,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88bcb7db-4432-488b-bd46-6edb4909cb8b,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56382218-30a4-4180-9da6-99c3fee55861,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad8cf4f6-5a73-43a6-8e8d-1f06e3d5c7fa,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ab72db-08e4-435a-97a8-c39882788cda,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b837615b-7a8d-429a-816b-7eb54e44f4f7,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8592afc2-011f-4a5a-85bd-814bbc6732c7,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585f182c-2e68-45bf-bad3-76af6afd5a0f,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b84da924-6ff8-45fa-8aef-e2712f1c7b44,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2b2d93f-9e9b-41d2-9f01-d59e1ce345b8,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3613ae30-88ae-4535-a8c5-4aa220228b05,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e762ac-e169-486f-8678-3a1b1c2aed74,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5710345f-9af7-4202-a1f8-cbe4f7edea3f,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0cbe5e7-bf13-440e-8b05-8bdc6e8a2ef0,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\TEST1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20fd1e3e-8ddd-4ff8-a10e-3b08561930c0,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12f7ad7-4e93-4186-9641-95c444407226,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,103b141a-06bf-4e1b-ae14-a68a3bf61173,"4/16/2021, 8:57:00.112 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5055f2f-9a46-4348-bdcf-61de95b7b4ed,"4/16/2021, 8:57:00.112 
AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,baeac26d-7aae-4a1e-93bf-0c62f69a7cc3,"4/16/2021, 8:47:52.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6644 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,71631c21-71d8-4b26-a3c6-843aa77ef86c,"4/16/2021, 8:47:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,34fb7350-2ac9-40d2-9a1a-10c1c5d947a3,"4/16/2021, 8:47:52.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf0ffd00-7539-4e57-96d0-01a75495c92d,"4/16/2021, 8:47:52.741 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a1fce91e-a45d-4d5f-bf97-04efe3c4397a,"4/16/2021, 8:47:52.741 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,860d0d07-eba7-4c40-8475-97646dd7124e,"4/16/2021, 8:47:52.741 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2c082b5-31e7-4507-a89c-e0afca1489c6,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7315b3f-3b1e-4c3d-a24a-ca2f12344a42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e00b355b-b417-4c04-b3d1-a558dee18acc,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de12818a-0635-4fa5-acbf-e63285efcb89,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66b4bbfa-5d6d-4f45-a3ba-b9515b0d0bab,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d215aa46-305d-479f-a5bb-059e524c6e4d,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f994c9-bbcd-401b-bb93-63bc9615d1b6,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32be6d3-7fe8-450d-bdf4-78b2e7bf4bef,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58be95df-84b5-434c-8a4c-73c783a51575,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2322a28-bf88-4cf3-83fd-cebd68baf703,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03bd4519-aee2-464f-ac4b-efdc97a27e0f,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf08767-9a19-4966-a664-36eaa58c0a68,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb13bb7-fb82-4140-8184-6a24017d8b0f,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46966370-5ed8-4221-97b9-fcad2aca5a27,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1174d3a9-a40d-4764-9929-ce5c0c4e2433,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edc45436-b2e5-419f-919d-449291241c13,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7218a50-6324-4359-adf8-24e0f9d7ae42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee12d4cb-da21-4c83-834f-d8b225131bb3,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59a1f513-d5de-46a6-a2d5-04fec67a7681,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8f0c052-3d63-4e55-9194-5f9f7a4deb42,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc855300-8d76-4a2b-9d3e-1b98132e2ae5,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b19cbb5-271f-487c-a76a-6688223583c0,"4/16/2021, 8:47:55.102 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4496 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4e26dc28-c044-4192-a2e0-d77db3540d2b,"4/16/2021, 8:47:56.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11224 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e20f1e54-9d4e-4898-9012-a6e0b0806c83,"4/16/2021, 8:47:56.986 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dabea4fb-8d32-40c2-88ab-0cfb959e7ddf,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86296c37-7264-4504-9d2a-da7745be4e49,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa15548-3ae6-426b-9a5c-8dda84cbb6f8,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,564ad671-d59a-4d20-8539-1b364837f829,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e0dda6-1098-4168-84de-ca9202e614fa,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c99e8a18-fb76-4bcb-8c57-bf3272ded2fd,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3581fac-7a14-4cde-a15a-e9be8c024816,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79967c56-760f-4f7f-a4d1-8dedf05d577f,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70ace9f1-fcb1-4d00-bd39-6cbe6638914c,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a730ba9d-9c1f-40e4-9f4e-6921a290a552,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,871bfb69-dbeb-4e78-b6de-bb953240f474,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bd18908-9f0e-4719-8833-86d0aac2b580,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a4f647d-2ec6-4e2b-b055-865aed469000,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d3c57e-3ccd-44a7-aa9a-6e4b681a3e4e,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b24239-800b-45ad-88ca-88178a0bd693,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af0e1274-8ea0-4660-bb9b-959715ae7d83,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ACC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dffe4243-776f-46a2-a89f-b5d9ae502f7a,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0efceb56-1af9-4075-ad29-398be6ad60e6,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0b2d762-921b-4a8d-92bf-d3fbbdaa7dc8,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9556d59-9dae-4a9a-af83-613466d8acce,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a55f091-8f76-4bc1-ae05-7e4a84460773,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b41c3b96-d3d1-4aff-8d8a-16c914c5fea3,"4/16/2021, 8:48:00.101 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,752e47c1-fdd1-43b7-8a00-2686ddfbf250,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70ba7392-6691-4791-bf96-0d9050c6bc07,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f810b61-4548-4d46-9d90-27ed7e9dac77,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d96a2f5-d1b1-413d-8e6d-4d5baaf3e499,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09962384-9e9f-467f-aa2c-763eb4ac2769,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7903d5e4-4413-4c2b-b6eb-c056f95d170c,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b9e02c3-00ec-4f9e-8427-dc0865ddb457,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81086513-06f2-4f36-912e-b42841bba9ab,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2cc3d3c-f3a0-413f-b8cc-6093f9c5061d,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0e066f-165b-4d05-ae53-4e5922785ecb,"4/16/2021, 8:48:03.620 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79490d5-b87f-488b-bee2-1241adda7b73,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\AAHZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2771e2f-5427-4ef0-b2db-56aea363fb5e,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0487c74f-f781-4771-8439-f900dfc057fd,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74fbefdd-984c-4290-a1fe-2d905aacbc81,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,931629bb-7c3c-4190-9d0c-abc0aee973dc,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,562addbc-df19-4d90-96ea-ac6988fa2f8f,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d21ec3e3-a667-4ba7-bcdd-8622cf5b51fc,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c5ad168-97fc-4627-8cc3-97824122e0d7,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddf9fcd6-3b54-4e65-8abe-84c52545cd47,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf3338d-54e3-438c-a391-53b79d6c4167,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9839e658-09fa-402c-90b7-8619d7aab8ae,"4/16/2021, 
8:48:03.620 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0373ce3d-3045-40f8-b6ab-9a91bd213c6c,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf2cd56f-14a9-4d61-bab1-63ea6658ba98,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8dcaa1e-a9f3-48b2-8a95-a54dbca8f921,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,613f3098-4e32-4866-9033-41b776ff7f33,"4/16/2021, 8:48:03.620 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a3271407-3cb5-49ea-81c4-12c7ab1612c1,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,65b8b11c-a0de-45c1-8045-8155ec9f4070,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,c5e7d413-edc3-4d63-bbd7-b7702d6e0351,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f81bf2a-c3a9-4974-8662-0d1281daf226,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e864be67-d6aa-42af-93de-4751c83660e7,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2faa7a19-e96f-4245-9860-363c811f0f28,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5cc71232-5159-41ad-b61b-cde08688e198,"4/16/2021, 9:05:16.078 
AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2f764024-c080-42b5-bdda-59ee5239d72a,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6e2d966e-27c8-459d-a175-7144f201d662,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,91819802-a251-4135-9ff6-639978e6732e,"4/16/2021, 9:05:16.078 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd08a43a-340c-4eb8-9b02-98fa6ae57a7d,"4/16/2021, 9:05:16.078 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,216ade6c-018d-4097-8154-eb1770c384d2,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5877a3dc-f596-43cd-890b-9db3ca88bde6,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88366b6f-a2bc-4eb9-9bfa-9e771e494bf7,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8533d109-e1bb-429a-a21b-5f7fc8951cd6,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,677eea7b-84af-4042-b72e-4abe4af1fcb4,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5db633f-eda6-48a5-ae80-777b1771484a,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d63ca7-dedd-4f5d-ae38-ec0dd071f91c,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a34fd22-2904-4832-9b3b-1c13a5bf97a7,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d541c30-8391-4c75-849d-0b31c24478df,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\SJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f2f6b0-5b6c-4d98-994a-d2c15ceb98d5,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c93b79a0-a7ef-418a-829e-971212fad2b0,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d4539f-ac85-4a73-85ee-9b4a83f26696,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4934f63-417d-414e-a55d-24a5b3eda3d1,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68bda1c9-9e6e-4cd5-b801-f21d7e5a9e77,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1ab91f5-6461-4459-bfb1-9093e4e15983,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2921373e-e83f-44ea-8d2f-80aab36e1544,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27469d6-fbc4-4dc6-9929-f0a9e1dcd4a2,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85bdd42a-851f-4fc8-8673-168ea9180329,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,654219a5-9457-4bd7-a016-26c5ac45a83d,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4097564d-4887-4aeb-868f-78b5a49b5939,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49397c55-db2a-4c65-86ab-d496c1080277,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f5eaab-a424-45b4-a433-f15bf0e39c4a,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ebb85f-57b6-4e42-8602-6ed568dbacea,"4/16/2021, 8:48:06.103 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,78003b8f-e73a-4e47-9446-688a2fa3f21e,"4/16/2021, 8:48:08.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,59643d59-d706-422b-b1c6-3549f672eee1,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e6e5ac09-9787-48ee-893d-d1d4f56ce406,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,01a0256b-fa3e-4c00-9232-a5b3045352d6,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,3dd9517e-98c7-4aa9-ba77-5be3f15d0304,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,39719b07-7bff-4c24-8ffc-a4928ba6e265,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft 
Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9ae438a-8b18-482d-ab68-71a5c4f8d708,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d783c69-f39b-485b-bde0-1577a56bf0bb,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dbce3eab-837e-45f1-adb6-fca351b1e822,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9edc1d4f-4c86-4167-b323-758d33da3150,"4/16/2021, 8:48:08.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ef1e2ae3-01fa-4653-bf49-48968f664d7b,"4/16/2021, 8:48:08.057 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f349002-3f98-4636-8430-06ee2ee1452e,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,398753fa-edab-47ea-b1e2-450df99d6670,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67a7158b-d67b-40dc-aabc-3140291c5947,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4596ebb3-408c-45ad-964c-4ddf43e2cecd,"4/16/2021, 8:57:04.652 AM",,,,,,, +\ROOT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7735c94-f692-4923-84d2-39413077bf7a,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,198653d8-b387-4f8f-a7a0-c39a99796c56,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f60ac48b-1bd7-44ea-b320-b0638cca861f,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c109f33-d9c4-4dd8-9176-f4bf1634e9a2,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3963c18e-9827-417e-a834-658bdbc8e22a,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a4288ac-1e17-4213-8a7f-c29cab17acbf,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c25e0b-263e-4e8d-8469-f7781fb197bb,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cdff5f1-b00d-4247-8dfd-f8701ea91ba0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f2b777a-c1ea-4b32-adbd-a19cc711e71f,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c8761cd-bb30-41f0-866f-1e71ef903288,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e769cf-3498-4693-b7d0-89585de12fd7,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d32a82f5-226c-44cc-bd52-d11c0019e7a0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13abca8a-d193-4981-b90b-d1c8954207a0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c4b8152-5bec-48a7-abc7-f67b00aacbb6,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ad189a9-16a3-4443-ab81-6f03b519db69,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56976598-6404-4475-aadb-5ebaeb618a22,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a480126-0f05-43ef-8593-0a61fec03f49,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbbb2f5-7f44-46bb-b4ad-68bc3e88483b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f3bcf2-e8f1-4eac-b386-7c6213e1b6e5,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,306dc408-1d1f-40d3-a7de-7cd64ac73299,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae41114-b5b0-4f14-8df1-42c7f4114dd0,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbebcbbb-3d0f-4707-ac06-3ce081bb62aa,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cbdd6ce-76a1-4755-a9e8-caf4ad7c122b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bfcfe4-67a0-4ff2-800c-95214d71cae5,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39ff7e3d-90a6-46b7-a644-5fa18884bf92,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13aa4c7d-07ad-4245-9ee5-7fc79e3d9d2b,"4/16/2021, 8:40:54.102 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fc00c2c7-fb17-4f7f-8625-4d10ad2a2aa6,"4/16/2021, 8:40:52.509 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a089d7e-441c-45ed-aca8-1d770edf1a14,"4/16/2021, 
8:40:52.509 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,31c9b062-4bc6-4f07-89a7-d31f29fef912,"4/16/2021, 8:40:52.509 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bf5a7d3-ba9e-4927-b70a-b9f172afc186,"4/16/2021, 8:40:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a9f39aa3-4966-41a3-b3a8-627c2f82886c,"4/16/2021, 8:40:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e67a8c1d-11e0-4c87-b367-bad25dcb9a0d,"4/16/2021, 8:40:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,576890cb-49ef-4616-9daf-87ef833ff2c5,"4/16/2021, 8:40:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,74cefede-8dca-45fe-b5b3-8f01691b06b8,"4/16/2021, 8:40:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8959f022-27f5-427f-a87a-5ea00e43c258,"4/16/2021, 8:40:52.739 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fea8e17-4cc1-4fdf-8ea1-9d6ad21e2c78,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6459b2a8-2632-40ef-992f-77ef802466af,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1b414d7-ebd6-4ec2-8093-f2c582e38545,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1ab90af-4adb-40a4-953f-4722fae61ea8,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66272a54-98ae-403b-8bee-1b130d697ec5,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352f2ee3-0005-4850-94c0-b0d0e4704b2d,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3841c673-f502-4eb9-8cb1-2520ccf0a276,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb02c52c-ad42-4204-affe-28f92e85d153,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5690a8fb-d8e1-44ed-93be-7ffa00a4b8af,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\CRESCENT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56522035-8c25-49f1-a3c8-394517c8c299,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,182bc085-b92f-477e-b5d1-972d75868f4c,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01100244-919f-44a9-b89c-4034779e6bfb,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137c5788-9b60-4629-aa85-921e721b41e3,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47040401-09c3-408d-9b15-0ae8191c1ec2,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba4bb62-e49d-4885-9f58-5fb9b1611551,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37c974f0-3daa-400e-8db9-224d4098374c,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17db49b9-0bcd-4c1b-be84-325edf089218,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61500459-e7bc-4d16-b13e-772f00baf6f1,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,905d952a-1307-4ad7-82af-f7325327c098,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b10b1a2-3357-4968-9128-e3dcac9633d1,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0185749-03df-4c23-a252-2030958bcb5f,"4/16/2021, 8:57:04.652 
AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d7bee72-3e2b-489c-a8b6-ac8f3f504f26,"4/16/2021, 8:57:04.652 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7def9b7f-cab7-43f6-82c1-c559ddce0dfd,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13e46855-994f-4872-9995-b60ad015b8d3,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,febc323a-422c-4d77-8c06-5c267301cc11,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5deed450-8016-4542-b48b-aa261168baf6,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb6944b8-ef74-401b-93ac-09eea0c4fd50,"4/16/2021, 8:57:04.652 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ce513f4e-bdf3-4e60-a7f8-69c2f4267310,"4/16/2021, 8:48:08.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4c0ef5e2-6476-4601-9e86-a11505100cbf,"4/16/2021, 8:48:08.862 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c44e8752-65d0-4888-8601-1f1b45ff3ec6,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5020 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,537328e8-3b60-41d6-81b3-71a9faac1cc3,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e97da92-b69f-42a1-930b-b3c25ad18bb8,"4/16/2021, 8:48:08.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dc2eae24-7a4b-49cc-9dcc-6e4ddcad37d6,"4/16/2021, 8:48:08.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95db5483-7deb-4614-8b6b-873fe1c68b17,"4/16/2021, 8:48:08.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1f98930a-06d4-4eb0-b535-43e5b00a9fec,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b5f8f4d5-30fb-4edd-88e3-0c988b8d1f90,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,897d7c66-cda2-4da8-98bb-5b139d5aeed1,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - 
An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4a2075d6-20c7-4ee0-97b1-d7f66e2deb92,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,bf1c44a1-974b-40bc-bca3-2cd049c9396a,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2b6c34ea-d82c-4ea0-a3bf-7575f9ee9c4a,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1a1048e-d180-4197-b204-a7335ac0cfdb,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4e0db46-b912-4bed-8f60-07c4dde74d78,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,526b2d2a-66bc-4928-902a-4686eb4d2d44,"4/16/2021, 
8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f4177ad7-56a7-4405-95c1-d5d8ad0af370,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74599a3a-ebe2-49e8-87ad-d724a61d93dd,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,79b96ffd-db4a-444b-99d1-219d12908a59,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8e2e7c72-a421-48e7-a8f2-f98ab4696779,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,005002ec-9b99-4ffb-bae0-aaa81adc879b,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of 
{__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c817a146-3347-46d1-a91e-8591ad9acf05,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,732bd88b-e996-4263-9190-7be9dc8577d1,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e215859-0273-461c-8e92-40ecef5fa2fe,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,489b927e-6c87-496d-a174-a0ed524c5ac3,"4/16/2021, 8:48:08.862 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cbb2c572-7034-4993-b9d7-4272441885ef,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e25b0fe8-4fc0-4647-aa36-0dfadfd966c6,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c4a501d-a0fe-4484-bae2-ea8e93b3529b,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6e507d5f-e959-49c4-9255-f02be9ed0c1e,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c1f7e004-7925-40bc-a012-e5673f6c6ac2,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d93a3fe1-c7f9-4473-8fb5-d667da96ef27,"4/16/2021, 8:48:08.862 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1e755c4-deba-4ac2-a5f2-2608746f40b5,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aabf98e6-3e57-4daf-8a2b-4a7e3d96fb98,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b0b3649a-b7b5-4bc3-b14f-d180249ff85d,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b68ed86-2ea0-424d-b84e-a80f65576fc0,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcc73a28-0379-4132-80d0-22da75a62a19,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47055872-9636-4438-8903-40cb7ba7123e,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e328bed6-e5ec-4cd3-8f13-ad882abf92ac,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d958168-bca0-42b6-9250-412f30163bf1,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82585ede-0b52-47f7-9849-83d8b84abcfb,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59201407-278c-4a14-9687-14ecd558d090,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21b88dde-9b59-4ff7-a924-76aaa50cd781,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d701c9f-a8cc-4d6a-a91e-549bd1799e5c,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9aff055-2a01-4737-9a18-ae1de6e06af3,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, 
+\REMOTE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cb9757b-7713-4137-a6d4-375573bd803e,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39fa70b2-bd42-4bbf-ae63-bcd74690fdaf,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3d87ee9-d565-4ae1-a29d-10d953a0df25,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d78669-f8f1-4482-a463-a8fdb92b5749,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b64b984-83d2-466d-ad5d-ea14b35966a5,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a5774d-922e-4068-a154-4147df7ea873,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad8e3ca3-9152-41d5-844e-5dcc50b53501,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,119cf06b-f229-433a-a02a-ea77cb9b3ee6,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e492dcd-026b-45a7-9e8c-86823691dc05,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3f0bd84-42be-48dd-9302-7eb197aebf6c,"4/16/2021, 8:53:42.634 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,448e10a2-25df-4411-9a24-32065cc223f1,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08c96612-9a82-4a4d-9c8f-d302c274d7da,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2aabb02b-526f-4521-9969-d05305667c2e,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf48d61-1b57-46e1-bd50-2eb418eb652f,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,052ed5db-118f-4344-b4e6-a988da7457bf,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8a479c-b08c-40a0-aa68-a760b7c8f9a7,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8a8a58f-376f-4604-a149-ae36d5156713,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05f449a5-2feb-478c-a9d2-d248da964aab,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e2a3135-f076-4e11-a6a8-2ce571646617,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47de0e65-3ea5-42b4-8195-8c248a6654a0,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36a8a8ff-1278-4f35-9356-bd38a795fe45,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f80df8ff-ff03-4c08-b17b-230906de0465,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea32d0ab-9e02-46b5-8e90-9cd59e5f93e4,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc509068-7be0-45bd-a7fb-71844c0234f5,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,518c73f3-2c2e-4d72-aaa9-c7b8a05c0e23,"4/16/2021, 8:48:12.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e0b949-7ca4-4192-baec-55785294dec4,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e8807d-738c-46c8-914b-868e9ba95277,"4/16/2021, 8:48:12.109 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c73d071-53f1-4184-af17-697059eb42e5,"4/16/2021, 8:48:12.109 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b388c5c-8bf0-4a56-b02f-fbe964a36ebe,"4/16/2021, 8:48:12.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe8ff9ed-4ec1-45f2-abf3-15bcd5f87b52,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b673c026-626f-44d0-9bf6-54e64c2513c6,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,771eed9f-cbae-4a3c-bf63-80e8cac126e3,"4/16/2021, 8:48:12.109 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4412 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39a11a1-5518-45a0-9514-ff41231e0971,"4/16/2021, 8:48:12.109 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7528 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d626b5e5-eac6-449f-a82a-ef46a7fdbbb8,"4/16/2021, 8:48:12.109 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc0fc85f-45c9-4449-bfd0-4c2d7b8bf9d4,"4/16/2021, 8:48:13.408 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,637c05ff-4406-447f-842a-9a7b36950990,"4/16/2021, 8:48:13.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6204 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e6f93ce8-60b9-4d24-8374-de9fda902df8,"4/16/2021, 8:48:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6628 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0348c905-84d8-4768-ba8c-59ab2598c7dd,"4/16/2021, 8:48:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1339953c-97cc-4105-8f08-7b3f49f57e1e,"4/16/2021, 8:48:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ffe5ac89-0bd5-4a52-952d-91a960c06691,"4/16/2021, 8:48:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,44dec685-c052-4a27-a9e9-ec856b12de22,"4/16/2021, 8:57:09.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6092 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dc4e67a6-8224-40f5-8a84-1ee64fa71647,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,47e85599-701a-48a7-92c3-29b7eae3684e,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2c307e4c-27a6-425f-8bc6-0518e7768181,"4/16/2021, 8:57:09.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8b3a4b56-5222-4169-abb5-e4c47a9a876c,"4/16/2021, 8:57:09.862 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6752 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6d594f2b-b2d1-43c9-bf43-85ce4cf1b369,"4/16/2021, 8:57:09.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3fa144ed-1b0c-4183-904c-9e30d0ed267c,"4/16/2021, 8:57:09.862 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d369d5b-631e-4642-9aa1-71e3f0fd2c47,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16b6d31d-178b-4101-898d-23516f9d8d17,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58731e72-4246-4fb7-b1f9-73c77bd54dc2,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9a88bbf-09b2-48bc-a130-247d80e11c17,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26ed72d8-625b-4736-9322-497a264950f2,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d057dc1-0ef1-46c7-988a-cd53bca7c3f1,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b271b16b-87f5-4720-9424-ba50f2991e61,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,468593e4-0319-4046-b95a-c6a32726ac7c,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b4eed92-7e43-40f4-a262-a0de53680a9f,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1beaf85d-062c-489a-bb89-3f5fea30a816,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11e930a2-b386-446a-9bbf-cc3890066fef,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79c76eef-0e36-40e8-8e4f-7d11f43daf4a,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,512b1a77-edd9-4315-9a0e-9e5a0c82e3a9,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\RUSLAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d61f9b36-11c3-458d-b434-f3414997a7fd,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28efed55-0703-4b8b-bddb-14b4ea87c1ea,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6fe899e-a3bf-462b-a74b-bae1b2386e71,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58a5fc1-d67a-42d5-89b2-de6af588792c,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3fb19e7-2501-44b6-9ab2-f74faf9364de,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f629199-1888-48fd-a1fb-11e404dac903,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41ff1f42-7f7c-4f50-8d7d-a492f9a1773d,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37dff4fb-8199-4dae-b32e-b0388d480651,"4/16/2021, 8:48:18.621 
AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a89802f1-a026-4c9c-b4b5-2fcf29af7ce9,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0e7b8d4-26ba-4ced-912a-da0eb4cbc0a3,"4/16/2021, 8:48:18.621 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cd7e455-4006-48c7-b188-f8f2c080fb06,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,237e6098-d1cf-4bbd-8586-05ba2eadbfe7,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8b23fac-f45b-47a3-aeb1-4937370de231,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b59391c-9854-4511-be23-4ccac97597e5,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90e8416a-0fc0-47b7-af12-ba4d45a91604,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a70046-e110-48ad-ae76-70f052776896,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d5093fb-b848-450b-8a4f-177ea0f8b173,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ea1747e-fc7b-4e21-847f-67dc1d3448a6,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3015f08-83e8-446d-b217-7bac55a7f11a,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,55704390-50b8-4b97-9066-02026c41b299,"4/16/2021, 9:05:23.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d413072d-b371-492e-b3c7-51a593bb4c55,"4/16/2021, 9:05:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d167fc05-6b68-42dd-995e-7298d06420a2,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf68bf7b-36b8-4eda-8060-21ca7bd4c1ca,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4756 + 22 + %SYSTEM32%\CSCRIPT.EXE + 
32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f45fc8e-a501-440a-bb78-3c7e0727c0f1,"4/16/2021, 9:05:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8952 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,02acf414-9db5-4422-a71a-c85bf508b10f,"4/16/2021, 9:05:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ca73af2-8ea4-4aa3-bf62-b29397699369,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ec1bcdd-aecd-4cc5-9213-75da28371354,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d728ecc2-cd12-43f1-b153-b1d97e3565be,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a43209d-d872-418f-a076-0708815bc6bb,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7407a70-db86-4d0f-9f71-15ab1c77253c,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318d7a4d-10c3-4213-95ad-da9131a6378e,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd306e6e-dcc5-4730-be14-9f5c3d5f6e01,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e25a890f-7f27-448a-9693-bf9bb381eae9,"4/16/2021, 9:05:23.120 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9364 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5d44a485-a78e-4f12-86d1-c5562ebc1f5c,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd006efb-d83e-4bcd-81c3-6bb73d93d2eb,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12032 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,911a5088-b8eb-4b2b-b57f-f2219e18454f,"4/16/2021, 8:53:49.264 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11924 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,55e31df0-d7c0-4d7f-ab3e-c2304d20dc02,"4/16/2021, 8:53:49.264 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e069e03-1b4a-45aa-95c4-d7cccfcd062b,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f82eaf73-8efd-4a01-8c54-e796770f683a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9b1fc0-dd92-4b8f-be66-ecaad1eef081,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,360034ad-7f71-459c-bc7f-3cb1efca4bd1,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b83a8bc3-325c-4db4-987a-aae2553ab9f1,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d87fd997-6740-4d7a-9108-f5d675190e3b,"4/16/2021, 8:48:19.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693fb513-78c8-44bb-8228-4f9df752e8d9,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3784 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f9ce9b-0e05-42e0-adfd-885037f6e0cb,"4/16/2021, 8:48:19.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8902e091-0a98-4f51-85ac-0d8e117dd49a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bef4f5a9-7018-4e5c-baa9-b918987e350a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad9ffe9-3853-4ddd-beb8-7bb3b06c3d9a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d09abd-ece2-47ca-8a7e-5353badfd447,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fffbe1d4-3cd1-49b1-bfe1-8210eccceb4a,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbe94c7c-db7b-4acf-818f-edd876a5f896,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daed8efa-21e9-444d-8ba6-084f83881b0e,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ed628a-5464-4db6-9f9f-54d539066c66,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c0dace-147c-4c19-8f53-5a89ccc718c7,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c37b94f-080c-4029-a3db-0df372d3e408,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76d93f2c-0d59-471b-aabc-0abea9f32ff2,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d918229-dbe5-4ff5-8037-a36a2e13ab5f,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55caa39d-c0cd-4703-a062-8843d121ec62,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e013c0b-107d-49ad-8633-22c18d39a4d8,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e356a9d-c216-44ab-8a99-9795b3d47374,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e6fd1cf-9241-4377-a37f-1ee4f2e99cec,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27db87a0-6158-40f5-b170-f3d6463119a6,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d30154ba-5b92-4b4a-b52e-8c249f4e8cb2,"4/16/2021, 8:48:19.107 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,518cbddb-74fb-4ec7-bfa6-149f027e15d2,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3428 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ffd9a02f-3a90-43ec-ab62-cf32fd3a0c29,"4/16/2021, 8:48:21.547 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 
2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,275c01af-088c-424f-955d-259aaa2db02f,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a6dace26-14b1-45ad-88f5-10b7c5a11112,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,09979620-6544-4907-81ed-53b2c137a07d,"4/16/2021, 8:48:21.547 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9fa817d1-06a8-4389-b69c-34f922687071,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9580 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ebe48ab6-0001-4475-8802-d9ef02e8cd5a,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2764 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 
117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,34ac25a2-7fdd-437f-9f83-fa0e5ef7e5c7,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9000 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3915df37-f7e4-41e4-bb75-e4767cc7b50b,"4/16/2021, 8:48:21.547 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5568 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,07e8c9a9-67fd-48df-b6d0-d25072c34683,"4/16/2021, 8:48:29.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,58ca33a5-f790-4cb6-ac4e-2fe27533e369,"4/16/2021, 8:48:29.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c78122-0e01-4a53-b023-20b1e487a175,"4/16/2021, 8:48:29.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa387a58-2565-4266-a108-4db62ee785b0,"4/16/2021, 8:48:29.108 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,802a0a58-a1f8-45e1-98f2-57dee9135dd8,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8f5c3f0-2896-453f-89d2-a8d1ebdedfb0,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff8e58e-b91a-4039-855c-5f4dbfad11d4,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0f07989-f49a-4cb6-a446-881d9efdae96,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4860435c-74a3-45db-b325-b40215526c83,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a440d888-86c7-49db-86fd-288cf4d7d2d9,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea4a41c-9a1d-4f1e-991c-9b3824969231,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b7d93c-38c1-45c6-8c2c-26b418aa048b,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14b2a942-742e-46ec-bc5b-bf2377bf2a4f,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe5e9c4-ec4f-4520-8850-865df18305c5,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61502b3e-c7e1-4844-b590-13494d230bbc,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9333670-01f9-4702-a5f3-f5e431b82129,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9b9e886-ed49-4d1f-9b40-88a3677a3831,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76776d91-44e2-4d98-881c-0ef45a6fadb4,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b956de4-8c17-487f-a2ad-309b9727a9f0,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b4ce8c8-85db-44d4-b147-31242a7bb93b,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96f6b354-d48a-415c-960f-7d78b18deb0d,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1bf8d1c-3df8-44cc-9437-87a9fad73b33,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69815bcd-7dde-42d9-bd3d-c16618feb731,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,715868c0-4a83-479c-adce-b8fb88f4c457,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33a8a21a-ab4f-45d4-9ae1-1d4e4a952d54,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f182720e-29c4-4552-b7d4-af1777c65646,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd2e5c0-160e-4477-86a1-6cc3ac3d02e6,"4/16/2021, 8:48:29.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d22200a-1448-488b-bff1-6131add3e799,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72d1500a-12ae-44d4-9dfe-bf82c3c1f952,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14c6daf-0833-48c5-908a-05f7a3254c98,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22cbf730-4ff5-42cd-b2b0-628daa24e612,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dd4ee94-cd32-4f3f-8f08-7c3f6f058661,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c761fc8c-7a0a-46a4-8588-946b7cf1342f,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee424a94-dd33-4e92-9777-981d2effed4d,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7b9aeb4-3efd-4579-88a5-092479e40999,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dc84009-63b7-4427-855d-10294c6baeb0,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e241c8b9-0759-4d2d-ac90-bff63c28737d,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0369d4f6-4141-4533-89ca-b35708783768,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b33002-975a-45d7-acd3-a2190a17cd45,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65b2af7a-e5f4-4d56-bc07-885e2e8bc23a,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44cb49fc-0a8d-4655-801c-fb848e6849be,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f95ea3d4-cc75-492e-8c62-044d663d8558,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c06646e-f727-479f-97ca-497dee512fc5,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7488e442-4d19-4081-b405-828b4083a05b,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc5b07eb-cf01-4e60-b2df-837a7fcef9bf,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48bf917c-63ff-4c4f-a9fc-22ad8fe32d33,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2db1628a-a81a-4530-b7a6-1f679eeff628,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e46949c-4de2-4272-96ad-288f07dcc6dd,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0426151-ea04-4415-ae5c-cdda6330df2a,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983755d5-8887-415d-9ea1-fa0af73414bd,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac7e299e-4140-4c3b-9f3d-5229122824da,"4/16/2021, 8:57:11.110 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5868ba8b-58e1-42de-8e42-d6dd4818a992,"4/16/2021, 8:57:17.733 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4036 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,61acf026-e4a5-497e-b763-003766ba7547,"4/16/2021, 8:57:17.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4c204e0f-2eee-49f8-86f8-a5c71b078620,"4/16/2021, 8:57:17.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6624 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a6d14b5f-39b1-487b-b050-47b60f3c27a4,"4/16/2021, 8:57:17.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,60a6d498-73ed-45a3-b810-842cd3b1d9dc,"4/16/2021, 8:53:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b9311c7a-f75b-4422-b067-dfa6d494884a,"4/16/2021, 8:53:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7060 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dab2a34d-90cf-4bfc-99d9-0ed5995ac679,"4/16/2021, 8:53:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e67cd458-0f6e-4484-a48d-43fa18d9ef1f,"4/16/2021, 8:53:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eeec3ca5-8bfe-4905-bba7-b01ec95adc06,"4/16/2021, 8:53:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4b4a313e-d81d-4929-a01c-57c65e0f20db,"4/16/2021, 8:53:52.739 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,77058c31-975e-44bc-9b8a-29ed235e3237,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c8ad90d5-cfc4-4243-bc76-8bfa76eec5eb,"4/16/2021, 9:05:31.872 
AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24184285 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6b6037b1-85f2-4514-b209-474d4ec851a7,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c9d94bbc-8827-487e-9cc8-61d887c24a94,"4/16/2021, 9:05:31.872 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc7567e3-90ff-4a6a-ae53-b580072f5207,"4/16/2021, 9:05:31.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,e1581970-e51f-49ea-a650-954a7b6ad3d5,"4/16/2021, 9:05:31.872 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b9ddeae-8733-48a6-b0be-eb660598e2fd,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06869ed2-29b1-4e0c-a5b1-f73fe7b05258,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0a5c58-8709-495b-95e9-a8cdfd300b5d,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1114c7a3-61d6-495c-bac4-174e61d7edc6,"4/16/2021, 8:48:36.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4e0d536-e36d-47b2-9a1f-4d701ab3c7cc,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b672b2-d82b-457f-b7f0-dc74b043c1b3,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba49ab1-3465-4624-a2e3-242fbfe2dbe9,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c1a9a8-110f-4add-badf-82f0c458dc59,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efe0aa3c-befa-448f-ad37-8e038cb88cc1,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e8c5d75-c673-4783-9b1b-0d168369173a,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02a1b50-7dac-4284-9b49-947253db3fc2,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT1320M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT240M</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> 
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fb1dc5b-84b7-4ee1-877c-a1505f57d250,"4/16/2021, 8:40:57.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,739f3dbf-f58d-4d6a-99a2-ae063a7f7d83,"4/16/2021, 8:40:57.142 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,7895e236-9b9a-48e7-a47f-4adfb55c1a90,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e40bedbd-9fcb-40f4-892c-bb43002226b8,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT22H</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT4H</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> 
<RunLevel>LeastPrivilege</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813697152 + 3760 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,bab30a1d-d422-435e-a918-69406ca782ae,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8146aee7-a95b-4459-a7c5-594542dd205e,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> 
</RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT1320M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT240M</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,553e4ac3-5c78-4916-8c02-bd82e902e384,"4/16/2021, 8:40:57.142 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\Schedule Scan + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> 
<URI>\Microsoft\Windows\UpdateOrchestrator\Schedule Scan</URI> </RegistrationInfo> <Triggers> <TimeTrigger> <Repetition> <Interval>PT22H</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2020-10-14T22:21:50+00:00</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT4H</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> <LogonType>InteractiveToken</LogonType> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartScan</Arguments> </Exec> </Actions> </Task> + 2251799813697152 + 3760 + 752 + 0 + SOC-FW-RDP +",4702,4702 - A scheduled task was updated.,41502da5-21b7-48ec-81c9-baeea8d7d669,bacff23a-c551-41da-94e3-0a884c2f1491,"4/16/2021, 8:40:57.142 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\AC Power Download + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.4"" 
xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\AC Power Download</URI> </RegistrationInfo> <Triggers> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01000000</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> <WakeToRun>true</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartDownload</Arguments> </Exec> </Actions> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> </Task> + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4698,4698 - A scheduled task was created.,41502da5-21b7-48ec-81c9-baeea8d7d669,54361f73-7338-4895-a128-1abd54694845,"4/16/2021, 8:40:57.142 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,468e040b-e435-4eac-8327-56e0b03c3cbd,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ac70a84-1c3c-491f-bfda-86bb04b5204e,"4/16/2021, 8:40:57.142 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 24 + %SYSTEM32%\USOCLIENT.EXE + 32 + A314458338BF571D155F76D519341F55B387C6049EC07C7ABADD8F543D333A12 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\USOCLIENT\10.0.17763.1007 + 0x3e7 + 33 + C:\windows\system32\usoclient.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,00d11525-a636-4159-a9e8-89aed4655b7e,"4/16/2021, 8:40:57.142 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3760 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b2a7f7f-41f1-4101-ade1-b0c9fd667704,"4/16/2021, 8:40:57.142 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb4db1d6-9f0c-4070-b526-efc9d6891a41,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae247e1f-5cc6-4870-ad99-9032b8974118,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + \Microsoft\Windows\UpdateOrchestrator\AC Power Download + + 2251799813685442 + 6352 + 752 + 0 + SOC-FW-RDP +",4699,4699 - A scheduled task was deleted.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5cf9482-37e6-4536-8d11-9aa701264c18,"4/16/2021, 8:41:05.099 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f85684f-550b-4174-a266-0f730e288040,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65ee09b7-6946-45c8-b0c3-e9d42bb472a6,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afadcfc6-add3-46a4-96dd-b6857a83d335,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a26fa67-a614-4bc4-812b-fb07e4ca6e25,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5138233-d876-4020-90d7-1398ff4e5a19,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd706cc-15ea-4b98-a0d2-e5e2a188dfa7,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e5f988-fac0-495a-b603-fe670708aac1,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,463feb4c-e04f-443d-a18e-5b3dae032191,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfb60fb-2af6-4eaa-b5f8-b6f1c526f13a,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51015cf-3ee1-448d-b90a-d9b2fce8a35e,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f326e6eb-856b-4124-ba2f-0f0a3328cb0e,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bb2699-79dd-4f4e-a4d3-43599acfb25c,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29072b44-5372-48fc-8422-66ab51bae2a0,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b25307-5c50-4b59-979a-b56225ef2438,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95652cb9-dd88-47c4-be8e-694a916df6a9,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a32f572c-9204-409e-8c78-0c888e13f627,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55f231ed-37ff-4647-88ac-60e7c38923df,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbed40e3-fc8c-47e8-b0b5-9a0c8b8e501a,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,142f7372-9867-47b0-8b61-af01707d6c96,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4884f37-a8a4-4047-8578-4b472d224c20,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65b85a3-b277-44da-8e45-c927aa00c27f,"4/16/2021, 8:41:05.099 AM",,,,,NTLM,, +\WRADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09ed5fec-7e9f-415a-822a-dcea0709b54d,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77a31009-f188-4175-bea2-b2309efad19b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6244447-f385-4a3a-848e-945db3710436,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a82622ba-a96c-4b32-80a2-ab07533a2546,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea4357c0-1388-494d-97fa-636758392512,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,259fe89b-abce-43be-8a0e-a4371c9b7c38,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abf49060-f57f-45df-a34d-6dd0f1064588,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a80eea95-f646-4463-bdd4-1b9932df3ad0,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67e7c046-6ccd-4536-b639-b3816ad5f33d,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16ea2e5a-18f6-4a7a-8fe4-5ef8cb864ab5,"4/16/2021, 8:41:08.598 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,514b3501-9e69-4317-b5bf-d2c087282fcb,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f0da5ab-02eb-471b-91f1-54bada9fd720,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57ac40c0-8abc-4d97-a6d6-93c7057e14cc,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cce78040-c20a-4070-9ff0-d7f785af5a61,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f53f1f4-9fae-458e-a220-17b6f820ccd1,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,591d29b3-dab6-4446-966f-2f7e8513f906,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb1bb019-b475-4072-b300-67dafc4286b6,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f10f1bf9-85ad-401e-bb87-0ee29b380c09,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d78bd8-6db4-4c4a-a8f1-8c4bffb52f4b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d50cfd00-9221-474c-aa6e-fe63a9eb5354,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,534ff8f0-0439-4db1-abc9-be4b5e8d534f,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4bd86d2-f20b-4fb1-8c25-6deee18a181b,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e000842-ed44-4f1f-b385-5e7fb24cb7c9,"4/16/2021, 8:41:08.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54745ea2-cdd3-40dd-ae03-76d810211005,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc696a1f-bcd0-4379-bc17-4740c380ccc0,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c4a6fc-e960-4241-97d9-048a823ea7b7,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27935c56-6242-4997-89b5-80a13fbf623e,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21d0f3f-f3f5-4c4b-9f75-5b567a32d5eb,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,026b06b5-271f-4162-86bf-9f4562e22580,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02338001-4b99-4234-bd28-6644e66622bb,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c4cc33c-402d-4a02-bd6e-0b05f0ea3289,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248a73e4-a700-4158-a975-76769d159432,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b7f0c0c-27d6-4785-94f0-c51808662ce5,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd10e40-9560-4f2e-8b8d-548d09552ace,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac600869-87b5-4e45-904a-16633fb1ee19,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc10201-8473-4260-87ae-a28da15bc946,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca11c453-95d0-4ef9-b6bb-cb694acf1b55,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,addbb05f-d0c7-41c2-af45-30447c594197,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ec57a94-995c-4284-bd05-f217717900c4,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93effe31-a26e-4459-8054-f28b0a53c714,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50774b92-35c2-420b-879c-6841e3dd58a8,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f45a4ed-9464-4fdb-ae0c-12bcd482dccf,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a20c661-cef2-472f-84c6-66c2b1db1ba3,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0e711d3-4528-4ae2-a704-5299b374298a,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc44b5f-61a3-4760-af48-4a969b578d3a,"4/16/2021, 8:41:11.097 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,395783ad-ac4e-4615-b498-4e973217c4a9,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a4e844e-aef3-4a0e-8996-f85b1a9c6d35,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,0526a359-0bc1-420e-9ad1-268d2bf89474,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4abbbf0-a1a4-488e-bfa1-64365eb42119,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b512019-39c8-49d3-98d9-09a93d144215,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9ed98a8-e544-45fe-8941-a2ed52d30399,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,003c4adc-a217-4a92-9494-70b90479b4af,"4/16/2021, 8:41:16.044 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5117f6ae-f326-4589-b727-9733d023ed2b,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4fb1b23-129c-4b91-b065-f9bff7660111,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2536a7b5-d4ca-4c4d-a53d-943b4912eab6,"4/16/2021, 8:41:16.044 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2a70fdaf-9887-446e-be82-793b43d44705,"4/16/2021, 8:41:16.044 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6292e194-ac5c-4860-82fd-602f749922a3,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa478250-9c37-4764-b5eb-495d37d335c1,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de537989-e9e5-4025-bb19-b9b1374c6f76,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66d206b7-f6bd-4d71-b8a1-f929419c2152,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54333639-31dc-4041-bc60-4d40e914ccac,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40f07ab9-5c6c-40c9-9e2f-4cf4c9f1c335,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\OVX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a129f9d8-4897-4ded-b25f-af11f1a30a93,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d72eb97-693c-4313-abc1-a0604f4f55f2,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad88a639-ecf0-4e60-b5b1-3d783aeb47d7,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ade7f1d-3002-4b66-9a76-d60664df3869,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,962d1570-2284-439d-b3f6-a88c7dd10b63,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2abcf471-99df-4023-9efe-75106968bc65,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ccb8f91-caf1-4be3-9fa4-4084f592e2f5,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0d638f2-68bf-45d7-8170-fc105eb894fc,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dcd7b5dc-dafa-4afb-a5b7-3afd74351fa4,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14dbbaf-21b8-4866-ad17-c06d456a22c8,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9641bb-c5a9-492c-957e-57546c3a6410,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29001c68-605a-4bf7-ae29-f181d61d4d94,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df3b6c88-f5b9-4b84-afe6-c47ef90f167b,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e26653e0-be44-4f4b-badf-917db074695f,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a1fe471-8809-4099-a5b5-0d805fa598fc,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae502b8-d15c-4444-9704-98d555b7f3cf,"4/16/2021, 8:41:17.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9543cf7-58ae-425c-a611-f08dcd658ba3,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50d796ba-3c9d-4915-8985-25c24b75ecb2,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86f72495-f945-40eb-b4b1-871fbb27d3c6,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,630a2026-09ca-4c61-b600-93fe21331a98,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\OFICINA2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,965ae4db-5ffb-4db8-b8e9-5b73ff5d7a93,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e1c6d36-0cfd-4fd5-9577-f219ba66dec4,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b4b7ce8-69b9-4082-947d-471b30dd3998,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,414b5e06-00f5-43d9-b060-3a8ceaf71475,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dbbf125-a711-4a24-860c-4a7ed1d636f6,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,454e275c-9550-43ba-b33b-0c681d6c2e28,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c13ff1a-bd68-4f01-907b-40613ba4015b,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7beb90e0-2a89-4d0e-a3d2-93980fee9f6c,"4/16/2021, 8:48:36.102 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6110c3a-7aae-4699-9295-83ef2115aeb3,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ce35abad-2c17-4507-967d-3c79172b7cb1,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,034c959f-916b-42f6-ac90-7afebe508417,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a69c8074-01ba-4829-a20b-80bd025d0eed,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab8cf077-f1a0-4e5a-b9a0-737e357d03f8,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1f72e8fd-8bd6-4f77-b5d8-1874ac741fe0,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,737a6061-9d01-4821-9ca5-cadfa959ed7d,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,67d1fa40-0fef-472d-ab4f-554d7f3f7e76,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,15de7b0d-7bed-44a1-a346-65e940ba9b1c,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e4acc9c-1c4a-4ba2-a03b-90ddeac1268f,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read 
(ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dfb999bc-86e4-486e-8c2d-c90aba76646e,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9d9e6014-a823-4766-bf5c-6cef2bacc8ab,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,574a6f91-47db-46ca-b177-5eaecb9c31f0,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5ff1caf4-d776-4940-99b0-a455b649cd18,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d678d16-ce98-4308-8122-49f6b925aaa2,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e760ca01-aeaf-4ed2-8f1e-6c43fb4f42c1,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,806a24ab-3fa0-4624-9312-4e70dc405e50,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1c86db38-eda7-4adf-99fe-a62422bb3083,"4/16/2021, 8:48:32.872 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0a8f4903-1960-4fd3-95bf-09419646c335,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,283ffd6b-da5e-4d17-b023-21a35df4500b,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2d094a58-cdf2-4fad-bdae-3e328fadcff3,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c368792e-882c-4c36-8e26-f2327cd33c9e,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5ea807e5-c6e3-4fec-9249-e013e570af7e,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8de056ce-946d-4310-8de7-5106e8e84cc1,"4/16/2021, 8:48:32.872 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6f7427d4-29ff-461b-acb6-1f07f07b4fdc,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4f2e4ea2-f481-49a8-ab43-bd0451223b94,"4/16/2021, 8:48:32.872 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7d49a807-81c3-44c2-9231-c16755dcd126,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8b2c4855-5be4-430a-8777-306b4deae3c1,"4/16/2021, 8:48:32.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fdf8947f-ff5b-4b12-9672-62ad69452160,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11312 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1b59b50e-3159-4134-abf6-41516da75a54,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8632 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d6e9b5dd-4e40-4586-9679-0e7e0b078eb3,"4/16/2021, 8:48:32.872 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e6beb2d6-6f50-45ae-9253-84ca3f966278,"4/16/2021, 8:48:32.872 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10624 + 76 + 
%PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dc5afe5f-1b90-4e22-b530-255dced2ba96,"4/16/2021, 8:48:32.872 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,97f10c12-8c8e-4fbd-9a66-b2cb1c842ea2,"4/16/2021, 8:48:32.872 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d30efcaf-d191-42de-8530-53e4725b9e75,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3741abb-f818-494f-8ef1-733790a8c92e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdcea8d3-0017-41e6-b407-810187302320,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cfb42d64-3fa1-41e6-83ce-ebc2de9f76d3,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c98c840-1774-4e89-a881-80f9ffb550fc,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948538d0-90da-47ac-a5b9-997579d2ac6a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42328b2c-1058-467d-84d9-33536d873210,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,318f4ead-80ab-46c2-9710-29c47b3b9c37,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba8f1ef0-1cde-478c-9ed1-c92a87f66a7e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8222bd-3cc3-4989-b493-17c646e26421,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afae9770-d377-4320-a67b-edc0bbd35109,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbd38e60-77f8-4e1e-9730-b3b52bc2083e,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af3f2c65-d398-4724-8d51-9548858d2789,"4/16/2021, 8:48:37.625 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e63f6cf-2765-488a-9345-78d7e8ec3e2b,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b3909b7-50ba-4716-8422-e4ee4234ffc1,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dcd8fe2-d970-42b3-810a-e88c2285b459,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db807c71-2d46-4a46-a579-cd96aa36af01,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6689f40b-cf1c-4ead-9d40-8effc4336a3d,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd9c9c7d-9af1-4e16-a49e-51cad5e7f75f,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9fc728f-a3c2-4b43-8042-4540805bb479,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb0cc510-59d9-48e4-b076-c2c47885b68a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d698a53-26da-4211-b93c-61fea963194a,"4/16/2021, 8:48:37.625 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,851327fd-573d-4636-8383-9fbabd338408,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecc058a-5ef5-422e-b499-21bd7a764c2d,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db3e232-0319-4154-bb27-4dcf2eae1662,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b608fbe4-ca16-4221-bf7e-27c77f9db7bd,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92bed456-773f-4396-97d9-f4d9046a56d4,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de0ce874-478b-4101-8c8b-007573ece079,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fe39341-6d80-4c6e-8b1f-41d8854d3e41,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,620a4ffb-dcb5-4e9a-8e63-3088df16538e,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae44de8f-9166-48ce-92b8-7bd6a15da3c4,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a3bfc51-f165-45c4-afec-a9118115c3f2,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce924529-fed0-47ef-bae0-0d6301057707,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f3448ac-5e85-4e24-84c2-bc101ebc09a2,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,350ec951-66cc-4ddf-9199-31f53a965811,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad2059f-f744-47b2-a4fb-5f740a69c03f,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c051c98-292c-4198-ae05-e5676ccdffa0,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d80934e6-4e24-43de-b49e-12ddbb6029be,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,760e16e7-1e4c-4dfb-b767-fc69b25b81ea,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02fb4cc6-3d01-4342-8144-ae11135b41da,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef3fcd8-186f-4cb0-97eb-2abe6c7741a7,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15d0259b-9230-4084-9c56-e6c429c62a14,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae7e19ff-35ae-429f-844c-87a9acd48a15,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bd0d88b-546d-446e-bfa1-3d0855f4fa75,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda96c3d-8a8a-4a70-a2cf-4bf6b4cc7e38,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d349a3-522b-402c-b1af-5931e985de0a,"4/16/2021, 8:48:42.107 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,447263d2-5d64-47ea-90f9-6c09928f09d1,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e9867ea0-ded2-47cb-bc84-dbf41c16269a,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8460f623-18ac-42da-bb9c-6d4f9919519b,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,607ccb37-f30b-495d-aaad-030f068365c6,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,61d0132b-f6d4-45c2-af5b-3fdcba633523,"4/16/2021, 8:48:43.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b0c715b6-8ac0-4eac-b14b-c1ea42f0644c,"4/16/2021, 8:48:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d648149c-5803-4f5a-941c-a9163850403c,"4/16/2021, 8:48:43.048 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3550a0ac-a272-4818-8437-7b31a43ce2b8,"4/16/2021, 8:48:43.048 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a71906-128a-4d98-8a52-b7d2289506d1,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f00765a-c80a-4d61-af98-ba56d06b5a0d,"4/16/2021, 8:48:49.107 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d38a241-0539-437a-a0b9-95f9e5c3f248,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ac98d0-2b50-47a0-96b3-349aeaa2d3c0,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3877603f-890a-454e-9c30-0a66a5be6668,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad57d881-7547-44fb-a30a-073f34a9dd26,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73db1235-d4fd-4126-9ce1-f1700656bde4,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e016c4e9-fd8a-4b5a-947d-d5246e64be6c,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98985912-bd41-4c7a-b16d-ad8481d39aa3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88d36ed3-214b-443d-8a3d-5ac75598b415,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89fd2466-fa71-4d97-8427-5a93fd6a1069,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df368b4-2342-4474-8d96-21574145bab3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b9affa7-b6dc-404d-a711-ff7a013f11b1,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6cbb3ce-8a76-425c-8931-c12c67bce2bf,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37fb9f90-7765-42c9-ac7a-d19c09d8f5bf,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78fdfa30-0fef-40d1-aa3c-8711c5e2f335,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c51ad45-90e6-48a8-8bf1-736822a348e5,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f88ec3e9-ac77-42e9-8dc8-72d405c3abae,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b13bb987-ee90-4757-bc50-4998d3a0ad61,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284710f6-78f5-4528-9bae-67fdcaccbe9d,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2741048d-12fc-4271-bda0-a3217d516ef3,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30187b12-ff74-486b-b421-f4f7f018b7df,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c62319-2aa9-4e79-bb2c-e3d69a7bbf5c,"4/16/2021, 8:48:49.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c05551d-74bb-4d40-a538-6888764c052c,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7c4bfe0-d386-4805-a8a9-846d91c3e063,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeaf0dfa-8083-41ac-8dc9-c87b742d0f7a,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41657b98-d1b7-4266-bb20-9b806a0e0821,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9663836f-910f-4112-8109-30d482329e5b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f87961a5-83f8-4cdb-b99b-7b1eb28200ba,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbee9ad7-edb2-4499-9430-9893cf89b862,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ef5057-3178-42a0-848d-74cd2b44d417,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1da0acf9-a545-43a0-8aa3-42a73f207085,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3a9817-50f4-48cf-bda2-e4242d42474e,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e27d1c59-8073-4586-b07d-bc3268187339,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82d51bf2-eeb5-4aad-b216-2c88a62d8420,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,298b3354-39e8-4ac1-9d5e-1d69bca64a1d,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ee931b-3392-40b1-8919-c4ba4abd3d58,"4/16/2021, 8:57:23.111 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,0835e892-091d-432b-b7e6-f3585fd976d9,"4/16/2021, 8:57:23.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8424 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cb7ac79-d706-4302-a630-a3341e24b8b0,"4/16/2021, 8:57:23.111 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5564 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,faca501e-c52b-4dbf-9502-809b07436589,"4/16/2021, 8:57:23.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf9da94b-c592-455f-a415-e7d8c8271acf,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deec490d-7bd0-40a5-ae7a-4af00f4aac56,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd2020f-94cb-4a54-b8e9-b32070e013dd,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d47eb9d-eaa7-43aa-b292-5c829511678b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad4ba2b5-13d1-41b7-b3e9-cd9c79966201,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de0828f-6c49-4ce7-bedc-519ce703a2aa,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419d76ec-19a8-4e7c-9825-17be99b1764b,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02748b3b-a632-474c-b92f-ddf80fca41c6,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6e88726-2fb1-47b2-9acc-01e3e7a2d965,"4/16/2021, 8:57:23.111 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,866fd08e-d2b3-46f6-a3cc-75f69147fc11,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8128 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,0e647a8a-0281-48ad-9d66-0471c4c5353e,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5716 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,812df333-d8d3-4b69-a517-2d6ff3e0999e,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7648 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5990f3f9-9b10-4b3b-b16a-5845397894a0,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13084 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A 
process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fbd913fa-e17a-4861-ae34-494c213f8afa,"4/16/2021, 8:48:49.331 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2836 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,95b3e1a5-3dfc-4707-a6c5-883d6335b287,"4/16/2021, 8:48:49.331 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,261e89be-b9de-4d5d-9c06-cb1b483ec491,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1f09a5f-ff40-4865-b489-e77a4712e89e,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3684 + 103 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-14_172937\GUESTAGENT\FINDVOLUME\FINDVOLUME.EXE + 32 + 46E1C7D915C93EAF6E557C426DF1311480444C62DEA616D670C574AC8D7CE513 + 96 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® COREXT\FINDVOLUME.EXE\1.0.9.89 + 0x3e7 + 96 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\GuestAgent\FindVolume\FindVolume.exe 
+ +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e53245f7-334e-4fb3-adea-25b5090ad7ea,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6788 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ea0f2a74-ed56-41c5-b9a7-96d5fd655a5c,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6236 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1009_2021-04-14_172937\COLLECTGUESTLOGS.EXE + 32 + 5F015B97D51CEA34CDCF041C69FDBA12514061C624A787BD89FC2FB61BDF67E7 + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-14_172937\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,61e7ec12-b7db-4964-af31-bedeb27e9dee,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4212 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,948831f2-8864-4c6b-a138-cffa6f4cec8e,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2a4cd791-7bd0-4b45-8eb2-89a527a3f192,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d4bdc13-8cfb-4af7-a046-9c308349b920,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7124 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\Windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8d7f367e-a3a4-44b3-965d-0d7d15d6ad07,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,239692df-b381-4895-922d-f64e2447b513,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,27b7c9f4-b2db-4b3b-937e-357fc069e00c,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a544f68b-b072-4e13-9efd-3d0463eccbf5,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3844 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a570b75c-5dfb-4f72-94b6-c4e0ae6f75d3,"4/16/2021, 8:53:54.868 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6c63c3fa-3bf2-4702-8d46-e6b813fc4d0d,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,20fc8bd9-ddcc-4517-ac64-7c1daaa91301,"4/16/2021, 8:53:54.868 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3992d4d8-051a-405a-91f8-266fe9182ec2,"4/16/2021, 8:53:54.868 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4080f07f-f459-4e60-a8d6-cb659a655397,"4/16/2021, 8:53:54.868 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a695b83b-0830-4078-a0b4-24480033ff41,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,87021c0e-565d-493b-a7e5-2bbef2b0e5a8,"4/16/2021, 8:48:48.409 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1606c18-c967-4e50-bd1a-74e3e8f5676e,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,036f5719-e75b-44e7-bd52-8a2d7814d391,"4/16/2021, 8:48:48.409 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30252b5c-9787-4db2-a4dd-3bf72d2a0b4a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,def01fbd-0a15-4ada-b0f5-0f8fc2cc81aa,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7f524c8-2192-4248-ab1b-d88611e4ab9e,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6285ae-e6ea-4e47-bf4b-261d67f48f44,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3d9d8f0-5819-4750-8ce8-bea9e247f1e1,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f9ed40-167b-451a-9cf9-a99c73a1321a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,947355ad-8904-4610-8bcf-5960451716e2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d87fb4ee-0a04-4167-8225-343c687f699f,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cbe8312-bb5a-4166-88fe-7a3865b5ea69,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ef7c086-0e8d-44da-9ef6-f7e5d03446e2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66e3b11-a1c1-4da0-b25e-867af46a0e80,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53cd9dd2-27db-4284-8662-4d2e25b077f2,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,49ffa6e2-8e1e-47ea-9b23-c9af79bc2805,"4/16/2021, 9:05:34.143 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67968d32-8c60-430f-83a4-265d97cd538f,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e6eb4f-cc23-4be6-a3bf-e7bb8abeabab,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ad7f97-93ba-4396-9d80-6f425b166483,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c92c0c31-072e-4beb-8973-a92b39dda788,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af4c89e-f014-4d20-b43d-912a46855445,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e87c97f-9023-42b9-85a2-da822e222fb8,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58350711-d41e-4f17-a64c-5798c2fc9bf7,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d5db663-3183-4d3d-ba48-b0db35cdcbac,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a674133-2a34-48db-8dc4-b911e5e77c88,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,724c8dc5-ecfb-4050-aff0-92cc6256d9ec,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\CRESCENT SPRINGS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7467b0e8-f1c9-454e-bbf1-61a168bb264a,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2ea365-1da9-4096-9d3b-9828f878d545,"4/16/2021, 9:05:34.143 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a1287787-c408-4b6b-8245-9faafda68b7b,"4/16/2021, 8:48:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0d52dc0b-2659-44e5-a7a3-bc8b7b624392,"4/16/2021, 8:48:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02835ecd-7803-4e82-bbf6-ce12ea987657,"4/16/2021, 8:48:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f5c309e9-cb9b-4571-8777-495d49f55d9f,"4/16/2021, 8:48:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ee6422a4-934d-453d-b051-9ace2b337f9b,"4/16/2021, 8:48:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,de47771a-1009-4061-b5e8-f54e06ece2d3,"4/16/2021, 8:48:52.738 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3dd65a2-63ea-403f-a1bf-f1a1e71fa674,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a5422b8-d48c-4527-96b8-dc94cc08824b,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14c547b2-82f5-4001-b9b6-7e428a7135ff,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56f46aec-b017-4e33-be20-a368adc67b14,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e89f5b6-2424-4765-bf22-00f987a696ab,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,386e2052-497b-42f5-b3db-ad8ed8f71ec1,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,147e2a3c-34ed-43c0-aaa0-29464adb7d8f,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afa54bf1-f3b0-4e2f-a583-c41a0beed575,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9728a517-4977-4a33-81b6-0598aa96ad7f,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87d45a23-cbfa-44f2-b85a-01fd5a0faaf0,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5dfa1c1-9b4a-4270-985a-a82a73086e4c,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d189a995-dc9f-4dd2-9ffd-a616d5773ed8,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32cf1fb4-7831-45e9-9456-3a3ea2b21975,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d4eeb5f-aa41-4b42-9f18-2a0c790d7680,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad1d35e9-7737-4ec8-8381-20fafd0d58db,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e81cc8c6-ae9a-428e-9493-2477b466b22c,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8005c3ad-7f0b-4a03-a3f3-ad10ea08d77d,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed650c1c-22e9-4863-b7d4-1193b709298a,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3465b529-57dc-417b-82ec-f82984253427,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c46066df-e732-42e8-8c2f-d7a3fdb61357,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c07b648-ef34-44ec-9b93-56eef63beca9,"4/16/2021, 
8:48:52.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d837c59-b6f0-45f4-a805-6f2e76c12298,"4/16/2021, 8:48:52.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec3e00a-44f9-4ccf-878f-6bd198080fa2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1c3177-2928-4931-97c6-84f8469f2c48,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,894e17e3-35fd-4a4c-9218-416ffbdcc958,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16fca4c9-77bc-4a18-90e4-f1996d8a57c9,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4765f1e9-74b0-4d37-8d3e-f8956424a5d7,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73cbbc7e-54ee-4488-a175-104978c282cd,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1f8daab-d0ec-49ef-a4a1-3b5c5d451abb,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c03503-77bb-49ec-ba77-669d7cf2bd0a,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9527ee4b-7fe3-4728-9f2c-6d7a1a73e27d,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69ac2f22-8e6a-449c-b454-4b372ae9b0b2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac9a3c8-2660-4bfa-82e5-43ce4af56639,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ed30cc-f7a3-4f5e-8da8-2db28a0b7344,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93fb73ab-0e81-4d47-a0e3-99eb6a7d2567,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e94f5e7-4eb2-4a0e-a5de-c4a552b607d2,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b21db0-4388-48ad-b8b1-caef7a196724,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34b02cb-6cf3-456b-96ca-76e5f2dcf302,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1ba2df6-458e-408f-9ea8-3822b49dbcf3,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15789caf-5110-426c-ae17-03e9d8e89248,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cdcad2c-075e-4452-b8d1-dc4f52f93676,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51e21060-a123-4b11-85d4-90788186be82,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dadd415-4eb8-4529-8375-d536a1f4b81a,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ab897db-1e73-4f87-9dd2-3bf727f1d576,"4/16/2021, 9:05:46.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3236f30-7587-4783-807d-36eb309d9460,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a971ac30-c1fd-4ca1-91a3-1f1a52b078ea,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80eeefce-b08e-474b-bce7-38f41a648033,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc32521c-048e-4f7e-8208-9ee309afd211,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba271561-7a4e-458b-9f34-ba23637f296f,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad4867a-56b8-4def-b1a0-e72629e87840,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc346ecc-6795-4f15-99bc-60276b6ef9f5,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9ce3dc-11e7-4630-acdc-1ab493cd1cf2,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46f9785a-e981-4523-993c-441571551d5d,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca726973-e5a9-4b0c-8ce4-c7fa5a26815f,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee8dad45-5346-450b-b17f-bdb35a04595c,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3ae6b9d-704b-4517-8df1-384a2e7a6fdf,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d277ce03-63a8-4039-90a3-6e6fc9bc33e9,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7657cd91-e803-4a16-af4e-3e1ec6495313,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f07f2f07-4627-4c2b-bdf9-29618c8b8c80,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd2b9834-3843-425e-a07d-c5d97504ef89,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a30b912f-8d9e-4552-9a1f-03f392c9c164,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa140981-b600-45a0-834a-692d90d85789,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25bb2fa2-48f3-4e53-aadb-fd0266e7c26a,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,652cc3f8-63a9-46ae-a440-3c5cb6ef36a9,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e42895-f9fd-441a-93be-b0a3432ba651,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddff00c7-3b7d-4688-ac6a-c7bc8ed85fb3,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2844cce-4748-4d99-999b-c575a277c1a2,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0493035-a3be-43a3-98ce-b786f11d09b6,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5af1107b-190b-46cc-b96a-fa3f2bff1186,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51a1c26-a876-45c9-94f4-3a560a57ae85,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b13578-675b-4beb-87c7-d1d0ed32e4c6,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fda027-d68f-4daa-bb55-e9c2e0802089,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c51ec116-1076-4da3-b5df-0df8b3e2c4be,"4/16/2021, 8:48:57.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15284 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4b44e1b3-cb72-4bc6-a176-327084a2dffc,"4/16/2021, 8:53:57.089 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,bbe2a532-a0bb-4850-b3ea-f06c1849ec2d,"4/16/2021, 8:53:57.089 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f834aa9a-1406-4f17-af94-32e163bf9a43,"4/16/2021, 8:48:56.991 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ccec598d-292f-40de-a8fd-9967e2da21ad,"4/16/2021, 8:48:56.991 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cfc6667-ec1e-449a-bc32-368e7e8ee091,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637701aa-e5f8-4caf-8d6a-f924b9e2a36a,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0664d5b-bf9a-49b6-af73-4abd76fc8749,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7432d9c5-6de7-4766-97f1-d50352fbd138,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3e17da3-273f-4318-9f58-741e5d5de45b,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd4d7c29-a331-495a-87dc-9e783b98cc84,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,596fa81f-453d-4aea-9e27-366b70585cc7,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93bd3056-b97a-4e2c-bd7f-c6949537c418,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83f5c558-b0a9-4497-830b-8b4bb3f3b0ec,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4793e1a7-42e0-4cd9-98f1-cac46b2efa7c,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52bb03e-0fdb-497b-9dcb-4e85c6ce0cd3,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7128f43b-c29e-4abc-a00e-74f5add63582,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,138c69c4-5413-443c-8523-3a0f0d320cd5,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d507353-fb56-494a-906a-aba51afde140,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3276011-03fa-453d-8416-b4802e2331e9,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca4ce9b1-d911-45aa-84b9-89cca4c6bb83,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b7246bb-f089-43a1-a10b-e55f7eafa0da,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5f047dd-d13c-4079-a2b2-a3a8f0d76fc4,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba886fa7-459d-43e6-84f6-8ca277440a36,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c936a6-46ba-47a6-84f0-76f822b0c4be,"4/16/2021, 8:49:03.167 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e48298b-1171-4806-bff4-12068587dd74,"4/16/2021, 8:49:03.167 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c9e2827-58ef-4b73-ad17-9e30ee371160,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d8b96f9-b7df-4cef-8e74-cd7467198bb5,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28d4ffa-4ea1-46e0-9685-7c3ee151b93d,"4/16/2021, 8:49:03.167 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9d27b646-8034-4dd5-8e6f-902b692c7ccb,"4/16/2021, 8:49:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,df72de34-a5c8-45b6-9935-c1a331818e95,"4/16/2021, 8:49:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c6d11011-fd76-40d3-898a-835794226f67,"4/16/2021, 8:49:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,85a57734-ba90-4fd3-8577-769e171f7a63,"4/16/2021, 8:49:09.870 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 
+",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dd4f54e3-4f79-42d8-afc0-ef66de15dec3,"4/16/2021, 8:49:09.870 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ec4a0c6-88ce-4001-99bc-a5478767ea7b,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d819dcb-c792-4b13-958d-b5023f7aeb33,"4/16/2021, 8:49:09.628 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bb8de7b-ed4b-43f0-bd1a-b8d6a462b82e,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f2428-3b7a-43a9-a342-991ce357dba9,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77777be9-ad1a-49e6-a650-5616dc63749c,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30e602cf-7b84-4546-a4cc-655da66d6da9,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d6b5404-f843-4c9e-ad46-bd90d4a80d3a,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,928f03c6-219d-414d-bd1b-8f4d038dfbe3,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a89c9bb-0442-4544-b23d-28c86f51e700,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99d29671-5464-4d2a-b64f-fb565eea35e6,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25a16337-5daa-47a5-bbbe-69d62d230604,"4/16/2021, 8:49:09.628 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c08591-5c85-4ff3-977c-a76cf23abbc7,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fcec099-b377-4af1-9a3f-5327defec953,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1acda4f7-6958-4ffc-8a2c-cba1ffa315cc,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50b4bd55-d9e0-4fe2-9752-121cedc70b1e,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc96e4e8-e077-45a3-a86a-e40866f3fb24,"4/16/2021, 8:49:09.628 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ba74eb6-f65e-4773-b922-ac2bcb410e51,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c7b108c-ef29-4e41-b365-98fbffefcd98,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33b3aeaa-ddd0-4dd3-88d4-58a4e7a23701,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caab8334-d6b0-4886-9c32-eeafd2560498,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c357e5-2c20-496a-85a8-900ac1b6ceb6,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b31a336-9958-4c11-acc7-a8acc3ebec92,"4/16/2021, 8:49:09.628 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8052 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,74760c08-cdc6-468f-a71a-8d8ba5a4a255,"4/16/2021, 8:49:12.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1264 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dab7c94-a6f8-4dd9-b34d-816d32931359,"4/16/2021, 8:49:12.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8f1b81-4105-4cd0-9384-557a2293948b,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c30bce45-b7bd-4058-a8a9-992f77f77ccf,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a393caf4-a922-4f20-8259-61c1bce07b4f,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50858704-35d4-46e7-869f-7517ba265afa,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcfd81d4-fd86-4c45-a89a-2acd6919e274,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457820f5-d662-4f26-b904-6692e09cf8cf,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c0611a5-30f0-4a26-988e-393c9339d71a,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7ab05f5-8771-4762-a90a-d4fc31337b81,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5f5377-0174-4bb9-ac84-3c2cde8733df,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d01e2e7-10e8-4055-bad5-301fe040f0b7,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05738e09-4320-44b4-9451-defc4c7c1e59,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae4d24c-9b55-4688-b34b-c6430265dbb5,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e5d1e90-3760-4db2-8754-a7056cf98056,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d27a6704-30eb-4d67-bd35-9790054bb46e,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4794f242-a364-493e-98a8-2eadd1e08f99,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa2b717-916b-4b85-9e61-60035af54ead,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4307d5d9-95bc-458c-aa69-8ad8b2fffc7c,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fd8bf9b-cfdf-442b-9756-b5b8c596ddfc,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67e41331-c032-4113-9137-a10eba2f0982,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1d0317-2d9c-4f5a-bd60-0c5f549ab83f,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2470e5ca-531f-4ac0-8841-fdb8460deb63,"4/16/2021, 8:49:12.114 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f4adc4f-40d0-4d40-9a9e-5c8dfd46fce3,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,986f2f6f-f96c-466f-9a3e-4bf77ffcfbae,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a2635fd-e267-473a-8e09-a453b1aee679,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b021edf-0335-4b75-bb69-909b8d3963c5,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c5c8d2e-49dc-44aa-b3e3-e919a72dc772,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fea042cb-e4be-4586-8563-f09ee9a902e9,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2fc2a70b-79ec-43ef-b282-d48bb9c65d45,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,124ceaa0-fc88-4e65-a761-e2f0c417010d,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9866480f-62dd-44ca-bae4-f8cd71e767a9,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a88bc45b-e57f-4f88-b50b-99be3d6cd727,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,325338d7-48a6-4063-956f-14d806aa357f,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0a3a76c-a1ad-4a6b-9a04-6c3cb3ae1161,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1c292c9-e367-4dfe-8592-57a479fd5a50,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8cec10a-bb60-4cac-9e87-aebd534469c4,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1b703ca-ffee-4a0c-a08f-09cc47bbd411,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,decd587e-89fe-4463-8f6b-aca993048ee6,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e6ae802-c828-465d-972f-52e8c7c264a4,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,127ef862-9f30-42fa-9f9c-db0237bea3e7,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\HJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6835c0e6-7246-418f-825c-7716affc832e,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c84401-3374-41dc-a5ec-56c64877abbf,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e31f06f7-119e-492d-a1ce-1ce7b52568db,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbb770e-0924-4850-8fa0-0f48c47e2a4d,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08e0cfac-6e28-4862-a3a9-962786f7635f,"4/16/2021, 9:05:45.667 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7294ca3c-7e5f-45eb-82c5-d837e4d1720b,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8c82828-16dc-42a5-9199-f771732896a7,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2843dca0-94fb-48f5-abf0-59d01a9534e9,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5f30c080-b691-4f06-aff1-007359dd4e9d,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bdae6fb5-a97c-4501-ad19-c6de583ca6aa,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9697334c-c611-4471-a2d5-f2f385a20c48,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bb67878-3838-432a-b728-569ae6f18da7,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4a64ee98-cd45-4204-90e7-65df8600372a,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86ec936b-845e-4004-bfb0-ce71c5f7acfb,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7f497c8-a4f0-4f1e-80eb-f49d285dd540,"4/16/2021, 8:49:16.047 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9d2566bc-b5f2-4062-a69e-1625b946891a,"4/16/2021, 8:49:16.047 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3145853-59ad-4626-a671-bedcd6cc9236,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59f9d4ce-a0ac-4948-884d-3e1a1a99a99d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b86f3fc-196b-4455-b90e-115983e327b4,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31335a97-182a-494c-8605-8fc7072f12b1,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,650a6f5b-a213-4ff6-a467-96990478c04a,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1487d00-ec8c-4743-9cde-27f070947478,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d70b8e1-9ef8-4ce2-a007-09becef9e447,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4e66315-2355-486a-9ba4-61a596afd771,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48356d52-f451-430b-8fef-5e9ae9bc5cbc,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,472cf196-fc64-4cd7-a677-1ceafb49b02d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0271d2-4a98-4407-9ecf-27d72f299a08,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a81a98-029f-4014-b451-bdc219011dca,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1387035c-eb7b-439c-8efa-664eaeb294e4,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b8eab86-84a1-4173-868b-ddcc7b58c0e9,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e73b516-001c-435e-8bd7-61bbcec1fb8c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c16df77-9018-4325-bb6a-c6e8d38e2c0c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7553e54d-c7be-4ac5-85a7-f84d27332a95,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b5d6df7-cd4e-4368-937e-e7b43adf5461,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62f75807-af2b-49f7-a933-d1ebc1dfcd16,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ORDERS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d39310-7f32-4be6-8fdb-bd24b5ae6020,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78d0ac90-87e1-442b-8a19-13e0e5cfec40,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d28be53-5673-4198-a988-ed5627f11b2d,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ff1942-6357-4506-bc12-79f8eea718d1,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fde8d407-a587-4e1d-a634-e3741a1afdd3,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a31c9db-fb19-44e8-81fc-f7d78899426c,"4/16/2021, 8:49:20.140 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,43ec9a13-b190-43aa-96f9-b00cded9dff4,"4/16/2021, 8:49:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8191434-f36a-4b86-9a99-ba60022cc64c,"4/16/2021, 8:49:20.140 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,34801bc6-19b5-4c66-a8b1-d1341f8b243b,"4/16/2021, 8:49:20.140 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4632 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,debf3dcb-fe8b-4460-a6bc-f21abff3cde1,"4/16/2021, 8:49:20.140 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0488d1e-e7be-477c-8ac2-d00d5617a82e,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a2a857c-ae38-4921-84aa-01cef6e1f983,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae51ac9-3463-4047-957c-8a79bb3f9284,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d513c45e-6fe1-4f02-b5b4-011ccbc9149b,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22a894fb-4693-43cd-be3d-c14b6c76c5e8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9079b918-df86-4687-8d0a-a7fe01725fb3,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8436b02-1dc0-4c59-aa2c-0519a2542020,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eea2307d-6a8c-4481-9866-e00e2e08b4e3,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db737f7-c1a0-40bc-9b7a-57d08fa85501,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0178b5a-5c0f-4dfc-a34c-b796b1543bb1,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba8ce63-4771-4eb5-9700-fcf3dcb3bde8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec20d1a8-0644-413a-b0f3-132d5b4f6d17,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10539c42-8cc8-4f56-abd4-725b9ca4e8fc,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,363e273c-e781-4859-8bb6-aa381e6cc883,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,914def06-edcf-4a7e-b232-578c5136072a,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242c12c5-b713-45fb-b4cf-d863a7705624,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00c7b58d-5915-4562-a02f-52ca52e9bce8,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e4e03ae-6115-4814-8f93-36418fa95396,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b648ffe-d6b5-4bc2-92a5-d6aafbb67cde,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d5ed7d-4dd1-4af4-b0a7-e394313c4108,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39ac27e-5001-4897-92e0-27c9923fd6c3,"4/16/2021, 8:57:28.118 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e85859df-2725-4a5b-a1fa-10690ffbae2b,"4/16/2021, 8:57:28.118 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43caa06b-aa58-4ac7-ae85-037ba505c820,"4/16/2021, 8:57:28.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7628 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,86504a5a-02a8-4ab6-9040-832bd83446e3,"4/16/2021, 8:57:28.118 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3604 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 
32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d366092-f1c6-4485-a487-6dfd6b50d00c,"4/16/2021, 8:57:28.118 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0bdf568-1411-4f06-9b70-32ad5f54951a,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1955018d-c935-45d1-8172-c5368a4485ba,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0bb2249-a8b8-40cd-840c-144d4e078090,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c28671de-5ee9-4cfd-a768-25b8652893a6,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c738fdab-c450-4726-9677-692df5b6bf74,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,447cf199-5685-4ee8-8699-61d80fa25e24,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a252ebf-6fcc-434a-b872-faf22672956f,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1fce5c1-b2da-4727-a58a-4ca8676326d0,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e55fa6e-1387-4931-a8f2-a76be9557f54,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3213d1-9754-4b84-af8f-cca2ae6e8b5c,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17541c3f-feef-4428-b04c-77d4002eeb87,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919068a3-895b-4d47-8a17-77b55c122dea,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61ba2683-a685-466d-9468-3ec5651fa236,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c7a549a-75af-484f-b6ce-5334d572dfbf,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3859f21b-7f7d-4e04-814f-967a9b430f1f,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f9788ac-d0d4-46d8-b7d0-a0e5a8f08054,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4117175d-bcf4-42ab-b175-b1d12560229d,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9c58cf-c071-4dd2-971c-a2d031bbeb01,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,994be81b-5db0-40e2-9f38-a1d28eb66802,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7097ee6f-22bb-4936-be8d-2fe7890e88a8,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e97fa61-5340-4251-a872-ff05fd4711a5,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3313398-24fb-4e3b-b1fc-31493f1772bd,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90ad5a05-5766-424e-91ff-d5a94feaada3,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3847e1-c78e-442b-afe1-4ca76a4dab1d,"4/16/2021, 8:53:59.112 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c487ac86-df07-4399-971e-6a0d245186ee,"4/16/2021, 8:49:23.736 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e380837-19e8-4f09-9056-62ab5452c071,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,401dce98-70f0-40fb-a65e-3d2789dc0368,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,852cf3c0-090a-4fba-a58d-b7be136b0289,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4580 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE 
+ 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2cfbb9c3-e893-4a04-97bf-f242cb65605a,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2628 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3eac1f3-afb5-4226-bfca-fb56c9f6e31c,"4/16/2021, 8:49:22.428 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9a35c0d-1fbc-4341-b7aa-aedff1a5ff05,"4/16/2021, 8:49:22.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,68e5211b-9aa1-4a32-b1c7-d189fa51e0cf,"4/16/2021, 8:49:22.428 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,26e89b74-9e88-4f22-bb33-30252f6f9de3,"4/16/2021, 8:49:22.428 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e51034c9-7d32-41a8-ac52-518517d9ece3,"4/16/2021, 8:49:22.428 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,327018f1-4609-40df-bb3f-cd80a68e48b8,"4/16/2021, 8:49:22.428 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d791f6c1-93a6-44c5-ad48-23b40f6e9657,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5980 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b37108cf-5ee7-425c-b8bc-be4f6481dca3,"4/16/2021, 8:49:23.597 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2bd0aeac-1907-4bdd-8328-0e2493334a5b,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9512 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4dfc714f-2558-4acc-ae80-b74c502bbbe7,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b509ed68-80db-4ffb-bca0-293c2ba1a2ed,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,51c64d33-d29c-48db-afe3-e77a34f88964,"4/16/2021, 8:49:23.597 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,9eef5471-22c5-4d54-9f4e-a6c45db7db64,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,174130c4-843e-434e-96f4-0894da68701a,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b15739e8-fa01-42fc-95c2-d98f0bfa14a2,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,125eefbd-2cbb-4b13-8d0f-434c90e08391,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10808 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f8d22e8-064b-4daa-91bc-b92d42405d2a,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6228 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + 
BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7af47c22-1cde-49da-8251-64003fe1d846,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9456 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4e65a499-7893-4877-affb-fae466fb9f0f,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,8695bed0-3650-44ca-8d7f-e6656a644612,"4/16/2021, 8:49:23.597 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac9921cf-f239-4e3f-8a7e-b4826f9232b7,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special 
privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ec8d7ba-2909-4b43-8d45-2892a438d389,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,947b425e-8303-4308-a4fb-5ac071ca0beb,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10668 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c30e6fa3-a3b1-4f0d-becd-6dcffa855218,"4/16/2021, 8:49:23.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9befc914-e1ab-41bf-9a75-dbf07367733a,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,459b5902-74d3-4c6a-bee8-d3004e488c1f,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,016f120f-87b5-4fe0-8c13-c9a0cc0ca111,"4/16/2021, 8:49:23.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,31c6a877-cf23-4a8f-bb93-7d91a8e0edb6,"4/16/2021, 8:49:23.597 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20455e9-70d4-4862-b007-5dfc0cbae4b8,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8837e4b4-d159-4dc2-aae1-495db6b7792f,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d5c01b4-1cac-4d38-9b7b-7a624c08d71f,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7910336-9261-4637-805e-6f6aafb3e3fc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebdd2a45-d68e-4825-8ea3-e1e8e2779c10,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,660d0e6c-3e6d-481f-ac42-ec0a96be8d23,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2607a30-ea3b-4339-b435-4b9bd1520e26,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ed42ceb-a424-4f6b-8277-ec60bf29b0f4,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d22b5b79-1ac1-449e-b550-2e54e6420d20,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de45110d-d358-4258-909d-70eecf2d8c7c,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c02ed4b3-1e2c-4f6e-ab2d-9368f11dfd2a,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3efde0f-1cfc-4f92-afd9-47d4e6c10a94,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f3fc36c-781a-4d95-8536-afb3a7d11226,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7637290a-6a69-4709-9e19-c7eccef838bc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1de139e-5475-4965-9c60-81e97f6f5187,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ead51fe-ef31-44d8-bc00-1f894e67927d,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db3fce7-030a-429d-8110-22f2e24e83c3,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cd4e570-901c-401f-8c0c-7d819603a0aa,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b355d171-47c9-42d2-bfd1-9c97802e87bc,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,505511d4-4b27-4ee3-8c99-e3f45f71ea0d,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a27e156-55d7-478f-8ba7-37d3bfdba928,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97a73ffe-7f33-4d86-82c0-b19de1e33596,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fa70efc-ca3c-4db5-bb67-35db47080712,"4/16/2021, 8:49:29.110 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea73a81b-bc1d-4251-87a5-24eb061f6f8c,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3dda5ad-eb16-4039-8224-a9f9815f3061,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a94e10d-2c14-464a-8e02-34d5945e09f9,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcbf083a-98e6-43e0-950c-c130c7eaaa1b,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b21abab8-b431-4d0e-8cb5-b039ca998c8a,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e537280b-47a0-468e-ac1c-50be7313f8c1,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\A.FUMOUX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,126eef0f-b5e2-4b1e-b6ae-3699f962c3af,"4/16/2021, 8:54:00.632 
AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb48a8bd-404d-4c00-95ba-43f14f76b49f,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f27787d2-a2db-40ae-a85f-1daa506339e2,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6db4df3b-a5f6-4f02-9fac-8da70ea17209,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d55265fd-7139-41dd-9ce0-dfecdceba54b,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b241659-4334-4b54-a045-abbe0ef63dcf,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2fcdc74-e44e-4ca3-b077-76d8cf8ce093,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2df07b4c-d8a1-4385-b25a-3792eaefb1a4,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b1f5376-3e91-46f2-88a3-689b53810211,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ 
+ WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45dd67d1-ecf0-4c80-b52a-8972c496eb8e,"4/16/2021, 8:54:00.632 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74105444-3609-4ddc-b84f-6ffc9299fdca,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b4b645-43bd-46e4-9ea3-f058810df39e,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3bdb0365-774b-4616-bb49-7d4f90946930,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62d07f53-f1b8-4547-b5d8-3fd0ee07dc81,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\DYA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31205a04-851b-482b-93c6-b67180c57323,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab8185f7-a019-4eb9-bbd9-a3b26bf332c4,"4/16/2021, 8:54:00.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57c3f0a0-c7af-42be-aa6e-50bed1c41b55,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29415ed1-54b6-49a1-98b6-0138bda95b13,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a9ea798-c2cf-426c-a3ae-738422bc88b8,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9f048b-d014-4968-98b4-e720ffed99fa,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e0592be-90b3-401a-9ef0-00e6acf44bce,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80498344-fa32-4061-9ff8-bfcb6c5a862d,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d32ed64c-1d78-4cfd-aa3a-2b70160f6b34,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa3ea056-d769-4bbc-a2a8-25d34858164b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38489ff9-7462-41e8-bdd3-877932284f96,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e198c72-4a30-4317-bb02-05793572f1bf,"4/16/2021, 8:49:31.621 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d38845f-b0d6-4086-932b-09c295dd27fa,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,372bbe4a-9837-4ce9-b490-3bb91f0ccbd3,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,932be286-9b2d-4fed-abe7-acda110c7425,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21b55d1e-0d9c-4001-8d2e-713da4aa4f68,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82dab8cc-699a-4be9-8a3b-6ffb700e6b7b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e502f40-b2c3-4fad-88d1-c085f18e956d,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0dc01875-7c85-4e29-9780-87d2ea57aa7b,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61b98fb5-48f4-4614-bbbb-77adb590272c,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c6b36b8-7f15-461b-9f40-9fb27588bfc7,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a033f32-4ee8-4c58-ab87-8c53f8def787,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb1ea52c-9bc0-4dfe-9fe7-c5096e05b31f,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0823ccbc-3f2c-496f-ad49-99e59b21dbfb,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f90e8eb-437a-4b49-a845-33c77431d83c,"4/16/2021, 8:49:31.621 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6760 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d3fb87d4-e959-4a51-964d-cfc124f18668,"4/16/2021, 9:05:49.381 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8248 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1cab6642-e38c-41e9-bb3b-024f55773efd,"4/16/2021, 9:05:49.381 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b66b6f5c-355e-4563-8992-288e3f250acd,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 192 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3dc52595-6f03-473c-b37c-b68dd050ab58,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6876 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 
FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4caae823-8ecc-466e-9019-5d16f86d21ae,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5824 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5aa26eb-5cc2-49db-b645-534a5b738438,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,04dc7fc4-ab80-452e-871d-6ea0db51ac77,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ff7e45c2-39ab-46f1-9a5b-af40319ca1b2,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c23545e-85de-48f0-b943-f5a4ad28018e,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7336 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,92515840-041f-4d88-b7da-902583a68cfe,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,68f275b2-2ec9-4fe7-9b1a-9bc94b0fba04,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3336 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e4e99a2f-e7cb-4f27-8063-a1714b5f0ba7,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a439c4ad-9b86-4a71-bb15-de09c0d8e545,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1086d27f-7d8f-49c6-bc62-da9003bc6269,"4/16/2021, 8:57:36.567 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2fc92dad-6b07-44f6-8590-1a7f1d073f97,"4/16/2021, 8:57:36.567 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,b10f1e1b-fd0b-42ca-be42-9d8d987c5381,"4/16/2021, 8:57:36.567 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ed1fb10-0d8a-4848-8a9c-b2a92265b25e,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d23d8d45-97c6-49be-8bff-31664b3fe650,"4/16/2021, 8:57:36.567 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e50c1b0b-843e-4181-8371-1bbd9187bbd9,"4/16/2021, 8:57:36.567 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96c4dbd-9347-4f40-86e7-9ddc0051aed2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c018aab-9814-4c82-a84e-a9e50208f93b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e562a5ab-e219-4d00-8a3a-6726cffc1b3b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,489bb527-232d-471e-a071-f2c61caee38f,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf2c8ce-9155-4177-8b77-8a825a97ca21,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32b2c9c0-ef70-4e20-82aa-65fece9c0ec2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23c73a1e-9d3c-4e76-a76e-584eb59262fb,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,c4aa258c-d028-4b87-ac80-7c91e505de87,"4/16/2021, 8:49:35.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd6920c3-c7b1-4843-9541-4f4e328d7a6c,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76fcfc69-c094-49de-b296-c58d4e94f6ea,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,690002f1-384c-409a-baf2-353ab82a255e,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62c3388-338d-4ab7-ba46-3e913dbf1889,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5ac7889-7559-4ccb-a338-52c0962a07e7,"4/16/2021, 8:49:35.105 
AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8ab9b09-bb2a-4c6c-882e-bd7c169eb52b,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e23ba54f-c8d9-4375-bb8b-92c38b5d19ac,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb18749b-1916-4319-900e-bcb22c8d6b5a,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f73f34ae-f792-4d79-bc10-dcffaa57f00d,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b6f0728-dfa2-40d6-87ef-c818e3312559,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ecffd1a-ad02-45c9-97b3-4c5aba62abf2,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30649805-3730-4640-a7d7-5b9f50cb092a,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400500d9-b368-4a51-a100-06e329aac1ee,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dcdf044-7bc5-44d5-8379-fe4641419fe3,"4/16/2021, 8:49:35.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44b005b2-cba3-4034-9180-987901b4925a,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a348657-8417-43c8-b0bf-9bde3c5a6b94,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312e551d-bd89-4335-97c4-fbce5e3a33f0,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94b876f3-f491-4e1b-9c35-7431998b06d6,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db1cc7ee-c65c-45e6-b431-213783ac6803,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9968e969-9cd4-475c-8939-969fdb5b3747,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d119ce11-6659-413f-a352-3903077630c1,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c67280ce-cb23-41a7-81cc-5177cb9bda0d,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9608f441-fd5a-40e1-967d-ea47371ea8db,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a6c0b58-cdba-4aa0-b098-3adface69f6b,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c05d8a2-a8f7-4e16-80c1-71823c7f4509,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cec81f-f244-488e-96d0-97e7514ab676,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,059a1eda-ba94-44a8-b61a-33bfaa43054f,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec888f8-856a-4df3-8b20-b4a41bfb0c8b,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a535b4c-f866-4042-9565-d0a92aaa38ce,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59aa3cf8-4bfd-4dcb-a19f-0bcccab0c37d,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7f220c7-5b0c-4ca1-995c-d9122389bb4e,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a139d175-77c3-4012-89d5-5f2f6061e7cd,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,460192e8-0801-41a3-8cd4-95d3a634df66,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7629283-9aa4-4e96-b2a7-796d15b24e86,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,910cf8a9-338e-40f3-975e-1ce2604fa4cf,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82052946-edc7-4a68-bb83-0bc4d5410bde,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5b609b-5d4e-4c61-8f9f-d85af51c4f9e,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29f873b6-99b7-4c8e-be17-5ee87d133eee,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e97c07b-171f-4934-9c86-a0f431e7adf7,"4/16/2021, 8:49:44.106 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c0dbfc-4471-4c2f-8dd0-964ffc5e398b,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afec7417-2799-4490-ba1d-e407652e99c7,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d1ca9f6-4a4e-4912-b50c-02bb3846a5b5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1abd9296-a962-417d-9c08-3843f6e60baa,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ad3ff2d-f153-4d94-a6fc-fe15ffef7b03,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\EYU,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a488673-9799-4a63-9053-17726b7064e5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7662eaa-cbbc-4f3b-8f46-ef98c23c79b1,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b856ef94-9b3a-4eab-bcc2-97aefe7dbd07,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae4cbeae-edeb-428f-bb8c-bbd7fb1d9d19,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fca70bd4-3414-4a98-ac98-864061cb4b06,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eabc019f-1e80-458c-a101-741ffa7364f7,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e354979f-c356-4c29-a25b-5d00612f1991,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bcdb6454-96ae-4a73-a3cf-d361f21635ec,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de3655cf-a139-4e4e-b926-37af6aa70222,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e51afba-8659-4247-abd5-43d98df69a60,"4/16/2021, 
8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77d2450b-a296-47ba-9d43-d44bc118b8e5,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48e088a6-e6c3-4e27-86b7-d9cd968756cf,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74199599-163d-4423-b139-d561654823a1,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b40a162-5150-4b83-8c82-6461693b29b3,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52df77cb-5139-4ecd-a42a-5b5ea5f1e81b,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,013d38fd-1318-4025-93fd-0fd9992bc55d,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f261c9-83d3-4f7d-82c6-c4330bb6319a,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb95dba-ec74-4726-ac79-2abbefb0107d,"4/16/2021, 8:49:50.637 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8440 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8e144f3b-a7ee-437a-923b-bf30acffad9e,"4/16/2021, 8:49:49.318 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5312 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3a89eaf9-11d1-47bc-8568-2ca7185688c6,"4/16/2021, 8:49:49.318 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,242f9ada-1cfc-477d-bb88-4c8ca20543c7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45314145-cbc7-493a-a83a-1cb35d742be2,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7811dc4f-00b9-4562-9da8-1fcefb6bf8f6,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,317d2ac3-1f88-4a09-bd9f-55534efabdb0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f807e8d-6cfd-42d9-bccb-73b3c11aa5a7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c844424-d273-40a7-b2dc-f9fdd8f8eea0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11271be-a8b9-41ea-8786-901f56ac0810,"4/16/2021, 8:54:06.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d6cbc44-9043-4e0b-9854-0960fc0f97e7,"4/16/2021, 8:54:06.108 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72f6979f-1122-4c76-827c-c3131668fcd0,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23a8c118-cbc1-4301-be45-96bc2b008f4a,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7dca8a9-5e52-41c9-8778-3ff5e3aad37e,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33ecd040-1923-4dac-9a94-14d56e315300,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6668 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,82062461-c8e1-4faa-a062-be4df67ec547,"4/16/2021, 8:54:06.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9152 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6c0bf2-2439-4564-97f1-5e05dc17d6de,"4/16/2021, 8:54:06.108 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61802f94-5be5-42de-b498-d14823881af4,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c53429-1b8d-4501-a06b-74e606a38a53,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f93dbed2-4c38-4320-a65c-d0a42f838aed,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8e2657-2df6-4d6f-8911-aaada4955e7c,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31d2725c-9e31-4609-bde2-bd4c380865c5,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a341d1-e105-454e-90b2-9d80055029f7,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a3300b3-925c-4849-bdda-897d015e4062,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc87345-fa42-49a7-9f9a-ffd37182cb73,"4/16/2021, 8:54:06.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b846ef7-e168-4e92-af56-4cca35e3732c,"4/16/2021, 
8:54:06.108 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9399ff63-28ad-4cdd-9a49-05bdf2c84652,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1698d6c4-9ed5-4962-bcf7-12494e9b2578,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff4f8607-6294-4810-991c-2e1d38c93a96,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e3376b4-9c65-4c93-ad1e-b32254623e81,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba312056-2e98-448a-b482-2f73ed3377fd,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07f7075a-60a3-4d4c-963c-1a96106c9c16,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e0731c3c-b165-4594-b53b-8a5c6f15302d,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35a054b6-9024-4843-84db-cc5c507a7593,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e06066a-925f-4252-b991-6505e48cb9e4,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43f5f86d-03e6-493f-a1ff-ed91cf680c41,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3cac50c-809e-4ef5-80df-58c54799d43e,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8cfde43-762d-4bcf-891e-2a8c26b1478f,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6bc6365a-2ab6-453c-b264-ff220c3f33d9,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53dcd2b6-5c12-40aa-904b-d9f89b7a068a,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9496752a-f738-490c-8e64-e98bb64bcb40,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,43dc892b-7ef3-4390-993b-77b9d09b8bb1,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d222e7e9-5927-44a0-b997-840c5ac387ff,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc6e936c-03f3-46fe-90eb-a5eb78b0037a,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd212556-0c5b-45c2-b223-37ed574431ee,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9903b52a-feae-4f45-b1e9-6a2961011e79,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,753f2872-caf9-4d16-ad5a-8da6fa326619,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ed05e2-210d-457d-ba68-b95894835f03,"4/16/2021, 8:57:35.651 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10048 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,71c080b2-3e22-46cb-83d3-c8f23c07ba9d,"4/16/2021, 9:05:48.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11176 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,372da49b-6320-4150-8bbd-795e80da9d2b,"4/16/2021, 9:05:48.999 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f7c3ff08-1edb-4bae-8cb2-b7f0378652c8,"4/16/2021, 9:05:48.999 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d463c436-0557-44a3-93f3-a82cf6b6f5c9,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,09425e31-871c-46b4-a742-29b3766b8615,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,215af64d-d35c-400b-a123-df8de3c41ade,"4/16/2021, 8:49:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,55b58b8e-be5b-4f92-962d-c889c5ea9d47,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d643cbe-39f9-4de2-a599-62418d7625c2,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7d2e3747-c206-4121-8d24-647a906c8a2f,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7000 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9eab2fd2-f777-44ac-b32d-10f7bc64cdf7,"4/16/2021, 8:49:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,96e6117f-12c9-45cb-8480-647faaa37182,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,30ff6863-6151-492e-a8a5-c8e1bd7590ff,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,917bc94b-7f88-4f52-87eb-6418a6feec95,"4/16/2021, 8:49:52.740 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b9640190-1cfe-43d1-aef9-d64130a43ee1,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3f7e2d62-908b-46e3-b6ef-cb410ebe96d8,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3cbcd7a6-c573-4132-acbb-a597c623bbbe,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 
0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7882caa1-b9a6-42b6-a28d-b5526ee0fc3a,"4/16/2021, 8:49:53.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,48edce95-e218-46b2-8d54-5a79cc4bee1c,"4/16/2021, 8:49:53.055 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a53fad4b-8bb9-4e3b-8905-6c7c468449fa,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,314aba7d-d449-4b85-892d-92b45dbca580,"4/16/2021, 8:49:53.055 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8ca5417e-80e1-491d-a10e-1fc715b2a3ae,"4/16/2021, 8:49:53.055 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df74259-dd32-4640-85e7-cc6e4f6cbb34,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87cda7f9-e573-4483-a987-5889723ea2ae,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab2d56de-c192-487f-ab48-29622211caf1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e9ecaed-9e8f-45c0-b971-7df057142776,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d328f9-e551-4b26-8af8-679bd6a91aab,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691e1ecf-25a7-4db0-8e38-116128a23927,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e954988-02bf-4fda-b90b-cc61aa80a899,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc7f817c-4d8f-4073-8637-ee2bab302d93,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae653b87-3145-42bb-a741-2a3386507f45,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1630fe3-6919-4479-a3cb-5ce82baa1df5,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d011572-6c8c-49bd-9c2f-93e0cbc4caa4,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56e0f8b1-eaa7-4db0-beb8-1321086a39ae,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3ccb76-1aff-45b3-aba1-c4f2a48697b1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,255d51df-450b-425b-ae4b-00de74fd6e0e,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13a2c00a-ddec-4cfd-b954-156e2154f99c,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c10f2d-4703-4320-ad09-8d4d364cbe22,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebfed54b-5fc5-49b7-be3d-2762b3a0a9d6,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be7b182c-bfbf-46c6-b144-9d66bbe0e150,"4/16/2021, 
8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dd9f707-b200-45dd-be7e-4d0e7031cca3,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51a303ec-626f-40a0-b382-769ff8f9dea1,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0eefbae-5cf8-458a-b982-be85062ca23f,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d988f7e1-d0b5-4a3f-9fbb-b7d8f5a5c939,"4/16/2021, 8:49:53.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2f1ce80-3938-434c-93d1-50dcda87352d,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53dea92d-80f5-43b0-908a-7b892bbf02b3,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,071481d1-2974-404c-947b-d053151b070f,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f478666-3767-4fb9-9b1c-1f25ee0133ca,"4/16/2021, 8:49:56.437 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a7cad165-ba40-4488-973b-7623cc9a6f08,"4/16/2021, 8:49:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94163ce9-6a72-4992-bef4-2921bac66e03,"4/16/2021, 8:49:56.990 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df91dd3a-d730-4e0d-a9c5-1da52ca1ef62,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4ae873d-d438-41bf-a9c2-426c65e55886,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1031c6bb-6da3-46e3-a503-fa0409b87c87,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93392c4f-884e-4e11-8ab5-c68b9392e131,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f57346b9-c9a0-491b-8a01-fcce019c5455,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5e59909-113b-4832-b3d0-a5cf72d24441,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9c275e8-3bbe-42bf-a380-ed15b8e5792b,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02f77d81-5c01-4569-b5f4-0e25bdb261f2,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41ca77f8-c291-4517-af50-13e195592845,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7a38f9-3c28-47b3-932d-a70c7a2a5d3b,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44c767c2-842c-4aea-8c1e-755db4ea6d44,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fd2d95-46ac-4e1d-84b8-33781141e696,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f149094-43ea-4dc3-94cc-b25082054e6c,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94db094f-b52c-4646-b7d8-4fae16ce04d4,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,762a9e4e-f8f6-492f-b135-4bee87e22bbd,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed621bc8-1b17-4661-96ae-4111b0c3b50f,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7aeefca-ebda-47d2-a09f-ae8f8c6737f6,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ddd0ca7-11d8-4cd3-95a8-64818cd1d0ab,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4576cb3-850b-449c-b334-dc8b5c62d900,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7433df2a-cf64-41f4-b6fd-8d33cb74f60d,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7951329f-57be-44c5-9a70-f440889d27c9,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ca312a3-093d-4c8f-8de5-8bc584a1de4f,"4/16/2021, 8:50:00.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a26e22-693a-4d9a-96c8-453cdaff4328,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c4d6d3-36eb-4a39-be3b-ba1e60c1b6ba,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c03f09f-fcdf-4dc1-9639-66443b87ccff,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c536522-3372-4bfc-ac0c-8dbb608924ee,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eb23e75-53bb-4493-9044-ccfeed094602,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76ce18f7-97af-4212-ac97-dbd4051d4bcb,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba8bf22-7e5a-4466-8e09-69fd6a7f9c59,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b888f82-6482-4eee-9087-34c89a9da51e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fc78e69-8c2c-4b7e-b64b-b573f6158009,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfca755e-f744-4a3d-98df-c85d8e7987ba,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85ce5308-6fbd-41af-9757-e4469029491e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9feab0cc-1ffa-40a1-a7dc-e7f111523f81,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c8fe7d7-0cb6-44c1-be13-12cf73065472,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07340a7e-2673-47f0-8afe-e779b382a5ec,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84df1f5d-fc77-49d9-bcaf-7759ebf72d82,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b492e970-da9b-45a4-8036-7c68acbca202,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,041c9293-cddc-428a-a597-4cf47cd5d1b1,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75ba3b29-37e3-49b9-abe8-54516ed4a819,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85c4cee4-2c2a-470a-aa40-ba90e0501172,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b3371e-c281-45e7-8fdd-5df2f782e2b5,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6cdc21-0ec3-4579-b40f-dd5372120d6e,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,184f0a09-4153-4a0a-a67f-62a8858c8bdb,"4/16/2021, 8:54:12.121 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa5e44bf-f831-42b9-9e0e-0fa942b1ea36,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2326b750-43d8-42ce-b1bf-58593ff20ea0,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bed46ccc-c0bb-4a2a-8569-217f3cf3c029,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7260e83-b058-469a-8d67-22c8eb83cb37,"4/16/2021, 8:50:04.648 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed8631d4-58e9-475d-8f65-8f81e8ca19a8,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcd50136-1d86-4b57-95ce-dace4f70d15f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4323bdc3-8fe9-4d18-a35a-12de66d8ca37,"4/16/2021, 8:50:04.648 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5b55f99-f23e-4824-ac51-393908b262ce,"4/16/2021, 8:50:04.648 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b2cdfd-016d-430b-99f0-b5eb81b0ce3f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1df5c8a-05b0-4c9a-bf85-a2492f740369,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97b6553d-c553-434b-b05f-52546cefcd7f,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4268176e-243a-4abc-8480-041caed8a85c,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bd98704-5272-4f0c-9ba5-12f29dc7feb3,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3167c73-3f1c-4c62-98e4-31675c32b964,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007e8758-8f37-4cbd-813d-b2e0dd8896ff,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20adfa84-bd56-4b52-b039-378d6f01947e,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4adf58a-d47a-4f23-a3b6-db9ba45b6b12,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\JOHNYNOPROBLEMS,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9e58b8-3702-4528-93d2-6c1a9d9b98e1,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72994b48-a7ac-44d3-8b40-2052e2a0fde2,"4/16/2021, 8:50:04.648 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27f15fd1-b8be-4d57-bd34-151b0ab830ae,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d62a2b00-8b50-400c-a030-37e9486980c7,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fcc8e3f-b87a-4615-a95b-9e7474b85a58,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06287ee6-1ee5-4a77-8201-7f83ffcf5b7d,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,352f7172-1bbf-4538-a42d-0eb1ee1b3cdd,"4/16/2021, 8:50:04.648 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f1f46b87-8104-4765-b3cb-5a9538444f2f,"4/16/2021, 9:05:52.774 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dbdfa75f-f866-4f17-93d1-73b9d73a31ad,"4/16/2021, 9:05:52.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4616 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0525a088-14e9-49f7-927f-c31d8ea9eb11,"4/16/2021, 9:05:52.774 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3536 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,489b4706-026d-46ff-8545-2e1ae33f9b93,"4/16/2021, 9:05:52.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d36ecb8a-4993-4078-a0ba-a54b1e2efabe,"4/16/2021, 9:05:52.774 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4fb5e112-0b42-41ca-adb6-0807c20eb49b,"4/16/2021, 9:05:52.774 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4c4059-a9d1-4670-ae5b-68936821262d,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78a0ef6e-e237-418a-b3ac-04032b0e4d2b,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add90f0e-8940-42f3-aa34-eb6bef549555,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80fbc4a2-f5dd-4b0c-83fa-0c5915c501b6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e923777a-32f9-4784-8abe-ca0ffa085133,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a0eaeae-414a-453c-989c-12e5f5ccc3ce,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1138ded-bbf5-425d-a277-7d83ec16f6d6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5192541-f4cc-4f12-9290-9f735dbf6fa6,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e65596ae-726b-4046-b9a2-4bd0b5cfcd8b,"4/16/2021, 8:57:36.111 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4cfd502-2635-4138-8c1d-cfd5789bbcde,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f53f1faa-b1ef-478f-b392-68760c174bb1,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5ffbe17-825c-43d2-b510-6d8a18257aed,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66ac6631-2ef0-4900-81a3-c89be980cc84,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b858ecf-4f51-43f8-ba97-cbdffc2ea705,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c81a7fa-816d-4965-9c25-2d6f94473b17,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9524ac24-769a-49a5-a7a9-4f47d8b67fb0,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\DATA,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9da5016-fd37-42a6-9fa2-b364228cd0a5,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75ca9ae5-f54d-4d5a-8f31-3d84122838ec,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f7c3e09-fdfa-4e9f-a804-8eca96124e11,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b51bb1-417d-431b-a03c-b016437b2021,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1612969-6f3d-4475-ba39-a37059957647,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb31df56-3e7c-4f9b-b3a9-14b986b5b89a,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b16050-fc9e-4348-a0a6-d2869e4af2bf,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fda13472-f55b-466e-9df4-16cdbc8b184b,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20400873-2468-461a-9f5b-02c09fbae567,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75296833-f214-43df-bf30-f2113f989859,"4/16/2021, 8:57:36.111 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9d24791b-6999-4d50-b14e-bdb1b4ac494a,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd5aba3b-8ea0-48c4-8726-5101d999521a,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7344 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6710ba06-e15e-4060-8f47-a1741e004b5f,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,77a19318-3a23-4aac-9a3f-1ebfa61a293c,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d5979420-3616-4721-8cff-745fcdbd1ed1,"4/16/2021, 8:50:06.546 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-18 + 6832 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,45ca5afb-522c-440e-811d-489c937c5ba1,"4/16/2021, 8:50:06.546 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,75ea5d32-8b09-4300-b3f8-0c3ebfc5b388,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6068b78-b955-42aa-bce8-4c36deb27de1,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2172db88-aa90-42c9-a285-bcec6d04c04c,"4/16/2021, 8:50:06.546 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x40f6f78 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership 
information.,f6638b82-98a5-4542-8bec-6bc0977f793f,a887430a-319e-4437-9bce-c9a97b4b5080,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d30a2ab-2ffd-46b6-b933-fd7fb0d44e23,"4/16/2021, 8:50:06.546 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,c137d9f8-d612-4899-8a8b-99c10e2b1111,"4/16/2021, 8:50:06.546 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f1590ce1-b0ca-41f7-bf91-ec434aa3222f,"4/16/2021, 8:50:09.853 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ace91aba-2f88-45e4-8430-8f28627a2ae4,"4/16/2021, 8:50:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4620 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,31ea18ed-a0e5-451d-b8f2-b6246fb9549d,"4/16/2021, 8:50:09.853 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1516 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e71a31e7-edc9-4e09-a23e-1d82120542b1,"4/16/2021, 8:50:09.853 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3535bfec-5975-42f0-9716-4f311fc49afc,"4/16/2021, 8:50:09.853 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,645abae8-f540-42ec-bf7a-f6d7f853db75,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cf96f62-bbe4-4e7e-9517-aaed16de8ad4,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f8d4ba-a002-48b6-bb87-4e6c9dff9c7f,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e3ed307-66a2-46ad-b70a-abf608ea64b7,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87b1f972-4ec6-423d-ac1a-6f25baae9782,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22abd2a8-9a38-441a-a272-f8daf35ffbe6,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba8dfd8f-bbc6-47ee-848e-4fe643ad9784,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96e80def-7973-4e71-8ee5-bae014fccd45,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664e94f5-440a-474f-be1c-cc52cc23bc50,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e90c9ac-3a76-4fe3-a955-4bea676402cc,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97384b3d-a580-4812-967b-dcd143660782,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bedb1b24-ad41-4de1-8dac-33d6a0c03337,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a7dcd4-32a1-4445-a575-e10dbf4a476f,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99448d72-0745-4b81-af84-2545414a5fc6,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a465dfa9-0fde-47f7-af4e-611361156ab4,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3847b5-0176-410c-82ae-387d8c626d0d,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c62ae997-38a4-476f-9943-0ba385372681,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a357ff8-c91a-43eb-8cc5-2ae69b3e9adf,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4387019-c90c-49b4-9e30-79e3ced91313,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b29016-8572-4416-9a18-31e3f8871217,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,049b390a-5249-4a73-8227-26d4d4451c49,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df22397e-e57c-4a38-a232-a61bb97ff4e8,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f9a06c-9708-458f-bc3a-995d74a5a17d,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9079b1-ec1b-4475-9c1f-0c9bb8585756,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,603b47af-1fc0-48de-81a0-2a5633a918eb,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465379e9-98f8-431e-985b-0ea63e860aa7,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20075e0b-a614-4fdf-89b9-6d73618ffaa3,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51f31804-7c5c-4fd0-b819-ebfcb876207b,"4/16/2021, 8:50:10.107 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 
+",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,90880ed8-9be4-4bd5-8b29-85c80c2bd2bf,"4/16/2021, 8:57:44.861 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1592783e-b2e7-41d7-b2ce-a95d8394e986,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da0ade06-ea01-4b6b-9322-b5b6fa21721f,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7678d737-3be0-4412-abb6-8358b2059272,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4823709d-5511-4e41-89ae-f301ee5ecef9,"4/16/2021, 9:05:53.068 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7d9482a7-fdf8-4fa9-9a2c-30128158f036,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,47c283f4-8b70-4e51-83fb-86ab26195a2c,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b52e1bf4-bf35-496f-ba60-8133e17512f5,"4/16/2021, 9:05:53.068 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b024c36b-979c-4665-ac6b-f02bdbc7f65a,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,353c856c-bf84-431b-b032-593c20d2b011,"4/16/2021, 9:05:53.068 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,fd38bbc8-68ca-4a52-b940-8754a8560f6d,"4/16/2021, 9:05:53.068 AM",,,,,Negotiate,, +NT 
AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,dfe600e1-1c85-46e8-b3a4-a36bb2b67b3a,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4df63200-0ff2-4fa1-b3f6-6b33dec891cc,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5478720a-e665-472a-9042-bb691f8cd41b,"4/16/2021, 9:05:53.068 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,e7824ab8-4261-4b19-8a33-d182dc610835,"4/16/2021, 9:05:53.068 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,5fb55af0-d71c-4abd-aabf-2dc97d1e79e6,"4/16/2021, 9:05:53.068 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3eabfa81-b8b0-4b40-ab78-93baa1d17d55,"4/16/2021, 9:05:53.068 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,25be24ff-85e3-41b1-9817-28f0976798c0,"4/16/2021, 8:54:12.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a436e4b6-b3d5-4530-9c43-4f2b413b146f,"4/16/2021, 8:54:12.423 AM","%%1552 
",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0873401-0ea5-4448-a74a-35375af67000,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4268e15d-b538-4465-a28b-9bfc94db09c3,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,be3a3648-f73b-4132-9fb2-74851c290294,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,08b66441-0bba-44a7-97e8-c5899fb546c4,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,77b6be97-bf3e-4b58-8d1a-ef42cc324dd9,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fbdca074-d88c-442c-a73a-de76619d0620,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e22847e2-b13b-43ad-98ba-137ba095b625,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58aa23ef-e4ea-45af-bc75-22ea45a07b6a,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,70b9fef6-cd2f-410a-b83c-d4f66b128bb0,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,baca7cf8-c52e-493c-988e-a795bb4f3186,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,56d8061b-1ecf-46ad-bf6c-83aae3a2fb6c,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from 
__ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ce00339-7b81-4cf5-a76b-ff467acc39b1,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f63138a-02cc-4163-99a9-fc794bd7b6af,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b281c154-e706-4983-9863-27ca1d0b2a4b,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,042b02eb-21ae-46cc-a02c-c164f142aedb,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b98f4862-46bc-4b5e-8b49-4cbdb1062b7f,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c584f36a-878a-4e3b-86fa-6f7d0afb0f94,"4/16/2021, 8:54:12.423 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1793c71-f001-4acd-ab4d-641c7dec72b7,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b19014a2-d5e6-4ebd-a393-88a049578e2a,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f5bf0ef-82d4-4904-ab02-def1b0eb91ab,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6a14c128-4e27-4081-9cfd-71d32e68fdec,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,594d7b05-0e24-48dd-93c3-f58f00db9d48,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30e3cff5-3726-4017-a90c-bd7e2675ffd9,"4/16/2021, 8:54:12.423 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,23cceb66-308a-42ed-9064-2dbed3b23f69,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5648 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4194c4f8-f065-4f1b-b600-fd357c281bb5,"4/16/2021, 8:54:12.423 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0e44ebdc-02e2-4fd2-8934-f6d75de1efb3,"4/16/2021, 8:54:12.423 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f19b2a28-137b-4ab2-9463-8297e012de82,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4512 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3847a99b-f011-48f3-a282-b3957bfeac4f,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ea55c4b-7c3a-4b97-8798-b4b39514d6dd,"4/16/2021, 8:54:12.423 AM",,,,,,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34ee67e2-916d-4d84-9245-0547f6c3cdde,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7848 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,35d91bf1-0c89-421a-bd87-37b42ea821e5,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5640 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6fd31193-4428-4c6a-a3a7-182678e9cdbe,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cee0189a-a1a9-40fb-9f96-d503bce3e5c9,"4/16/2021, 8:54:12.423 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc4b589c-a801-41d4-8aa4-30fd1d255498,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7284 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bd43ae5-36b8-4b4d-9929-4fa0ed005602,"4/16/2021, 8:54:12.423 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5556 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2e1d1fbe-8b27-4a95-8c23-153faf8606f1,"4/16/2021, 8:54:12.423 AM",,,,,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d32e9b0-d735-48b7-b56b-db6f625e38a3,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f534b52-2b48-4613-8817-2af47426ce84,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9408fc1-e2a7-4135-b6dd-d386c7801170,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff0521f3-0bda-4c20-913e-d3890b1cda13,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140670b1-e23a-49b0-9e20-88112fd9ea11,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e93ca02-2648-4cc0-9109-7851fedf88ec,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cdf9e25-b4eb-4f57-8b8d-0e872b1c8a24,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73a48c5d-a29c-4fc2-8aa7-e95dd44f4141,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,903a97b2-a3f7-45cc-9a5f-84c62e0f666d,"4/16/2021, 8:50:23.108 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f858e0d4-e16b-4f41-b9b5-9d9dded68897,"4/16/2021, 8:50:23.108 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68b697fe-8af4-4b54-b7ae-22c0302c49be,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4735f50-4bbc-4b8a-8fff-3040faae04d2,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5bacbd-140f-4fb8-ac5a-36d80b45585d,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a074197-9aea-4246-98ea-4ac674920bab,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7929e9c7-1ea4-4269-8db7-d1c2120914e2,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8968 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - 
A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,23183a23-c304-43ee-8239-541bd65aaede,"4/16/2021, 8:50:23.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,72bb7220-5835-4334-bba2-557689776796,"4/16/2021, 8:50:23.108 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c02fcd84-ffb6-428c-9c03-7d5015f91f2f,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e14bf2-13a3-4e0b-a0a0-617c7f748ec9,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42fccf75-6d26-4f91-a2ad-a1469f3d5ce7,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb618d4d-7dfa-42e7-b9cc-80f69b9da365,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a15f258-ca14-42b4-ba06-0c4bd33ca0ca,"4/16/2021, 
8:50:23.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f55aaf5d-49f9-40b0-b389-9ec17f739e46,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a456765f-35ff-4902-b0d1-1e3c853a26da,"4/16/2021, 8:50:23.108 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,24c059b1-3372-4e23-a79d-1af8edd14b95,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,51476e10-8a44-4ffd-8ac0-257df62c22cf,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3c331f58-a6e4-4ef9-91cb-e71080182401,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 
Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b8871ca5-fb12-4013-92e3-c04274072f1f,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b41d2ab1-e907-44dc-aad6-af4f1ea166b7,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0df283b2-0a0c-420a-bb7d-bbcf3e3b3dc9,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,51745e01-dab5-4e50-a2c3-28d720ff754f,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d3f5277b-e415-4620-acc0-a09d5e4a0209,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2e48fdef-bf6a-41bb-b2c9-d649295ff921,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8f962ddf-88b8-466d-b2bf-a2fe02fd7c66,"4/16/2021, 8:50:24.049 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dacf66f6-2044-4979-b4f1-cbb5fd24419c,"4/16/2021, 8:50:24.049 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6bc1c01c-b3de-4cd8-a50d-2dbe12513143,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9e466098-e77b-4586-a121-0c3d7cd9a182,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,19521cd8-dba1-4ca0-a57c-24249e90ce1f,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,086d3889-d506-4b48-a85c-2390a893a7e1,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5456 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 
+ O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,dd609272-750d-437a-bed6-8c856dd826d6,"4/16/2021, 8:50:24.741 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6a043268-ba89-4a11-8951-f551ed0c381c,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0edb2ddd-3504-4974-865f-10326f25e248,"4/16/2021, 8:50:24.741 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,986c647e-bc07-4217-a28a-8070faddf810,"4/16/2021, 8:50:24.741 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1dabf28-489b-409d-b3e9-85dfc59a28b6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7c3f2fe3-75ff-4cab-b60f-728659c2b94e,"4/16/2021, 
8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e222883-d3c3-44b9-a960-86bcef112ca5,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a02bac6b-8da4-4a6c-af62-064cbc1c6854,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83dfd20e-f500-44cb-89a7-a0818713abba,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,475adf52-3063-441a-a6a1-5d30b1d37bb2,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2713d50e-3e6a-425a-869f-cff288f3c7d9,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0c6b727-24f2-4dcf-adb3-06158b928483,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,532ded93-6bf0-4dc7-9a63-5851d34478db,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6071460-88dc-4614-974b-610fe818b443,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b79eec9-78e6-4436-b7b2-f95d683feaab,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,812f015e-7f4b-4cd5-b418-12f49541ccb6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f78b4c6-dd0e-423a-b786-00b63d0f6bdb,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,052b877c-5d87-4be3-9364-0dcfbf246d9d,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,355bdcba-fa18-49ab-9878-bae908d8f4bd,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de33139c-1abf-49c1-a7b0-7c93b0f9055a,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7832d515-304e-4605-9645-0fd7381dffc5,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,527a1ff3-15e7-4dba-8935-c61dbe537c30,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5350cf9-405b-4989-aca9-11bd46ac723b,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0638aedf-e3e2-4523-bf54-1d23dcb5f8c6,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47fdc91c-fb6b-44e0-bcbd-12d03d6e12ab,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e037f51-aff7-4b0d-8845-97b6019f0c32,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,749da945-efde-4b76-89be-03b0b2e86ab1,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf0c4bc-975e-4630-b50c-642bd57caeb7,"4/16/2021, 8:50:24.630 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19e1e357-2449-42dc-95ae-40e10545ff15,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5141794a-0bf3-48cc-9b75-49d3d798412a,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353a5719-88ac-422f-b1d0-efe500c19254,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06c7e136-3d90-463b-85bc-bc8546542632,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2209ce2d-d284-490b-a868-f5c194c2fdd5,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16b5c761-1a91-4dd9-bb6f-a2b12a5c7049,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6f9ede3-0bb0-4d86-ba53-88f910115d5d,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e74d1be2-0d69-43af-8d45-4cc0326d373d,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfb1d286-0ff1-401d-bd4d-c559989d3092,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37aa4fd3-ea49-403c-a281-6a7673e2b0af,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02abff0-319d-4ab0-b682-bb6f7baeb424,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96b642fd-fdc4-49cb-a22a-5182047c1095,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9158b5d5-7bf9-4a2e-b192-4b7d1327cbf6,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba51b2ed-1402-494e-bf4d-c82855e5eda5,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b38e94-a3db-4152-8616-9fa0a2c2a7a1,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,013a5340-d63f-4ed0-95e3-fb3e8c1997db,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd988efd-c52d-4b08-a513-05afad0c5eaa,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e51aaf-d2ce-49d0-806c-0ea06d6135f3,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bbe0781-35ba-4d4d-b539-ea7e278c95c8,"4/16/2021, 
8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bef7d63-f7af-427a-8e3f-027668034f90,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df884838-cdb1-4fca-a748-a663f1ef8e89,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e37f848b-0e24-421f-b70d-c86e22cf19c9,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63862cc4-1e1e-45d4-8527-e76a539b3a8c,"4/16/2021, 8:57:44.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d3bfd23-7901-47a3-9fd4-08e3a23b33a7,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1743b116-4e39-4141-a072-f90df7ce9c18,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f088ed27-9f42-4fbb-9929-fbc80bd34547,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,394b6b50-e9ae-4e6b-8c40-26d9d2110b45,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004b3d0f-4990-475a-8cf9-13621a9ab9c7,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9cea62-8faa-46c5-9049-b5b7e4b59f05,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,942d39bd-76c5-4e89-926b-af375a0eb733,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1676596c-15b3-4204-bfcc-22608133179a,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c349769-ecc5-4421-be46-28897be29bb4,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b665c0c3-c870-4690-af91-247a7ee4a1c3,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e40dcc5-e0c1-4595-bda9-f216101b2194,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3faace05-b4a3-4e6b-b347-5e245ee4c33d,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda9e85e-a419-4e4e-b22f-ab65f21d08c5,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08ca8356-68b4-4b5a-af33-c985d66f7e5a,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e474dd15-fa61-48ab-ac9c-e6a064f4c112,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b7bb41f-f462-4ed8-9f42-6bca20498901,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a957a2f-0a5c-4a81-becb-ab954f7dbffe,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a011663c-48de-43e4-8326-a3dd32b58f18,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,843656da-8e2b-4892-acea-180b7a91a3a0,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c178250-5dd6-42fb-96b0-debaa82c926b,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db6c1443-e09f-4dee-b212-8f5a61751aa9,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,921e1610-1e10-4440-afcf-2b80ab7d4835,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cd8df2e-c22b-4462-9685-e2f702c00e3f,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5322312-7b96-44a2-8d89-c9565a09d70b,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a70bbbc-c346-4143-b95b-b1ea82dbe030,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adec0012-f617-40af-80bc-ae83a713b11e,"4/16/2021, 8:54:17.112 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c41c551-2c7f-4041-a1fc-cf7c496d6625,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecf53763-ea08-4fea-947b-b0cf4dbe30b8,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eedb7a69-9149-45b3-a952-f77eb42e7568,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848ae14f-2aa5-4969-b005-88036de3cb84,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b29a5a3d-5731-4170-9744-e9910ebc980e,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4ed7d53-8414-4f92-918e-d9df81a06ab1,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87cbd98e-18a7-4b57-aab8-49eba95a3cae,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9093e19b-b5da-43e9-a651-9ab230bb9b10,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83d4b679-8bc3-4fea-ab63-f5c4edb88069,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaacca3c-46b0-4106-a4ca-2f618dc45cc9,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc8f2cb1-a2b7-44f2-832d-75bbe3c790ad,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b31c7c89-5d10-43b6-8773-174038685bfc,"4/16/2021, 9:05:59.683 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,23a2a98b-a5d5-4b56-8401-95ae7c79ef27,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3f67a6f-3d9a-43b4-83e7-8b0f1e0d4249,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,765a1e8f-8034-44c7-908c-e0b8b21eca5b,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06b794fd-dc44-4d8b-8d00-19c00f271e4e,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4472241c-bcd7-479e-ab4a-899371a0c812,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dad2dfe-930d-40d0-9515-57c281685deb,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,303f9ad1-64ad-4fbf-93d8-fe4abd5408d7,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74ef45cc-d64d-4d05-9f76-e4d34ceed598,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edda9b20-799b-41f8-8a93-30e2839c3511,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,923a8a08-365d-4fdb-8521-c48d2f0ec028,"4/16/2021, 9:05:59.683 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7319de6d-738a-4c84-8307-311b9395e2a1,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26d151e-667a-49a1-b112-a4dd7477e0ba,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de2cb910-faa4-41c3-a3bb-f8741f0416c9,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1db126-b38c-4fcb-8470-850dd4324350,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a99f7e3a-ece2-4f1c-b595-fc2fae2f72e5,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db8c151-41a6-4d0d-86d4-a254c2a027d0,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ab85d4-ed36-4a58-bf5b-b42be0b52808,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5dedf2-eccb-4811-affe-4d1703ee97e8,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e70c1335-d428-458c-8ac1-9085a20108f7,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb755665-905a-45d8-baa0-d02a4d552277,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f772b338-2754-4f12-9377-a8c7cd5db4ac,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e6a4b3-dc6f-4f81-bc9c-a8465dfd721b,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e49f24cc-3d9e-4cf8-bbdd-3aa325453ec4,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da447902-739b-472b-b51a-a56ea1b55549,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e899b90-57a2-4df1-8b36-7543b9edd0ac,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda95c8d-709f-4460-9c24-f4e1e9b1382f,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f7e42dd-5d08-40bd-aa8c-4a664e7aaa34,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f5fa22-7924-4e40-bd9e-a9855ad3cb18,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129886c8-6843-4042-84b4-b07250e2bac2,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d445ad57-64e0-4c65-af10-1a49577c9259,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,199d3b49-ebe8-4c8d-8109-7b3682500e33,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e439c532-c377-41a2-a743-fe5b9f12ed20,"4/16/2021, 8:57:51.110 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5d3dc261-a5e2-4209-b109-94dba7133bfc,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f53eecaf-3990-4f97-bbc4-63ba02ca0533,"4/16/2021, 8:50:31.860 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2416b7d7 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,162150d7-9b65-4e77-9ff7-896dbafb9132,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e5c6ad8-6681-46a8-bdc4-e76d22aecae8,"4/16/2021, 8:50:31.860 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was 
logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,416d9329-98de-474d-9b47-ab1c3abff171,"4/16/2021, 8:50:31.860 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,20162c42-2562-496b-8778-3cb59499445a,"4/16/2021, 8:50:31.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,247b9b37-4097-4834-a3d8-4c6ffd8def5c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,903f5b9b-3be0-4d4b-8cfd-d449c5f8f4de,"4/16/2021, 8:50:37.105 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66beaa7b-86e6-4a0d-af6b-c027c3c7e59d,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca0678a8-3390-4d49-a50e-a322c523baeb,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4de60739-cc76-4fb7-85e9-f1fe85c7c374,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecf83d3-7a12-4335-b39a-98794731d587,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,307e3a76-cabc-4965-826d-777f6ed4e76a,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c81e0c4-06fa-42f2-84c9-d6d0a09995a1,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3fb23aa-a8fa-4d7e-a08e-ded6831265c9,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46512883-034c-4233-95e0-44a67305a562,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fd95f23-8336-4944-bde9-c23a48cc1db6,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,788b3e50-0e95-4967-be5d-91aac55a97ab,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c4ddaf-61d5-4d03-9978-3f397c67164e,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,746af6c9-50d0-4806-a221-7a9c6907028c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfcee1cf-4aae-4702-a8d1-848470ba186c,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52cdc7cf-5005-420e-9d18-de3463f25526,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3850430e-8269-433c-ac2e-5a2328f6dab9,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d615cb1-7f00-47bf-a8b5-6780f003aa82,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5acce280-8f33-423e-84b4-2189af88015a,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f792780e-1de0-461f-b506-5934d7fed659,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b124e4-1e1d-4e84-90e4-d1ace90081ad,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dbfe974-464d-40b8-b9b0-40dae863edb0,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1ca571a-f668-4526-bcf7-dcff911a2bc5,"4/16/2021, 8:50:37.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf915ff-a2be-4af0-a941-3491e133bdb1,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75259232-5f58-4e65-b427-0df168c9387b,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\VAHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e54f47a-bd59-44a8-9897-0c0667fb0ae5,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d74e35e-1cb8-4243-a4d4-48f4cff1a625,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b60547cd-6852-4779-b178-d5a2b4a2601e,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11526c4e-f095-48c3-a6e5-3228d10a6727,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf94ff38-de2a-4f68-b98d-3269ed0805f9,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db10068b-2067-4883-8940-6c278268c718,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f79252d3-e040-437f-b418-604b6a8fadb2,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33612ed6-fb32-4c5e-9e73-ea2debbb9394,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e07f19-f6b4-4b5c-8dfa-7b8357d49bc0,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d843177-32ec-42cf-89cf-56c6daa1ece3,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5583ded-6860-412d-b261-727b1a368197,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c6ce75c-3b4d-4a3c-aac0-21676da0ffd7,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a071f248-69a3-4d71-8688-5631a263a71c,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\OVC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa54258a-9e45-4581-a42a-6c0130db5283,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e70e9e8-7327-47bc-9ff6-5144e3873d84,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c060ae97-811d-48ef-aecd-de547ab12e7b,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16e662c7-e738-4fd0-9bd9-1a8e4c078ea1,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4ae0134-460b-462a-b885-94ce12f786c7,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfb557c1-5c1e-416e-bcdb-9b5276d41a26,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a4fb9cb-3a05-4599-8ddf-5dc1271ef1fd,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00b9db0a-9f80-4213-b3e3-aa3312a0e00a,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd2646f2-486a-4903-b9f7-e6e0185cfb2d,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a6884bd-9be6-44a1-a83a-f59d8cd53ec4,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1101142c-afa7-4123-b51d-1f65ac2753a6,"4/16/2021, 8:50:43.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6888 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3aabb526-66d3-484b-b5fd-bcf1ba108f52,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15060 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,50e721d4-7f34-4f18-a036-537571360c2f,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14184 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c19d42ae-9b1d-4eca-a5a6-b7a42696611a,"4/16/2021, 8:50:46.998 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13920 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,8c9e173e-d72d-4499-a334-7d6574d2344d,"4/16/2021, 8:50:46.998 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a6a3c2c-5448-448e-8ed0-52734b9185df,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee17591f-572d-4687-a385-3ba6d1b18621,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63981633-7965-4c50-862e-366dd0395abd,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5547bfcc-561a-40a7-b141-d86e246b8c29,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5600619a-757f-4c1a-bbaf-e252e668079d,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf6206e-5ec4-4431-85ac-9528d5c3e9a5,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88b3c700-24f7-45b5-b3a6-8c2eeb6c2a65,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,702dd68f-8023-4073-b7d5-665e852a8aad,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c922ed3-b4f2-444f-99a7-52968a07ed8d,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac2dffa0-9272-477e-9acc-ca6d25dd2958,"4/16/2021, 8:54:24.132 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,35b62368-f788-48b9-bd57-87543530486d,"4/16/2021, 8:54:24.132 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c0cc03e-7168-4718-ae39-7d56b68030a9,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6955df17-9061-4094-a96f-ea1e565524d4,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d946124-25a8-4f91-ba19-3e0a1979db9c,"4/16/2021, 8:54:24.132 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7448 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaf22316-f60d-49cb-be93-d13005803633,"4/16/2021, 8:54:24.132 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abfe08e4-4b21-4acb-bbbb-7696b0be6ec2,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d13f9eb-d337-4131-8537-b7bcdbb864c1,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0619a82-9a61-4468-b2d5-067c4214cafe,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28827660-fc93-4184-a59c-31311615ebcc,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b14aac75-aef8-4e4d-a94e-9cc861d8b4ad,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c168fc6-9938-41f4-a60a-3501c570c418,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2524136c-1d65-4b0f-b308-bacf1444e4b1,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,550ed4d2-bb34-4a4d-9e15-a88d6b532fbc,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a0bf52-6127-4a48-b2a7-c33657f6481c,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcbbd48-b4ca-4832-814e-9e447eb4dbd0,"4/16/2021, 8:54:24.132 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,01e6aacf-7eb6-4fd8-b82a-5fd15ca25874,"4/16/2021, 8:50:51.607 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,177e32e7-099e-4244-ab77-fcada3361af7,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,514cf629-385d-4ea6-b274-386e5a17bbf5,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8120 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f4c498b9-8f8e-4b65-80a0-6237b6a6a1c8,"4/16/2021, 8:50:51.607 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,013d3654-57e5-4f43-aeef-98bb9b67f15f,"4/16/2021, 8:50:51.607 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1328 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,edc50dcf-76c1-4277-8f69-441e3d6319ff,"4/16/2021, 8:50:51.607 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e441526f-a763-48b5-bce3-3adf5b1906e4,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d153c5e5-9c90-44e3-9189-b5942ebb4d2d,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4696 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1237\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\1237\pmfexe.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,da4d3ced-f1df-4803-a09e-ecee8acc4f7a,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,23470e52-8730-4f42-9d72-898cd2796c32,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6636 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,44a4d0c7-229e-4151-840e-9eee14a74c58,"4/16/2021, 8:54:31.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bc6a9a47-9742-42fa-bd0b-0ac1137a9989,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,738af37d-2464-4e89-ab54-f0cab167ba31,"4/16/2021, 8:54:31.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6d0d9246-b30e-4010-bfd0-2efc16c5ed8b,"4/16/2021, 8:54:31.743 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,feec514a-cfbd-4f93-9705-9dfe43e738a4,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbad19c8-1f84-4a7d-93ff-470284ad31b4,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5126dc25-8222-4817-a3c9-2b248856096d,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0372dea0-2397-4f9c-8b96-b01dbf547b1a,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,609bbd79-07bc-4d09-a306-4060bb12052f,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2d91b28-fa6c-4e06-b5f1-e20cdc3e0e86,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f145685-1bec-4807-9045-b29210de5719,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e989cd0-30f2-47dc-81c8-0dd5230e5066,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,375efbe7-7b40-4123-a0e2-c3017ae7356f,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dcd236-de79-4c02-ade4-e0298e33a566,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c920c5dd-c12f-4808-95af-187c774310e6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7cd59d8-eb94-4782-8814-324a5c81bb52,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d2846a6-450a-45ce-a668-5eea93f7d4b6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93eb48d1-daae-40a2-8797-499b040ebaab,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e17446e4-4ebd-4487-b5a4-d4af92c8a88a,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,814f0230-462b-4692-aca1-95200a539ece,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,725de9da-c1c7-450b-8e7e-56a361b7f4fe,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0e6e16-958c-4bb5-b528-48ecc4f664fa,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b722d0ac-d0d4-4fa0-97f2-6901008df3b6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f418fe-b8a6-46bb-9bef-cbd2bc9296c6,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d43a65-4495-4dec-95ba-5864a49b3339,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e313c4fd-875e-47fb-83a4-cca6d13b1550,"4/16/2021, 8:51:00.106 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,688895fd-4ad5-4950-9a93-16469648b4b4,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53d70ab4-e6c3-4ee3-866c-e9a124b1cc78,"4/16/2021, 
8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d8ead8a-26b0-4d77-8afb-d15be46f911d,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eeec1a15-8c89-42c4-aa40-f528edc43a4e,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d7f7675-d392-48ba-95c7-21aff7cdff1a,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5948133d-dca5-4b0a-83d2-64ac86195d3a,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba82f746-b843-4468-b8c0-4260d02cd701,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10bd0b3e-392e-4fde-9a42-fe6719a49c65,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4aacc4a1-da3b-4346-9b50-de7c71c56e21,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e61df01d-f663-4dec-a966-37ce8cec8bb4,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd992e4f-43bc-4864-8d2b-f7f4974a0136,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82ed520e-1923-4f94-b0e5-59bda4dceabe,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d30fd244-20b1-46a1-8728-111f7e373b3b,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,438915a3-7242-4858-9061-434d68002701,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfbd1776-c49c-4c6d-84cf-a560136ce8d1,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14aff640-1314-4cba-a1cb-ddd39399c247,"4/16/2021, 8:50:58.631 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceb46ebb-45a9-4ccd-8f6c-6bd70974cbbb,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9c72066-278e-48e7-a765-ba06c2aac819,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6e26c0de-f588-4ef9-aec8-1775d3ec4def,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a51cde4b-0e8d-420e-8673-507a33e74a0d,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,629b62a7-e7d3-46d8-b5b1-fb5063553c74,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bc9ccaa-48d2-4879-9fc8-14a4a7b94e58,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab36b4e4-bb7a-430f-83c4-f4f1be86f0f7,"4/16/2021, 8:50:58.631 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7418f9bb-2ec4-478c-8d16-ebec3c928f6d,"4/16/2021, 8:57:52.738 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,48192bd3-f9d7-4795-8f9b-4382f705754c,"4/16/2021, 8:57:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,615efcdb-b27e-4e21-9515-2b54592a8699,"4/16/2021, 8:57:52.738 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5420 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ed90a956-51f8-47d5-beae-0baafb8f8442,"4/16/2021, 8:57:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,904a93f1-e152-4f5a-a232-c5758eacd862,"4/16/2021, 8:57:52.738 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f5bf4f75-cb00-41a0-8169-acab05604055,"4/16/2021, 8:57:52.738 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6a9b7bc-cfb9-4029-8d6e-64fddd8559d5,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f4f5526-7ca5-434e-92c4-8bd6a9ebf7bd,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9cbb855-6ce7-4497-bece-5f6c734b818c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c52265-2cca-495b-af2e-e04ff619b9a6,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022ffdd1-b692-4bf1-a69d-5d523ac92c37,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37235046-cb78-4adb-91d8-a70c804fa2ec,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf810e97-3470-4385-9f7c-8c559d1cec51,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe029e17-cd90-4b92-ab21-a4003c228327,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36564512-1867-4f0e-9dcd-7493ee39771c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17a402e-27a5-4f6d-8fb9-b4061bc4393d,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e556036-4a56-4383-b7e3-2861f05aeca2,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a9a66b-d5ad-49bc-b94c-36482d087e00,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47121053-d4a8-4bcc-b23d-4cf626434f2b,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b96c700-7c13-4038-946e-043b601ca769,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5163061-a86f-4daa-aff4-8c13b9f195f9,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44cca718-94bc-4f6f-bdc1-6866bbdf4518,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a31de674-7217-4c7a-b059-cd2206c13e82,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28e74ad1-6d7d-4cbc-b6fd-959a046b191c,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccac9908-aecd-4f9e-8dea-37863be99039,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cc2a16c-1907-43f8-a098-c145dc2ab441,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a1a6f9c-d88b-4fe3-ab5d-d4f666ffdbe8,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3505059-671d-4680-9e4a-59c30396bd35,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6287301-4ec9-4c48-990a-eaa00bb47771,"4/16/2021, 9:06:09.120 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,852396e4-7556-4cfd-b865-d53c074fa5fb,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff473031-4d25-43d5-9e5c-24f666d78186,"4/16/2021, 8:51:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5a6326d2-dc32-467c-91a5-e2e35ee3a43c,"4/16/2021, 8:51:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ede15154-6420-4a94-905e-0a98537b9cb3,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14be9ff5-4075-413f-84f4-6482fb59431d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f95f0276-0053-402a-99de-38986bba64aa,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP 
+ 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,6add8886-a0c6-4780-81d3-bebf617071ef,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,75ef33e3-7f3b-40de-be8a-d908d4b3f3f1,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b4065ac2-fafc-42f8-b466-5c1fa5818e2d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0324431-2115-4c44-8ee8-8b25fe4ccc4d,"4/16/2021, 8:51:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83881587-2420-4a52-ad77-75a86c98f793,"4/16/2021, 8:51:03.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b839da1-7b1b-4ba7-a97c-2d5fb7b064a6,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df8222d0-3820-4cab-a668-baebb989f155,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad0346a1-5977-4940-bffc-09a8c65995e1,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e37d72b4-53b9-45c7-88f0-64d32d50c161,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de78f641-31bf-4f9f-ac22-6a924a788e07,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\NJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9fb1f1d-4648-4aa1-91df-b25268c439c8,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e0bade-4b92-42eb-ac42-f48b32191e0a,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abead315-fb0a-41b3-8927-813234902939,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6d3eb23-0489-43fe-b9ef-d8cf4134ead4,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3d7a6c5-68ac-4297-8f28-a82a7bfa45cd,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf832cd-4ff6-4f90-92f7-72208b177476,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f89f874-8342-4cde-9702-bc88b1a9a66c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d216596-7066-4383-9029-9e54bee22f4f,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54bccdc2-a1ab-4915-b3a1-88945b5f348c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748bf2b0-48b8-4d67-a8a1-2b99be3c05f2,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd9a3775-34ad-4602-bcbc-e9cc352a803b,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd61164d-1bd2-4cab-8af1-0eb5ae0c750e,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a213d86b-775f-44c9-9b09-812a37a7b5e7,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bced286-4113-4d33-8edc-65a019895171,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dc04e4d-a756-4429-ac1b-d3475811a0e5,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0236dbd8-540d-4a99-8c96-572283d0777c,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b485993-f015-40d1-8479-0a23b544000a,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310e76c5-3597-4529-a66f-ad64c91954f6,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2619f334-3de1-47d0-a3ba-0edac21e75ae,"4/16/2021, 8:51:06.108 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d2de534-075d-432a-8a76-a330b4bb0ef1,"4/16/2021, 9:06:09.865 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,65f88bd9-313d-4964-9d73-1423f1785be4,"4/16/2021, 9:06:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,15b8c300-845a-44ad-9378-f177389f4d5b,"4/16/2021, 9:06:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6604 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8336f50f-f1fa-469f-9e14-2bc1ffbdf164,"4/16/2021, 9:06:09.865 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6696bd2-a438-4447-beda-8b031a7e2683,"4/16/2021, 9:06:09.865 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,419aaf2b-8c2e-49a6-a71f-75532a05d942,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,84f2aa61-c27c-4e40-9720-ca09cb4c8d9b,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d7ed8fe4-8ce4-4251-9bfe-4d5361104115,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,90e3e890-a3da-4ac8-a377-c817c8716002,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23ddadf5-36cb-409c-9b99-b49779dae587,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bc9cde9b-cf4d-49a2-8552-8835f93a8431,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,176e301e-d4e7-4cec-ae07-cd51be36b1cc,"4/16/2021, 8:57:52.053 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,5c4f93f0-d1d1-47d2-a34f-13dd574800be,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,021c7045-adb9-4bd7-89bb-c918714ad2bb,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 
+ 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b7d9317d-a3db-42ce-8064-a64b0df19fe5,"4/16/2021, 8:57:52.053 AM",,,,,,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a1feb2cc-a9d6-4f6d-9276-904bd168bec0,"4/16/2021, 8:54:37.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132a7c61-cd63-47fe-87e1-9212da428839,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1391f9f-6209-4122-848d-3a279c722f54,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9431f089-c125-43ec-96e6-26d274df69af,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3217b76a-8154-4250-bd45-1ca94c3222c0,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9ce34fd-47f2-4b78-80f0-a7c5626a815e,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,129e84fb-eec6-4239-b030-63d784985b44,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, 
+\LJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b7f5656-b59c-4f2f-b2f7-d0a087924a02,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a262a6-a27d-43d8-961c-a51d0e17a3dd,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1f2a141-76c9-4064-b9ff-6cb0e53a1227,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca25d97e-d07c-414f-8bf6-b97e00786336,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f576ff3-a840-445b-9b52-b9f9e08d8330,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,678f5e82-3b1b-4883-b27c-d57356a36b6e,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff9dcf54-5297-4455-926f-46c7f01b87e9,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289e15d2-4041-4997-b436-c5e8f0ac942b,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2c5117f-14f8-4c6c-95c0-79bfb14d9a53,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5814cd2c-aa2d-497b-a0f1-f428a6f78019,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b167c9-cfe9-405c-ab7d-b82e54a118b8,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5eeadef-9067-4e4c-b60a-5194461fdf3b,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dad8fed2-dc1e-42bb-8a7b-1a6486b3ce81,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,066295d7-0fe7-4b06-a315-b248d35aad67,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c57c4b2-154d-4f1a-b9c3-3a637dccccf9,"4/16/2021, 8:54:37.112 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c81b5a73-5ea5-462d-84c2-9239e643aa77,"4/16/2021, 
8:51:03.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8bb551eb-bc7f-49f8-9093-79facd0b5ebf,"4/16/2021, 8:51:03.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2836 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,26353355-ddbc-4a92-ba54-41aed58d4421,"4/16/2021, 8:51:09.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6020 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ba394b73-0b92-4f63-8d7a-848b75fe9e56,"4/16/2021, 8:51:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1abfdab9-649e-4fae-98c0-d4dc07634c1b,"4/16/2021, 
8:51:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fe218a77-fb7f-44ae-8795-3f0aae4b679e,"4/16/2021, 8:51:09.856 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dde1ce42-66c4-4e14-9805-db936b936e00,"4/16/2021, 8:51:09.856 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f10607f2-0b7e-4344-a22e-c51feb59db73,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,994dedcd-a4a0-40e0-9535-d6c509746ed2,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec120a3-d3b6-4216-8c58-bea687b55364,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,615fed77-aa95-49cd-b3e5-f6e41141e002,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40dc8ff1-d0d8-4adf-80fe-bf21bfd4c9a8,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55554c6b-52e2-4511-ae2c-d7efb1c8aa93,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c70989bf-ab27-4b61-8f35-0305b87c2f5a,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c914122a-7bef-4452-b5b4-fd5f3ddb62b8,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aff174d-5fcb-457e-9644-500149e86ab3,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fd7897-8a3c-4e7b-9b24-c69ef6cb9811,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d930a4-563a-4e7c-9cbc-cf86bfc9627e,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd30a460-80fb-4ed8-b3e1-1007c43706e3,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,134890af-b133-4d40-ac06-9f5dcdb58cf7,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a584a2e6-725b-431c-b3fb-1757b61d52c7,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec16816-1309-4054-948c-af06cd8a1396,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22ab9683-2179-4fad-b30f-c4233d6e0097,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a284f40a-6256-41a2-aa6a-ba04d9cc9281,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c24c545-ab53-4c0f-9f48-6c23805f5179,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce560ff8-78ef-44f1-a67a-f76f1a0a15c2,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af5e40e2-8411-4a85-a911-0824df36441d,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36a5f61c-6f9a-4ce7-9913-02b5013dc4b1,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aca55c7-8476-4fe5-aa9c-798b146656fa,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e29972d-cf7b-4c64-bc1c-562c6fae18ff,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1045ea7b-98db-434a-b28f-47cf5e496374,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87fcc99-17ac-4270-ab93-002daa15ea89,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50793941-6246-4652-9b31-8ce61884d451,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eead7374-ebf0-430d-8974-6ac3e8ee9ad0,"4/16/2021, 8:51:12.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb30549a-c81c-4b04-9849-b36dcaf9cdc6,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d7dd45c-f0c4-4c2d-8f61-7278967a7d4a,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d43f313-ef01-451a-90bc-c03ceba606b2,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972379f8-9bc5-453b-8edf-c714f2d41954,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b74821b-b7db-4de4-9ef6-d933806df9de,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ea363d-0b07-4c8e-a1e9-09d649eef277,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8a425ad-822d-42c5-a986-b200fa1f5092,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b67e8e4-680d-4cd6-bf38-e654d8b1ad1c,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac6a7ec1-45a2-4cff-b8d4-03ec8edc91f8,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9371cb29-76fc-4c43-90b1-d0e7bccb31af,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b328d7c4-ad0d-452e-aa69-909fbae0ba6b,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b42cefa7-929b-4f99-9760-98ee35cb27ae,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b720caac-f664-43f3-9031-2ac92005edf0,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c631fe38-f51f-4a80-a502-a8e5e27b3b8d,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ee790ab-0cbf-4961-b4e4-cc3041b80ffb,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4da7b209-df1e-4c38-9a02-393fa581741d,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0094bc15-eab6-4e2e-aba2-8fc722bb5aa0,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f4a8205-3107-49a7-a6e3-0babbe626b85,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb629132-287e-4e74-a7a2-24d6d9c43186,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8cec0d-0868-4fe4-b510-21789e5cb07b,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d2d4ec6-6c35-4557-a8be-f85b1b0c5a10,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a7ee342-12f1-49c1-895f-e7bcdc29df05,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56e82d9-27fa-4e97-a22c-60c2635feb98,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13497cbb-5439-467f-9ba6-a4ca1c4c36dd,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b509b8-9bfd-44e9-b200-58ea6dd3d469,"4/16/2021, 8:51:18.111 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b5cfd85d-9fd0-456e-9a48-202b9bf4a4ea,"4/16/2021, 8:51:26.558 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 
2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,69be8a52-07c1-4729-872d-7e6c60c1ad95,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8128 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f425da9b-0d6a-4c35-a030-d18f7b45a25e,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8796 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a2e3612-49b0-4134-af2e-b039e3533fe8,"4/16/2021, 8:51:26.558 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3348 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bb42f1cc-93ab-4e3e-8724-8a6932d4e7f9,"4/16/2021, 8:51:26.558 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,53b03c52-5be8-4eda-8ac3-a9caa5c8661a,"4/16/2021, 8:51:26.558 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b38db54-b0fc-4db1-9876-5fcb3ef2014a,"4/16/2021, 8:51:26.558 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,95e91855-43f5-4595-8e8d-dd992c5769ce,"4/16/2021, 8:54:44.858 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e11bc5b2-2c98-430b-8d4f-ad4b347e7804,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d269c391-3ba2-4517-8361-4ac34e9b43be,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dc3d228-cde6-4ac9-8d96-37aa3d684998,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,930261e7-6040-47c8-864b-ddc80fc290c5,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ee7742d-0205-47c3-817d-6cf44412c4d8,"4/16/2021, 9:06:14.669 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ceab502e-2e48-4ff0-8577-a40b47dfbd6d,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1bdf936-d7d2-4345-98a2-aff85fa5c1e9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efbb3572-84b6-4bf1-ad3c-fa705c62e2d8,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c4b04b5-78c5-4580-8316-841ba9e701e9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97af48ae-73ff-42bb-8200-f67d07ea9be9,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e49034-bf57-41ab-9701-3c7bc465ef13,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96031a66-b2df-45f2-adc5-85eb519bca27,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8830295-fd3e-46c6-b0b9-598dbd6f855c,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a801f032-2514-48e5-82bd-eb9e6edaa9c3,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ce72122-e108-4635-9969-7e015a206f92,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a2bf3ef2-85a0-49ca-97e3-c46758709a39,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,004ef133-a91c-473b-873c-6180a2f05d25,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,703ff4ab-4842-487e-99ef-385f0f62d269,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,29c6e85a-f303-4915-b6bb-e3fccfd1c1c6,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,460d3275-f3ac-4c9a-815c-f3b9d7e7e357,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5286c35a-103b-4b10-9b07-13c882909a0f,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,181b8da5-be56-4b20-a9f6-1fb64abf7ab3,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a871838d-4c88-4caa-8521-6ac5a8b96a3e,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f18c0c30-2f04-40e3-ae71-d58fe941f86d,"4/16/2021, 9:06:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,177c48b4-1fd9-48b1-8c30-350ccd81c490,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d27517-2777-4546-bc1a-3f5ae4923b1d,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a95665-0c61-424e-b7b4-944559cf2297,"4/16/2021, 8:51:27.108 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,108a9ef5-fa8d-4da1-935f-143e15d71b65,"4/16/2021, 8:51:27.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d44c69c-af69-48b4-9f24-3ed49e0b4432,"4/16/2021, 8:51:27.108 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2eb937d-c17a-4476-bb56-9efab3eb0bb6,"4/16/2021, 8:51:27.108 AM",,,,,,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a9c1b4f-27ad-4696-a05b-be9932821271,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c4584f-ad5e-4f23-82c5-24847c8aca37,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdd0b1ed-94aa-409e-bcb7-25c897dc8541,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b5195c2-2afd-47b4-9d7b-1c78a21725c7,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,473fb93d-5492-4a9c-9a43-60b76faae9fb,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97d9b575-8001-435a-9353-eecdbb30b622,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37c16e99-9910-4b00-9d41-742f59acccac,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\THSM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c040545b-8e88-4238-bab5-918a41eb55e1,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a045f863-5bd9-4a25-b259-41100d38fa38,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eed33eeb-d922-4afa-9d25-672e3291bb92,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf36eec6-ba36-4377-9ff9-e85787eccf04,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8b27385-3d8a-4275-b1db-f72394654606,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70f0915a-fc04-4fbe-a682-6881d7b97fe6,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4434b98c-6916-4070-bac6-08aa2165b1f6,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46b06ec2-77ae-41ce-9262-c4056528a8ce,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e540fe19-3aff-4bd3-8acb-335edefe2a2d,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47b14d93-8402-4764-a8a5-45c7b7859c29,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a800b971-e674-442c-b418-d9e8cb0e1ad2,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df5e691a-3448-4b94-8508-a3039e22d680,"4/16/2021, 8:51:27.108 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7336 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ed34d709-0699-43f9-b074-3542c025ef7f,"4/16/2021, 8:57:56.993 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4184 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d6bee65d-77c8-4cf6-9b6c-8893bec34451,"4/16/2021, 8:57:56.993 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,701c3745-1c0b-497f-8949-ad16c23268a2,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e536ef2c-90a7-4ade-8058-0997692192ba,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dab9f67-6ca8-4bec-8c9b-2bb08920931e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9674b729-c543-4651-8c5a-64354669ea83,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b82cda6-9ceb-4b1d-b27c-0a771e0e8585,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0b98c0-6784-4ae0-9b18-b1e725471f76,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8f665f4-1580-456b-8c56-f392ea00d10e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26f9631d-d5c4-473c-8818-2b8f860e901e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10771066-17af-4819-a025-fc7e943a3de9,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aae05ceb-b19c-416c-bf1c-3372312133d9,"4/16/2021, 8:51:33.643 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d95775a-64eb-4740-a47b-2149a707a615,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe949b52-93c4-44c2-a3cc-74bba8d0cdd6,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12b82ac7-eaef-461c-ac83-efd731efb408,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e91cb44-aa92-4fb0-a411-81144ef62398,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e6a8b39-3adb-4570-bb5b-7b174f3b2b4e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8368dfef-5e4e-4508-a178-77475a554751,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a98c299-1fa1-4c5a-9c58-5ff840b13651,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56a18bb0-fc09-4932-9638-4e482e8df018,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eae01a0-6728-404e-b894-baaca66b1ff1,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52f01260-4a3d-40e4-91eb-e1aa466f202e,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b095d0c-c186-4041-bae2-6495eaf3d651,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04c8e8c0-55d4-40ee-9ec4-15ea3660e9b8,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,02e3f64d-e528-4ace-9c7a-5548394f3bd6,"4/16/2021, 8:51:33.643 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a68b544f-119c-4aee-9626-8422d2fb5efb,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c498c0f7-3c5c-4424-ae30-3d814ea25bc0,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f39e10a0-777b-4730-8e6d-bc12be585eb6,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3e90c4f1-e996-4b83-b70c-792b2103771e,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0795879a-eb45-4fad-8048-608a914c8807,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,121fb4c4-df01-4313-b8ff-0b1e24421f44,"4/16/2021, 8:51:36.048 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84f38cf2-6457-4444-803c-4a878cf10518,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2363d16c-d7ac-4b29-be43-13a9df2f687a,"4/16/2021, 8:51:36.048 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cae370f0-3317-4ed6-b0f1-e6d3ca2c9825,"4/16/2021, 8:54:48.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d844d7cf-162c-4b95-b6e7-6aab48a0ab4d,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,176d2021-0047-4650-9049-503bf9b7859e,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5800 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS 
DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9682aaa4-5fd6-430c-832a-ad6d30ca22c9,"4/16/2021, 8:54:48.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,33017c48-7b95-49c5-8154-b82dbdec31d8,"4/16/2021, 8:54:48.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2285ee9f-a341-4f10-a8ab-4cd90e85299d,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4de6dcf6-97ad-4224-a615-d65fbc9d6a37,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,11fe8982-615b-410e-bf50-e7a0b4b28fd6,"4/16/2021, 8:54:48.414 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e99d0acd-b83b-4626-9ebb-66476628d93e,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f8a869c-4cf2-4970-b61c-a0c3af204004,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3256c8bf-6716-4ec5-b2f1-ec4f1a993406,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,279db4fc-e184-424d-9308-985d0b0778db,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af6c2f9e-4cc2-452f-8807-c9b8ec74873c,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fffe5b7-1846-44ab-b339-6858733dacd5,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8032f93d-ef71-465a-b6a5-8e8d4ed678d6,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4afc2ae-7f75-4076-890f-82a749877a1d,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c597826-d624-4623-a663-6e65241d906a,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a9605399-6163-4185-9ba7-bc20116882e9,"4/16/2021, 8:51:36.119 
AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58955e2-c1fc-40b9-bcbb-c362cf5b9de3,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ea789f3-8247-4f47-8f82-6ed6b7b233cc,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37874f2-52ca-411d-b683-294d4b8af22f,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d5f202-ae0d-4c99-8c23-34542fbd0aab,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ef4a68f-ce69-4f92-88c8-880a0b31c19a,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a92c080-bbb3-4045-9886-ba7c4b0faf0f,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\USER1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80ab8c4d-6086-4fec-9e0c-56c637ae7bf0,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2e1e78b-9619-4a7a-8119-da693337d52d,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,648bfe87-e07f-4848-b0b1-f61b04c82690,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a9770c9-0280-4341-838f-98204659dfc1,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c21dc6c1-53e8-4664-800c-accea870b59b,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\WGONZALEZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2066e422-7a55-4c10-bb96-73a8941952bf,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cfaeb4c-fff4-4d64-b8bb-30fb9147efac,"4/16/2021, 8:51:36.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7db455c-73ad-43c9-bb4b-75d1db8f42fd,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8debb0b-9afd-4fff-9655-3eaca94b339c,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980dee52-a298-4a83-82b7-5c514bc9ef7e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d5191dc-bddf-463c-8246-74f1a5e35add,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c9a116b-ccdc-44e5-8bc5-833ed2da24c1,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85b5c78f-15bf-4ae3-a9f1-118599063bdd,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0919ad28-51b8-4f1d-a62b-85598c93a196,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0eb01a14-713c-416f-b3c7-e3edd5e4dcc6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dffc8018-e32a-42be-99fe-c18913e26772,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f47137-e4da-46bc-9fea-fdff4e55d8ec,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6262ad31-cae7-4ca1-b1c4-7e760d1b2afa,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a539de1-e1ae-4a16-9714-1fedd7dee020,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8871d743-05fc-48cc-bfe0-60b05a7c5e86,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2d372d-4805-427d-a368-f7809e3a4163,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45fc31f1-f067-4cc0-ae33-3ec0490a7545,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b1879f7-3460-4591-8f3f-3ec70eeb3da0,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b663010d-5176-4779-8c14-116118be4dd6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1c8f34-6528-477e-9392-c79fe86e9586,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0805a5cc-d0fa-413d-bdfc-83292cd82334,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf66bec-aee4-4195-85c2-ebd8d94d99f6,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\UJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddc6a02-ec61-4072-8db3-9fc85ad0977e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a0c1ec-eca3-4ac4-b05e-e0379837a65e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3927057f-bc94-4aba-90d8-12b5654c1f2a,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae3a09a-c5a3-4ad2-a856-c5e629c1971c,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77a67df5-9d86-4e85-bc28-d42ba46ce92e,"4/16/2021, 9:06:18.152 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e66d9806-a8d1-471c-942c-19c9cf74ec15,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a2b596-da91-4d01-b2dd-6b965ee253c5,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48b1099e-6c6e-4775-984c-a469fc9166ae,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca648ff6-533c-49c1-9252-a038b212ace1,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46f70c7-2672-4e35-8f72-45be4cbfbacc,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1306e3b5-2fc9-4fd0-9f7e-ee75c4b60357,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2175de99-2ebc-4ee0-835f-dc5245db7e66,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,599c861b-37e7-4895-b0cc-ea72ab57cc06,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70195c35-0fdf-46bb-9e78-935755d6e8da,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a0b495d-6ad0-4e07-b417-0d9926cfee6e,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f396ae-9cf1-41a6-8945-29a0980e565e,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63786155-4795-40f2-8f98-feddf5d3de50,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8019503-25c9-45d4-90e6-7cc777e3ae7b,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4b359fd-1ddd-45bf-ba07-631baa2f7774,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8edccc5a-ff45-4404-b2a4-80d719e0200b,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e719214-6127-40a0-95e7-50aa92f3827a,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da0d2f99-15b6-4f71-a284-eb1d34468286,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fe07097-0c3a-428e-86e5-9d1700872f42,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b0b6d9-0359-49a7-955d-f04e2259f8b3,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77b868ba-4114-43f6-9007-d721802214a0,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8397b89-ef9e-4fd3-b075-1d47ff2ce963,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7b2a751-eaf5-4fe7-99af-1d64b7bf7043,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66a92fae-4345-46ba-a3c5-db163fc79a1c,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f51b517d-7b33-4260-a35f-2100cc616cdb,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51243692-b1bc-43ca-97b7-13ab2eff870c,"4/16/2021, 8:57:57.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b61995a8-7b3f-436c-86bf-5c88cc03d70d,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faadbe4f-c52a-4968-b276-5d0ac67efd9d,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0d255e-9a92-476a-ab49-596993f1b0c1,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98d53c36-6dc2-4055-a3a1-0c5e56937e14,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5eeae44-d9fb-4764-9b40-3b79b54450a5,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c95d1719-c8ef-46ce-896e-6d54230d7011,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca1b13b3-959a-437e-93be-7f625122202a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edeae433-f635-4a07-885d-f522734aa543,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42279f18-c325-4272-a2b4-cb22c69cd503,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e7a9fe-e896-4871-a33c-8275a17b37f8,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db8f772-387f-4264-9161-33a4c70a16d1,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6070c2de-3b01-4071-a3e3-87c40661f97a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0a49df-fb5e-46f5-bc26-173d73503b19,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bf9aa9-e600-455b-a225-20dedac1ed66,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae929761-9f4e-4fa0-8155-ca3ce4801cc2,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bd3104f-c5f2-4682-ad57-38130896b203,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\COPIER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,926e6b89-95fc-458a-bc3d-7af0e8293ae6,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0204e9f-467f-4eab-a02d-33e2de3e8716,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6bc504-d2e3-4b24-968e-eccbf7a8aa5a,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d6cde5-7d40-434a-85ff-b7036879a48c,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b9acf62-a10a-4835-9e42-99eb7f969a37,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,573de0db-5de3-42a6-95d7-9e855963eada,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60c41b29-63b1-41a0-bff7-31053fdc8739,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5083a887-015f-4084-92e3-1f02ea0ef97e,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6799b668-dd1d-4d18-8fd8-67a0b8859274,"4/16/2021, 8:51:49.108 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2915d3a1-d2cc-4625-9af9-973e5f53118e,"4/16/2021, 8:51:49.108 AM",,,,,,, +\SOFSERVERUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08635f3f-ef37-4949-84e5-430bfb963aed,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72b9be25-7ffa-4c87-b9cc-31c00136c265,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5509f76-44d5-491d-90ca-e642d03ba0b7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b96a9342-e810-4f25-9333-28af3b10796d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262af11c-14f9-4c91-b64b-b588b61048fb,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\MEXAL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e07274d-ba19-44b4-a94e-1b050061375f,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36e1a49a-411b-46b4-afa3-827f8ad7a713,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2061872-3723-44ed-8d7c-6dd2da692b1b,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31470ca7-fbb5-4204-b000-c7861899d9b5,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b02a210a-e450-4f1b-ac58-0c7307521f0c,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bae57707-4928-42ae-80e3-44a9067da1b7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65d0698f-d960-4e3b-999f-b32326cba202,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80b830de-a311-4c7a-b650-c172ab300ff7,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2528515d-5058-44bf-9cd9-db8c99fc995f,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e0f6b6-3c84-4b72-87f7-3fbe47674c07,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,387319d4-cbd4-49f3-9a89-70cd6dee1048,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18487f21-3ab1-4bef-99e8-af0ba15d4dbd,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ec41bf7-28a0-41cf-9d4f-6f93ecc2f86d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd822d85-a0c1-4d03-b0ba-45ba83a64777,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4283a29f-231a-44e3-b83f-f4d1ef2ceb10,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e72a6cd-240c-4d71-a37d-3693e62bf59d,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0e250f-f515-4174-9845-dd0f66311aa8,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03898278-1ea2-4946-89a8-f16a93509ee5,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,279e0404-b170-4af8-b81c-e89a3f99be5a,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfba5762-b2f8-4a9d-97b7-af3b182f8b50,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aecc09a-c84b-42a6-a380-c0e45d6e6c09,"4/16/2021, 8:54:48.109 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6689053a-734c-4052-8b75-8ff6e12ab36d,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d432e128-b0da-4d36-82ee-b14e64502075,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33d33685-9ac5-4356-900e-8ca0a4b785cb,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e416084-134c-4037-841b-6da925371987,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52e72fa0-8a09-4ee1-a400-d3607637bee6,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff49b2a0-a7e8-4a12-8dae-23fa766d6d21,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,605923c4-f78e-47d5-bdaa-dbaec30dc1f2,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bd61b3e-a90e-402a-9ff4-d6227390dfc1,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1afee850-eece-4f4c-9354-c36218f689b7,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c11b6ead-328d-45cf-b595-46258427b822,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ce5e1cf-efac-4913-a8e6-6feb62c9cc86,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1c05638-8a5a-4af0-b686-005fb6af13fa,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1790c9e7-63b3-4c88-978c-44605ae0a31c,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b89fa60-358c-41ef-9723-618f1e2e0f94,"4/16/2021, 
8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,163d138d-9afb-408b-9c86-506b00fa8e65,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3583652-e610-45b2-898a-005219b3bd2f,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a07724ee-6a45-4466-9521-00859e1d0901,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5bab7e69-713f-4da9-9734-d2d398f10723,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e10c60d-319b-4126-9821-805af58750b6,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55fd30c5-6418-4264-b65a-6a4a187fdffc,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a388166-c2a2-4f3c-b60c-de1de167f7d0,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,03e137a2-5789-4710-a7bb-f8b33d509f48,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b88ced5-ad36-4cb4-bc31-722ad7b7db34,"4/16/2021, 8:51:48.636 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1feaa80-9905-4b3d-8223-8eeb9d1a6103,"4/16/2021, 8:51:54.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7011e7b0-1414-4cb3-879c-a154b43e800e,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d74af75-f76e-4877-8d18-00c2753ed7f6,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd4bb86-faa7-442b-a506-944ec90b0152,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f655e429-1572-47b4-8248-d939e8d87af3,"4/16/2021, 8:51:54.110 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dbccda-1011-4dc0-b7ae-18ca18127123,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4870035-16ef-4eff-a284-0a37304cf3f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,872b815a-6a4b-406e-962b-e588c05af8b5,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6015ae4-b23c-45cf-a3d9-ae7e8848eeae,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1b0c9a-59de-4a93-8434-25591db3f7a3,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e195de8b-36af-40e4-837f-2fe09bf001f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff6dcf04-10b0-4ec4-abd2-30fd5845a960,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,969475de-e083-4c91-96b1-ac006536abe9,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b3c88a-e158-4410-97f5-0d454b775a3a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,428824de-120b-4e06-a537-4616d4dc11b9,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f30c779-e78d-4422-a7a4-7b664d42d935,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,faa98daf-2b97-4052-a64a-a4e366c11246,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32458dd2-6332-4986-b334-ffcd9be05e8c,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb7372bd-06bb-42bd-b4d0-888823957273,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b49b6e49-146e-4a41-a4b5-c29f41b0d96a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2b55e6f-a1a9-4cd9-a071-b2f417c0812a,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde78e6a-a183-4ae6-bbd9-302a4c139a16,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cceab1ed-a6ec-4593-848b-73807be6b414,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df7bad4-20c9-4074-a323-56dae8bea6f1,"4/16/2021, 8:51:54.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6536 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d359132d-f858-4018-878b-b9018e526c66,"4/16/2021, 8:51:57.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cb96f1e9-f209-45a6-b8f8-b47077d692a8,"4/16/2021, 8:51:57.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 736 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f0a68d3f-76de-4bbf-9941-ace31c12ab89,"4/16/2021, 8:51:57.797 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce90bdd1-c52b-47f9-9566-e82828bddacc,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62bb8945-6cb8-463d-b3a8-7188331bddc9,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d37fc26-46bc-4663-b371-ee3bc1df2630,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d98c7ef0-34fc-4bf1-80ed-c784f4d767d2,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afb3b644-0e3c-4b3b-bbae-0a09fde711c1,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b013fe0f-5a7a-4777-a329-b6e75f2147cb,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\QJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67db3eff-201a-47b0-8203-3609fe6543f9,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712c691d-d9e8-4eff-99e4-1ca3e2a95b3d,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0f137d-4cc9-46b9-93d8-949ab078a751,"4/16/2021, 9:06:23.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd51090c-c37b-4cec-973c-11a81d8938a8,"4/16/2021, 9:06:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac212cbc-55ae-463e-9407-fd0443062f35,"4/16/2021, 9:06:23.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6872 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9d1fee7-a5b6-4f9c-89bc-eb581c7a408a,"4/16/2021, 9:06:23.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f737a26c-0942-4bf8-9699-ebf609d59c6f,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38b5eef-fcb7-4dce-87c4-8a44ab794db7,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bbeb272-417e-4e57-838f-c6a35e3a32ed,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9d4722-814f-4091-a6f6-6244a4c2949f,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a952fbec-d216-4bfd-9582-b57e209dcad1,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e3fecb7-9f3f-452a-9de9-025e485d5a0b,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7dd8360-847e-4d5d-82ec-fb61371cdf39,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef8c39ce-899b-4041-86c9-a42f6bbb7cfb,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875585aa-8129-42fe-bc5a-4caa2aa63666,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88219011-6768-45f2-9b0e-d2d6d69cc822,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3e40d4f-b818-4b8c-8778-89f54a78ddc0,"4/16/2021, 9:06:23.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ca9856f-f485-4fdb-9247-c326b013a472,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f294a539-70a6-4854-afa7-ed7ec6e9f62c,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d8b29d-1c3c-428c-be70-f42f0aa7e454,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740156dd-3e5e-4895-9d1b-844bb84f663f,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fb8cdb-d178-44ec-a826-63c1f3f71fd8,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac0beb6-5f9d-487e-8e33-f2a58eb5191a,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1336b3c0-4579-4072-b5d1-74f8918a1a65,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94296f4f-ac1f-421a-844e-93fb9c8d54f3,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4bc0408-cc73-460c-b6b9-71b1d25d5684,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e49ef7fe-311a-4a3c-bd24-77e43524deac,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c35486ad-1ac1-4f5a-83f1-dde143269f4a,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddfeec54-4f03-4fc9-8e56-40e3085d0261,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a09ebc23-ba60-47bf-98dc-207636d34f82,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1c220cb-519d-4ac8-8e57-8d3ace697bd4,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15893c5a-bd2b-4914-82ef-ec1fafecdd0d,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a22bf74-ab6f-40c3-875a-903919e83c80,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f580b659-5396-41f3-a2ac-407b288da3ba,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5108aca-5325-444e-9d5d-265db0ef35e4,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddf852e1-662c-4f61-9b9f-29ca8793d323,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,794bbef3-659f-409a-9b10-987fa96fa3a9,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64642a76-eb06-4be0-b5d4-6dfb81e913b0,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca77df7d-4b71-4d70-9a36-2dfae4b7616b,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0b780e3-d8a5-45b6-a8be-bb0d3af26fb7,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb8a23ed-dc12-4c97-a392-b2df21f70dcd,"4/16/2021, 8:52:01.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d2ffc84-e511-4b60-b107-4f730c68515b,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,137b60b6-fa17-426b-a85c-65ded2fc2e6b,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fdd187e-3a08-44e5-89f5-cda74819f411,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0671e2eb-eeb0-412d-b183-e56bb5ec8bd6,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a183f090-7348-4012-b46e-271e3b3b8146,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cff0a7d-ab3f-4278-8eb2-c71388aa0880,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8994bc9-f964-44d8-bee5-9cb154924281,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fefa3eb-5fc6-46fa-85de-1c5d220d6909,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dbf0698-81b1-479f-a046-5847c6730af0,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2556c73b-4e43-4d30-9c35-59eedb152f47,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,452e3c71-a5f6-44d3-a9fb-4104220442f4,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6eeabd73-6775-4c3d-ab82-08a659e1a0f0,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab8ec5eb-c9f1-4d0b-a358-81d40bcea237,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43b31953-ee8b-4ce1-8989-ed814fa2887f,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a679053f-d68e-40a6-9038-9edf887449c6,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,338f5843-3aef-4bf2-b0dd-fbc9544edd89,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8aaf1f6-daf6-4cf8-81cf-5274cb1c319d,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a6bc1d-78ff-4b65-94f2-a175e163e051,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10c9d8a0-0f0e-40fe-96da-97a026c018e3,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1cbb312-245c-44ec-be6f-310a793119d7,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3552ec9a-76d3-4b76-8a18-19c91ee7a828,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb206eb0-4678-4f0d-b041-b54311c6d650,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18912490-b42e-4667-ae31-ba55cd5ef974,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64c445c-82af-462a-97f9-5d8cc656ce69,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e75a7c0d-bec7-43bb-804f-9fc68bb62c53,"4/16/2021, 8:54:53.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a02836a3-9aed-4893-8792-7bab6ad9cc03,"4/16/2021, 
8:54:53.113 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ce4e0d7-4d80-49da-a43e-3a45911d47c3,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e398183-d45d-4c15-a13d-1f837d60441c,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6f352712-9fe7-4b62-8875-5c8f76b03916,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1b784609-7daf-436a-be4c-70f50666dee3,"4/16/2021, 8:57:58.464 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fcad2d86-7bd9-4480-9887-6a2609e0b880,"4/16/2021, 8:52:08.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,56565e19-62af-4039-bc3c-dc80de0cddeb,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,dd944841-4093-4085-9b74-d23fd844df6e,"4/16/2021, 8:52:08.050 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,229047bb-5b80-4905-a395-c49a81214464,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,da97331b-4556-477c-979c-24a28a2da222,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4911ca7a-2214-4e14-a61f-a1f4397e173a,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,36a46dbd-fb36-4d73-8d3f-2af3cb502617,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 
+",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7f7a83c-2273-49f9-8529-028580118cee,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,431d9002-bbfa-4b98-a879-8bd0e26aca42,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80d843dc-eb63-4fe1-a474-2e25dfc2c492,"4/16/2021, 8:52:08.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e602dec5-6d9d-461e-80df-886408e7198f,"4/16/2021, 8:52:08.050 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0683ecaa-591e-4864-b487-80469591514c,"4/16/2021, 8:52:09.856 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,acaaaabf-ef41-4147-88d4-5a28fabccb68,"4/16/2021, 8:52:09.856 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6704 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b4a5d347-0dee-4971-906b-f651709bf441,"4/16/2021, 8:52:09.856 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2752 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0b46a72b-1101-44b7-9376-a6ded5a70c79,"4/16/2021, 8:52:09.856 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3893774b-0b34-4d19-b6ea-4efe95339695,"4/16/2021, 8:52:09.856 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2b8be4b-afdd-4706-8ee7-b30a94030fb7,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9096dde7-15e4-4f01-9298-ada099487f96,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c62b5f6-1258-42d8-8896-9d291167eecd,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de9d4e0d-34b6-44de-b460-a8174f9bc7b7,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9023071-3d3e-4186-ae25-3cc9c3cbc054,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8d37fd9-78d2-4389-8381-7c1533c66ebe,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48f5c673-44ba-472a-90eb-ab42960f5f9a,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94dd2f33-f618-4e45-8441-0fea8751939c,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efa59576-86cf-49b3-9e0a-f98d6250db33,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3148ce92-5e4c-4103-a193-4de7cbbcc6ca,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b2373a5-b7ad-41f6-a432-10ffeb7c1cd4,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db5dfe57-4d73-4a8a-a749-5917b4a15ca1,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65a50ad9-0174-48e0-96b3-af3f0a0a051d,"4/16/2021, 8:52:26.653 AM",,,,,Negotiate,,
+NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33bc72f8-4b32-4eb0-a693-2abc618e836f,"4/16/2021, 8:52:26.653 AM",,,,,,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8af9caf1-552a-480e-82c2-baba0e366136,"4/16/2021, 8:52:26.653 AM",,,,,,,
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7beba18f-af3d-481b-a040-3bdaeacaded5,"4/16/2021, 8:52:26.653 AM",,,,,,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37849d86-f97b-4a26-9f31-3a91336f6f5d,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18fb2b90-5ce2-430a-b315-52cdc40fef30,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30c7ef9e-ba3f-4026-81a4-9659c686bc7d,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4053bbe1-b507-4faf-a0cb-d5df3e7b536f,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bdd01c6-8c75-4472-b1ab-252de6c5af94,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6589b6e-e5c6-49e4-9d02-ff9a0cb6c019,"4/16/2021, 8:52:26.653 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44fdaf21-1e36-400f-85d3-6f95efc2c07c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2aea034-657f-42bc-aba9-b1fb6df0d979,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81014a64-e778-4424-acea-ea98b627ff1c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e233eef8-c310-4f5a-aa39-7d5485f11017,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6663d59-5ba5-4e4a-bcdc-f4e8dabe64c1,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0efcc13-d09b-405d-be1f-7a0ab451fcfa,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaa3a3d8-017b-4d6b-a60b-b7216649c4f7,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47e1631a-cd12-4f39-9e2e-5cd30c838bbf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,314a3e15-28c8-4d1a-a00f-64a104168fbf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0558027a-8505-4225-b1cc-a89c7a727fcf,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09b29be0-6370-4d0d-b4de-cf38d20869e9,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90da2372-b05f-4e96-adac-41b107053d5e,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cb6fccb-8ad7-476f-8ef7-6d6b75f33acb,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a909ab0d-9aa8-4ec4-af4b-8fd9b1cf149c,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a3fe666-680c-4016-88e4-d195f12a1cd3,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b76848-02b6-4615-9a9c-6d6e6c225a14,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9b5cb4-163a-4cee-9011-c8b67928a350,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31edbe48-695f-4282-85a2-b26b53c696a2,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e156f963-553c-4746-a75a-c7f86e9d18c7,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2a0047e-36de-498d-907f-093e7531b094,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f67ef75-d8ca-46ba-84e8-ee2dca37cbc2,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664895b0-96ee-467c-92b2-11aee3f0c689,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2372a61-a719-41d8-a359-af1316d66e3a,"4/16/2021, 8:52:30.105 AM",,,,,NTLM,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4955d1ce-3180-46ec-9545-5a79b430a5ee,"4/16/2021, 8:55:04.846 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,eb69505d-d169-47c6-986f-c5814744b973,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f9a53b8f-2e6a-448a-991b-a6c573c408c7,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains 
""*"")) + S-1-5-19 + 5972 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cf89e4ec-0d57-4861-9dbc-448bc0c33436,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4980 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + A68F28B7A6B48B6CD6CAB57C5C6411BCF3A6186B4FC6823F03D9F2A8828CFD02 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.18362.1016 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,43d24e17-5912-4e12-9f0c-c6842c989e03,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5328 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.18362.1497_NONE_16F5D4B32A2EF7C6\TIWORKER.EXE + 32 + BC24C913F9E2EED11FE1DD49061E0D4286CF68A1A36EC6CE4CF89FA5002E105D + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.18362.1497 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1497_none_16f5d4b32a2ef7c6\TiWorker.exe + +",8002,8002 - A 
process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1306457b-e54f-49f7-bce0-9877b29a73a0,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f995acd2-e6c4-4e53-9ab7-534da04c2180,"4/16/2021, 8:55:04.846 AM",,,,,Negotiate,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,296519b7-bfca-4bfa-9e09-b5f51b941e4b,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8c827918-6149-46bd-a5a9-ec084ac25479,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,11798fa5-0c40-41bb-b769-c014ce556906,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e8d45e84-4c42-4670-9b5b-a414f355e00b,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 5900 + 23 + %SYSTEM32%\GPUPDATE.EXE + 32 + 4E2D85458A3020FD0DBFC227C5779B02C4E80437A5BAD96766B0FAC8D955615C + 120 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\GPUPDATE.EXE\10.0.18362.1139 + 0x3e4 + 32 + C:\windows\system32\gpupdate.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d3ea0182-74ab-40fa-9ac9-05651c87d748,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 7056 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e4 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0265a7c6-70f4-447c-b68e-e79ed313300d,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2656 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0245020e-33b4-45a9-a0ca-e0483dfbd5cc,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3fb73e03-d79f-4b23-ba41-3bc59099e399,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0c4c62c9-9940-4057-9764-fc0d06649fd0,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e985bde5-9b74-44c6-970d-c2f4d5a1279e,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8436ea99-84ec-49bf-939d-a06739b20d35,"4/16/2021, 8:55:04.846 AM",,,,,Negotiate,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf294696-33b3-4d50-be4e-a29ce0421c70,"4/16/2021, 8:55:04.846 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,17e11dc2-647f-42d7-abf6-55502ea5db69,"4/16/2021, 8:55:04.846 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c688f4c3-45f8-4a75-b702-d36a5498dd0d,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,cc46fb1f-59e7-4812-93e2-d5b01c56149d,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,767b045c-9c32-4f49-83e9-2d2cad22c232,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO.AZURE\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8684d097-18b0-4c25-bebc-adbf77d34f2d,"4/16/2021, 8:55:04.846 AM",,,,,Kerberos,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-18 + ADMINPC2$ + CONTOSO.AZURE + 0x1237845 + 3 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1661583231-2311428937-3957907789-1112} %{S-1-5-21-1661583231-2311428937-3957907789-515} %{S-1-18-1} %{S-1-16-16384} +",4627,4627 - Group membership information.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7e9d2fd3-d33a-42b3-99ea-244a7ebd1675,"4/16/2021, 8:55:04.846 AM",,,,,,, +CONTOSO\ADMINPC2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,02f13426-7e37-4f99-b525-c97e240b8f24,"4/16/2021, 8:55:04.846 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f1e34fb-ba86-4069-90fe-39c2f95942ab,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cbb787e-6c79-42eb-b7bb-0fbf037f1256,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbd779a4-5724-4c0d-a089-6dd6550ca94d,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,bf0c498d-020b-4434-95ec-497b7f520a50,"4/16/2021, 8:52:35.107 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072b2996-ff58-4ea3-bf7b-a8460873cf3f,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab7f8d52-f0b7-4477-8c76-49bb29a48948,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9238ca01-9fbe-4835-b138-78ec17a823ce,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0732308d-b44d-4a74-b888-23c3c618a035,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db55b397-22a2-4b0a-b199-7af3cb462e57,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d273db01-34f8-4cfd-b98e-9993d6ff08bf,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\SQLAGENT,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20360f3a-9d62-4833-a312-c850d2cfad70,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8556b4c-7139-4f9c-a734-aa61e7e4e992,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3425e1de-c826-44a6-b248-030f27a1f9ec,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36f82a91-b8c3-4441-91ff-76083883024e,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09c4ab24-240b-4c6a-b790-c02d77244c0c,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92622d05-ce73-46ce-84e9-1bb617a73660,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99811bf2-f5db-4ea7-a850-25ceb6a7c67d,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9804edbf-5cea-47d7-a1b3-aa35784ac28b,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,370de8c1-2ed7-4d1d-8775-74144a5c5ff5,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53d68a7e-9eec-4493-acaf-5eda11d174f3,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80eeffda-ef0f-41a5-81fe-6a8da45d21ae,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b69290-6885-46d9-98f6-bebc30f5dc7f,"4/16/2021, 8:52:35.107 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cd6140-4d7c-498c-bdb0-63e2a7810a1c,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87a62abe-5e35-4a77-aea1-4a5181bf3447,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37a46f84-7f47-479b-8d54-33e0350d5ef2,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5109862b-9248-403a-845d-a043a6c11ae9,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,981ae775-8dd4-452e-bbe6-19b621e4833d,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ede3087a-bb60-4150-bf4d-ab34acf78711,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d959ef3-d884-4fe7-b106-1442718a29a6,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e86ebf7-b51e-4cd3-a13a-2baa18310a9c,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e343422-698a-4199-99fa-b5cb09d6d2ae,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d02f19d0-794f-468d-87d0-2187d7e19f4f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,878fe3d8-fbe6-4446-a701-e1690345ed46,"4/16/2021, 
8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23b0d3a4-4d79-4df2-8b64-1c090d0617f7,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01f7e84c-ce3e-4ceb-a4dc-f806ac6a313b,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7203ee70-bc18-4523-8c94-6d0527dd015f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2698695-ab8c-41cf-9a53-be1974724593,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67f73236-8ab1-444a-af68-2e2f0febd76e,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ee0aeca-9311-41b8-be02-0321c2a2f97a,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce62d16a-b487-4130-b632-a1055a44d325,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34faadb7-80fc-46ca-bff8-4f0b3741d19f,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e4cdff7-c47c-4229-966a-7294266052a9,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5a28c84-d13b-4d64-8775-ffd270da89e6,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ef7a7b1-ddb0-4b23-bf97-5f3948366180,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352fdf20-690f-449a-8340-0c5575e7ff32,"4/16/2021, 8:58:03.113 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,382d15cb-ee9e-4ca4-aee8-555744f62b3e,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d09cc073-acf1-4937-a53b-b2591fb4f053,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage 
Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,edabda6e-8fa5-4e5a-9668-c0c4caef8f69,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,470f978b-51d2-4b55-b25e-79deef13c047,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f06d53f6-f08b-48a5-b601-257bd470280e,"4/16/2021, 9:06:24.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,41125bb6-75f2-4cd3-92ca-343f3852d973,"4/16/2021, 9:06:24.060 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,f150a8c8-077e-4e5c-8324-2ad3773aaaab,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fb2c3016-1f01-4fa2-9282-9c78d457fcfe,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bb9340e1-0de9-4332-ab69-1d841efc97cc,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,eb774171-520c-4e65-8ac8-fcea85fac78b,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6336b4b3-201d-4cb1-a91b-07ba169b281d,"4/16/2021, 9:06:24.060 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2afe46a0-b3ef-4e61-9a20-1df5e92791c2,"4/16/2021, 9:06:24.060 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b9d11c4-5ba0-49b2-8013-cf76817d7c55,"4/16/2021, 9:06:24.060 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcc9dc0-9cb5-4c44-a18f-fca34a15ea4f,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e83d57-3d6c-42d0-9121-f6e21416086b,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3d8d89-3c75-457e-8dd5-91afd23eafc1,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6665947-9444-4563-889b-2a54920042d4,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c63330b-4b4d-4d46-85dd-a4bb36b0f4f1,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fff13c3-ea0e-468e-bc5c-32903b1b0cae,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3460cfc-6f20-475e-becc-05209c32359e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a30f4167-fb1f-446a-be5e-5405150e4a6c,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90739f3c-a406-48a0-bf75-a5cb71c5ba7e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b4d5418-7148-4da0-8638-f59dc1198aeb,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69976a79-980c-405e-b61a-3c2d4719677a,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69234736-7e11-4165-acc5-e2dbc71f1476,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fc490f0-3ea2-4d28-b224-3b96ea708913,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82cb1ce8-0827-4452-8c38-db244fdc7c23,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f3004d4-06c8-44b1-ae7e-4ffe6d6db0a7,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,347a3e14-9474-40b5-a6eb-77eff74d24ed,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,870ea954-e334-4b5a-a6b4-c04914fab217,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1948f292-7cd7-43e0-a2a3-eea1ea47217e,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab9c16db-cd14-4ffa-b070-6301e325a190,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b62516a-c55c-494e-84b6-29a66452cfc3,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019b6ed7-5140-408d-983b-34c01879ba92,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbd1b6a7-ab32-4af4-8c21-c5156cb51c67,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c07bdafd-e5d7-4a56-a716-4d0b9e999982,"4/16/2021, 8:52:40.106 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a0c0c1b-3a98-4403-9a4e-125e58a47bb7,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bf64a04-b49f-40b9-a39c-400f424dd616,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79d77a1e-a549-4daa-a9f7-57213bdf5cf8,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b38d8ef-607e-4617-94f1-da236c1fc941,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef384cbd-9225-4cd9-87c0-22c5fb2feaac,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58a272f4-ca71-45f9-a1f5-d4edf21de734,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac3d3f55-f716-4e51-849f-a345bb57a72f,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b75ef5e2-1d2b-4fbf-9949-95a0a725e320,"4/16/2021, 
8:52:42.717 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a57b95a-9bbf-4d1d-8dcd-91101ddcd1f8,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,192dd80a-9fc2-47c3-9299-c9cc444872c0,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da16252c-666a-4cec-8a60-8d861a85be9b,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37d13483-6f74-40d6-879d-13864b9c392d,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,844fce34-94ab-4b6f-a10b-bb186bf0b277,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e3d334-bc94-439d-9899-b870ff9faeb2,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5a7b5e6-3e7b-4f96-868b-1dbe99849f24,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34765e29-f0e4-4764-a9db-0f8f1826ad17,"4/16/2021, 8:52:42.717 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7c465e3-9a27-42a6-a8cd-9b65183ee773,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d623460-c76e-4a60-9d8c-d822cf4fb811,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c2c7f73-0f1d-497c-8a45-1b14ed4d135c,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9df2c5e0-ceb6-4555-9e05-c83214465851,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e4b403c-ec11-428d-8972-6e077ae18618,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acbc34ba-b3a9-4fed-9584-5439d010a0b6,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aa2594c-856c-4a4b-929a-24af56656b16,"4/16/2021, 8:52:42.717 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad493a65-534d-41a0-94a5-950000abcd67,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d950efe-87da-4766-9472-3e041ebf2083,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575a46f2-72b6-4543-8b2f-d03c6f6ef932,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a12f241-0245-4d55-973a-1b1949b33f1e,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9aff459-581d-4e79-84e7-67a80ce80c2d,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a26cb1f-6cc5-47c2-8ee1-22a2a5602cef,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b04fa05-0ee0-46ee-a472-e874fa7f0001,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da45baf9-c050-4bc4-bca8-3700825d68d5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c757c240-9a68-421f-93f8-77e8904c20a5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,356b06ef-52dc-42b2-ba12-b71202f4dedf,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,027f5d73-218c-474e-9909-bf5a5b88cb2b,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d49669-4450-4e2a-a132-121bf4ee71f5,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b27210a3-7f67-42c7-b830-3761575d78f6,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d698ead9-251c-48ce-8e07-5b7cc90fc6ab,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f858f89-0ba1-4eab-9c7c-c41f7d62b71f,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,493ea58d-2193-4061-afee-e97e87956ed8,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f866c-afb1-484d-b6f1-249c06772959,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,310236d0-7434-4b5d-9127-fbe1e02fdbe0,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b42e75e-a9ea-439a-a0c5-167fbbb1c2c9,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,674fcb6a-bc2c-4b2e-817f-bad4bb18d4e3,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bff22af-f3d0-438a-b774-01ef6bcb0c9a,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28e30cc-a96b-497c-8eaf-735f1f0579ab,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fb947a7-3bc7-4eca-9aa7-bccf7b0e964c,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ec58a55-dfe5-48d7-80c4-090fb2038e9c,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d9a82ab-5989-4c1a-8ffa-b7656ee2a7d3,"4/16/2021, 8:52:46.106 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 
48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8692 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d0f53f91-c0d9-43f9-aa76-c3ddb376a34f,"4/16/2021, 8:52:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,70cd4a90-b7da-4d76-8248-6891b6fe854e,"4/16/2021, 8:52:49.266 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,970448a1-c72c-4842-953d-7f2134eae1c4,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5e9e43b-3c97-4a1d-8632-69e7ea39ebb1,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,757296ef-474a-49e1-98ba-21bcb00eb526,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,864e1f03-4f74-4877-a3b5-c71265744c90,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,489235a7-0108-4ccc-b069-ae2ca1bf7a4d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed41ec9-c6d7-4eb1-b45d-0d3a73bb854f,"4/16/2021, 8:58:03.659 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b42a4b69-1bf0-491c-aa13-088e76e3db13,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a01a2ec3-b6a2-46a1-96a5-8ef7ff700270,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a4c3323-d1a7-48f9-81f9-f03860aadf65,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7cde50c5-cba4-4611-ad40-fa38f9f72c0d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83ff0c83-6ec4-4bc2-9382-75e75bff3b14,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e34c3e31-dead-4096-b166-ca75b6a3d544,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2d33777-f23e-4c23-b531-4c24b84957a0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e1b3e70-8be3-4415-82b2-3476c3ba84c0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eb540bf-54b2-4ade-95df-093df1c0459d,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,74c7c3d0-3719-4bf6-8ec6-5806c47faf6b,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81a61f13-376f-41fa-bafb-3ea21dd17fd0,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a99e23a-c26d-4785-beeb-c665b65e7c51,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f7c6f3d-975e-4df1-ae6e-dc11a9ffe444,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,897f1ce0-a8b6-49cc-872b-43c8e975ee0c,"4/16/2021, 
8:58:03.659 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fa5ce2d-757c-48c7-8372-0f8553920a87,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38549768-b511-45ad-a3e3-4babacb22b3b,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e29f1a6-3f77-42e5-a7f0-1ce051881cbd,"4/16/2021, 8:58:03.659 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f05cfd0-d8c5-43b5-a67c-a3329639c033,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,983fd7c2-710c-4514-b577-3d878ee59562,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76ce0875-1fbd-4c74-9b3f-a63b965f66ed,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1768e9f0-4965-4c1d-bd3e-e9cb18d26504,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\GJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca55cc0-5fd7-4cfe-b633-18d48a507769,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c03d5d39-fe9e-4f82-8a4a-806447a5b923,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5fa61a6c-2ece-4076-b04e-8708c38c0f5e,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb2293bb-95d4-4cfd-9192-2510eb1fe682,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dc94c6b-c5ad-4022-a3af-c27400e9c843,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d71935e7-42de-4355-8c73-e952ef54dd6c,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00604140-00c4-4af7-ba38-5c6f70540f0c,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,762269e1-48af-4265-bad7-6d37693c265d,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d0a1ae70-a982-49d3-b3af-3dcf0c73a786,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17b8d7f1-81ec-4d11-a9dc-3e50258fe5a9,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5559c2d-c6b5-4774-b221-ed072a62583f,"4/16/2021, 8:55:08.644 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7928ec1-4861-437a-a6ec-df8e60fdf4bd,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,81cfe357-5cd0-4de5-9c7e-918e91714220,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5406b287-7aed-4f8e-8ac4-f219f1c564be,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5b65957-817d-44f2-99f6-6ab92070a5ac,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8da62ab-b99b-43a3-be26-1afa1d979330,"4/16/2021, 8:55:08.644 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf35a5c5-40ca-4850-bb3a-1cc432d5baf4,"4/16/2021, 8:55:08.644 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b692768-1685-49d5-8eb7-a35313a6331a,"4/16/2021, 8:55:08.644 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9735eeb-2ba2-474b-9e5b-1dec10819b61,"4/16/2021, 8:55:08.644 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b9b289bb-0b74-41a9-ace3-5f0a27b151f4,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c7d3e008-df27-4b4a-846e-df6e62e9a0ff,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4668 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,232e8269-bd34-4804-ad91-e57bcb9ac629,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5228 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4b023c5-c114-4264-babf-f75a042770b6,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e70fef2d-b1b6-4f2b-88a5-13cbc2f30919,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,80dca99b-a8a1-4c0c-8888-9cc863784942,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d4142fcf-8d8e-404b-8b3c-aa33ef5585bf,"4/16/2021, 9:06:26.659 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,3f9dbc37-ccb9-4294-939f-0e41b0ded320,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT 
AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4868 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,38b52f56-47ff-4233-9514-fe022b8a4d9a,"4/16/2021, 9:06:26.659 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9524 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b1fb8779-794f-4f6b-b952-117dae7b7d67,"4/16/2021, 8:52:56.986 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9a655013-d322-4057-aea0-c2a6b02b9569,"4/16/2021, 8:52:56.986 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22ecc8fb-5ebb-4999-9e5a-82b4b6cd9a1c,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31e85e46-e679-4b71-8904-6a145a87cd54,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54868f41-d4ec-460e-a028-cdc0178f291c,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d62b616f-f45c-4c90-b120-f35035e78e8f,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c3353c7-a71d-4374-9cae-fce18b951326,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b64028b-6024-4baa-89a8-4d80d866d8c4,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c3affad-35e2-4870-9f95-d21cf9652da2,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\XCODER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,243e8d04-d4c7-4a92-b140-bbe87600fb30,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb9446b2-b989-4afc-8abf-e17837b3e71f,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e20d58d6-a5e9-4904-b7ab-a6f4aec8a1e7,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6ea69c4f-415e-4df8-8d2d-3ffc1811fc0b,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1a56040-3147-4849-9575-b3e57e2e8bac,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0368a5a1-c996-4ce9-b976-8517b098b4c5,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e01725-c6b3-4186-b67b-102d27210fc7,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a329c502-f07d-4c9b-aba1-8fc0bcc47f7a,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a84d189-94a7-471a-9bbc-355929815038,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4300d5b-e621-423f-832f-a4fb86762ecc,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afe6b355-5a2c-4dc3-abbe-21b02e4c13bd,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,150fc1bc-c7b7-43ee-bb10-65d0fa4d23d9,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11fb2fa5-1b3d-4bbd-bab5-64cc42adf07c,"4/16/2021, 8:52:56.638 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4aed14c-4d09-433e-a8db-47299371c311,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fab158e5-3848-46b8-95dc-db373a894ed0,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50f6cfd1-a5b3-4786-bfbb-ee58b36809b5,"4/16/2021, 8:52:56.638 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24065ce8-43c7-4f76-acb0-1a34ed07412c,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cba0eb5-016f-40bb-9f0e-31b7697be615,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad17df5e-fa7b-4360-9713-f6abbe672b21,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186cd02d-5b0e-4b0f-8471-7c3b7255e271,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf03f94a-eefc-43ea-a31b-8bf923e69712,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa938758-19c5-4673-8617-8ce46540d599,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ac9b646-47b3-4861-8acb-d463ef79fd17,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,672bafe8-bf73-42ea-ae4a-de5493634218,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2568b93f-4fcc-4731-b0cc-7e9d45d970bd,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,548da6eb-4431-4149-9ef2-e6331bf31399,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5956b454-fe08-4361-8493-ccf716d8d04a,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b3fed8-2887-4965-9723-60a2c5191ee0,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d559e434-15e6-4a2a-9efa-28cbc3824dac,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852af42b-65d6-453a-8159-893455312198,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5456f7f-e339-4385-bef8-8f8d42a52279,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e23e3673-204f-48b8-8eb9-a977a9c71b34,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ebad06c-0fcf-490b-9485-a18928f13a85,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8a5d412-f862-4bff-972e-bbaa9bb65f88,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a9980dc-a85f-4934-b761-40924d4caf24,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,575df78e-3dba-4344-a7cb-91403bd03f76,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6744f7c6-001c-4b19-b257-8550cbd2ac2c,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28723db0-ea30-469a-a6a7-a55a23c1cdd0,"4/16/2021, 8:53:01.108 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f199bbd4-4b27-4cdc-a093-384988a79d44,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11c5b49-2656-489e-b699-6eda752befa2,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,294cb041-310f-4f0e-ab10-6d50db5452b0,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93057fb1-4edf-4580-9aba-425c8074cae5,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02aa4560-b5bb-4eac-959d-7c05f43def33,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c1de718-ed02-4b6e-b357-e780194ba4b8,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a4482c-2258-4779-960b-f031487b76e6,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb489e91-09d5-4cc6-9c23-570d770478fb,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fb1652c-7d5b-4def-a3bd-9ffa8c14021a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b39b98ce-bbb8-4ef4-85b1-ac125dba962a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca03dcae-e87e-4765-b2b4-bcae1a4343ef,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f439a8fa-18b3-49e3-b6aa-cfd1e1685a45,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98378b3a-80cf-49c3-b812-3c887975e96a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76bda2ba-e123-4815-883b-fc389edd6570,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e567ec85-3af4-4350-ae03-86d1dc1bed6c,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea19ac9f-9208-40e0-9a49-3a0f47174ee6,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a824be78-d6d9-48c0-99c3-60ee42e961d4,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9f9f9ae8-4e67-499f-a1d1-e806e3e5864a,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1dfb2205-bc5c-4b96-9ad2-1e30153ab88d,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73491d66-ba20-4491-88f9-e3af58590863,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6570f341-b0ef-4c0c-b85b-5654cc0c7311,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29e5f7e4-dff7-452d-b54d-9374e162f8c3,"4/16/2021, 8:53:10.107 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99256244-7bec-4ee7-8a5f-29a62e0017ee,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e81a1083-3356-4695-b1e1-0e556363fa29,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,111aacbe-d11e-4861-8819-d7c929b5ffca,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1710cd15-a35b-43d7-abef-22454227d8fe,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2995ca3-76bb-4450-8eff-dc1ff7a0c18d,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68a457c1-7050-4fa0-8c34-58f6068c33a7,"4/16/2021, 
8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19883183-41ad-4469-b285-5d1c26fe5e78,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,647f7019-c5f3-47ec-8ac1-009bb7c1e309,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31635820-c012-4a36-9ec8-1b533f00fb06,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e0ce769-71f8-486c-b516-ed0b3ee69398,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,52903282-c2a2-4ea0-92a2-18b95854fdab,"4/16/2021, 8:53:22.106 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6956 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c432606c-ea56-4ce7-82af-aa2eb5dcbe06,"4/16/2021, 8:53:22.106 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4632 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fcc4333-e51b-4394-a0aa-429d0eaf1372,"4/16/2021, 8:53:22.106 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dfeaf69-807a-40cd-9cd7-c363b0aa0e09,"4/16/2021, 8:53:22.106 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca92a261-2ab4-465b-8bdc-58685f0f8f5b,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a674602-b903-4573-a54c-c087d78e832f,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45e9bb72-919a-4735-98bf-edf9094d0332,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e599996f-cc0f-49cb-bd6f-069fa2c93ba0,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e65334d4-7046-4821-a324-c9dd001b0cbb,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19533bd3-5a31-4af9-9816-98598700c1fe,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49bb7f3a-5492-428d-af8e-d1d3f3a928aa,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85266138-b3ee-480d-8f53-8bb1a22a94fd,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4351dda3-951a-4c0a-bbb4-36eb62b0f950,"4/16/2021, 8:53:22.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4863af59-1313-4f51-896d-23c1fca0adcd,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aec4d49c-bbe9-4c27-ac36-1bc3317a11af,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cf04701-95f3-45bd-8973-891c1f5c44ed,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4980d2a-ae16-4181-bc8c-7fff00441f7a,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62259acf-0064-43a6-b48b-5545cdd8d4bd,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,680c2f03-e071-4748-acaa-7ca6108ce7f2,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b5d3a6d-b0e5-4690-b055-69c8bb041720,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bc3c1dc-10d6-4ebe-8399-1a1e1bc393f6,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f505de5a-8ac6-4cf1-8e23-cd912b4e6099,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1957ca32-a5a1-4a56-ab6d-e3df419efbd6,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5e34b8f-866e-450a-b50f-2cd871d68602,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4269c212-b9e0-48c5-bd46-ecf3672a2a77,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d46df274-b3e8-438e-bc73-6855a403edce,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8d17b4c-8929-461c-bcd1-0c68d75aadd0,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1edc4899-ff43-4418-80c0-70f6236ae56b,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4818fa9c-4611-42a1-ac79-fe5be675a2cb,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a21bf5-ca22-4366-8c2c-c7e3d8a5ba7d,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c942fd-ef78-414c-83a6-a1d012bae159,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19937ffc-ff33-4cbf-ab9e-2d587be106f1,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5f46aa-f7e3-4be6-9d5e-bf4019cf67dc,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57233f72-d6e5-466a-8183-a0bff82bc541,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451e63eb-9868-4dd9-9c1b-e6ba162a966e,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,32bbdf1d-661f-4782-8bbc-7954a2bf1d6e,"4/16/2021, 9:06:31.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfbf7046-d7e0-40a9-974d-1683e418f211,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de3b187-3b76-43f6-b0cd-90881c1104b1,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5963891-c696-42e0-bfc9-c425b49d0440,"4/16/2021, 9:06:31.120 AM",,,,,NTLM,, +\DXV,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c68d322c-63ed-4413-8dd9-76ead8fd0b33,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59ffc3e2-0f25-4046-9fca-22f03bbf7222,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6a8003-4145-444f-9aab-31de57095188,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\LJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,106cbd62-93a6-4a5f-9575-874a2d05406a,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\DXW,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c0be4ec-dc85-4d9a-ae09-61fb66244fcd,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e90b6b8-b049-4ac7-811b-45d207d7703f,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22695a67-6ef4-48f6-a1cd-ada3827b9e1d,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abef385e-61b3-4858-9474-2aba2405a341,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad487761-23dc-43c3-bdcf-b4903b60af39,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f304d0e0-4ac0-48cf-b5b7-87edd834be59,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f97aad1-323c-4890-91b0-1531dd34fad9,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d269490-67a7-460d-95e4-4c55303403b7,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\DXZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c932a08-2997-4313-9e05-7b8e77b98f45,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2fafd2-9c70-4f86-a91d-56825f90bd80,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1190e307-da4f-43ce-ba78-3e09416185ed,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c68efe31-0c1e-4e5e-b9ec-913721c1023f,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ed4b504-2033-4946-9329-61bde0f5dfa3,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9153a974-ec97-476d-871b-df3fa83e5ec5,"4/16/2021, 8:53:23.643 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41b7f4af-a58c-4596-aedc-c7740fe5b891,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1b6dc9d-71f7-4cee-8216-22403f9d0ab2,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15087be6-951d-42a4-acc2-00391cf577ca,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b374cf81-0de4-4248-80c3-d1b8d3e12308,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13aedf8a-6ab0-487e-ad15-89bc19f36704,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bde6135-e8b7-48b2-abc9-4807c2fc27ec,"4/16/2021, 8:53:23.643 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 572 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fbfc6c89-d1eb-4f1c-ac80-69b7e7d1119f,"4/16/2021, 8:53:41.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f6344e91-a0a9-4f91-882e-8a48189694e5,"4/16/2021, 8:53:41.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f394a087-0794-4fa8-b50e-a6aa5d72857c,"4/16/2021, 8:53:41.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4051c542-12ac-4dd0-b922-5b2b16338c10,"4/16/2021, 8:53:41.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dad9b777-3943-47c1-8988-84845832445f,"4/16/2021, 8:53:41.410 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e1bb074a-3f13-49bd-b163-50953d7e0180,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ee2f2e5-5883-4e3a-8cec-f39cd8f77d34,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,730dc810-6346-438a-9a39-23a42c6b7075,"4/16/2021, 8:53:41.410 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf8f01bb-1dc4-48c5-9a2d-179873f5361d,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55f1f88a-9c9d-473e-af44-888bb2b5c829,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea0e798f-56ad-49ef-81c1-41421c6d4325,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f466763d-3792-4e78-9c8b-5b6f2d75f134,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e28d3d94-5aaf-4569-88cc-906df2207038,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e92fe94-0b62-4e4b-9b07-d6453d607a8f,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be6c208e-b7f3-46d3-8fd5-4579d471b39c,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12d77d7c-4cef-43cd-b410-148ae21f6ab5,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,226a93e1-01ac-46af-95c9-97d2c481abe5,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a60039e0-0153-4b94-acad-4a30cb64bc42,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,030b612b-a327-4531-a0e1-b21140ffc82c,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd698f1c-8a1e-46fc-8e8c-427b52443037,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6dacc5a-c768-4576-a87a-d00e2d48d6c7,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,783c9c67-e329-42ae-955c-81f723110aa9,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40f94038-0969-4d51-a16e-1494bf1baf08,"4/16/2021, 8:54:57.634 AM",,,,,,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48ff6577-46a4-414d-94c5-bff8285ca844,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e39d6bec-09be-4e3c-954c-11e5a825a65a,"4/16/2021, 8:54:57.634 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e90d7b9b-894c-4241-8895-5eb64a04bead,"4/16/2021, 8:54:57.634 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00b2bd4b-c19b-4306-b4d8-0c5bd5aab848,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63f85e36-60b1-40ee-b83b-cf0e8566fbea,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,029e1712-d893-4a5b-ba1e-ef891a46f18f,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d64a8ef-fa8e-4327-adfb-6e7cc19bbac8,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a737632-3827-422b-af09-ed87506e2afa,"4/16/2021, 8:54:57.634 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2abfce2-bef7-493c-b579-7c0ad29fa0fc,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4af0703-3cc7-481b-98d6-fcd521ce78fa,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9caa5e0f-1bbc-42e3-b387-9a46216af9e9,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c242fd4-2879-4d14-b7de-3b58a2e83cee,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd08d11-9c2e-4e83-8c37-3fd6a6cc5764,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe182a30-2570-483e-8fca-5ced4a15e6fe,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a892fe-e6aa-411b-841b-12b5987cc746,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8be45759-af22-4fb2-a0c1-79d4c27bffbc,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81a61931-e657-44eb-8757-40cba7d70907,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de815c1c-5303-465e-9744-619391a38939,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f08dd7e8-bc7d-4f23-bb3f-33d9bcd4b93d,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b101181-3396-44cd-b614-b42c8f24cded,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b72e5033-f2f6-4e95-a991-ff8d1ac5d122,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,740849e1-7df8-4eef-beef-7988865dad05,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859bb518-3e55-427c-b5d3-47e5fec4b1b0,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dadbfd7a-210f-4bfb-bead-0281e799dfbf,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e783c90-5ef2-4a65-a13d-4abf76040d61,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,366c7303-f5ca-4f3a-8422-38d2218f73d7,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32361ba-338a-4c6b-be9e-c067e0c03ff6,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3b4056b-48f9-4043-bd7c-b9acaf69a5c9,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb71d46-368f-4be2-848f-52e4527423c2,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa3748b-9c29-4e3b-8e19-4214e27e74d1,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88594279-313e-40ef-8913-900bf4324143,"4/16/2021, 8:53:50.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,791d2ca7-6f34-4f22-978d-2f36b4bf2c4c,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e7690b6-2135-4a27-9179-7ab3ff21c465,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9809b378-0e26-4001-8901-ec6b18aee911,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,273df985-c454-4670-83b9-fb3646ad7614,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8bb349-7a16-43d2-b058-265570965539,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d90b8a-7165-429c-951e-dcb82b41caad,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5948c87-7917-4676-acc4-4b15198011fd,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9beaea13-06f3-42bc-b438-f6bcdac10982,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4afa87b8-4365-4a42-a80f-d7ec3ba8bb8a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8474c750-6365-4f0e-834c-71fbc1d10260,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68586c41-3aee-4836-a209-49ea4464eac1,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65c3d5a-6bd2-4be8-8162-6bf93c730d2b,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8712cfc-5bfc-4541-8b3f-b3724a078614,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aac75e6-b686-4745-b63b-76b4183a5b97,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c654678-1b29-469f-a45b-445b1d494919,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,153a9d61-0b45-4d6f-9c2f-492d52027c4b,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccb271c5-17f1-4a8d-9144-a80b39782f6a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6be6021-4df8-4653-be73-5d05f1c3d3f7,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,051548d7-8114-4e25-acfc-0813543542d4,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85472090-8dd5-4e9c-bf6a-7137b276c8d9,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb52454b-e98d-41d9-a2d7-bc2745c61b22,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed23806b-9800-4b43-b34e-eeb4141abf4a,"4/16/2021, 8:58:11.109 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7ed527b7-9494-4732-83cf-25806ce1e83a,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6ef8bfb9-9f6a-4e8a-a8cb-02a2c53cddc2,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,79b30601-c2fd-46c3-bb44-31e498a234e3,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4c9a3e97-72f3-448f-8f19-e43cd4bfc9dd,"4/16/2021, 8:53:53.058 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c11a8178-8bb1-45dc-8cdb-020fac325adf,"4/16/2021, 8:53:53.058 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6c25c320-6f80-4f99-9c25-23d7ff0d19d5,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5131ae33-b655-4ea4-b249-7e2ea61277c1,"4/16/2021, 8:53:53.058 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d83fc7bf-f6da-449a-b76d-b96c4f623905,"4/16/2021, 8:53:53.058 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5332 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,66fd648d-4d25-46f7-8460-4f5e3bfd5d89,"4/16/2021, 8:54:00.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,cc6df690-cc1e-41c0-b8e2-73e84b9df94d,"4/16/2021, 8:54:00.585 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7bc1f3a1-724d-4772-a104-035bae89ad19,"4/16/2021, 8:54:00.585 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,530539c8-09bd-48ba-a84e-b90b7544f929,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8144 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b92f34b-43fb-446c-9f9c-b93d385cb249,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d0a26f94-571c-46db-bc29-9db9e8edee37,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e16d0c25-6ae6-4616-8c4c-f36ddad746e9,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1280 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f4a7e46-d844-4dd7-b9ea-a40cc3ec3692,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c6ec55ab-83ba-49ea-aba9-f0b341e9b669,"4/16/2021, 8:55:02.615 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,ce1c537c-60da-42cb-879e-48926da877cf,"4/16/2021, 8:55:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1408 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1b35c533-acee-43e3-bcbb-956685abd231,"4/16/2021, 8:55:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,55b8e635-369a-40b7-a696-92f1232a2e6d,"4/16/2021, 8:55:02.615 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4324053-d19b-4e7c-8b75-6f862c61d23b,"4/16/2021, 8:58:18.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e73111a-2008-43c8-8fe8-6db2c30c1cd2,"4/16/2021, 8:58:18.114 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,00890aee-b488-4127-ba63-7b9da65d4aba,"4/16/2021, 8:58:18.114 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c591254-960f-4d1d-882e-67b8ac82c532,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f405891-97d1-4ab5-8643-efa61841c7ff,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa884b3-476e-4e22-a850-ce71ba6787f3,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 8976 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1619d43c-fca0-4b72-9399-f645269b7aeb,"4/16/2021, 8:58:18.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28aeeb0-9423-44ff-af74-c354eda10cdb,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96867611-35e5-45cc-8571-112d25769dba,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,56224344-47cc-4d61-9f1b-1e849356333c,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de3e567e-e746-4cda-9bc7-95d40a269655,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2020 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cc16b5d-e581-4944-a403-44aea431cc3a,"4/16/2021, 8:58:18.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c43c4a86-fc1d-4b5d-ae32-bbaaa75007c1,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df05490c-e6e2-4fe7-b247-b271ca3175ce,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,039c896c-090a-4ab6-bf2d-6b1a8cbb4093,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42b24cba-6f42-4841-8b89-ae5c32c16e7f,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14255fa5-abee-4eeb-98a1-04c5b7e80547,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4bc3b0e-ae1d-4760-8371-510526d1d3e8,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f128f639-5b93-49ce-9cc3-489cb8f5a330,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa66fbf8-d4b9-43ef-a3ab-6ea4649cdd0a,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c34a24c-e373-4cf3-b3f6-e7c7e9e803dc,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01082588-5137-4052-9e68-d9eea490005c,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88075cf1-a773-47a1-ae0b-7d90f7bc91b0,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16132891-3533-4331-85df-b69771420be2,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20975f36-273b-43fe-ba86-9e8843482b3e,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c951a6e7-bd53-4e00-834e-a5cd0b758207,"4/16/2021, 8:58:18.114 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7124 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + FF7B647787C49A3CB19B63470B8958B6FB6162AA4EC4B03E78AE1F6AE1ECFBF3 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.14393.3564 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,bc86fae6-5313-4101-a8c9-ae9234411da2,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8028 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.14393.3622_NONE_7EE8048822057142\TIWORKER.EXE + 32 + 5529E1D5191D7E786D8395381584628F04EAB2687886D41DC981B6AD056305F3 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.14393.3622 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e1eb6a2e-db44-485f-b207-1f06936fd389,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a69245a6-4ee3-492f-b1b4-75613392061d,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,8a6470c0-d273-4dfb-8ae9-311e80f0d533,"4/16/2021, 9:06:37.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6856 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + 
+",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,39b236ed-cebc-4eca-9494-f93e75b79410,"4/16/2021, 9:06:37.280 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73d9e6cb-60f2-4712-876e-4c8ffebdc683,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2257b4b6-1b41-47ae-bbca-b776feebdd3f,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0659cc-bea3-4ab6-b13e-cbd5186734e4,"4/16/2021, 8:54:22.632 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbbe2b01-95b1-4b12-91f9-4801c4ce3314,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ebfc2c9-61dc-4012-878b-288655c84d12,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c9d6638-7093-45f8-8506-fb33e3942a1e,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09e2482e-86b2-4e9a-a794-5e671141b9ff,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cb5f420-f151-4b17-9fc6-dc5c5dc93c25,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a8ce080-a243-457d-aa8a-b3d27057993a,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61bbc28f-a17c-46f0-abef-ff1440e144b7,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6294fba-f035-4ad2-b4fe-a868cb0e8458,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d78ffb3-f8a9-4fc2-98b4-525815ecfbf8,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2470a5ac-9b23-437d-9cc2-5d27c6da5bd4,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf2215c0-8405-4808-b40e-d77598c010f4,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f808ef-9a9f-4d57-9450-87ed7274587e,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,282da755-3c6d-4d26-adee-216500bed855,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59b0ac00-3c06-4019-9756-a5af5038a2e8,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cff110d-3d94-4800-870d-1d2e254059c5,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4883749b-fd7b-4a95-b8e6-70b47e0796a2,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8b6d4c3-68ec-4f0d-af98-4b96184a8708,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20b376b4-e656-4a06-a00d-1e9a93c0e258,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad3cb0f7-d61f-4d6b-ba10-ffcc44ae1d72,"4/16/2021, 8:54:22.632 AM",,,,,NTLM,, +CONTOSO\ContosoDc$,Machine,ContosoDc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + ContosoDc$ + CONTOSO + 0x3e7 + 0x908 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-01-28_130107\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,9a259efc-db9b-4c88-bb3f-eab070fa783c,3d8998ff-63bd-4342-a204-3d1c4e41e199,"4/16/2021, 8:54:30.270 AM",,,,,,0x908, +NT AUTHORITY\NETWORK 
SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 344 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 61725EEE1DAEC49A0B1B0BA1A1D15FE7B3E5AA212C56505FB073538A487CC055 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.14393.3541 + 0x3e4 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,d1576d19-5f72-4c2f-b4c3-f75c77487121,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 5956 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D4DA288C309C621E40A1C6D23E008F2C243A57E86613A4D52157CB0661B6B44F + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.14393.1198 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f7ea57ab-d71c-42f0-9cc2-bc392b71ab46,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12188 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e5 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,19cd8889-dcea-4b97-83d2-ad6e965004ce,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4208 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9628b539-322f-49e0-b258-f6f3829ab10d,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,73cdfd18-037c-406f-ba21-fcdd476cfe81,"4/16/2021, 8:54:30.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8784 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,acd6908d-4b72-4c31-b18b-286025e9cb01,"4/16/2021, 8:54:31.561 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7f16394f-c39e-4922-9cb6-abd14e40934b,"4/16/2021, 8:54:31.561 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,45e772c9-897b-4a03-b7e1-116b7aab0070,"4/16/2021, 8:54:31.561 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1616 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,599cb069-743a-4077-9e60-a26b5a2430d7,"4/16/2021, 8:54:31.561 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f8391614-588f-487f-b9ba-2bbcd0519845,"4/16/2021, 8:54:31.561 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,005da578-2649-4dea-8653-bb1df04e8c2a,"4/16/2021, 8:54:31.561 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56df299e-ece4-405d-adc3-8a78476a6854,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0b1dd0c-6371-4ce7-8e6d-c2d2187d6b64,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e551c817-5f61-4461-a720-64a0d6c8eca1,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbbe74ab-fc19-4b78-9295-41d9ae87852f,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,196a9faa-dbeb-4a46-b20d-d908a3b3e22f,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5387bb1-b2d2-4acd-8c5c-3a645f04614e,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5b432a8-9404-4cf0-b045-3b63750f508d,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,446e9270-6db1-4a16-a60e-b2ac75b341ba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2656d7fa-e172-48fc-84dc-5753c1b0a6ed,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99440288-ccef-4885-ad96-dea90ac07925,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53ed77d8-920d-4abe-861a-62c019943e63,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31dba10c-838b-40a2-a2d6-6dfac54851a4,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9208f696-71ea-4dae-9a45-a3688062cd09,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3edd4e3f-e3f3-463e-a7ea-e96b6e0e60ba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c771dd0c-a041-4f24-a694-48687b78270d,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6735319-0482-4d60-8cd2-7a97c614d5e5,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1510838b-6ade-486c-8c7d-8055f9faa9ee,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689319bf-512c-40b0-b0ac-1c96fd5e38b0,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccec7568-cd0e-47c9-844e-3e8d2e0492df,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fc5d05a-b084-44ba-ab1a-a6f6b0e90721,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdf7326d-d1e9-4319-b267-decdeed58aba,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00da749f-f508-4450-a1cc-4357b6b291fe,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,124a33fe-05c9-4ccd-bd18-85d687800425,"4/16/2021, 8:54:31.135 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8bae9709-87f3-464b-80f6-0f5672b20102,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dee8a4d9-8927-4aab-a733-75e83e156800,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7f17515e-cbe9-457c-b166-738f3f2f5756,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5a231f7-35cb-443d-99b1-b13053b49009,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,424309b2-4464-43fc-8c5c-f582f1b0b5ff,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\CORBIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a46db79f-07f9-4169-b9c8-3d922c862624,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79f48ff5-f862-4f93-965b-7a7ba03e6805,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,408c47d0-1ea8-4694-8576-b045560ac0da,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebd6b614-7cd0-440f-8af7-9184bbaac54f,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e54d822-cc4a-4b96-8f3e-4a184205dc87,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21114243-3caa-41cc-8a8a-884b7aa53642,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f69dfcc-703a-45c4-8942-ac1cd593aaa6,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5c2133-f39b-434a-b263-0070d54d478e,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70af17e6-2ef9-4886-ac7e-3439d220c088,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5e0cdc52-17d1-4909-8c27-90e337489629,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2632a3b0-48fc-4747-9b2b-0cd2a004b392,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9fa54715-675b-4317-9c37-5c69f37f3f1d,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8d36229-919a-41b7-af30-3e1697c64203,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc6b4ce9-499c-49c7-a72e-4da1c2dc1454,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa4d7e68-3301-40e7-b466-7da2ecfd732b,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20e28293-2135-49b1-b5ef-c57d83ff1bd0,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b91944a9-bbb2-4d84-8bc2-903a4948a1db,"4/16/2021, 8:54:43.644 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process 
was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,4e7a46fc-ca9e-4999-a02b-e7d5f6f79cc7,"4/16/2021, 8:54:56.996 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f8122f33-7b4a-4910-a1ec-36e9ccbb5500,"4/16/2021, 8:54:56.996 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27672e73-c604-4635-8df0-9f122aa92408,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac869467-0fee-4818-af69-85c29fcdaadc,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c279d06-3c2c-4ebe-8f8d-106216703dd4,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-503 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c2f04d0-3a80-4aac-80cd-bd00cc440aac,"4/16/2021, 9:06:42.126 
AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-501 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad41efc-5aac-4306-bc27-3a3340360f03,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + pcadmin + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-500 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae65760a-95eb-4775-b41d-d668336e5d99,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + SOC-FW-RDP + S-1-5-21-952482744-1076764539-379410180-504 + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + 0x2358 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3708047-97f7-4b6c-a62f-0195e10f354e,"4/16/2021, 9:06:42.126 AM",,,,,,0x2358, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaadf8b6-c58f-4205-bb40-a9dec39870b6,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ea1d78-13ba-4efc-a58c-c4fbc789ddd2,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284cab4e-972d-40dc-a69b-136058b63747,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6703d190-f9ee-46ec-8ec3-7bda939e28b0,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae1b5e43-d00d-4b08-882e-d1eba134c3ad,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7da5492f-b139-427c-8b86-46b8299b3cd0,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e77658-8b35-4f50-ab83-23a5a79927af,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f666f7d5-e663-48c3-ae62-f8560f2565ad,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2eccec-767e-488f-8127-d356c67ce213,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An 
operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbe9a5ed-0ce1-404e-845e-038fef3dd946,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,feb65470-e8ca-40b9-9efd-77d5febb8dba,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5db9a40-8951-4f76-b08a-08c03677c5f6,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,443752fd-043b-47dd-87f0-3edb27015d04,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,af1118f7-74e7-4cbe-98d9-561e5d689375,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,0409e681-db2a-4a24-ad0c-c002dc4265a5,"4/16/2021, 9:06:42.126 AM","%%1552 
",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6567d0c-c9a1-4b17-8ef2-2c7861ec1a14,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2de1308-6b0b-4ad6-9950-c20c7eed65c4,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac79adc8-7b0e-4b15-a1fb-4d0a9c3cc792,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b89a73fd-a899-42e6-a364-270c2a538856,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,aefa87b3-7fb4-4954-8b4b-4b212a7269d0,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1f7b7a4-1969-48c6-a456-28161df17fc9,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59f423b-87d7-4f86-8f7b-c99614e953ec,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3c9ca04-b855-42e4-b98e-d4481568a1b1,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f041f2f5-6d69-4dbd-8226-aa1c4322c244,"4/16/2021, 9:06:42.126 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0eabeb4-c289-4671-807f-0367e34d59af,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e425c3f-33da-4398-a87d-879d9efcb86b,"4/16/2021, 
9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6392c84e-adee-42d7-8907-435d57fc486c,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a1b490c-c0f0-49a2-b887-748bd1746860,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,84cc5c7b-1d5e-412a-84ca-6a7ebb42c120,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c543a564-0a84-4483-a0d2-2e3a27e11605,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,46e1d3bf-cd64-40c8-9138-94c2ea874fef,"4/16/2021, 9:06:42.126 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bd2fb01-64d5-4245-99d3-984cb16e6536,"4/16/2021, 9:06:42.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8d94715-c5f1-4432-b154-49e554cba19b,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\O.MASSARIOL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6124ea-fac1-4af8-a6fd-60b7838d5328,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed6d9ab-a5de-4a50-97e9-cb3b3c879503,"4/16/2021, 9:06:42.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3828 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa625cb8-50a3-498d-bd92-a0bebd1dffdd,"4/16/2021, 9:06:42.126 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6936bc8a-45bd-4692-a1fc-0c3fa8433ea3,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a00ff84-1c82-4f39-a138-83c1f207f766,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14aa4639-03e7-4c5d-9cb5-4eeb205ef1db,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b17b87-5930-4b69-bda0-acf8821c10d0,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b36ce5d-32d1-46f4-9469-ae72375cdfb3,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,750fab03-23aa-4730-a41a-7c1e944dfd43,"4/16/2021, 
8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d104f20-7458-465e-b4ac-4debb5b877f7,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2982f54e-fc48-4571-b543-adea86d5c9c0,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ec988d6-2ccb-4a32-8fd1-d58adf7edb18,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7bcd08c0-9395-4d2f-bdf9-ad192c41dade,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19bb2410-94be-4313-adb4-099f1a65c1be,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2ce3c15-dd45-4aa5-91da-0c00b2347149,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b365d5c-c0a1-4fbb-93d1-355b9595bbda,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b3dea8e-d90c-4898-90c6-476ec8810c64,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd1ea56b-ca41-4a57-af61-e22b405afc35,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,365e699a-33d1-425b-947d-98e414f63f10,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\VIRENISANINJA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b4de2a0-44ae-4b98-b45f-f08f82cf9f67,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c62da040-83a2-4bd7-a705-5bec0a1e44ab,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,714e739e-133c-4853-afc1-8e5341701462,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c76d3fc-df8a-4899-ad23-37aee7d986e7,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d10ea13-f24c-4692-a4f6-2efa852f6db8,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,760abb75-23cb-4ad4-bba2-d8b135e21b9e,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b7866b9-7c22-42b6-aae2-125d727c493b,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82ad0c7f-e543-451b-90c6-185ca73f6657,"4/16/2021, 8:58:17.667 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d0df2955-1f08-4f34-ba5e-27f0b34d93e9,"4/16/2021, 8:55:31.426 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a5924f39-2b05-4406-9281-1ba33ee7366e,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,29b40c49-cd50-48e4-975a-058c8cb6a1bb,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3148 + 22 + 
%SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5c190b6d-8dce-4fcb-8ca7-7eb6934012d4,"4/16/2021, 8:55:31.426 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc46bbf7-dd59-47b4-b763-99172d28c4e1,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4cbff5c4-f873-4b89-bd17-4fdda64347cf,"4/16/2021, 8:55:31.426 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5af8413d-71a7-4030-b0b5-a3496bc0c4ee,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8048 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e835810c-8888-4f2a-87a6-e3706627fadd,"4/16/2021, 8:55:31.426 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,07ee4315-6dc4-4f7f-b529-1ede22ad0b5f,"4/16/2021, 8:55:31.426 AM",,,,,,, +\OVV,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,09335862-9533-4cbd-a73d-71d5f7b4ae87,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfd49504-62ca-4186-abaa-27ebe27ff8d4,"4/16/2021, 8:55:31.426 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,872c6593-a172-4555-89bc-4ad659fbcddc,"4/16/2021, 8:55:31.426 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5784 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e5f6b063-4761-4119-bfe3-ff8ee02b8e32,"4/16/2021, 8:55:52.878 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,73086ed9-e27e-4d99-a1ec-4ec4508b7ebb,"4/16/2021, 8:55:52.878 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8cb950e4-301f-4a51-a3a3-02e6317c79b0,"4/16/2021, 8:55:52.878 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9ce150a0-ff84-438e-9984-a22f401a89f3,"4/16/2021, 8:55:52.878 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9ac2c733-83ec-4433-b896-933d531d622d,"4/16/2021, 8:55:52.878 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,2472d7e2-361e-4b70-820d-0226bef0b3de,"4/16/2021, 8:55:52.878 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,20d4e22b-a1af-4d6e-ac37-ba93475f64c5,"4/16/2021, 8:56:08.196 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,aef1a254-3db0-4613-bd72-e0c5fb04fe8b,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7c8e6d08-601e-4cc1-b5e9-ea1981d70869,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bd62ed39-33f3-4908-883a-889e7dce139b,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,510fe15c-de4e-4e88-8e5a-824f920e7daf,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1ab7756-fa12-4f83-acb9-83bd8dc39906,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ff6387c-4379-4de3-9fba-1cf9dedb6bdb,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53808c42-2855-456c-9257-b5fa5a11d5de,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9b924d5a-e6cd-4047-96e4-8c5e057d679a,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ca7d512d-48a3-463d-9c47-a3071123c551,"4/16/2021, 8:56:08.196 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ee3916b-fd59-44b3-8f08-664615e30fb8,"4/16/2021, 8:56:08.196 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b77c5350-18bb-4294-accf-57d7becb38ab,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c38eb0bb-7688-45fd-bfe6-74e8286b66ad,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11062fb3-d699-49e5-97ba-b02f5db9b1a3,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58782831-0a1c-402f-bcb9-a4e909670970,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,622b8667-0058-4368-975d-a38d1d354ab0,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17bd34dd-370a-4ae9-becd-e48f966743ef,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cda258e-c6c6-495f-802d-96578268639f,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,154e4142-f9aa-4544-a262-1ae659b48106,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3654f882-b87f-430d-8e87-4d61345259ac,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdbe54d3-9d73-48db-8cfe-2c3fbc6e2ec2,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86ebe3d9-88cd-44db-824a-370ca9b7b672,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35d63d61-8837-4ceb-9928-7cb64681dd61,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f42a91d-11fd-4c37-937f-62c54028f2c9,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2043f704-c704-4038-817b-481844b8b378,"4/16/2021, 8:56:08.639 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,048b013f-c1c8-4624-a0e8-a89a9a550bfc,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc41c6dc-60bf-4033-b769-5d9312cca372,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3d1cf97-3449-4565-85c8-6cbb4681953d,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49b7dcf6-fdc4-441d-abb0-368e141da080,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cdc8b09b-6e8a-494b-82b3-9566df710204,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab434971-9e36-4bbe-80f5-4680f6c65d67,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46484012-67d9-40a7-a7eb-a1e1d3759484,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fcc03c9-30b0-40fb-bec1-2e576969854b,"4/16/2021, 8:56:08.639 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 
+",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,c510f667-b420-4073-b8b2-5a30b9bef6cf,"4/16/2021, 8:56:44.863 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abb10d9a-b976-4765-8886-41be8e63b8fe,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8825c14f-db2d-4a62-acdc-f6ffc879a553,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e852684-45bd-47d5-80af-a81ca8470c7a,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,431c678e-b9c0-441e-8b4d-caff89c23e59,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe32e6f0-ea76-46ea-9d9e-491389249c19,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb5d9cce-6752-4e49-a421-0699db9af325,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,584a065f-8990-4fac-bff3-52fc4f8cbd9b,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab24bef3-6a65-413b-b309-decd7d6c2d46,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a30ed30c-d981-44ec-a99a-26c7869115a8,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,312d52c9-4fa3-4f5a-ba15-5f98a74d00de,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4205576f-8785-42c9-8c50-8e41638e03d3,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\ASP.NET,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c06de68-6daf-45e5-8c82-da61b58c0f06,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6594d34-325a-4b27-bce7-45380ae229d7,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0056dc1b-8a1a-464f-93d0-475c9de8cee1,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0eae43-97ee-444c-bf6c-bf2383481283,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,043bb1f1-952f-44f7-9370-24f81e56255f,"4/16/2021, 9:00:30.660 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18d4699c-6b92-4c1f-9518-5db9e22c912e,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da198e01-0774-4592-acaf-188408ce50be,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f6a4b3d-c6dd-441f-bd4e-0698c7279db9,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9683f00-c7b2-4201-934a-dbae02765bfd,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3217933-6422-4f80-a707-557f6cf33588,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a3129a7-a61f-4244-a960-7d5003de7e2d,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8431d56b-4392-4fc0-bde6-45af56f608e2,"4/16/2021, 9:00:30.660 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2f8dc243-9507-49c5-8bfa-a01e1fc54028,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f8327b6f-37fa-4263-8e1f-ddf41e87a566,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee8faf94-c880-4076-9cde-c2c74906f8db,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9e06934b-fe2b-4374-aeee-2fe2b43ad564,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f98f749a-08f8-4461-ab1b-9ae6737522c6,"4/16/2021, 8:58:24.053 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2691a3f8-0ad8-43b4-9929-edcbc9b7dbea,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8577d159-2f37-45f1-a1d1-c0a53d85321f,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,da8b5adc-6b1d-4eed-b79f-c7294d5dcdb8,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2bbb14e8-26d0-48c9-bd0e-aed6ade2c3f0,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key 
Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cef56503-f52a-466a-b183-6dce36625de8,"4/16/2021, 8:58:24.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,696f1eee-9eca-4a96-bce3-294797c569f4,"4/16/2021, 8:58:24.053 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e79006b-f8aa-41a5-a130-0f3c0d4c28c3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abadc246-b5c9-4f9e-94c2-f4644558fab3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84ede4f9-b229-49a7-a8af-433fba852f05,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb0ba9ce-23b3-4803-b461-a553ba1586cd,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1c5455a-2dca-4316-8cd7-5be6ce0a625f,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e945191-a4d8-4f8b-9e89-8cce7f4e5698,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23a914e7-cd18-457e-bb19-963d23600e21,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e1d91cc-c4f5-4895-a565-88c7f13533e4,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ffb41b1-6f37-485d-bce1-a2a5684688d2,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fbde216-73a6-4dc0-a9a5-f8d935cb7904,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,524df82d-f84b-4743-9c2b-3ef6c412522d,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95259fe4-f5c8-490b-b3e6-a7b8521cd77e,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6643c04d-d737-4819-a685-666cda864cba,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fad7ca12-ac45-4dcc-8a92-72340932cca6,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7bad433a-79ff-4d41-ad64-18cee3f7d576,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,797681c2-f7d9-4c28-bb6f-002c0050ffee,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d41ebb8-611b-4c66-902a-d3bb4ff053a6,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd15b873-021d-4e40-9e45-d4ea2e2c688d,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd326ced-c0e0-40f2-956c-b84b6b1a0009,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b226ae-158e-4d9d-b2aa-0080b3b0d7a3,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2625b9b7-ea7c-4301-b820-95c8032268e7,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, 
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3db36049-3b02-430c-9ef0-fa4642deea7b,"4/16/2021, 8:55:01.111 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17a018a6-e3cd-4e42-9e71-00aff39a2b99,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\SECURITY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4ffca72-6b57-43ae-b7ce-3e2744a468c6,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37669441-47b5-426f-8bda-d9452a19342d,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ddaca8c-da32-4315-93de-fb9ad688df70,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc86f3c4-33d3-4014-9021-78bdba95972c,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac964cf4-f2c4-40ce-9de8-607eada06a6f,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ed54ca0-1644-4961-a8c4-1b1e18508434,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7903c535-dae2-4ae7-b81a-2b34c2b77b22,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,badfa633-85f5-4501-9ae9-b80990271c42,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c74a3a76-8378-462c-97e5-9956910debd8,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7342bb83-749f-4a95-a0f1-786edad5da8e,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4d12c05-8691-4d38-9ba6-8b98937a4e07,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c7aa7a8-12fd-4c4e-bf95-e53a37693e26,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe5536cf-c487-492d-80a9-be10cd047e45,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f593829-ce28-48aa-b8bc-025ecfab7f18,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0e6a7d-3c92-47fa-b7a6-86a047f066d6,"4/16/2021, 9:06:43.680 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7dc82994-f027-4806-9f3b-84f7c4f45760,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1f57107-f709-4bd9-b1eb-267c28f971e6,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8d75897-bbbd-4072-84bb-9f6541f106f5,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39a89257-7cef-441b-86a1-4063db692d8a,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\EYP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c162148-136a-439f-9266-518be2279f46,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1be014dc-71ca-45c6-b730-2598ccf943a0,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3cc10cd-3823-4a85-bf29-f823af300854,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35b17682-7e60-4976-b70c-cd7ca2bda865,"4/16/2021, 9:06:43.680 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL 
SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 1200 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a18ad1d-a39a-48f4-8266-e7f516920266,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5480 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b978ec-1616-4b4f-ab36-a720d51f6d7f,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7516 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® 
WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7435b5-2a20-47cf-87ed-3aa9bebd484c,"4/16/2021, 9:00:39.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a978d3a-1196-499e-9a7c-55ccc8bed36d,"4/16/2021, 9:00:39.116 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,d304c97a-9572-4ebe-8d63-863b9ab55bca,"4/16/2021, 9:00:39.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,480030a4-3a40-4ead-afc7-000c917e95a0,"4/16/2021, 9:00:39.116 AM",,,,,,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,435d81e1-001d-4122-ad7b-db48f857c723,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,708f7cfd-057a-4363-83a3-1c24fdf5aa89,"4/16/2021, 9:00:39.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,704fa657-2e29-40d2-a5a5-5abb845b436b,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\DEMOADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0c41d1e-1cc8-45c0-b1b9-6a5c3996aff8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2668241f-0c70-4ee3-b06d-4dbb5e5c1fd5,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34aae841-1931-43f3-8acb-dded08967fb7,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d77ccb72-f89c-4528-abfb-d8945741378c,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3603238e-cdf0-4159-92f3-9ab442edf401,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ad0a6a6-cdea-4910-afbf-ab588416fca6,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb472256-6d9a-4396-bf6e-08701207f30e,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b72846a-9e28-4456-ad84-614c845fc42c,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2aa7e53-6996-40cc-8fb1-8eacc99f73de,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85fcf148-c53b-43c5-b0f2-2e77cb060968,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c77c44c-a30d-47ca-b806-d676bf3d7771,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dff38ab1-76fe-4677-8b29-8bd6c8c4923b,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d7f3a0-5d00-4c1d-a15c-c13025d40f56,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ecb2d6-2592-4a55-9080-91c3bd54e048,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8de93637-4af3-480b-8df0-08f7428dbaa3,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99472edc-0580-4d93-a0f3-4c7d917307e8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc196841-339b-49d2-bdd3-25a530cdaa3d,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e07910eb-37b0-42d6-bef8-29a3c9c572d4,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3757cbff-026d-470a-9900-d12a4f4df2c8,"4/16/2021, 9:00:39.116 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,733ec342-3724-4b53-96b1-42f34fdc174c,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0072c83f-9598-44f5-bbd5-2906572980b7,"4/16/2021, 9:00:47.416 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bb0f27fa-58db-4b87-bd0e-2b25cf3f52f5,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3428adb5-e005-492d-8e5f-e7e99b90dcca,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e1892be-0eac-4f36-a99f-7f00cffe41f5,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d83c487-bbc6-4cee-b7b2-6b918732edac,"4/16/2021, 9:00:47.416 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,028ecf01-7d6d-4356-92fe-610d7baf12af,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f28761-e408-4fe6-8c2d-c971df65bbbb,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8ad944-aa41-4490-9d9b-3ce44f06424f,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8d47e-e00c-4e72-a8ce-86f7f82ceac9,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c7f9f74-771a-44bd-8452-eb1be48194fc,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fc98f1-3ccd-4698-885e-625ab94e0092,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ea38655-d212-4438-ba96-5cc206a15561,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e7b91e-9b66-48fc-b77f-b58ab0e1713a,"4/16/2021, 
9:01:07.163 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e17dd07-b158-4e77-b262-7cf9b9bc1182,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64e731cd-2f66-4e92-a63a-53821d6f3020,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4739d9c8-352e-4019-811f-13957025b2cb,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd64cd3-7633-4eaf-9687-a29f79413e17,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3bfac3-ec25-4f6b-b152-91173d615580,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a049848-d5c7-464b-a93f-01f945a3742d,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b235de6e-92c3-4f5d-895c-90e89228fe7b,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a90b88ec-d29e-4d05-8d49-70e457cfde6e,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec37daa0-b021-4f84-a6fe-a5d62c8ea73b,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9349fa68-2ef2-4397-adb6-64a72cb52698,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71e978c-8caa-40fd-aef1-3ef8a7d34fa4,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6401c3a8-bc66-4a54-ac0a-4ea1a5b6b598,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45a8b205-8922-4054-967d-05871441cf94,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef6f411-cf58-467e-a1f7-ac1bfafc13a1,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd76e29b-4637-4d66-87a0-ef5c176a478a,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3994f541-5476-4b6b-90d4-0e642a917d3c,"4/16/2021, 9:01:07.163 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cfc07df-2f68-45c6-98b1-71eb62817880,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1f08136-8c8d-485d-b649-c55cd0e235aa,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66b6ab7-346a-43a1-89e2-c82d1aba2769,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bd1ed8-b43b-44e7-92a0-bc5f55403e02,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e282504-8b6c-4450-ac58-d4557f2482d0,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcedcd6c-1453-49b7-887b-477975f4c945,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,874d9df6-b9f9-4c26-8c66-389b6360efa4,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78925d7f-09e4-427b-8d44-31f082e7ea65,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e444f77f-38a0-43db-a128-a6d7d486a350,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c79748d1-97c2-43fa-af7f-8690fec9ade9,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,508fcf5d-e205-452f-8278-a80cccfa45e9,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a47cd27-cab8-4bbc-827e-0b990ac29d2b,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea6e066-c3f8-44a1-8ced-428a6c192ac0,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab32a766-97a3-41cf-b7fa-62073f44ec32,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c32d90d-bc2f-4e9e-8cdf-9c50c09b39fa,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ab00129-5848-4b0d-8a86-43406ac1eb41,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae480a6-89df-4174-a558-f641235476ad,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,284a61f1-51eb-41c7-85e4-cc4fad3d029a,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a71a3a-e699-4942-9e37-16e4f7df764b,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2c153b-ae6f-4e4d-93ce-af3380179ef3,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c20f29-6363-46d8-85a8-a0ae53ce2b18,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58f9835-cd07-40f2-b111-12010440d005,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6970b5dd-01e7-45d3-b86b-31312f9796f6,"4/16/2021, 9:02:51.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,711a21fd-807b-442c-8bd9-dcf4dcf996b5,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea920c8-353c-4e74-a79a-39b2ff9ce2a1,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ba7c5f1-b7c9-4b94-980c-a5fcdab87cbf,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626e3446-f5fb-4060-80a6-51db1b3225d3,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1af038fd-9c1f-41a6-b124-cdb008121b67,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcbb2bcc-f0b8-41e0-b564-126dfba2c805,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e849f6cd-32c7-43e7-a428-1aa6077dfd00,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8ff340-e15d-47b5-b9ce-0e68235852de,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,729825aa-bb91-48bc-acd8-bc8901ab620a,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c989a804-ad65-4666-8ca3-f713d051d250,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e846d0a6-837d-4ad7-9238-ed81656fb1eb,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201364f6-c348-42b8-af2e-07355a404e3a,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc28c7d9-8d60-4414-8b98-8c0db40e0a30,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9792d8f7-fa61-4b60-a8c1-3e3c490536c4,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ce9ac67-f88d-45d8-af40-21a5315bd45f,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,751d8e17-fd13-4450-88be-4f7178f30d87,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bffbeee-6300-497e-8a8b-8d587d32bb40,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0f3081-42e3-484b-afbe-ea15f2d58383,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8ef4095-b72f-476b-a55c-716a06d37361,"4/16/2021, 8:55:20.114 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c694bdd6-10b2-4f4b-a1fb-ca1a083df9f2,"4/16/2021, 8:55:20.114 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,50918329-18b8-4e62-8759-412ab0988d2a,"4/16/2021, 8:55:20.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d87cc64-0e71-47be-a42d-8611143571a9,"4/16/2021, 8:55:20.114 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4568 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8401c7-529d-4972-8f8f-5ad829528ba4,"4/16/2021, 8:55:20.114 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,2e1e005b-8ba1-44be-b07e-f4437061da9d,"4/16/2021, 9:06:44.892 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86aa35c3-aad5-4747-a104-1eb99fd563e1,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe5f67b4-9c53-4a25-af23-ce30db050895,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e502e948-f370-43ad-8504-288c8c9d6ac6,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4585c2d-36ec-49bf-9a2a-0b42c737525f,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa8ef9f-f769-4dbf-9ee6-8f5469536200,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c8135d5-935a-4eb4-90ba-50712950e678,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b32c4c28-a359-469d-8aaa-20ab7408a828,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59206e7e-7316-4f17-9d35-7e2fa1ee086f,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e433161-2300-40ac-97d3-3fdb82c8bafb,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44abc2f9-9e73-459c-8263-54b146d2c843,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,374cde16-d9ee-473f-969c-255918a0cea2,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491e64d6-54cc-41a1-a886-8fadd9d1979e,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,941e6d76-217a-4ee7-8496-1875b779a7fb,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b19604d-a9bb-4552-bad6-86c0790542d7,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,382f262b-b11f-4e56-934a-bd6f8b8c4aa5,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d9638c3-774f-43cb-852b-d1bbcae492cf,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db527810-2ba6-4863-8a20-86874452c7b8,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859cde58-bf46-4fb2-8d27-b87609e97963,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeffbd7c-8c22-49ce-8930-9800f4439102,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a93b455-10b8-4574-89e6-854a664b627b,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db2c879-36b3-4714-b83a-5f1bb9d066ad,"4/16/2021, 9:03:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,963a092c-26d5-4366-9e0b-5a79129f575c,"4/16/2021, 9:03:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2decb642-dd7d-4c4f-8068-f33bb142c9be,"4/16/2021, 9:03:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6584 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,49361f33-e364-433a-aa3c-a1ef17259020,"4/16/2021, 9:03:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,273d2bab-3731-4f61-b532-bc9571ea31bb,"4/16/2021, 9:03:20.116 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67ed7292-8c71-4bbf-a205-6d96ef2313b7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6ad6db2-fb70-46b3-bfa3-af91af3bed88,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d094680e-f4d3-49bd-a2f0-70c652419ca0,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81b3a277-f944-4d2a-950a-060a0719ecf9,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bcf18f02-6799-4a69-82a9-c8c41b85656b,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42028e5d-2754-442f-a5a2-d841713fff19,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca27f026-ff12-472a-8ad8-95324c0da02e,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0344ca9-12b2-4cd3-ac58-a3f72a815125,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc2966e5-ca24-4746-9ba2-da264ebb648a,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55ed4893-1c23-4b52-8a61-42a25c663b47,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fee985f-a728-409c-b081-31ad4eaef913,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12006c2f-ac25-490d-986c-889dcc832db7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f586130d-b6ae-4064-94ae-7ef9ecf340b7,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c993d6a-0a93-4fcc-a5ec-f85e93115186,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a50a6bc3-54d8-4607-9523-4e1a5dab5df6,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980d1f75-dc6a-4a2e-8837-48875c34bdd4,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8479b69e-3b73-444f-b5c7-3fa1746d4a91,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f681b71e-8441-402c-9514-ea9ba82a4ffd,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ba76d1-6eb9-48c2-b6a7-0f6c305bd860,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8065b67-c2f3-41f2-92b3-818188ac612e,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e62a31ef-f848-40c8-a5e2-10e7f0ccec61,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0208d616-a70e-4a55-9cc0-05409955822a,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9867b2c8-9279-46fa-9392-e3c4f6de35eb,"4/16/2021, 8:58:29.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5225eb7-1483-4e61-9fc3-a10a72a748c2,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0acacdf9-5006-4cb5-ae94-749bf196c74a,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,edf4112d-4f1d-41b1-915f-ba26b9cd5583,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ebb92d4-59d3-4aba-ae97-cc0def99c726,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2afb4ec7-65bf-4c0e-8086-bdd434bf3cb8,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8569a8a6-20fd-4dfb-8fb8-e36470ff1302,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ee330f-d085-4cc5-aae6-0e4043153f61,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb91e3be-f9c8-46a9-983c-6610a43d0853,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bffa856-5873-45df-b3f0-8f3260c25f46,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc847fcc-fdeb-45e8-8497-f89a441e24d8,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64edaf6-413c-4bbc-9426-e3db998a8610,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988b3c8e-0f8d-405d-8d95-1a80cbb174ec,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c25f496a-9648-458c-a91e-bc9b13014db4,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c2e2966-41d5-416e-b831-921ad2fa204f,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,809b10a2-a0c6-40f3-ac55-6745b57a5759,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f48e263-562d-4a0a-88fb-ed21901f8b84,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,853d495e-37b4-495f-bbe0-0267c53ceff6,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9ba1ae1-9668-4cd6-a0c3-715ad88bc593,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,693c3305-341f-46d0-b128-47a545a9d330,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0b722bc-249a-4af5-8c0d-76e8ff5ae4d3,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9fed132-09df-4ced-90da-e57180a162be,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dfbbb4d-5d21-4135-a9ba-4539857cf9dd,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ac1aa6-80d2-42d3-af29-27edd78cbc99,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1587c1c-dc6c-462a-a825-7e97515e0991,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,657e9231-e160-4b0e-9a69-83ec8283a803,"4/16/2021, 9:03:28.137 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f6c3c4a-744e-4460-a703-b3c9b7424e9e,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1760375-1b09-43af-944f-0bb60e091bbe,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4007edb-f78f-4630-bb68-a79277b45df2,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a295c229-89dd-4c87-95f7-cafd89b49c11,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65ec68be-cd02-491f-99b5-49243c58b7a8,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db4652ce-3f5e-459a-b6bf-9855aa97e70d,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b6df9e7-01a6-4e14-a3b9-5eedc17a850b,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\ABUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08402ae1-f707-465a-847c-a617644761d9,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb44eb8e-9e4e-48f5-9c8c-15b38da09e97,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db0e47ca-2b9b-4e7b-8303-1cb12bafa5dc,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,028ba333-207e-423c-8d26-4d8b6a6f378a,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4be172be-bc19-4bf0-8351-1186bd31d1b2,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a34cec2b-3991-45f6-be1b-e79bfa864f19,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8340dc2-219b-41d0-9862-bd77ac76554c,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,381afff9-437d-4f27-b7ba-730d0c602455,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71b742ff-8a91-432a-b7fd-ba4608ee361f,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP 
+ 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a01b65f-0bab-47b0-87eb-6f32cfd3a6e7,"4/16/2021, 9:03:55.664 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,086269fe-dce4-4ea2-a888-958e8406e789,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca72953-85bf-4f4d-8dbd-99670c58d99a,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85319120-23a7-4dd0-a03d-9cc370bd5f32,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3fe0dd9-1c50-4dbc-a4eb-29d868d135d7,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a6a970d-42c9-4649-8489-47d4f86cb9c7,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,099f2647-644d-4a86-91a9-a08be6f194d5,"4/16/2021, 9:03:55.664 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692ab4fe-08d5-4b38-82c7-776a061001fa,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77504ebb-c1ca-460e-8a50-848509c0ae6d,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd20fcd7-4926-4e95-ae10-80316ac5d0d7,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a8210b-b566-4062-8ecf-2402d5453f08,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87ae470-1b0f-4f6b-9f7f-770586c842b8,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0358a7be-9f32-454f-967f-a522c01e64f4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02ac157c-a947-4440-8304-1269fd4c09bb,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adef5667-7204-4743-aae9-b92b6a178c40,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb6ad013-9481-4ade-b6e9-88e61dff5be2,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b71e0e47-a6bf-4cc0-96ee-d66f255c3344,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e98d16e3-820b-48ee-bf07-1f9a4f896236,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\SYSTEM32,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed1ccca3-d30b-4e12-9448-11d27250c2d4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f752642-1b94-4106-974b-646bea6e4ced,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,689d1e6f-4ddb-41a3-b2e3-e1a1ab77f174,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db89ea0-8b1b-4534-8c12-d5d2f4c019f7,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c198d60-b68b-4ed2-8b7e-2e4a5bfae04d,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20971a88-2aed-4fde-af47-0aab97938e85,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f57c54e-a0a5-41c8-a052-ec72bfd6dbc4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54b2d40-d619-4438-9809-f8fdc5f1e7f4,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c40160a-592f-4ff6-b1a0-ffd3938ada08,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d4b23fc-fbfb-43f6-b723-388b8d14e36a,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d6c0fe2-e99a-446f-bfaf-f1b254f86fb8,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a73f93fb-d3fd-4028-a9d2-4219467d6366,"4/16/2021, 9:04:53.127 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,864741d7-b965-4d6e-8113-5c9574910271,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\TESTUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d4e2928f-a430-4220-b9b9-f1678d8c9706,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,75cc6b6b-d25e-4825-a517-95ba907dbf9c,"4/16/2021, 
9:06:13.408 AM",,,,,NTLM,, +\SCAN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4e9c379a-ca69-46fa-a029-a17b16a44fa3,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42c2056a-a65d-405c-bba8-25f0f8b321ee,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEFAULT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,955060fe-f566-46b2-959f-04342691046f,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1360b14-8ef7-4783-a6e8-8876f406a06e,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +\DEMO,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c5e2b182-eee2-4a70-9199-6538f4b03368,"4/16/2021, 9:06:13.408 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc7d0b1e-a391-49a5-b95e-244cea0a0e2d,"4/16/2021, 9:06:13.408 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4864 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2537209-de7b-4aa4-9541-87238f87b5a5,"4/16/2021, 9:06:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,12e2fee1-1e8c-4c20-9232-0bc240812812,"4/16/2021, 9:06:13.408 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42aba100-469b-439d-a9f9-0f1b4e7e0884,"4/16/2021, 9:06:13.408 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5972a6aa-48ad-4f80-889c-5257fb33ab9c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,95d04633-8c79-45cc-9e00-8a12659df72e,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3564 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 
8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,94c8694d-ab7c-4ae0-9c34-e613ec26280e,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5528 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1e387dd-2b8d-4dc4-be9f-da778def0407,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6544 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8a3e2b4a-a50b-4915-82b6-805e31dbb9bb,"4/16/2021, 9:06:46.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4828 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e428240c-6058-410a-baed-27778f69972c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7b9f9043-6a24-482d-b387-2d64f3e6f42c,"4/16/2021, 9:06:46.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c8d3f887-40c8-4eb8-955c-a7019aada3f3,"4/16/2021, 9:06:46.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6de9cbba-50e5-4b2f-b394-e4bbd2159f16,"4/16/2021, 9:06:46.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c2245458-bdb9-4326-9dbd-f499d572777c,"4/16/2021, 9:06:46.739 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98f0b791-96c6-4a46-876b-aec0d65faef0,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b43310b-a39a-4edb-aca7-5b0a5ccbf37b,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c34bed80-f625-4f76-8db6-35956be388e5,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db153176-1588-4e2f-aa6e-658accabe832,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4a33202-acad-4bc1-9529-f999f5800e1e,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55921359-b536-4eb0-9aa9-2a3e698139f6,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d8cfdd5-205a-45f5-b439-31d31929ef89,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec753c6d-f3ea-4558-8ba9-aad7fedb8364,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89ab217a-3865-4d36-9965-47ad328a8787,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0640e3a-00cb-4b94-b007-79fe624b1024,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac34aada-4ce0-43d4-b83c-e43dc1af7611,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63bd661-593c-4587-883a-a51fa0ba3a01,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78c4fa9f-6ca9-4615-b3f8-795a1270af2d,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a00db6f4-fcdc-4027-907c-5c0d7c9ca395,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ed21174-c8dd-4e53-ab15-4f8fc8b34648,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f0de81-34f3-41d1-b3aa-99bae95a79cf,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,296586c2-4eaf-4249-b67c-e10b3274d221,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef98133f-21a8-47d7-93db-6624b46ec691,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0ddbc7-c5d3-4bb2-9af9-c544aeffeefd,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3945aab5-87ac-40dc-a1a0-c7629a329a3f,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cffa9956-9086-47da-8384-72e6dc132680,"4/16/2021, 9:06:39.133 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34337def-c500-4e21-a2fd-9e95cb9f5abc,"4/16/2021, 9:06:39.133 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fe39d87-f593-4f1f-92da-154369b85e41,"4/16/2021, 9:06:39.133 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bcb634e-d8e6-4558-aced-a4d821cefde7,"4/16/2021, 9:06:39.133 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d843955-ca39-42d5-a7d0-3d5356403efa,"4/16/2021, 9:06:39.133 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7664 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,19987f3b-3f01-4cc2-8d19-07541a648ac8,"4/16/2021, 9:06:39.133 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6444 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca5860c-b6ea-4ea9-8561-5162f9ac8ae8,"4/16/2021, 9:06:39.133 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,465ddac5-eebe-4e57-9cf9-f15de0ef958d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c07de57-dcf4-45af-a745-ffaabfd3a6b0,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,234e6ac3-b9c5-4dd8-9448-41a8dfe4cd1d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ffd5f9-303c-4b41-8658-fb445c370ed9,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,9d95329f-877c-4e5f-a4d4-a9373df4993d,"4/16/2021, 8:58:37.114 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,227a60f0-b641-450a-85f1-d1532950c2bf,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a092132-016c-4274-98a4-9d4ee6c568e3,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b825991-1f7f-4e56-9eb3-43cd293c417d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc409a66-b589-42de-9bab-cea13013b142,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7083106c-a700-44a2-b5fc-17ce16dfa148,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9097a81c-7fb7-4746-b3ad-ce17fa697fde,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1536f7dc-d96c-4f6a-84df-0080b21a479d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1533fa-3487-446c-ada9-7abb8167490b,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5dba5af7-6ab0-4d2c-a0d8-c9af0cec8337,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde9f68d-f5f7-468c-a55a-9f0ac2807d59,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab4f44de-7cd4-4312-b728-c9a7f5cf3f82,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772b65ac-d407-47ce-acd7-dd3331a1c369,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6898b852-ff17-4e92-8916-26bd6280c39b,"4/16/2021, 
8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecd2ddba-39fa-4f94-a142-240fe7f5b015,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67a772db-e98d-446d-9458-002fe10f655b,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83dc4b73-3d0b-4704-82ed-db0935dbadb7,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e58451-7015-4164-8f3c-36ee217d46f8,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02121598-8c9c-46c8-882b-d69fe793019a,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07475d5c-e9f6-4c3e-b44d-77d0be7bd95d,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf690df-9807-462e-9528-9d7dcb9d39aa,"4/16/2021, 8:58:37.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f907eeb-770b-43cd-94d3-9a5c0fdaeb86,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68ea7b87-b037-429a-a5d0-bdce0a73f979,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e3b5dea-defc-4e96-897a-07b2fb7c4e1c,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b9666f4-897e-4bc8-a4b4-5beef6de8946,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72a1fac3-6b21-4bd1-8b73-a1df21fc860c,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cbf069c-c20a-4474-b3ee-f6c855fa3e65,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f59ee3d8-e596-4dc7-be69-13212ca21091,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14e6925b-3c8a-4c57-824a-3f57f6931c06,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91a8d261-1b06-4ed9-adc9-76155837b20a,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9ba67aa-a887-4441-b083-5b2c6489b3f9,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5aa50a20-218c-4d15-bbfb-29da75ead4c4,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ef3021-5057-435f-a1ec-8c26eb4048ef,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a78889-09b6-40f3-8e7f-10bde28c422b,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,823c42de-91a9-4bea-8726-68f89c13748d,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,730edc9f-eb7d-4265-a538-aff78265e905,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f1a422c-6090-4cb4-abab-9bc7659e550d,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,036ed2ee-79eb-4390-9d5e-2867692a6083,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36083c32-0878-4de5-a4f8-5350fdc0dab6,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5018e4eb-7d59-4e23-8e9d-daeec2e77404,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a1f1d8d-7ffb-40ba-b2b4-319028bfd287,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef0ee1f7-6dc6-4cd2-92b8-dc8eccf7bb22,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e24aadd-b0ae-46c5-890a-22218152eb15,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52c49b07-6f6f-4afe-bb01-079df9d396ae,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06fb2519-b090-4e5f-a397-4c9541ff6306,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e05fff-d551-402b-9802-d93dcc6ecc03,"4/16/2021, 8:55:27.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4987ac7a-6cd7-4fa5-9867-da5c841dd29e,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66e088ee-b3c0-4090-80c2-b91cb93f8584,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8f4fba-56cb-451b-a3e6-b24991580103,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb51ed4c-1f9d-40d1-9a46-83ca2735e4c5,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02f913af-425b-4bf8-b1f8-3e9bf6f67234,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daaaeb09-2d0d-4cee-817e-0e8a1544989d,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30746bac-b639-4d33-9b39-b252069ae4d0,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4750045-46a9-4981-81bf-f433f5d20da3,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ee8a95a-ee2f-4526-ae5e-ccc6a1104de9,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e03a24f-1619-42a7-aec1-214f5f22f8f5,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fdc355-7d18-4018-8713-88f80f9ca00c,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d621d5f1-d24e-48dd-a683-d107b9322757,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,834f0285-76c9-426f-b837-c055ad31a7da,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdc52105-2935-47ca-93ce-cdd16248d150,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f97b4cde-6e4c-426f-88c9-cb7cffe87448,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6581490-70a3-4711-977a-39320a9e2fc3,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9f15ee2-bb4e-43cf-83d0-ebda86163945,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b984c69a-01f6-4cae-86e5-7c9cb6007b02,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36c388ae-c15c-48d3-b9c9-1a243d5b8410,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aed7a22c-65c4-4b65-aa01-281490e91378,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,caa4890c-d36f-4581-9797-1d7488f4fe39,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ce1bd4d-d647-4a0c-b673-3261093a1f46,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3f095f-a0b3-4528-8b93-9d222bf30814,"4/16/2021, 8:58:43.110 AM",,,,,NTLM,, +\USER1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,52150d89-806c-4668-987a-dc87855bbcd3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* 
+ 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce02486f-c294-4456-8514-801bd75d45d9,"4/16/2021, 9:06:48.418 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1d7e27aa-a3eb-4dbd-9188-af7fa6056cf3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\USER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a408b718-93b5-476f-b073-80d7b66a0331,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06f99f22-87f8-4c5f-9b1a-cab4a3f6ac96,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6ce8d3c7-85ea-4938-8bdf-dceb80d218d3,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,15ef9fd5-af8b-433c-a768-7a495a926027,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d47280fa-22f0-4cf9-9e0a-015795aff71c,"4/16/2021, 9:06:48.418 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f42311-cfe2-4a44-8a8c-e26b5cc8c27f,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84516b2f-94b6-4da0-ab0a-fc1e04e7647c,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb34ba76-ed68-455d-bc4e-a01f416a23d0,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f9a145f-15aa-47f6-a47e-e7a5095ebc1f,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,156283aa-4776-4358-9591-956a27e049f1,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07afe084-69b0-4239-9810-5407bad70149,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f27482-96b3-4ef7-83fd-f1279cbfb3e8,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,120ad440-f31a-4f09-9121-4ee9229938e1,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92085c90-1699-45fd-a52d-460154842887,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac9cc131-411d-4e60-877a-52f66319c7a5,"4/16/2021, 8:55:22.641 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd577be5-9206-4027-9aa1-514977c97722,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\EYI,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec99eb62-1d57-468c-a657-2c251926f755,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6294426-da1c-40a7-8fbc-849155fbc1cf,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b091aa05-895c-4c73-814b-5cab0e8e16a8,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73cd7077-d26b-40ba-b955-b3162d1d43bd,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08b9f118-5e2b-4957-b1e6-bdddc1a03586,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27dce689-b6ef-499f-b127-024535f3193c,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\WRADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39578aec-e0e3-4c98-9e44-1bce18403425,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4180fc-9519-48d6-bfbe-97e2a81d6041,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\BJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,76343f55-92ae-4e70-bc62-3051cc0be976,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8002e017-5ba9-4bf4-a933-afaf4fd84e08,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d772af7-226d-4037-b4f6-b2460bd36773,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ce8f58b-dda1-45bb-81d7-2aa6eb6e4d67,"4/16/2021, 8:55:22.641 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,137a1aa4-a1c8-4964-8be8-c6fcf4a015a4,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,17f6ff4b-6a0d-4052-ad2e-a094fc068ccb,"4/16/2021, 8:55:31.858 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24171286 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} 
%{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e524aab3-156f-48c4-8e36-ef428e77c8f8,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b6e8fc2-8c3c-4c26-8acb-a138b1731bb4,"4/16/2021, 8:55:31.858 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dcfa689e-7797-4085-a096-3078668b2b63,"4/16/2021, 8:55:31.858 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,910cf79e-3ced-4c33-99b5-ef641f14dfb6,"4/16/2021, 8:55:31.858 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,a49ac29e-3053-407b-a726-7fa9c3017b11,"4/16/2021, 8:58:44.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5240 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 
0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6b9e862c-9ed1-41af-8d04-eff18fd6fb84,"4/16/2021, 9:06:56.987 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,517733ba-cf0b-4913-8d99-faab9ae041d4,"4/16/2021, 9:06:56.987 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ffd23e2-24da-4501-90e3-fdf82292a359,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0155afa6-0a56-4f49-9cfc-1639c549ee7d,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a92953b-9569-4a0f-a54a-3ef0049c0e3a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab338903-e0e5-4fe6-afb3-7e5230956cb8,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06bf5047-160c-49b0-9ecc-12f9b846b0c3,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41da7fc2-6890-43a2-9760-5405b33ceebd,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,164f10fb-5a65-4e2b-ad25-61196e9fcd0f,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae15e9b-bf5a-4ed7-a58d-9bb80d8ac76b,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32ca1d32-cd66-4b31-9ed8-6fd9bcca1095,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab3a512-1a78-4164-a26d-03eaa018d16a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,196f210b-fe43-4023-b013-dc0ec36658e7,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d7211a8-7ffc-4869-85a0-e40856c3bdfd,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,682d2faa-9454-4a94-917f-57cbd76d4b6a,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9920aaec-8fdf-4f65-a73e-42ee66378515,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f09ac347-8912-4d51-91c1-4a92c20600e2,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,844db2c1-dde9-4bec-ab4d-af812becd9e4,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,630b42f5-57f3-4571-afde-36abb18c9e81,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f4e544d-a14b-43de-b4de-6d824c35a3fb,"4/16/2021, 8:58:48.189 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3468 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 
- A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,22e1e008-b00b-4e00-8e21-76f26b42dfbc,"4/16/2021, 8:58:48.189 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f35bd0a-ce35-4732-a5bb-da9510e57362,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0339dea7-31f4-47e8-8ff2-63502315927b,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a51db63-c9f6-4414-b12d-48ab4814f0a8,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a82c268c-1d9c-4fe6-a872-c60655ca073f,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77e89709-735e-40e2-9ba9-dc5003f29173,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a83f440f-8f08-44c9-b9fb-a75df4b8daac,"4/16/2021, 8:58:48.189 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5612ab1-8a78-44b3-b20c-ffe3b4d91bfe,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f1d75c3-fe40-436b-9a55-9d3a8add673a,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1aa6bed2-cb1e-419a-acbc-22583e0012e6,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3f68077-db6d-4fcf-9803-a4f9a719f95c,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,027729d2-df23-46e9-823b-517fd9ca50a3,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38e2f9fc-b4f1-49ae-b93f-d056953e9bfd,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,07fdd5dc-c649-457d-90bd-3fb35f3a3811,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e068c95-fe77-4593-a44b-371195632876,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,189bb767-18a9-4fc8-baf3-ed0020c0f837,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b918e43-49c4-42d1-a576-e73883c887a7,"4/16/2021, 9:07:00.684 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14e528dc-9c9e-4f50-89d9-1c83ed8a33b6,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3eeece77-da61-4cf6-853b-835c7f9e7e31,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f3c9364-6fbd-4ac6-b119-1613d19d3a76,"4/16/2021, 9:07:00.684 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daef3666-b6f2-4c2b-99a1-4f605ed18786,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15fccfc3-4181-401c-a15e-968c6bf790cb,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd9b7198-f00f-42b6-9091-c9884cdb11e9,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8667b394-4d2b-411f-9f5e-d04a31bc3d25,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05410152-7396-40d0-acb7-8c9685a74ed2,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b5cc123-d1a3-4fdf-8dfd-be6712a7b07d,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acab6021-a8c8-44fd-aa0b-2e059adba73f,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56ace6b8-864c-4db8-b38a-aa4b65501a39,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + UNKNOWN + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\7ef9ce7839778d36dfa70742ae0c3d53_78f67aa4-178f-4369-9a87-b6c08621234a + %%2458 + 0x0 +",5058,5058 - Key file operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88c538e1-d852-47d7-acf6-54f42748b573,"4/16/2021, 9:07:00.684 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e34fe5a-ae54-4838-888e-741ff8cbe941,"4/16/2021, 9:07:00.684 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration 
operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2181cd10-4e04-4cf1-bdc9-d99beea1353d,"4/16/2021, 9:07:00.684 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + 5508 + 2021-03-29T15:51:38.8351258Z + Microsoft Software Key Storage Provider + RSA + bff16d9c-3715-4f19-8dc1-77cc72246a9e + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d342de9c-9738-45f3-a5d4-94134921c7d7,"4/16/2021, 9:07:00.684 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d3ce829-0e24-4ee4-937d-5298cf17c571,"4/16/2021, 9:07:00.684 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552208b0-d450-432b-9bf7-70e66e363d09,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f45d25bb-d02c-4665-be50-4e181279b2a3,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,371e6729-58c1-45a7-8c10-ee0f34b21cee,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db32b0d3-9831-4453-921d-e564364d3d5b,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7de01af9-c42e-49d7-aca2-d69d742bca56,"4/16/2021, 8:55:35.154 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9581f07b-80d6-4666-82df-c772ae1a970c,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9bb9b4-6bf5-46d7-8c75-1f9268f34133,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4995bf17-6bba-4c03-ad1c-b3ab3fe59988,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef5308f7-74f3-44bd-bb41-be98d1892065,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8220c7-ba9c-4674-945a-81a9fa319d72,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,05d21790-112e-4681-8825-e016f6edab3b,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,e35f33b3-2636-4c8c-9fab-26db1253d13a,"4/16/2021, 8:55:35.154 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6aed384c-737e-4151-a242-d7ebea1f2dfd,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3a6cb52-23cc-4998-9a50-c173af55b1a2,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ddfffc2-4e8b-4ee9-9418-6f2a14203508,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a02432f-861e-4790-8756-931d56f000bf,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2950dcbb-7e90-4589-bf54-f5752e40e7d5,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62feb516-28d5-4b49-a1b6-ea53d349a956,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe8d5e01-bc58-4903-8935-8c31527e3568,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc86cf22-c064-480b-91ae-08831de1ba27,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9459f462-da19-470d-88ad-32b080fef7f8,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5247551a-6e17-4c73-aedd-29a860a092ca,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf52da42-7a87-455b-8b27-470ad9227f56,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2ce15b6-e811-40e3-9b14-dbdccb9de933,"4/16/2021, 8:55:35.154 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,af32df5b-619a-4077-9894-c5c15bee4b07,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11052 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fd4baafb-fb07-4c94-bbdc-6f7c520a4723,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10340 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c4deb20f-7de6-404b-99fc-8c2fbf5a9392,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4452 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9cef2ecd-178f-4312-b023-b13f82f56010,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6528 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1e35b397-590f-4e39-8f29-287ed1436bc1,"4/16/2021, 8:58:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11108 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,2f6f4727-87b5-4c5e-b521-1394a964719e,"4/16/2021, 8:58:49.278 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0da6956d-72c1-413b-a661-badb37c52994,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd6acb53-6ab4-43b1-9a57-8d9a715152ff,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,23a8fb6f-9e55-40ea-ad3f-95a51171cc58,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8498db05-2064-4cf3-9ad8-13f5b38bcded,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a4f01547-8f06-4289-84ba-1afd6798ba6e,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b2874736-4663-4d6b-8de9-388f4032fca7,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78f225f0-d0ec-4495-b73f-b0f2ecfe12d9,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,22e21b44-b39b-494a-b78f-94f421ce626f,"4/16/2021, 8:55:36.054 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd971467-ddec-40ad-83bf-6b38e872563b,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2af9cfde-7636-4dae-a42a-a862e5f07b9b,"4/16/2021, 9:07:03.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3c59131c-0785-4209-b5a0-141ed3434cdc,"4/16/2021, 9:07:03.071 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,7400f33a-7605-4510-b450-1c20addc7ba4,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,762db713-7103-4924-962b-90bd328db4b5,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cb30359e-376a-40e2-93f6-d5d57c1893a5,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,cd5d6b01-abb3-4580-bd93-76861b9c7cbc,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0b4a0a2e-3191-4575-a0fb-a55a04cdd2ac,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5098da6e-c095-4842-85dd-fb0c2e2e3869,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,201420d0-2f8b-4426-8d89-a95bade95414,"4/16/2021, 9:07:03.071 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86e11413-9337-4962-94d5-7f57ace2defc,"4/16/2021, 9:07:03.071 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,af21b519-6725-42c8-b940-789c679a0f7d,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 10164 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 
+ 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,946c0d52-174b-467e-aba6-1f4c15b2d771,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6268 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0d6641ca-9f74-4ccd-b798-6500085bc2d1,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11228 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdc56031-a6d4-4c44-b536-fad381112372,"4/16/2021, 8:55:38.564 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,583b00dd-962b-4dfe-9dd5-7e7b2f7fce0f,"4/16/2021, 8:55:38.564 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e08d0ae-32fe-4ea7-b2a4-b9cae5dfdf99,"4/16/2021, 8:55:38.564 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ad0cf2ae-9e51-4905-acd2-adca810864c7,"4/16/2021, 8:55:38.564 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5156 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8918fe3-d5a4-4505-b247-13930ae90355,"4/16/2021, 8:55:38.564 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b89b58-537a-4387-99ef-4ed12cf814b9,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b749b5f-4bc4-4b03-bd77-b5a65f5533aa,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db118e0e-a729-4b25-8b6a-660278304020,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,159579bd-dee3-4996-86a8-f9fc9f535329,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e58548f0-f79b-4d85-a209-e43675a9e7b0,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8c79f1d-2fa4-4549-beb2-5a740e134447,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,906706b0-b08a-4dfb-a6fd-30625fa2e419,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e70e61e3-df76-467f-a976-af97006235b9,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc2f477b-771b-42ef-9690-6139cb7572f4,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\DEMOADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fba0e2b7-339a-4e1b-8bbb-e5c94c2de8aa,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be686055-8b45-4ef5-b8d4-29153022eeff,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b74919bb-aad4-43dd-a3f9-a9fa72f3d57f,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67646cfb-cbd0-4418-86c6-2ea46fe990cb,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eda19e64-47d9-4796-97ad-9f2f1edd933b,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df7b7421-76dd-43f0-bac2-60a897797507,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24d0b9d3-ccc1-4e8f-876c-5ea04f89429f,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,738bcaa9-19bd-4662-a392-27d0759a5734,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f20fb0b4-529c-49b1-8381-d71816454d86,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d265785c-0864-4b43-9ca3-481d0bd2a1f7,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30771742-eb72-4eda-ad8d-830ef6404d05,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0ac8a00-fcc6-4f1a-8c23-930e158f62b3,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b49efcb9-8323-4e88-a9a4-1d313f3d69f0,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47aee918-3abe-4c63-906b-1e95fb6f77ba,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1240e986-86ea-4462-b95f-9eadf2101a09,"4/16/2021, 8:58:50.660 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,208804d0-7091-4b7e-9e1a-eefd14196ca4,"4/16/2021, 9:07:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2348 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0d6cc992-2944-4056-8dcd-fb0c0b5fccf1,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,596ac1e6-f590-463f-8f51-91fcd8366a5c,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9ac667d-f953-45af-a44b-0ba1c44d16e8,"4/16/2021, 9:07:09.885 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,60788809-9847-4ce2-8e99-c3a0f10b3211,"4/16/2021, 9:07:09.885 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a8d8f297-17d7-4e66-9a7c-a2d6af6f0930,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4144d032-9fb6-4d37-9e7c-e89b29bd4278,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read 
(ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ce2c538f-2aa6-448b-8c1b-c114760baa47,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7fdc020a-8733-4c6f-a55c-da1387e79ebd,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b7355181-19e8-4555-b011-8eda59686c25,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cddab8a5-c8ea-4354-9e49-f1af06058594,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f09af7fc-2509-409a-a5ca-bcac86d950a5,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,122f744d-5306-49bd-ac4e-2eb4b9d630eb,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95c43e9b-d1ac-4041-a965-78da57fbe712,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,760f0e52-7743-457f-bcb7-45b5efcb5f00,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2b912419-87f3-4dec-90e6-8f2dccb6d95d,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4a030d5e-45a9-4ff9-a2e4-971f0744536b,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,936cca3c-835c-40b3-be5d-d403d11f9460,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f9e73144-38d9-4bcf-992c-fe94cc48d7b2,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ad8c9006-b166-44cf-a024-78d112d376ca,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a0661622-0919-4776-833a-e820a835fdf6,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9c1b0d88-39c0-4662-80fe-aeed954c0ef7,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was 
performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,638e2f26-d61d-437e-bb79-d0a1f4b2eb49,"4/16/2021, 9:07:09.885 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b8214ce2-6f1f-429f-b862-f4bc8cc91c1a,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b797961c-183b-431c-a3d6-cb011198b36e,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b29f1a72-fb0f-4918-87f3-8b06b8b7f5b2,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{18dd199a-9fca-4ac4-af18-3e5e3b15c067}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3d8a1a92-34ea-4cd2-b35f-f32815182a9a,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,08f9e4cc-70b0-43d4-a634-c839929cd36f,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c4bc23d1-d07a-4f4a-a925-3fe307380236,"4/16/2021, 9:07:09.885 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\TrustedVMDemo\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{944f36e4-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,29ce36cf-0123-4a62-8a9a-f4c51c2914d8,"4/16/2021, 9:07:09.885 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5140 + 28 + 
%SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b2a561c5-2b20-4593-b852-fed85e13cf0f,"4/16/2021, 9:07:09.885 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7107ff19-0df5-4c86-afe8-63d01053a890,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,938f2e9f-3199-4f1a-8037-c4a519c3f1c1,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87fa5c22-6c26-4a0a-b6f0-9fdc9fa2c0ea,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93c9ba54-c523-49b1-97da-c18bf62a54d1,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d7d517-f089-4a42-ba22-7077559410c6,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b640633-f0f1-4db8-b1d7-ef79b7a99b2e,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfb09f84-e1cf-4420-acbb-21437583c95c,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6d14a83-63d9-4154-b360-c8cfc4ac1802,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e420b1a-4069-43de-acb8-1f486d5da028,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e6562c0-e559-4968-93f8-f450b569d3c5,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bf7241-4cfa-4ab0-b84a-b359b5c65e21,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bc15d10-76df-4ffe-b368-860d95bcc6ad,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56ae0d79-612a-4716-8522-081e1091c716,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491b049b-b4c1-4479-ba87-d4d0cc56c6d6,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2471934-41ce-4e98-8688-edf4505b38cd,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a51631d6-39d1-45b2-b0e1-9718f2d72d9e,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9489836f-2024-46df-9e42-0710bcd816cd,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d21f0d6a-73a8-4556-9f70-833406569ea7,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d2274a8-d447-4554-8261-4edfb14b7374,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b2cef0-4503-4382-bd14-6281c7eaec00,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7835747d-eaa0-4ea0-b2d8-b6158c3418f9,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceebb1e5-e9d3-476d-b6e1-4313cae0ba76,"4/16/2021, 8:58:56.153 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10804 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,87a8f53f-26f9-413f-a117-b73dd08bc172,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10440 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,9bb8dec5-81dd-4d0d-a850-29872ebfb3cd,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14604 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,b95e2299-c331-4006-a831-599f836a486d,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1308 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7c1fb82a-defd-424f-a96a-ec550b2efbd9,"4/16/2021, 8:55:41.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10500 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,e8cc4088-c724-422d-b407-3b9ed8752d3b,"4/16/2021, 8:58:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9824 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6a7307fb-f75e-494b-825e-74c179017c97,"4/16/2021, 8:58:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,68fff945-72c1-4121-be56-ea3209257717,"4/16/2021, 9:07:09.366 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10572 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 3D9080EFAB633588A800733E89C0E9CF155587ED965C4294E3B5807ACCA7196A + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.14393.2155 + 0x3e5 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e911f0c8-9683-4551-b441-bb29402bd9d7,"4/16/2021, 9:07:09.366 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 
98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,5677525d-10fd-4fc9-8b9e-b71b41c4644e,"4/16/2021, 9:07:09.366 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc0049b2-37d9-4fd3-a377-d930d41e9cbb,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d6827eb-d8d5-4ce5-acd0-f38b70ab060b,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c168a5c4-0b40-4d51-bed2-d9d8cb346581,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b81c3b-1f01-43bb-a30a-5e16cfb16dec,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,859f6da6-5edb-4622-bb80-7d00e3393f0f,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\HJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a15d3c6-9d7f-4df5-8975-9c01526b0f12,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfd3438f-2a3d-4e54-a580-c2a84799035e,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62cc6665-fd1d-4de3-9cd9-0cbb149858ea,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47c19cd0-4a8a-4060-8534-7fec51b41b96,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86c6e3bd-b920-4b6f-8ea2-9350844385fc,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072cd42c-cb82-438c-89cd-e48ddc6f10d5,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cd5e4fd-35b5-45fe-bff1-f5d383492590,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08e7d4db-6a77-48d7-8c44-4503ce065ed8,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,254757c4-464e-4f22-8cbc-0812abb4f384,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6406c6-7570-4a8e-b200-c3ca6fa076dd,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4641bdb-5dac-4671-ad97-9929e80722f4,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf2d2f59-5041-4955-8227-e994586f9528,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b10c3401-455a-492f-8444-6882851a7a60,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dab6702-6bc1-43c2-8edd-fc6c63a09bd4,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c19979e4-e73a-4193-ad12-2c26b8404fdb,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20020593-3c83-48c5-9adb-92a81ccc4b9c,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ffbd5e-6463-436e-99a7-c674e8089586,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4584f6b2-7a2c-418b-930a-d87a5dd208d5,"4/16/2021, 9:07:11.132 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,563539d0-f736-4010-8d34-05a44922b30d,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92577bad-1d8d-4238-9f30-3aa21e31c7f8,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef6d1c7e-e8e1-4670-b62f-dbd581563476,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dfccd32-964e-45ac-a3ed-3fda1a91f531,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7f0f6c-deab-4fa3-924c-5e1e91be1872,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e9ddf9d-a6a2-404e-962b-1ffd61e2b801,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c965cff1-7a6c-4dcc-9c5d-becb4f2a8640,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,622ebd80-95ab-4fce-af24-3ce1d62ee649,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0812c90-26c4-47fe-bedd-116d18d0c794,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967f6c1c-4d4f-47f8-92e8-46fae7d50f86,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca439395-a042-4579-8aa7-74e0312b2d85,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c4523d-32f4-4260-b3f2-3bbdc5c56a4f,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,496382ce-9f0d-4961-9fd7-22fa2b4bc53d,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce182fef-1225-4fdf-9ff4-fe801496b9ff,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b35778c7-c325-4a09-9f1f-1fabad3493c2,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f0d3d37-315e-4862-b863-8509de73c46a,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c7bed1e-3723-4c55-81ee-6af77baf662e,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70170bb1-f042-41b1-b2a2-a378b5486f0a,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b650cc0-3bbc-437f-b8f8-a70ff143a882,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a22b00c4-81ab-41f7-977c-1dd0986a02cd,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f147f7d1-7425-45e0-a506-285ee1d9612c,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593c862c-840a-40c5-9ffb-af0ea0d8d2d3,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a28a52da-0c26-4901-9008-f21f6a2e0bf0,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2689fc2-b829-419f-bdd7-c07250c67b4b,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d7e84a2-c24f-4b0b-96fc-6a153ab25cb7,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d249daae-7e77-4e75-a0be-fe67d2bc3153,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d761ba48-7f16-4ae0-9950-90377f367d2f,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db7c15e3-accf-4124-915f-cb9fad6bae8e,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe315df4-ba7e-4095-8d8c-7d553dfc1020,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7623888-ec43-4d60-ae51-c1b5ead57212,"4/16/2021, 8:55:49.114 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,861a1247-2149-4d9b-8a75-adac54556a48,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9436 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1158c54b-b775-4eb3-95bc-01dc33221495,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7804 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,27bd845b-89b8-4ef4-b61d-3418a0605156,"4/16/2021, 8:58:58.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6cd1c2e4-288a-4df2-8d2f-a6356ca1e43e,"4/16/2021, 8:58:58.569 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,643e3846-2841-4cbd-be1a-a9a0f5fd2988,"4/16/2021, 8:58:58.569 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12296 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,45443ea2-eaaf-4351-b1e8-206a5aa1640c,"4/16/2021, 8:55:49.276 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10076 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,203ffc25-3505-41d2-ba7c-7bffd7c11e21,"4/16/2021, 8:55:49.276 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ed28f1d2-4f79-4258-ad49-67e2b8abfb7c,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0dd1b7d9-992e-41d3-8de6-f0ce3756af90,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2668 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 117 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,74fef8ac-193e-4f8f-ad7a-ae23e99ce892,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1528 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d01699cd-5995-4563-aea7-ca534cec6ceb,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2440 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + 
C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b11f6ef3-b406-417c-b886-aacc1e4fb598,"4/16/2021, 8:59:02.862 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7132 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,396bf7d8-90b7-48d8-ae41-189db85179df,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2636a067-e36e-4546-918e-f54dd9a6972a,"4/16/2021, 8:59:02.862 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,553315cf-6b7e-441e-9b7b-ad95ff8ba1d5,"4/16/2021, 8:59:02.862 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,57c04fa7-3d44-49ed-8c60-b7b0cc757ff5,"4/16/2021, 8:59:02.862 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,986c20ce-1e41-4d02-90c0-b1227cc45c24,"4/16/2021, 9:07:11.584 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,a2520a46-06be-466e-9985-1accdd3fd4ba,"4/16/2021, 9:07:11.584 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,c9a1f760-4990-45d2-b1b5-41af93e0087b,"4/16/2021, 9:07:11.584 AM",,,,,,, +\TOUCHCOM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4938784e-7498-44d6-ae03-4e9ed0f5d874,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f78140d-a7b7-482b-9901-e6a14104c01e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,904f31a9-4fb3-457e-9a86-a995e2c67826,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2d90742-f08d-42dd-b34e-bebcf72ea01e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34eb1338-5e2d-4838-b1a4-07f9cf469057,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5acdeaaa-fb1a-4163-9580-4de206ccb32e,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46afa1ad-3daf-4002-b20d-17a44aa87161,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7453f967-9a29-4582-a906-3b9eba3e0d6d,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8bd3841-0258-4feb-94f8-8ade06a7555f,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,804cb130-4c12-4686-938f-bbb49953558a,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40cfd6a5-ec5b-40e9-95c5-56bcffd14e5c,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c16da09-015f-4935-abc2-c162db0c8301,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae54a12-ebe8-4170-9f81-f1ff1738ed88,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1729e6b5-7454-4b38-8d3f-af77d7a70760,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,472e34e7-8e5c-4cff-b45b-f1f4303f0a32,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81ab8f92-a170-4c77-a35b-45f2ad289486,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c79c3087-5139-49ed-be47-00f3e70b6675,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,307ee839-bca7-43db-af17-17078cab8e4a,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b8cc9dc-76d1-4446-a968-4aff9f0da6fd,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d12d89e6-70ff-4c0a-9860-2a97ab6fe735,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac1da5e3-e970-4a4b-8b2e-a2775c71bfc6,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4db36a0-33b2-4c46-9adb-98b13715fd94,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,799f9766-cef1-4eb0-b9d6-692ce2a72b61,"4/16/2021, 8:55:56.113 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,01c5bafb-1e58-4280-b760-467a6643eb47,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f7c1fc4b-b5ea-4e38-9a16-c328032e9286,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,901d1789-1958-416a-8122-942df5b605c0,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa35d434-ad7d-43e6-8b87-4cae7fbcf81f,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 
+",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,567cc785-bd88-4897-8b29-a112ce224449,"4/16/2021, 8:59:03.731 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6502b55b-7c44-4a6a-8c05-b9ca24ee344f,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b7ecf04-98fa-4109-805e-8642165941e2,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00c8bfe8-3dbd-48b9-964f-08616f17e1c9,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,072edea3-b103-4d18-adea-e3e81c185c74,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51a69f71-090b-49cd-b917-e473896dfa48,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9480cd49-5629-4584-bccc-dc0e28e98602,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33e2aac1-97ab-4c14-9608-cc398f58c788,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,153e10a7-d26c-435a-98ab-58b943f4237d,"4/16/2021, 
8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b775dbc-a86a-4f66-8b0d-bd347aef50ea,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bb9e70d5-069e-41e2-8fdc-5fa5802a6199,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dea83fe3-5371-4a22-b9db-a8f4f1e58c80,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac457e80-2b65-47ab-be32-38779f4f63e2,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc61ba51-2a36-41f9-95fc-b03b9a289c45,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,257c5676-697c-48a2-9d65-4a638f0a9253,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,546d03eb-ea1b-45a6-a07c-b7f9c0ac2b02,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db09ef19-7c9a-484d-a15d-2bc0a15e6594,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, 
+WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ba90e35-0497-4fa6-a099-7e95c6b77200,"4/16/2021, 8:59:03.731 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20f82b33-926e-4e0b-a2e2-83cc0eb4c149,"4/16/2021, 8:59:03.731 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,27417a57-0b14-4045-bd25-5fbf76f6e787,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42f32499-ffd0-4c55-9ae8-3cfdac0cf271,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a0b44e95-f18d-4fc6-a23e-042e84e16b91,"4/16/2021, 8:56:04.408 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4af5c9f5-3aaa-4337-a2a6-d252b7d3905c,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f92e2ef5-4e43-40c6-8961-c2c6e7262173,"4/16/2021, 9:07:19.680 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fdb9a40-059c-4c04-925a-0fa229cbd721,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cbd9a268-2375-44e6-bf40-66990ce130ef,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,845ecbc5-4583-4677-b3f6-9c600ec56e11,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f50fbd5-ea7d-4ffa-9e3d-6206bd304287,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,305f7100-dbc6-41a8-88e0-630b85a295a9,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3c0f749-e294-436a-bb7d-6a9a20d701a3,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f1eaeaa-e0c9-462f-a0eb-f4fe159928c4,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66b9541b-f7f4-4876-ac64-ee62555106c5,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,94687619-8d0e-4e52-ad07-5fd3a116e81d,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,148c533a-6508-4699-ba83-2adef33c82e0,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91465815-a13d-45f2-aa8f-23cb2de142c4,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,794403f5-747c-4b4f-93f7-dc502fa35319,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b8812f8-fc14-4bdf-b446-85313684ed07,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70987346-3358-45e7-beab-af5eb750ffa0,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35683be2-3da5-4385-bfb0-51d3192b16fe,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ebb0a7d-3bef-49ff-a208-a09424d24c95,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0032d0f8-a673-462e-a56b-ecf872bd3505,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,170fd7fd-e939-443b-b348-b06eec8a1bc3,"4/16/2021, 9:07:19.680 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a29eda5c-d7c6-4392-a3af-c9ba273b6dcd,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1836111b-7bfb-4cc7-9e2e-313d6f935d9a,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ab2ed13-8018-494c-ac46-76f5feb87611,"4/16/2021, 9:07:19.680 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,74242f05-41fd-42a3-9f0a-f4e09e43dfba,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a432fd6-f29f-4e0f-8d66-c0751e47edeb,"4/16/2021, 8:59:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3b89314b-df4c-4ced-a5d2-927a4b1e65b2,"4/16/2021, 8:59:03.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A 
new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,7817e7c6-480c-4ebb-802e-7ff3cfb9956d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7dbcc5e4-f449-4cca-a407-0dff13b90cbb,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,42e24d74-1348-4fe9-b638-929ff709322f,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,cae35b17-66c5-4ca0-9659-b5007a00cb5d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,82465fdc-4ac7-4572-a11a-84b146a1a62d,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + 
WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,60b3643f-4c66-420f-b583-8e029fce40c1,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ff7092be-3735-4fdf-a2c5-cc9e7f0dc92e,"4/16/2021, 8:59:03.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,decaaf35-c326-440b-99b7-95b26d009e5b,"4/16/2021, 8:59:03.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11a8b934-9145-4fca-ab3d-c7909de90aff,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de4ffe67-f67f-4867-85d3-9b13cc235e5f,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9d394c-bb1e-4db9-a97f-8bc7bc897d8e,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61a39c2b-c7c8-4f19-906a-e5546c9718a1,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb99495-bef7-49be-bbd9-5bf490d2f88c,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b1c133-b3c6-4478-899f-bdf175a4dc09,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb8b3ed1-3be2-49b9-a0c3-ac1c6cd76735,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\HELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b4913a6-0083-4f69-bd6c-52c39717b3ad,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45f24934-704f-4b9e-99ec-4474cd2913ce,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1bd333b-a82b-4a86-af4f-2633d9863136,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f4e39bb-dcf3-4d65-b6e3-3b9dadf643c5,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffcc10b5-18c7-4fe0-bf59-a02e0decd196,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70dc008c-63d0-4ae6-8d57-124ca52f3f92,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b425c1-b885-4863-9da4-e68396fe7c07,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cc26a3-f6b8-4409-b96e-f85ff31294e6,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12cd187-f080-4284-99f2-9879e1e0eaeb,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df4cde58-2db9-4ffa-9bf4-e052bed56360,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ccce8c68-07ca-48fb-b01f-95719fe6ddb6,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84bc97e2-b203-4d50-90ed-864fb9347cad,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2845e9a7-a9c6-499f-a010-974edbbf9bf9,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e0255c-e083-45d5-95ab-0061c7f242ce,"4/16/2021, 8:59:03.127 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbd21db5-f1f7-435f-8314-314be1115555,"4/16/2021, 8:59:03.127 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,64ecd43c-4fd2-43cf-acc1-82f6fcfcbdfa,"4/16/2021, 8:59:03.127 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90369d1f-501f-4359-81a3-0c86a4212169,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fc06e7-8dc6-4d98-903a-25919a45cb2d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ed42c69-3848-4119-a4f9-29712063851a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,186a787d-ee2e-47b2-90a9-8d8860504889,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f17b33c0-b25f-4fe6-8912-515cb791a89a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ff35a7a-558d-44f3-929a-817d0e8a8d0d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d3c9e8-f935-4b09-8684-a122270a197a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b436a6db-58cf-4035-8242-8fe04b66f9fc,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed377e8d-3d36-4b6e-82ef-398e7d4ec326,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b15b9438-2a82-49d7-975a-aed5958de404,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d45a025c-4027-4a87-b7f3-9678501cbd30,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f164fe8-3c6c-48d8-8a25-191eb8af8829,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e658e6-f45c-47d4-9588-9b1895994926,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2934630f-1107-4a4f-a260-f86f39fad8aa,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22aff42b-906f-468a-8865-e66f06d9a0f0,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9c035a2-fb98-4c47-940a-757e5728332a,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,688f9765-abc7-49b0-89bc-be14218890ea,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,042febc4-a21e-4fd3-8fd4-a51095766fbc,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fd4476a-2e0e-4fef-bb28-fcd09c627f21,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,641c7f13-e2d9-47f2-aeed-6d533dc2c0b0,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31460f3e-e79e-47d9-8298-489f4ea930d8,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cee57cdd-d776-422f-80ae-ab99ee7d6568,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4383f636-5afe-4346-8ea6-fc76222db0d3,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c15629a9-6143-4ca2-a94d-788a259bb357,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0742751b-ca6e-4798-9853-389cd6e1a08d,"4/16/2021, 9:07:19.219 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8720 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0a1b3fe-d97d-4aba-a705-bfb9acfa1b98,"4/16/2021, 8:59:09.113 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8240 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,513dbec0-3b05-4fa4-ade0-044caba707e2,"4/16/2021, 8:59:09.113 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3e904d4-b42b-42af-acf5-ec4a0fb6a2e9,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6870978-7039-474d-8091-2a6b9615ba89,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7495d04-c2d4-44e7-b71c-bbc109fe2816,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\AALZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa4e2f2c-983b-4cd2-b7b0-6dd87c6c2a3f,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,578971b3-f458-4db5-a72d-0c750c3ea467,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ace70f9b-5c88-495b-a6a4-64191751d833,"4/16/2021, 
8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1379567-19e2-4c1e-9416-9623a71ae85c,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd0df3bd-f608-49c8-b707-761dbd4a9151,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ba34807-58b5-4d71-a437-60d099a516d0,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49ee7b12-9871-4032-adb2-7098e1358ed4,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d527335-4873-4068-ade6-69dd0f1366cf,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce076fb0-14ed-4f5e-bce1-9a780251208c,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1214599f-e549-49f7-af63-b51abb9feffb,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07a9a7fe-22a9-47ab-890a-9626e3e3312a,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ba64fa-6d6e-403c-8f3b-1af113c161db,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e22b97a-e195-435a-b26d-a9bd9c3b0efa,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b862b86-b1eb-41bb-98cc-5848c1a2cbcf,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b597aa3-c60f-4aeb-9d22-a3125948e46f,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a7c561-08d2-4245-8889-ddacad1d5313,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48daff99-752b-4bd8-b45c-e621b27a20d8,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee78ce9c-e66e-4c8a-96df-880a6a89eb0d,"4/16/2021, 8:59:09.113 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19c74c93-004c-45cd-a9ee-21f1533abe18,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94c4f3e-8cd6-42d7-a72c-851d4be87257,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3e367c7-a669-4dbe-b438-0113ab8dbd4e,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf679e3e-5a00-4e75-8153-61a96723e239,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,132c0396-eac2-45a0-a354-a7233d22ff99,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fca7449e-e7f3-47f5-9cb2-32ecf6b14378,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ff44c4-39ce-45d0-8814-5cf4b8059bf2,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f475166-be3a-42d4-8684-7852512a8bab,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,793b8cf6-4fc0-42f1-8139-24ebe7527b66,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d5fa577-b105-4dfb-80b3-91d9d3adfbaa,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cff1d7ce-c449-4245-a348-be70612b1a20,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b85440ca-8bc3-473d-bfab-7f2d4ca51f62,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea28e3c1-c403-47e5-ac9c-5f5fd6f41a92,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,238650a4-dbf4-4255-9eed-3b0819a3136c,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f92764a-383c-4cd4-9987-6126ca0c9df1,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21f6b240-be9e-4354-8fa0-8e9bc4c8a7f6,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425e8b36-e8ac-40cd-8876-11aead66d56f,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0dc72aa-d4e3-496e-83fc-9e703c6aa774,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5fd608f-ebf5-4491-af5e-8dd9e42dd922,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352481c4-0d21-4914-82d2-985352ab8ab2,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,70c5b126-98fa-4a9c-9c6c-fcdab2aea949,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0772ab8-8ae8-4a3a-badc-5368365d3720,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d55e943-65f2-4e3a-9f0d-5a1e8110a0b4,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dec7bd9a-7907-4b7d-8686-85b3c6b97f39,"4/16/2021, 8:56:06.117 AM",,,,,NTLM,, +\BACKUP,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,add1ed27-2fc2-4c22-ade6-81f3c7eb8fa3,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, 
+\JOHN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99894e73-22da-49c0-9630-05d659d857c5,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a504174e-affd-41ca-9dae-2ec58fc4a9f1,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +\TEST1,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b63e4cf-0247-472a-bd90-e0c1100e3c4f,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,76edfe9c-b0c4-4b1c-9260-96d305bf7cf1,"4/16/2021, 9:07:19.413 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,48800852-71b3-44b5-b90f-4e1006f9bd13,"4/16/2021, 9:07:19.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7980 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7b7888b-81f7-4e6a-9416-5a41ead3b6bc,"4/16/2021, 9:07:19.413 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + 
EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7508 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c3a06e7-fa72-40d9-8304-bc80f11a5279,"4/16/2021, 9:07:19.413 AM",,,,,,, +\STUDENT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8b5ba9c6-4952-4b7c-bc6a-5f72a146f850,"4/16/2021, 9:07:19.413 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,872e55a8-c88a-4680-8fa9-3e3477ca2ce2,"4/16/2021, 9:07:19.413 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27a1b46e-847f-4930-b05f-11b855807c43,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0767fb7-71de-4748-a212-2f82c671f4a7,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,008047e4-24bc-487f-9f9f-57d3196095ce,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66391ef1-b6b8-4908-b674-f2637c90f61f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc5ce320-41ea-4709-9595-9ea07f157ac0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b79401af-cece-4712-93fd-33bc2830b07d,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f0e2d427-50b0-4f5d-a57a-45f54099e7f1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1066d25a-b677-4d81-993b-880e676cfbfd,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,feb3bcd0-4f0b-4894-a41d-ab9a629d93ed,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34d47153-4856-4f49-b7e8-6e65fbb7584f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2a9036c-752d-4c74-afba-a2479714949a,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbb20726-4fdb-41c9-8ba2-961813aea9a1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caf6587d-a84b-4835-ba73-3a9c556fb077,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7dc42b-a939-497c-9bd7-638307ec42c1,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4968e061-168e-48d9-b164-153b53f698b0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,133c6012-6cf7-493c-8e0c-7a076a51080a,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34b29439-76df-4384-ad76-3ee2c68cce71,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19208b00-b4c5-432b-b806-ccd4a8005ce0,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ca75733-c343-4d71-a078-e46baf26ea6f,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbc62d68-e715-48c0-9806-1ca906b47e60,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4badec8b-1e1f-4d30-8cc5-f6bd719f1462,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a932a11e-c234-4ae6-b178-35a2a7047b99,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78199a95-cf1d-4e29-a1e1-c2e6498510aa,"4/16/2021, 8:59:17.652 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487d42db-70f7-4c7a-aefd-ece0fdd5f549,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5f9c63e-b568-4bfe-b4b0-4b65fedbc122,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6305507e-92af-410d-b962-0a7da29ae5f7,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d9b9153-1216-4b98-abff-b44168e8a534,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a044fbc-2998-4767-a566-877c2b22dda4,"4/16/2021, 9:07:24.122 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,211bf34e-aa55-46fc-9b52-5d6bec192349,"4/16/2021, 9:07:24.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90609a5c-0ee0-4354-a306-11fab21ef33e,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de148eed-bcbc-4407-a5b6-de22c962f390,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cc688f3-f420-414a-9da9-69650b8246c7,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,62008e48-abed-4342-81b3-50f48f019a48,"4/16/2021, 9:07:24.122 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9507aff0-8361-4e21-bd7e-62c118ddbab0,"4/16/2021, 9:07:24.122 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa1a99f-ab2e-47ed-8da5-b2b8e1c5ddfb,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a079983d-4cbd-49df-9d83-135f1f5dbd31,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,209e5b0e-9f8d-4b52-acf6-3abe3235f751,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58edd929-76ec-4c2e-96e3-718eb7e732d6,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,717a7b93-497f-45e1-9eec-7430de8f0b60,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c86f0878-8d8d-4fc0-b4a5-7e2c8c177938,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb02cad5-ec27-4b6b-9310-9ef8dfca1888,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5be972c-662a-40dc-b1cb-309ce67a3c5d,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20f84ac9-56ea-4444-a7b9-11d15568a9be,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48457f8d-cae2-49c1-b33a-b44b0cb01b49,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,097ae52a-a486-41e3-a4ca-90b41b51b47c,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1aa08cf9-a2c6-47cb-b531-7f382c09d0f9,"4/16/2021, 9:07:24.122 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ab6f03a9-d4fb-4c9d-98d3-e9d6af4321c1,"4/16/2021, 8:56:09.903 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0bb6fd46-d1aa-4db2-9189-839bfccb2814,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2348 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d1517ae0-2a8f-43cc-9cdc-78ec056ff9ea,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,69fe39a5-22cc-4022-9d0b-0b727475569b,"4/16/2021, 8:56:09.903 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3917065e-d9d8-43cb-a728-cacdd972a5de,"4/16/2021, 8:56:09.903 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,398f3894-b04f-4232-8979-145a7e340e15,"4/16/2021, 8:56:09.903 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6868 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,88968540-eccd-4841-8c7d-84ad8c8fac20,"4/16/2021, 8:56:09.903 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f92da9fc-97dd-4856-a9ee-e9aea745b74d,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ea21bfe-bb0a-4ae3-a9ab-4a9c92fe276b,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed5bf3c-10ee-4985-bcfc-515627702048,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfc9627e-ad4d-44b2-bb58-ac5e356023b7,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1015b8-94ba-4d71-bd82-5e5586265ef9,"4/16/2021, 8:59:20.203 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34e4d15e-2418-4f60-8fe3-3fa2ac4362df,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab849a6b-21b7-4bf2-bdbd-9deca28ade71,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd2247a4-ebb8-4d70-a648-cafbdf320d11,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f7e94ca-c231-4d0c-a59a-8a4f547afa1c,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7eda577-243d-49f2-ba12-3818af878e25,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dda3e87f-1c25-4e2d-b6bc-f78395240399,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d4db19-735e-42ea-8f2c-27886f2d5a43,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c5fe1c6-de20-49e7-bb97-b5a756235f8b,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f109e829-9919-4630-90cd-ff76f085a60f,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b704c1-c621-4c93-b021-1367ad9ac509,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5619504a-cfeb-447b-af6b-e159900d073d,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf8e7cb-4dcb-4e2a-a495-021a5d40fb54,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b670768c-007d-4aef-864b-46fd52160fe7,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95a101d-efdb-4ec1-bb17-d0e1dd106ee2,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,220283d0-1ff2-46de-8859-c7418b164b68,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79f24d50-6a6a-432b-a47e-7572695790e4,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a14cd549-bce7-4a04-a5ec-236e037f13d3,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fbf8873-f994-44dd-8138-f8423dbee834,"4/16/2021, 8:59:20.203 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,94962e0d-4ec4-4fb1-988d-bb463f68a871,"4/16/2021, 8:59:20.203 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0315daa-5308-4f98-8644-ee7a9258f8cc,"4/16/2021, 8:59:20.203 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1540 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c450b8-ec26-4a14-9b57-8b0368a61c4d,"4/16/2021, 8:59:20.203 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8492 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d983983d-ec70-49c6-8615-43094def436b,"4/16/2021, 8:59:20.203 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71104207-aa63-47f5-9e19-14fb4905f4f3,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd1fe5da-3aa2-4951-a027-b14b454b3918,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac920941-da96-4dc3-af32-c1d7488477d5,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63e4601d-c706-44ea-9542-efefa5d6359c,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d52ee1a8-b5da-4dbe-82b3-309fc1f7dceb,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c1dd1dc-fef4-4962-86a1-86774ad3ad51,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ACCESS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a15f441-9f5c-4807-a592-d785b9ab04b2,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e101630e-f1a9-4b66-abda-4302fa1bf6b1,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,100a27fd-13b9-41ed-95d8-4bc33f7a16de,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07667541-e138-43bd-a99e-6b5360b8306d,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99e3f9d1-df27-4ed5-aa49-b97f9ddf6549,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8508ffb0-8072-4ecc-b1e9-9a3698e957d4,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2baf240-bb15-4109-acec-1c89757e34bf,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d410d9-c686-4dbd-ba8a-8f59dc305baa,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7775ebeb-141a-494c-b77a-348501b21b8d,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19ab4d61-9a23-4a3c-821c-c1b22b0ac7ee,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda184a6-5d9e-4e9a-9c8d-2bb22fffbf68,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,101c18fa-d628-4dd0-a3d6-fc8c81d34da3,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b93f9c5-5cf0-4ead-96c7-9f4568e6fdbf,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,542607ad-dda9-4050-bf97-c28bf2df3971,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e990621c-4c84-4ee0-a9a6-1c7164d61f74,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d2b87c5-745f-489f-9c72-328dd00338c8,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87d85327-46ab-4929-81bf-b890d204a72f,"4/16/2021, 8:59:25.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b69314e-4c42-41fb-8dc7-ba478015e99a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9423093-ef95-48c6-b749-2f06f7859636,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fef9379e-3f80-4f80-95a9-38330f035782,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a98848a-4009-4c7c-b8c3-15e93996d991,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aafeb806-7d96-4b18-bf1c-562b871b9509,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0995e93-4ff5-4250-a70e-81abddb4385c,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f96afc85-219c-49a3-86b8-02bc5caf69b3,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e790f67-2153-4ffd-b146-2eed43edc29a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddb79a36-f6da-4568-a544-01bb006ec238,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b10d146-d836-44b1-b443-16abe2aa52ec,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0bf2284-81ce-4d4a-af24-b67d89315810,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d360de7-08c2-47bc-a4ee-58e4d2a70903,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dfa3755-50a8-4dcd-878b-4e0410311268,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8489d0f-ae3f-4434-85d2-44f00893ad03,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d78b10a2-8bff-422d-bbbd-5a8b8218338d,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e29e6de-8959-4e55-b040-8af10f87489e,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e6aab7-5fe5-4c6b-a743-5fffbf9b7347,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e136e2-c93b-414a-97a3-ccccdf8b46af,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,185c9d8e-90ad-42d5-8b32-455ad7e2565e,"4/16/2021, 9:07:33.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,140837fe-cf62-410d-84fe-a495707d81a7,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c9520b-8739-4b95-81a0-7d1c7c24250a,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9abd6a84-812b-4731-9b46-a27bd61f9228,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e0cb75a-979d-4c4a-ac9c-9242d05b0ad9,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ASP.NET,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c91ded97-0d3e-40d4-81b6-28d3d28f60e7,"4/16/2021, 9:07:33.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dd9ba09-0b95-4e5d-9126-615dc2d0bd8c,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44ecfbcf-d308-474f-b2c3-5c76ac9e251e,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402d2cbb-7755-4ec3-8a4b-24c48bae6738,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89e76be9-25a7-4aad-bcc8-3fffd3a51974,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7060e49-7481-403e-bd6d-ec806f733674,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945ebf5e-bac0-408c-ae51-92f06dece95a,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b1d318f-bdbf-4adc-af47-6f16d2182e8f,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e73e0418-06b7-4ccf-804a-8b7625c2d109,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bca0ba41-f740-4059-bb94-01269161f53f,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12baa323-0bde-4647-a610-2d8cd7f1ec91,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7892a4ed-40ac-457b-bbe1-a0438f77a000,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,248585b8-0a31-4725-bec6-53d5d5e9d5f4,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f419ce8a-f996-42a1-88d3-d5378310f5fa,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f4e58-9bd8-4493-ab34-e5703f69191a,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d152dafe-2d9b-4365-860c-963068a9deb9,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b87e1c-c668-498b-a04d-f623d06e5922,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce25e595-e3b8-47cb-9f81-2314f55ace75,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2061c585-7df8-4572-b484-bd1a5e4e7c16,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a33cea04-a198-4396-a6e8-6e7e2b5740f0,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37ccdb6a-8153-4b47-a5fe-45feea8a8438,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2ef25cd-ede3-4f7c-a841-a503d406d5f1,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ca345b-f8d0-4ad1-8cd5-f8ffab34284b,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6e5b352-9e6b-4503-8667-732e78c35fc0,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83c1219e-b687-4af6-8089-464577294d30,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef43838-6b13-4285-80f9-817220cdff79,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c52f2fe2-ea2f-4c58-808d-4e014b094300,"4/16/2021, 8:56:15.125 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bb41030-d307-4e4c-ad5c-c84a96270cb3,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c8336ac-697f-4ca2-b66a-6e4639e4bc5a,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0b512e23-cbe3-4487-af51-05f69ec97481,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec0429f8-0004-4c68-bb63-808bea7ab8cf,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6919141-932f-4227-a6d8-5d567f68c778,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2516 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cc1a07c3-2b0d-47a4-bcd4-67019b2848d1,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4516 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,079241c2-6c55-409d-bfdb-9fd198313196,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4796 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - 
A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b29e0b4-5a5b-43eb-82fd-4e68e05b6977,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 76 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9f4d464e-cb79-4190-80c9-43ea6129276e,"4/16/2021, 8:59:28.437 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6dbf2c1b-4258-4143-97b5-8edb621fcf3d,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99a3bcb4-b829-4c99-a3d6-bb0764b11137,"4/16/2021, 8:59:28.437 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9248e259-0a42-4390-895f-0771fc37feab,"4/16/2021, 8:59:28.437 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e94bfc3e-c775-4d8d-826c-6c3a25f61c30,"4/16/2021, 8:59:28.437 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dc9e9b3a-b967-463b-9215-caf5e757d546,"4/16/2021, 8:59:28.437 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5981073-c8ba-4055-9361-1084e5cd50d6,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d076855b-4b4d-40ad-838f-7adc565497df,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f02fbf0b-c253-4de1-9518-a42793f8e7e0,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81d9a801-e2bc-4b43-a930-6280f7979070,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00b58c42-2266-402f-9c67-a518d5910779,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de270a68-1b33-4b3a-b99e-6857ac77ffb8,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60fba593-e1e3-4f01-9d88-0e19124f9ee0,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a5112b8-7c49-41aa-95fd-74b721aa854b,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98c0ddda-0134-4fbb-ac75-01fccd1dc7d5,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2fdca3a-9132-403b-b967-6499a82cfc8f,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e372b95e-f8af-4ac8-ba6f-795c416fceec,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1e97b9c-d111-4586-9399-41ed1c905b7d,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d830545-e3d3-4362-afca-b400d5a08e69,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be1f1318-a410-446d-80b8-ad9ac90e1a1b,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c32ec6be-17ea-44f2-a2a8-9f049ef49033,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ebdef04-4ace-4e7f-9281-7aba66e48319,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2604d53e-5671-4e2a-a0be-0859648654a2,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76c5662e-2691-4d88-8fae-e813ed803a15,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,66fc5439-9ac1-4e14-83c6-5a78a8596e27,"4/16/2021, 8:56:20.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,33382f50-1ab7-40a2-a104-b90119c09dae,"4/16/2021, 8:56:20.120 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5fb055-3155-41ea-b60c-9c4da0560d74,"4/16/2021, 8:56:20.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3236 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa233e5-9ae5-421e-9ae9-2cc266c5dc58,"4/16/2021, 8:56:20.120 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4a2de22-cdb8-4d04-b6c1-b864770f26af,"4/16/2021, 8:56:20.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c65e94d3-04cc-4825-9e63-b7719f30b5ce,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4177c99b-27ff-4126-8c51-1b875d8335ee,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61c5aa25-9478-4808-8647-d482b57a7504,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b18877b-69db-4a40-90d1-7dab054f7671,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2408276-6bbd-4bcf-8e6c-a6b57e945460,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c71a607-280f-4e83-8d50-ecb35555b68c,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dee65187-bfc0-48c8-a7fc-5f87d1f28698,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d41ed74f-c1df-4d2e-9b55-ad701c2404b5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SHARP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff7fc2b-95dd-4109-9228-b33b509de343,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6dd34f04-168d-40c7-aeb9-49a8d0ac17db,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4597f8a9-2e7c-43e5-b1e9-2416eb411954,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e8be1cf-8f37-4e0a-928e-0d2ad51792d9,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91ec634c-ffc1-4ae7-ae81-43a3434bc340,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41727422-40ec-449f-aa9b-7185a820d9e5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebdf1d05-ad89-4f48-8eec-5c6f13a9ba17,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\VBHELP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e00b686-5f8e-4205-acef-d1754d5cd26f,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03b2d79c-e0f2-4e10-a265-6f5aafe66fde,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21507081-e88e-48f7-a6d2-31d07d356c89,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ec3a8e-1bd8-43e4-8bb1-3a5b7a09baa6,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa69eb5-5327-4a58-b472-52181668a275,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1471289-7c6e-4a68-acdd-fc2ac2cf7ec5,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad534f67-2274-48a7-8b07-21d48caf216f,"4/16/2021, 8:56:30.125 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5b3ecf5f-f66d-47da-9ba6-8b84e6f0cb76,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bab03e3f-4d1b-4c64-9f8b-3db639ed5038,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 
+ %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,13175b5f-4ec9-4b49-8cd1-ff53cce75181,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0805e301-39f5-4b4f-87da-8dca7e4c9340,"4/16/2021, 9:07:36.087 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,6efffa5e-3981-4a23-aa3a-ba9e283a2a45,"4/16/2021, 9:07:36.087 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,895344c5-d469-4634-989c-f099ae0bb470,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cf3b97f6-7eaa-4579-a9b9-ca39eaddff80,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ea63da92-896d-4458-a289-74a90beaff37,"4/16/2021, 9:07:36.087 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd50dbd6-7527-412b-93a6-1b99a8b1ed4d,"4/16/2021, 9:07:36.087 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,163a6bc9-1d48-46e0-a5d8-a6c40bb0a2e5,"4/16/2021, 9:07:36.087 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f32191d4-15da-425d-a161-ecec58daadcd,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7220 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,195e97e1-5b3a-4a54-bc99-61378e4566bc,"4/16/2021, 8:59:29.579 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,649af5e4-f1a0-4fe7-8847-ded439e1e0cb,"4/16/2021, 8:59:29.579 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,76c45036-5dec-44cc-ac58-37b4d5366504,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2116 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1d038daf-4837-4e1c-963e-a554bbe2fe9c,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7240 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,997f42b3-3390-430b-8a24-ad25c23f73f4,"4/16/2021, 8:59:29.579 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,99897cc4-adcc-4a4c-aff0-9c01b8042d16,"4/16/2021, 8:59:29.579 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11204 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1b799481-5ce7-4ecd-899e-e5c7dff42c6a,"4/16/2021, 8:59:29.579 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,157da3f6-f00e-4100-aceb-b09acb507a99,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b3b206c-8d4d-4130-9d72-6b54d67073a5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\OJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f4f3df4-3872-417a-9e37-b31c42afa2bf,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95b8f8c1-90e0-40e2-baaf-93b3d952ff14,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a948727-8fcb-41b2-b3b7-00092a0a677d,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ab24664-390d-4172-81a3-539acab466a6,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd58616e-dbfc-4a40-8e47-a6e637d3bc46,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44bd6d5f-3c3a-4eac-b310-a9cb5439b839,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f2e8f30-c3e3-4559-b8f9-651d834c35f5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca9f2f48-9ca7-49c4-ad69-500695f28f1b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85929c88-3a4b-4ce0-9695-738e90f88eac,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2711ac46-184e-4269-91b5-96f444cf2421,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d226fae-45de-4b58-a7f2-529df539d10b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a21cdcd-de8a-4e20-8661-049de7321fbb,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,237a6f47-b429-486f-ab8f-edac31b7ba0c,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3fa541d7-f2f8-483c-a2d9-3b4becdf41c2,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77686f3b-27d1-4370-ac29-4c325efb9ab5,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,662b52b8-808e-4200-9756-6ceb4f6ba0bc,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\HAKAN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67f9f2ff-d3a8-484b-8ca0-53b74ec7f26b,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d19bf7f-35d7-4f44-b4ee-68fd88ac09ae,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd8f7de4-5cb1-4a03-b149-d9d6dd68371e,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90d4f925-93ff-4f98-bbc4-57c8c9e8601f,"4/16/2021, 8:59:29.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a99a33-9414-47c4-bdc2-3da5277ad26e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95441066-14b3-495c-b1ae-820f43585f36,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c5e105f-70c3-43b7-88b3-63a1e8181350,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d927c51-9469-4537-a8d0-081ffcaac6cd,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c836a65-bba7-4f4d-97cb-1d74bf48f822,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a353d0c7-f88a-4bdf-8075-31ff11d77f5a,"4/16/2021, 
9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b39fcf-0cad-445b-9de1-98755ef0d8fd,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f45bfc84-c950-4b72-ae4d-96a909dd7af2,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eea78923-33ab-4970-a1a6-68c4a7e350a9,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,18ebdd46-1f96-4fa1-b9b3-91a3310a4b02,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ba390059-e653-4fad-9b13-99f4e3782744,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a5323ab-e48a-4ab6-9d6f-1b9fe06de46e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcb9c74d-6e27-490a-8d16-8695a4f74c7d,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,baeea932-e043-4ce7-bf70-8041f5d1e8db,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4463abfd-d4d6-480f-95c9-278fb45e843a,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b037b57-b0f6-470c-9c3f-ba598eab4116,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24bdfb49-1f08-4e67-9a4f-337f09659cb5,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2a0fc1a-793f-4f10-9812-195ea2b3ed6e,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9515da51-8f32-43b2-af67-2a5a507851a5,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8826086-4894-4a31-bb35-ffda588acbfc,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1ee06c68-9179-427a-8ac8-ebba5f2dde86,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70aabc79-e0da-4b4d-8bc5-a63a41c61d05,"4/16/2021, 9:07:37.690 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,99198fc6-68f4-4536-b163-8930ce037644,"4/16/2021, 8:56:37.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7676 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e50e3b5c-96e4-4929-9823-6a690507759e,"4/16/2021, 8:56:37.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7324 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cee5cf81-e2b9-4f2d-9004-406b87f9b5f7,"4/16/2021, 8:56:37.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,37641846-c625-4944-a08f-52e4183388f2,"4/16/2021, 8:56:37.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcd2a77c-c0ad-4289-a3e0-364c8ee63695,"4/16/2021, 8:56:37.417 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,13331718-0d84-4f53-89c7-273ab10867fe,"4/16/2021, 8:56:37.417 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ccb65165-817f-49b4-8fe0-e95e307bb8c0,"4/16/2021, 8:56:37.417 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf2b9c8a-3728-4d7e-a305-f40c2fdeb2a0,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b49bde-c959-4341-b33c-4a09b1810ef2,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f59f78-c9cd-4901-aa08-ed1a1ee25d89,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21005aa6-63d4-4a4f-9a6b-a0a130442b58,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec5bc672-c50a-47aa-8d85-c6f0e0fee9c5,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c134f0f1-57e3-4e73-9d7a-24e137efeb5e,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6a8607-e85f-49ef-ad03-2f9e1437144a,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c47c47f-fc29-4703-a05d-8e0c344e2445,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f136e55-0e19-4b7f-9bd4-d5e61f1ddbf9,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6177d069-4439-42a4-8aba-61df2ba6da32,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dbab913-fa8f-46e1-99b6-74dad6e6144b,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1aa3812-e567-4d95-8abb-d46d1ceda077,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6623f0f4-6fe0-417a-99fe-c9e50a809aed,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33fd3626-582f-49e8-ba2a-cac9b5de24a4,"4/16/2021, 
8:59:31.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,084552c7-2f1b-495f-8f18-954e41a155b6,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df7e88a-60ad-48a9-96b7-ea99be609cd8,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5eb25d0c-328e-4d57-a902-99f17f9f0243,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2f7631b-2868-41eb-bdef-7d075c7304c6,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,966c1ab7-3f30-4bba-954d-0dedfe6335f5,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6308cbb0-9834-4067-862b-d3cb62784020,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,529cbb8b-de2f-4755-a6cb-0352a620f8dc,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1d50e52-072a-4f61-a31b-cea2e2f72784,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,565a5eca-c7d5-425c-b67a-a16689acb4b0,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13db21db-0f47-4332-945f-3065d531796c,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,0f0e5cb2-194a-4573-b730-6ec2f2da2dd7,"4/16/2021, 8:59:31.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aacd6695-ee6f-4bce-ad27-8ee49cef752f,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9c3e6a-2ef2-4c09-9773-cd3ed739caca,"4/16/2021, 8:59:31.121 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbace9d-d7ba-427f-b6f5-c629fdf9f288,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,061218e8-6798-4e43-bf8e-bdb8cb6d5f5e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d84b3ce-522a-4bb6-ada6-97551b547490,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d706aa4d-2bb6-46eb-9ea6-32b9b21713fc,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,634ea411-fff3-4415-91b1-ff7b55c84f5f,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d6ee821-e3b1-4468-80c8-0378e417b07e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ba95d8e-20a8-44b9-b047-6070ab053047,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXV,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aeaa8c5-a24e-4fb0-9edb-9be2855d3ec5,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d644d18-e448-41f0-b004-8fb4eb10c613,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf700e1-de07-485d-96c5-426a85879ea1,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9f5837-e5e4-48de-9445-853f88f9bb57,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb34440c-81fe-4ba2-a7bc-973d918d2138,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c4c4d3e-0e46-4ef2-896a-6402b4b0b0ed,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXY,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4033edb7-8cd9-44cb-8aab-d74eab008f4e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\DXW,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,305227ca-22bb-40d8-8234-054ea3baecf9,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62517bd3-0e83-4fd0-9cf8-d5e80adc656c,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d58a7241-86a3-4844-8707-196dff9b01b0,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13d1fb38-6eaa-48c2-b0f9-0f83d5acba4b,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5469165f-5c59-4b72-b8ec-eb99bdc8dcc7,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e574d858-7e2f-4090-8ae8-59eb62265d93,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a13d0b93-2868-421a-987d-f5b4899db86d,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e067abd-78a9-4c9d-8088-f64731a1b9c0,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80304c51-b112-4e6a-bb46-f70acaaaf9f2,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3526c498-8c34-422e-a9fa-f3a48a3d0c8e,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07dd5195-dfb7-43ee-86e0-e0b26144535b,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0d7e794-9404-4e56-9f61-58e96c279e16,"4/16/2021, 9:07:39.147 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c2523aa-6efb-4142-98b3-4f7a6886fd97,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11088 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c62632d6-1524-4e58-8bf3-67122ef3ea50,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10504 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,41c0752e-49c3-42de-b1b5-b66577680dc5,"4/16/2021, 9:07:42.591 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11232 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4b44ae52-4f70-4efb-866e-d4f2a1b68789,"4/16/2021, 9:07:42.591 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,477fc59d-a263-4cb4-8adb-ff33896bf2f6,"4/16/2021, 9:07:42.591 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,37479de3-7ca1-4594-8ca9-169c734451cd,"4/16/2021, 9:07:42.591 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89f6c066-372a-4d13-80c5-b40d88d42b27,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9977baf2-2a7c-4513-8315-7a5cd526954d,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4079a6-792a-4579-b4a0-489fa77b1333,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7aef30d9-4ce9-40be-99f5-b5ff61c056ab,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ee3614-1455-4514-9557-21d05da5d9f5,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26a90879-10a6-4da5-9c11-5906e1f01fe6,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f922649b-69f9-47d1-b1b9-186675e0e88f,"4/16/2021, 8:56:37.111 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a283e81f-9d4c-4cb3-af82-b926ae44127f,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12d3954a-2425-4a84-a3af-2be2f5220e16,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a60eb52-f3f3-4427-a750-3e8e31fe1310,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09d87a15-5e0c-46d1-b993-74bb5fd26289,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f1385ba-8788-46cd-ad9c-f409fa9ba9c2,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b87483d-8471-430b-aa49-fa7a22d97b4a,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,569fb0f9-c76b-4c8b-bdd2-762ebc53b712,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,500232c6-34d1-44d2-ba2b-72ad3503b242,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7312b3de-a167-4d74-9dd4-0d860387b884,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,866d7e81-5fb7-4262-9afa-121719bb4879,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b69ccf8-a6b1-4b80-8261-0e3281ce52fc,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cde03030-7939-4968-afa6-0ef4ea370238,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b645d82a-4f11-4289-bf37-7f63bce7b934,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cc63a66-b43e-4608-b330-77fe34d8a1b8,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ac899c1-5367-4e61-9fc3-975a7e36a8c7,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35b89567-642a-4c6e-8f14-f8717b53edfd,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c50f491-eaf8-40a8-aded-e21e8949a6ad,"4/16/2021, 8:56:37.111 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ceba2e2-f752-4b1c-bfc5-0230b245b511,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eefb9c4-628d-4b50-a958-e9693d052134,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c53ef4a1-3ec0-462c-a729-8799d017462f,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8ee7c39-372f-4dfb-b909-178a7e3dc9f4,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a780d8cf-9f8f-4cb9-bb0f-d0233db2cdd4,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dca9ad23-8a87-4953-81fb-ec1f0ad363c6,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40816169-a7f2-4253-b4fc-24923ced9066,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f98abd0d-4830-470d-a81a-21e8e9f2df78,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79d2b01f-2f8b-4f7a-b5f9-dc02a9405c6a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,075b0ce9-c582-4c6f-a215-fca3c6672729,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ddea0c4-48b6-424d-bded-fadc1b5bd85f,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,703a611f-f7fe-4a03-a0c2-3fa8d72c2584,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a33ef6c4-1472-4e99-b340-4c36280c6e64,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ca7c55-aa3e-4265-93c9-5d9c31b589e9,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b4003d6-0828-4227-b0c8-ed1782b04558,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1cb6ef0d-c161-4706-b337-ddd71b43311a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52961c81-d874-4d58-86df-dd7282f5ef0d,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2a24b89-6806-4ad1-ab21-e2772ca6f11a,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96cd97c-8542-4b80-9e2e-1712b74db170,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf6defcd-7747-4aa5-9662-a8bc96f291f6,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf314c91-a1d0-42e2-8a79-23928025a9ad,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37416aab-c5eb-459d-a15a-512feab83253,"4/16/2021, 8:59:38.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ea3f1f7-652d-4078-84a1-7a85a4e3e15e,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ee6040af-0983-4095-90b3-750062cef671,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,be920414-715b-4ddb-a551-ff291210a22a,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,959d44c3-f68b-4ad7-8256-1abc957a80cf,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,57f13f62-0089-4c62-9b85-1c0ce622f454,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,9261ab02-4815-4a31-b1e3-3dbf9aefd285,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,74dc1dec-0a92-4eea-8a23-66741629f2a3,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb2e3c04-2590-4239-9f32-23e19f6dc577,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4744303f-a0ca-44e6-80ea-c1cee7f227fb,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0a32d54-69e9-46f5-94d5-91541df74c2b,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,455f478d-97f2-4a28-8ce2-77d94936bfdc,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f5abb84-5274-4fa4-8574-d202fa3f944a,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,86b6d670-d9f6-4e84-b478-9f36b050a160,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a24683c-f7d9-4e9b-86e4-5db363103057,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3a543fb-fdb5-41a0-8c62-27688d11ae16,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a8daf12-1a7b-4f02-be80-abf9bc588e77,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,46cf7f68-f733-466f-b6da-835998af3b9d,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e22de24-d512-4b2f-ac9c-f5c7bad02505,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ffded22-45d9-4fbc-a3a6-d6c49959a70f,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d0c6a56-ca8f-4f41-b96b-f4c5d1a1530c,"4/16/2021, 8:56:42.137 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f586ba-2e03-4579-bfcd-8cfa4352ed8d,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,d827c1db-2c31-41bb-bc1b-86c20653ead6,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,22fd4534-5a10-4b5f-af35-47bf97a02e15,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e292a54-45c5-40dc-b746-b7a4570654ae,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59ef7bc-3348-4f26-8630-e480090e65a6,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c3bc8d2-576a-4f33-94f9-af0f22d22c3a,"4/16/2021, 8:56:42.137 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7fd534f-76ce-48c7-bd35-ab0cf73edc3a,"4/16/2021, 8:56:42.137 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7601a69-c0aa-49ac-baa9-987cc963b4d6,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdaa0723-c29a-46c5-9105-a61f144096b7,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6608 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 
396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,38738561-17c2-4405-9c83-47bf43431024,"4/16/2021, 8:56:42.137 AM",,,,,,, +\BOSS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f8da7e6-2046-4857-b443-282ad6ef1f92,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\WINNER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42eb72f-eea4-4012-a2f5-6195ae29a71f,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\WAREHOUSE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7c6201a-1c0b-4573-b108-7aad18ebc8f3,"4/16/2021, 8:56:42.137 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25ec6dee-6c4c-4b94-ad9f-256df2da1e30,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6855c3f5-d2ff-4dff-b7b2-436e89550dad,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d86d78e5-9613-48e5-abf0-4afaa8ae3980,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4152427f-5323-4052-ac3e-4243a464e7a9,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c8aba48-ea9f-456d-a1fc-06d29c4a8259,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\DXZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a79a76ec-97e4-4494-85e9-be83895ccdb0,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19224b4f-3786-479f-9030-a65d8f0a2083,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f313adf1-56d9-4045-8154-dd7cf8e9d5a3,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c982e1c5-ba5e-4363-8e49-2b6f46ba05e3,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be783218-56b6-4303-bc12-3f85c44b72f5,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73708c1b-d018-492e-a598-f9b3f76c2937,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c64ee707-8968-410a-bb21-b49eebb82c97,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f636941e-819c-494f-af30-c28893ea9229,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,722b3578-3050-49a7-96bc-62fb5ca386aa,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\CJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbc145a2-dbc7-429e-b665-041a009d69f2,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2004d7c2-29e4-4268-8cf2-e177bfcecdc0,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45d5ff-cdc8-46db-b5b8-42c37a2c9bbd,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53bb833f-8770-45ae-8bc5-0c5557da9c60,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7b16926-3976-40ba-9bdb-82116efbbaec,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea8d1ed3-1118-41c6-af53-607bbf78916f,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df348598-4cb2-4679-a9f6-c4493ac77261,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3678c429-f582-48a8-8ab7-17f6f1e87cd4,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30e0ca6-5006-4476-9215-2d9ce7d4a5ad,"4/16/2021, 9:07:45.120 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,68eba114-96e5-47e7-af4c-a49787451e99,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,572b715a-400c-4696-acd6-e1bc4e0240e3,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6d8b4771-53c6-4b2b-9483-9e8e758fa24e,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,391d0043-9710-4a53-a4a1-8f84220f91c6,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8963e9b0-9881-4670-9505-03b7d95cb285,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6a231d2b-365b-4119-bfbd-78231904dd95,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fcd1b8c3-4bf0-440d-9b63-4c102d41aeb9,"4/16/2021, 8:59:36.053 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1e751933-62f9-4f5a-a380-ca68e1613957,"4/16/2021, 8:59:36.053 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38b9e1e7-08de-4250-b285-289d36072412,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8611361e-b38e-4dc8-8ff2-e61604007fd8,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e15105cb-56b6-4189-b230-e48dc4afd8f5,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8da13f24-8fd5-4463-b397-42de08f10def,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc6c0e9d-38b0-4730-9df4-88c84e45f0b4,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f320ede3-7a16-4005-ba6a-514d25aa0088,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e43a063f-5a14-4d0f-a8ee-a0339027ab7d,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02c8d300-ffd3-4fdd-b407-a3ae1e9c5d5c,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a44a842-cff3-4e8c-b72f-1e8f4032f1a7,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d734024b-f44a-4bed-9526-f381b5b26bea,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dfbd3d9-903f-445c-b8ba-f6d19d25a73a,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5f865c-183e-4cbc-8ce5-49d6b87204f9,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\WPSERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9534c7b7-7309-4ad9-adcb-883a88793b65,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f586bd5e-9dad-4ad7-991e-957283d3d9ad,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2ec819c-d864-46b1-8e7d-b149ea3e5cf2,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42c5520f-b78f-4dbc-8894-036a97e09c72,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97b0d97f-1d51-4831-9203-a9b190253320,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e141758-59bc-406c-b916-e4e11621575c,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2ea5c12-87b8-499e-9bae-37463d35f242,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5de142bb-6591-4916-947b-0e379633feca,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66b9771-71cb-482f-abf8-89d55e3acc18,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba520787-4954-4f2d-a925-283434c38498,"4/16/2021, 9:07:50.129 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f194ee3f-3e79-423b-a3f0-23a5b1cbf558,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54c97e00-136f-46e9-9531-58463b66ca44,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535a371a-829e-4124-bb70-0bcafdf8c624,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c271365-c333-4858-80bc-e47f5e332ef9,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7778181c-c1b3-4dc5-a3f0-29df1253d464,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04b2edc3-dd90-4bd0-be3f-7cfeed4fac08,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfa5ba92-8cc6-4ff8-9c10-38c6e31b8689,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c203e6d-7817-4866-a3f9-97af5b78b3fd,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e85f3f5c-e872-4437-b5dc-4c25ebee4dd4,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97a4069c-c776-4461-8088-2158188da7a9,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d528e65d-58d7-46cc-a8f4-8b78ce0db61b,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ed19c16-8d2f-43f2-9190-1028605a9a29,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00084960-a505-4d67-97be-7b879d187f36,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475bfe8a-6a28-4726-8239-6a87011c2017,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4f9bd02-5f77-4358-868a-c5992f6cc36f,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b984fd-2069-4357-8dbb-81ce9f5daa73,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d652f1f-aff3-420c-932f-83f5b4de7c8d,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a68efd9-9444-4816-b6ed-b8234579488d,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cca6f27-f92f-4812-91f4-0e5ab7424456,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f50d8be8-763c-46d5-913f-faa1025ab159,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033b1ec0-6abb-4d92-8631-f1f9b37a2c73,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1498f85-cf4d-4c47-9ebc-366a8df59dc7,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f71f5806-d507-48b1-834d-b9f1a2883c00,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73da50ad-5399-44e0-8f1d-846bdf82b9fe,"4/16/2021, 8:59:45.115 AM",,,,,NTLM,, 
+,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,bc1cb4d9-1a6e-45d0-9c1e-d31b6844c3f3,"4/16/2021, 8:59:44.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b278f2a-85a5-4f1c-83cb-bc461c02d349,"4/16/2021, 8:59:44.862 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d8deaa9a-7ef9-45cb-a2c8-91f95525ec3e,"4/16/2021, 8:59:44.862 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0021b3ca-2e52-43e8-9018-1ad549574599,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8fa5148c-5aca-43e5-94c9-0aef4388811c,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,293c11b1-e637-4c4c-af7e-34fbbb306016,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88a35a66-0f04-484c-9b23-b6c72927e928,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e7c5111-5ff3-44a6-bde4-94ba41f6c95e,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fc15d9-02d3-43c7-bf20-379ca96eb8b5,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1635bd59-ac76-45f6-853e-61bdf6ddd25e,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ccaf2c-6b4d-409c-abcf-7207b8d261e4,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1cc813-dd3a-4e40-aa14-67c8f3cb88e7,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e22d1ef4-70f8-41fa-8821-32a1d258343f,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04448cea-2582-4d3c-9b41-6d48ef43f5f8,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51af0cde-7348-4abb-bfe5-6cd29abad598,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00bf517d-9400-4d9e-a6b1-8b408d3c940b,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63f56905-0e17-4a07-9729-93ba621b13b6,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,939574a0-f51f-40b6-a947-d8d2b59d3ecf,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,057e2e6d-870f-4431-ad33-194db769544a,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,24415295-a7c4-437d-b6d5-6fb063fc162c,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08d13609-cafd-420a-8182-f762a9014713,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cebd6a7-d08f-4956-bb9a-04b953230e32,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a0a9087-e7a4-47a3-b5c7-983b4f1d722d,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90182919-55e8-4ac0-83ea-9d1b4a1d431c,"4/16/2021, 9:07:50.770 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dbcda7d4-32c1-49b6-a36e-3d0799016894,"4/16/2021, 9:07:50.770 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9420d837-3de9-4964-86f0-92e79491a700,"4/16/2021, 8:56:49.259 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5164 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,eb9f6f22-d818-4236-a97b-d2d52bbd1dd3,"4/16/2021, 8:56:49.259 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6640 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 
116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e4ded2cd-c743-4648-a362-3d00d96bd95a,"4/16/2021, 9:07:50.470 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12280 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a67a6b2f-2569-4e3b-8182-714cc996b43b,"4/16/2021, 9:07:50.470 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,25e2a20a-5279-4e56-95e3-d9d831eb653a,"4/16/2021, 8:57:02.615 AM","%%5649 ",0x2,-,-,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5694aa27-53aa-44a5-98fe-1798b685331b,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7364 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3262e057-f440-4d53-bf68-49be878d352c,"4/16/2021, 8:57:02.615 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,7fdf260d-907a-4cc6-9596-930c8d4d8bf7,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae06c8ef-a86d-49a1-b102-053dcc9748f6,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7176 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + E649E7E40B3CFC0011491AE742A6E8E697C7A48033F49DB9BA714A2891B99818 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1474 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0229dbc3-4e83-4557-b6fc-a7c723fdafc5,"4/16/2021, 8:57:02.615 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7960 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e2a08810-4c36-4954-aeb0-7f033a01c06b,"4/16/2021, 8:57:02.615 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,8f171b62-0d3b-4cd9-9bbc-d361adb37e2a,"4/16/2021, 8:57:02.615 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a74045ed-3dff-4cd3-9118-6c4c226443df,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12837716-ab31-4754-b09f-dfda69c87f46,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7951e655-b8d7-492d-a24b-07dfe78eb93d,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73290091-8d87-4256-9473-119b871f039f,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5004db4c-4eae-4cdc-845a-7461b4d1ab72,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2975d4b4-4ee9-45c8-95f7-85086b06938e,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2059bfd-6096-472e-8530-0563cb500f21,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a378d271-7114-4eec-b15d-d3183ddd4abd,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26643681-ba01-405f-a153-ce5e1f99a848,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62c0211d-f995-4738-ac18-970141fcf7b2,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c66ccff-2e3a-470b-ac96-4396a2f0bbd3,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed8a0068-567a-4929-bcf7-72511337367a,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c95ea11-3b17-488a-ba18-d2283758d5cf,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21534871-1088-46e1-8939-b02434a04fa5,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f4b2912-adf2-4e86-9f57-b13726848044,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a6935de-6871-4888-8165-430182b58e5f,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ccb78de-641c-4bc7-9c95-26deb8df6aaa,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3758ce0c-a57c-48fb-8726-7dde577f0a49,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e3af52f-92f0-4f2d-b4c3-c9d310805efd,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b56730ee-4313-4c7f-b864-d8007de46605,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cecfd111-f9be-49c6-aa3b-6629c16f8340,"4/16/2021, 8:59:46.653 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2f1fab5-4a21-40bf-b768-825abadbb385,"4/16/2021, 
8:59:46.653 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6388 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,10681a56-cbd2-4e9f-959a-2e24f251ceb4,"4/16/2021, 8:59:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,fdfb5fe5-9068-4e55-991b-2834c595db00,"4/16/2021, 8:59:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3920 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,659431e0-04a3-4b87-b734-86a2c2d2ef90,"4/16/2021, 9:07:52.740 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,39b78b26-5ff1-4ae1-8c30-12b9b04fd756,"4/16/2021, 9:07:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,55be2419-d579-4c00-8ecd-4094f4865aea,"4/16/2021, 9:07:52.740 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e0396774-23a8-4a67-8868-1f03d9fac319,"4/16/2021, 9:07:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7151780f-959b-4335-8e8f-3f5de386050d,"4/16/2021, 9:07:52.740 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d735b68e-fb98-41b3-aeeb-8bb0d8d3fc45,"4/16/2021, 9:07:52.740 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf6bd95-4335-443d-9e03-1c6cab22d322,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,336cbfdd-721a-4f40-8293-fa74c8008a99,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59b64dd-024c-49a3-aebc-c4f8b30a9013,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b25cb63-adb4-436f-be45-0a754361d1f8,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2c2bc5c-e231-4a0a-ba7b-39cc79034d66,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aeae3472-f1da-498b-a0b7-9cd189072f1a,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,826ce687-0e7f-44f2-8dbd-9c796782c588,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fee9d44-852e-406b-a913-287a8917c8bc,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d6f0105-71bb-4292-984e-4e0583877ba8,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe103609-6f13-4e19-aaff-cc2d8b640625,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5072e40d-4ee7-492e-8e83-288784f86017,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beae9397-eae4-49e8-8112-85cc76358bcd,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24d53bb8-9a0b-47ae-83a8-bdb882a50046,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f486f622-dbfd-4439-a65b-d31e4ca0726a,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f68872b-de46-4a17-9367-6c17e351fa26,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2f2d303-5252-4ada-bb77-95d16adba595,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,838385fb-28df-4bb8-9407-46aa4f00e918,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03d06f86-a4ff-4e8f-80ec-866d95f22050,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56b2c262-840d-446d-999b-30c6bf4403cd,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c105fd96-84ac-4c3f-b987-b6d0b88c1d70,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ae5bb49-d4f8-4bbd-ab89-b8bd6a53a0e6,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ef37ef-df41-4f2d-a9ac-dca265aba593,"4/16/2021, 8:59:53.116 AM",,,,,NTLM,, +\RECEPTION,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d254919-ce55-4c40-a243-0d216d35a7c5,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a3e57f19-0fd8-48e2-9e29-c42bf57f4fee,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\GAST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8db25130-5d3e-4270-9cb3-cc88ee095f0c,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\REMOTE,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcdf42ea-28c7-4e26-b30d-42775c9a411b,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f9a318ea-a5d0-45f3-a33e-6c66b52644dc,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\SUPPORT,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,833cbf6c-e62d-460e-91ab-ea3c4d1884f3,"4/16/2021, 9:07:51.415 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f40cf845-2692-4015-8d27-d176b956cd83,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0ab7725-9735-466c-9a3b-27bd38f574c3,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef52422-0e78-45c6-89db-d4064446808d,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aee626c-e9f5-4a57-82c0-10d416df467e,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ee4a83d-eb3b-4aec-89f7-95836e0c347a,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b617cc17-edd6-4307-9bb8-0e7920922321,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f4bc0124-c592-41e3-bc89-ce7abf4eb3f0,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b281153-8600-448a-8c86-285cc9338f5b,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72a86f28-b5a9-44d1-96b7-7d8f7f266673,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,201457b8-0b60-4c2f-aa56-1b7bb7227cf4,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56670dda-59a8-48e0-a959-9b1b60dc01e3,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af852025-c552-43cb-9ffb-05a088dc63b2,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\JOKER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c7a8c47-2a65-4c99-9df7-faeee710e630,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ea9dffd-0f67-4734-acad-9fe108da0ae2,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3acf63ae-a954-4416-90db-62c3f68aa3ef,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6054b6c-44ee-44ec-b794-736b873330f8,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae695ef-c23d-4204-bfff-100eb9b6b71a,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed2e8483-6aa2-41cc-b738-5ad8d300b75f,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a4c0953-7599-4737-ab0e-005b8808077d,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c38717e-bdcc-4bbc-9c20-d7a0f69a7689,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e535ec1c-0a8b-4803-8415-2eefc03683ea,"4/16/2021, 
8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,955ed35d-9136-429f-815d-af2c815b1198,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fc125f4-ee25-4b05-8c9f-12b3568511a9,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b854027-5f42-412c-b7f4-655a41955e4c,"4/16/2021, 8:57:16.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5448 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,72fb80ad-d3a4-4ffb-9042-cae52f8d3777,"4/16/2021, 8:59:52.735 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5624 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + 
\SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bee5ab0e-637e-4564-a0be-1f793b796cec,"4/16/2021, 8:59:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f98e32b7-7df3-4232-9b24-3852ac75409b,"4/16/2021, 8:59:52.735 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1978a429-bf2a-4619-8a9c-9b317467ac68,"4/16/2021, 8:59:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a9344c52-f8c4-4e68-8ba6-8a036979910b,"4/16/2021, 8:59:52.735 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4f7d3b0e-da2d-48bb-b41e-7e7f8e8df5aa,"4/16/2021, 8:59:52.735 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6abde4f2-0ebd-4ce9-a906-ff2875106bd9,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a19ccd0-9eef-47b3-924d-d4b780f3c27b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a89a443a-5406-4bce-82f0-7d143b4429a9,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a60c8a6e-3962-4ae2-a127-8d93514d4fb8,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bce6d278-6f1c-4383-8259-e350a3dc0e38,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a6344e1-ecce-4dbe-8ef6-e6217c9aa80c,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd43e82-9a93-426f-a286-bbe6cde5eee5,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49684f1a-a9bd-4270-aecb-135e5e8c8a4c,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3f5758e-d128-4846-984c-3bdb3c1f5f02,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd4cdb00-2442-4f67-a6e6-dde9fe10936a,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5cedf4ff-5d69-46ca-b671-604b777d1bee,"4/16/2021, 8:59:59.654 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddba0dca-3e84-4da7-85f7-c140c7fb4021,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fcf02e41-9446-4f9a-9746-2bfbd721273d,"4/16/2021, 8:59:59.654 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a0031d71-1279-44c7-87c5-8a3a4e269669,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15a64a00-072b-4877-9292-3fe4e801d7d5,"4/16/2021, 8:59:59.654 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ca91da6-a727-4c8e-96bd-b290ecaf45fa,"4/16/2021, 8:59:59.654 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04a9cee8-5df1-41c6-8c0e-7ec89fbf0f46,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52a73e8a-e1ca-4eea-852a-87fa74d1692b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95a3ae14-2ada-42aa-ab1c-8fac79c038ef,"4/16/2021, 
8:59:59.654 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d10b838f-402e-4427-a00c-bd736b7f3b0a,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3f56946-9d94-45b7-a6da-ca07deb5a581,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fd2ff98-33b3-420e-ad3c-b364dd33d95b,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2111839-6c9c-455c-9bad-dba7ca507605,"4/16/2021, 8:59:59.654 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c66f0d3-6641-4674-bbf3-5b6c83eb22a9,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fef33ce-0452-4881-bf89-7e9c9b3b772b,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a68728c1-2b2b-4b73-a972-63225ce8dcfb,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1203879c-ca3a-405b-ab8f-1328e33c5985,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53e8ed3b-be53-4712-9f79-21d2a6b41bdf,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,646014d2-4830-4186-9659-60c07b2b10bd,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a2f649e-7ce0-40b3-8ac0-d4c1da508dc4,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e987195a-1a51-4672-89f0-fff624ddb515,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0a6cdb3-3771-43e4-93f8-02edc58a013f,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1cae5e3-c822-495a-929a-324d50858eca,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebfea31b-ed6f-4752-a069-830694ed6e64,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3de26fb1-84d4-463b-b20a-2eb51eeb1900,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d559546-399e-4853-a278-96399d3d5954,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d53a279-b7ef-4c5a-ae67-ff1d876caec6,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa95907c-a8fe-4ee0-8d0a-106ccfa77646,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f428fb0-7999-448f-b3c9-d9c682bc9534,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e270aaca-0e20-4744-8d23-9f2877f46f1d,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52d3456b-6f6d-40cf-b688-2bb555017de2,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2133faa1-d28d-4f09-9f5c-56b9543daf8b,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a08d897-f5ad-4932-9272-0744aa77ad79,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c75553a3-77f8-497c-b0d8-dfccab599361,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e941889-0c94-47ba-bf02-bab8c9586fbb,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +\OVV,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c89a6ee-052a-4a51-8457-22fb4d5d9b73,"4/16/2021, 9:00:00.164 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4628 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,30d5ea7e-7522-43aa-a812-64779fcdefe0,"4/16/2021, 9:00:06.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8584 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,08522d5a-6e1b-4340-bddc-391271da4a57,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8afd9d21-2e22-4289-b3c2-f86096704f04,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2b2cf326-a487-4be7-924a-9f2f86b561fc,"4/16/2021, 9:00:06.573 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,2a4b21f1-bbe8-4ad0-8e5f-82bd6f31f67b,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a56bb81f-d1ac-43c3-8978-abcc26b7977d,"4/16/2021, 9:00:06.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6828 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was 
allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c339c87-ce31-463c-9ce4-faab1532554b,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,55b6619f-605e-4dab-86fe-7d8f0f693c5f,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,a795babf-4053-42e1-a4de-ff7d21b2b59f,"4/16/2021, 9:00:06.573 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 0x41319aa + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,148f2ced-1531-40a1-9155-b1bec7682e73,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,cef80cd1-b542-4840-8121-cf321d069d91,"4/16/2021, 9:00:06.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,a18ecd1a-7ea0-4143-9b7d-c5160a9cea77,"4/16/2021, 9:00:06.573 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,238abea4-70fa-4f8f-b4c9-7c9984c2442a,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,71164bc4-70fc-4c89-88f6-775a65f47933,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,be5ce03f-2d59-48e4-bb2a-fe1510fd63b5,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5966e049-77a9-4859-a06a-0d2ffdcb9253,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3842c691-97da-428f-ab70-e70dc6fb977b,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,21cdeaef-4ea2-4348-9ba8-4d769bc4526a,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,79ffa15e-037b-4ee3-acc8-af556da51fec,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16a17cb5-a3be-445d-8a4e-3c084877c0f0,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cd2e9c71-24da-4d41-a3fd-a73e44fcecb9,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,04988e48-4b59-46fc-acce-afce39514548,"4/16/2021, 8:57:16.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e1c6d376-d578-4f5a-b03a-41cd0f726c99,"4/16/2021, 8:57:16.056 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cec1b93-a038-4ec8-a2b0-dab20f6e6cf3,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8b17e2a-5ce5-4cd4-8437-e668f409b4bf,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb0f713-ae94-4a15-8fb7-c21e0e50f21f,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38795b75-655c-4e70-81ad-3140094cbf14,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6723e0c3-8a2d-4c13-a46a-760174ea3c0e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97bbda88-ae38-4c78-b44a-ca77d9032e39,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49cbd55a-c66b-4955-b03a-d015f2858cc8,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63685f09-70db-4bdd-b7c2-7146eb06638d,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1795073-af60-4982-a964-6ce29b5ba649,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e65653b-9cd9-43a9-92d8-c352f46f06fc,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea12d59c-bd61-4ca0-bba8-6a2315c0fb27,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ab6a322-4977-4f5a-a8ef-e262a22c494e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dba690d5-fcf2-432b-87c0-f2ddc990d697,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2144cde8-2dad-4aad-b47f-f78e247b0fde,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2faef6f-5dea-4b83-975e-89b65eb52b0f,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0060f02-caa7-454c-b0a3-c6e9eb76b95a,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ab77d5b-8f0a-4e49-8ba6-d75730f2e65c,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,890f5ebe-fd85-437a-8e96-4ee17823b17e,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf5ce306-7a82-4824-b40e-0c7059f134c1,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,271838b5-f210-4f2b-a1ee-5c0a239789c3,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\SVC_ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,933a864c-798f-418d-a3e8-c5dc4df7babe,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f0be55-582f-44a9-ac22-c40b0815be40,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd929d6a-3fcf-4cb4-83c2-6f6e7ed7c45d,"4/16/2021, 9:00:10.201 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4c52cb6-d4ed-45be-a101-c170543dbbd0,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3336e4e7-0fec-4772-b304-1fa67e6ec22b,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7720 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f5c170b-4dd3-4971-b8ce-de15bc173aeb,"4/16/2021, 8:57:23.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7196 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c8eec6c7-db91-4c59-b6e7-830002eb0fcc,"4/16/2021, 8:57:23.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3b7b0280-47ad-443f-a8da-211529fcd05c,"4/16/2021, 8:57:23.409 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,164547d9-0ac6-4980-9911-3de7d9a6b8d6,"4/16/2021, 8:57:23.409 AM",,,,,,, +\AZUREUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b73c2a46-57bb-4ade-bcaf-705bceee677b,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ecd0fd96-8255-419f-9b38-6e3edb9d75b9,"4/16/2021, 8:57:23.409 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd41c02c-d22d-419b-95a6-03db3b5ca07e,"4/16/2021, 8:57:23.409 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11236 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT 
HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,79d81e99-fa16-4662-96e8-3b9fc0fe8f5f,"4/16/2021, 8:57:49.262 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 704 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd8888e4-8573-436f-96b7-e17e625c5715,"4/16/2021, 8:57:49.262 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,719aa257-cfe4-4176-95df-7bbbc56fdbf2,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,407fdda2-6600-48b5-8232-904a00a00cfb,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14a32749-c0b5-414a-8bb3-d7ddd76ed26a,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efc2e659-cda7-4ce1-86d1-2736aa7c5c0d,"4/16/2021, 9:00:10.196 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3eb4afbd-5a39-47e4-9059-fe7fdbb45406,"4/16/2021, 9:00:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5462db42-a76a-4561-b911-a39e58fe19af,"4/16/2021, 9:00:08.056 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,178a98fb-cabc-4a52-8295-dc08ef341ab8,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b5b7ee-3bd8-45b1-94a2-0fe1f118b1b9,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ffa78962-70b5-423b-932c-7e75ee625026,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2de293fb-55d3-48c9-8397-f8739da970a8,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dee9743-1d9a-4e2e-a0ca-eea2455c6b45,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e594af80-efd5-4949-acc4-f4d6b86dee58,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a03353f2-ad90-4393-a678-674f9e98efef,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9ca5677-2243-437d-8734-d1076790f708,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c67b67aa-7532-4dd5-921f-9f8c8f63d56e,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4066aea6-2995-4cb0-aac2-fde0507cde1d,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af68b4eb-bdd6-44a6-bf3e-ad50dcaf8c24,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd641928-1ac1-4a05-9b45-51f88976fe38,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd88e4d0-cf81-4648-b434-11d34871580f,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,035e317b-946a-4724-8125-4a25a7799fd2,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5126e050-30cd-467c-b3c6-da389eb88047,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a2a7e24-52a6-47e6-a361-1b2852fa18d2,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9592d5d6-2113-4b25-9e4e-bfd3c68a77d9,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89abb1d7-3bb2-4438-895d-30848932aeb5,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9af6a4d6-cec5-44d1-bb91-1eff1a31e155,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2655829-f991-462f-82d4-df4fd99649cb,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc9cb9df-47c6-4e5a-a00e-fb7bf79c41cd,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77fe2519-dab9-412a-875f-21620600c469,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e089e19a-af60-4295-9157-6b33e31c13f6,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f76b97d1-5e1a-4196-b6e8-874db76d1196,"4/16/2021, 8:57:49.657 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a593314e-0033-498f-b645-3344e72497c4,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc9adabc-08bf-4be5-8e00-4f93852d1dc6,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9529ca1f-8878-4b94-84a1-ed5e2cf1913b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7414b8d8-325c-4d94-80f3-359369402097,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cedcc933-9f88-4965-8651-5564f92de394,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fe63e720-5fc3-480f-8ac5-44b75e8dc23a,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c5a82ff8-9f95-4e7c-be90-e2bbe6306477,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,185052a7-ff03-4c92-bacc-e3a18d422c7d,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c1a40f0c-838b-4cd9-bd07-6b0cfa8973de,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0bf88bbe-021e-4713-a3b8-658c986adb9b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fcc7dea5-75aa-49ee-a014-1290c08fa230,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,734aa14b-42a8-4a30-86e3-f0da8a3dbdf5,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,22e46880-7e5a-43d9-9998-6917bf579286,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dd7d2656-82b9-41f2-a5af-c60cdb7a469b,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a7dcae-3164-4ec0-98b6-1208859ca98e,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,219c60bd-d227-4b3a-9cff-c03e40c49299,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ef83804a-447c-4610-bb76-be282cdb58a9,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6c333437-eb78-411c-a5c0-106b675dcf7a,"4/16/2021, 8:58:08.869 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e851f91d-71d8-48da-a243-aa389be048cc,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,456f49ac-659e-4b47-adfa-7a85d37727e6,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3e621954-49f5-4138-b84d-6f29ea6f807f,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a6e62e45-4f66-4bea-bd35-8afbd8da868e,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,03a5f0c7-d219-41b3-97a0-1be6d2f1b077,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a7500056-d296-40c5-9348-88a33971efbd,"4/16/2021, 8:58:08.869 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3a4b1647-ae7c-4b71-a5d9-2db4d041c869,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5637ca70-930a-4148-b4f6-f2a9d209df27,"4/16/2021, 8:58:08.869 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a807070d-d7d7-4865-b773-79b95ca6ccb9,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new 
logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2617aca5-9042-4cc8-b592-163e93499900,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cede5ef6-17ae-4140-ab93-a182e06e9f25,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,532ef3d0-f3a0-4c0f-bb49-aa7ef69605e9,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14784 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d45ae8a1-7823-43ff-845c-b3a8fa5f9438,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7152 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ac59315d-9244-4770-8603-8d1203d0aac3,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 9128 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dd3fd4ed-6e60-407b-8411-c573f42af3c2,"4/16/2021, 8:58:08.869 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,712cbbcf-e8a2-4bb2-8172-d4cad8c57102,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7072 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,81007db1-9684-41a9-a910-d66f2a9802a0,"4/16/2021, 8:58:08.869 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 432 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f5d14867-bc4c-4898-b939-70557e34828e,"4/16/2021, 9:00:09.896 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6968 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6c114bae-9ee2-4c94-9b68-e488aa07e98f,"4/16/2021, 9:00:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d9667ab2-dc43-436e-9ffc-7eaa7af42d15,"4/16/2021, 9:00:09.896 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5e24dada-c132-4d29-8427-c3a6854a6d8b,"4/16/2021, 9:00:09.896 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e03693a0-0c8d-4966-b140-d290b887abb1,"4/16/2021, 9:00:09.896 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b5be308a-5c40-4af5-af10-3672f7eba1c5,"4/16/2021, 9:00:11.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7836 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5015704-99b3-4b2e-88f5-75a7db306582,"4/16/2021, 9:00:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4ddcd469-10a8-4b73-9d9f-3f109ddc5ae5,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process 
has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,106da910-210a-4888-85a3-5c725f3f8d97,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e2ea8689-16db-4f8d-a110-da7a62c57a02,"4/16/2021, 9:00:11.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e0ae7d2-7e07-428b-abd8-aab0271763dd,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20f0c64-20e8-46c9-9604-24e1f5dab2a1,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ee744f1-d2e3-454d-adb5-4d81a826bf96,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0e6c6ea-f2e1-4f5c-a5c1-55fcbbb6f0bb,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,81c5f917-3ebc-4e7e-b1ed-b1a9fc558295,"4/16/2021, 8:58:24.124 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,69632fcb-37e5-4b56-b295-77b3547a95a9,"4/16/2021, 8:58:24.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6278bc22-6c55-4a5e-a196-a031350820d1,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f626a7c-da50-497d-9add-bba56a5be2bd,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1016 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,de064312-5a2e-4974-8a44-6e39fc93fd72,"4/16/2021, 8:58:24.124 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8612 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,53004b96-ebfa-4e69-9014-a03026b551bf,"4/16/2021, 8:58:24.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a2b57b7-3236-494a-8154-cd297c0bb7f8,"4/16/2021, 8:58:24.124 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6e9cafe-bd50-4380-8b7e-5665f311c98b,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,780b6718-4728-4683-8b9a-c30331aad8dc,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,022322d5-8018-4052-9096-c88cb25a14c0,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19bcf840-8e25-4708-be7f-bf7a30209b96,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,515bad54-b78e-41f0-b5fa-c26523da8356,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a46e5725-089f-468a-aa28-b994b0c9889e,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0669d037-0976-44d1-9da6-e29a74bde6a8,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db77781c-8a76-4235-8649-53692ecd9f82,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a38b0e1-45ad-42a4-aa66-d7d10970eba6,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7579e99c-6bb8-4430-a76d-169683771496,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0539eab7-8955-4c7e-826a-6e910bf46f5f,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72bde181-f9a7-4a42-b1ac-9912b6a0ba8a,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,beb9c1c6-413a-47c9-a380-5f8406687e0e,"4/16/2021, 8:58:24.124 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5a00edf2-12d5-4ee7-a14b-56234931275c,"4/16/2021, 9:00:11.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7444 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + 
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8a67f30e-0269-4184-91cb-aa0e92a5c4f5,"4/16/2021, 9:00:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4456 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,79e59774-d4f0-4071-ac06-d9f9982c8db4,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bd3dec1f-8ade-43f3-ba5e-f79c212dada3,"4/16/2021, 9:00:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6430a872-cceb-4745-9d6e-8f0a9bcca735,"4/16/2021, 9:00:11.411 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,93be4f9c-5bfe-40eb-a8cb-ecf82abdbab6,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e58c6ac9-a422-4b4a-8111-7528c2b79ae3,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6192 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3241b9f7-afb2-4189-b488-e4d512970914,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,5236c5c0-ad2e-4a24-a032-9abb96217988,"4/16/2021, 8:58:26.568 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,159425c3-68c9-4bed-b92d-6d99dff62783,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10856 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,033e4b56-edef-4f80-bb4b-30ddae60086e,"4/16/2021, 8:58:26.568 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1132 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,cb8718d9-c6e2-4188-b12c-e5affaa143bd,"4/16/2021, 8:58:26.568 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6e12811-7cbb-4f1c-90af-73fee87a20a9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,626a0cb4-b359-4495-8dd1-33b66128ce78,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5616e6a0-2e39-4e41-a221-a66b29cb9933,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f920413e-8217-4a40-a2dc-767858d8c483,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a26eca42-ab29-48dd-b9fe-ff5ff1b96ed2,"4/16/2021, 8:58:34.660 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95dfe5b1-b2ed-4477-b034-3b70b50a31e7,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,547d441a-df11-4be7-8ed0-7c9cd3023d69,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c18119a6-5204-4b36-a9bc-6e685181a7ef,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc674a3e-fc3c-45d6-9504-4f9403e2514c,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,58d9c582-fe0c-4092-b22b-627a6ff28cc5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e046e30-0eb1-48b3-a77e-334f1aef0be9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f68fbfe-eb1d-49ac-843e-d782993691d5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8eb7de4f-0599-4fb8-a93a-7f6e8e33f6e0,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9137f31-bf62-44a7-9685-f399b63dbc8a,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3089089f-5088-4685-a8ed-c4f80f5f8ce8,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a24b043-f2e4-4148-8c91-b7bf233399d9,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eec755f-d6a5-4cc1-bb64-f8555f7f9d50,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,febfdb6b-3f51-48e4-ac09-d8fe50240c0a,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc88228-ebc9-453d-b868-59fbf7c92e8d,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,306598af-0d86-4727-9333-9d1e3d9154b5,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e59c58a-cd12-4d5c-890d-08bdd5fe0818,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,554dc34b-6d7a-4ef8-b717-d927f8872c50,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1b7d57b-17ac-4887-826c-350f17231f76,"4/16/2021, 8:58:34.660 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e7fd8b83-8694-4e2f-b039-247d8fe2386b,"4/16/2021, 9:00:08.051 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ad4e2fc0-9b3f-4afc-9c08-7d5f19d48d23,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4468e54a-4e74-47a9-b4b0-d001d7451614,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bca31bb3-c5fb-4818-acc5-2079b65f58ed,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,94babb63-bcf7-4259-9877-d20e59ecb3f8,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b14125e3-555b-4b92-b530-20b16b3e22b7,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,89e52215-735a-4f60-a8b3-c12d6c85cf5a,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c4e09869-3c48-400e-886c-aa13e44f301d,"4/16/2021, 9:00:08.051 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0bbc98b9-b76e-440b-bf55-f8a37500f761,"4/16/2021, 9:00:08.051 AM",,,,,,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f031a48-fd64-426a-a901-400dc578bb9f,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65bd70b2-b6d2-42bd-bcee-1a2adbe44f61,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36dde0aa-54e5-48c3-b303-a7fc36701ff6,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7de17de-f8a1-455c-bb65-9772727d6ca4,"4/16/2021, 9:00:15.656 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c5eccbb-4f39-4bf3-8a7b-62eb422fa6fe,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8794e7d9-9609-40b4-9dc8-e4bd811d2a05,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ba6c823-1926-4401-aec4-99a6d0a884d3,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\RAY,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,63cf3762-1e56-4d4c-9253-47a4370e2c55,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ffa284-ecf1-4f96-abf0-830173066673,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad5834a5-2dc7-4973-a7b8-fa209c172924,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc3cbd7f-7dbb-480f-8ce0-8316383dfbe1,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25c112c3-cecc-419a-acd6-03d34072112a,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a92eff8-2530-4e97-8bc1-9b99a8c0be51,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cae81a1a-b30a-469b-8a83-f97ca0018566,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,813ac257-3762-4c56-a908-f1c32a0eaded,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e37306db-f703-4e62-9037-35cc5f6c645c,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64e02607-4729-4173-895a-c2eda2682d73,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1fce2d0-d418-4bbe-90c0-9a8e66fa49fa,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d020392c-b130-4cbc-87fd-d1f7ba25080c,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e26fca41-f229-4a0b-ac12-4814e3bf9e97,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adc730a6-fb6b-4176-b790-adad1bb546ab,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be0c8339-2121-4dd7-adb5-f6a5672ff559,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9620329e-0a08-4508-a4d4-571bfbb94170,"4/16/2021, 9:00:15.656 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c6e8c3c7-05f4-4204-99d4-d02dedef17cb,"4/16/2021, 8:58:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3444 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9b8b5c9e-6726-4aa7-b447-c1c07cf0dd85,"4/16/2021, 8:58:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,937a5e71-b102-4a7e-9906-84a1d511ccdd,"4/16/2021, 8:58:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bff7f36c-d821-46fe-bc69-e43b0e900028,"4/16/2021, 8:58:41.411 AM",,,,,,, +\DEMOADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c1ee745b-4ac2-4801-9fc4-44820d41796e,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,72e0b679-e57f-4c66-b944-a1ae3c688331,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38ec5533-19f0-4cab-97c1-93bcecc6b8e1,"4/16/2021, 8:58:41.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2b94b8bf-b954-4443-a51b-edbca47d465a,"4/16/2021, 8:58:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5dbd05-edb0-492c-a533-2102848681d8,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3088ea7e-df6c-4041-8c92-461ee53f2e81,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b1ed81e-be29-45e0-846d-a9899200bc05,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cc665d-d912-409b-bad7-e1e5868cdf6c,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a57d416-34c6-421e-b953-71933ea13ba9,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7999dfe3-cd46-4965-997e-45e0e6df8183,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3c9347a-bd78-46cd-b2e0-2494d2b0c783,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d88469e-1314-4d6c-894a-d47a104c49cb,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e8b00c3-184c-46ee-9b65-e7aa146cc9b0,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a93f4bf3-d822-4c68-b489-5541104945aa,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38a266a1-856b-4a9f-8e92-e2f0e9688f60,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f035987e-fa2f-477f-b1c0-c8128ba4398e,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa8bfade-6470-42da-bc40-065eb8a159c8,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5215fcf3-8807-4740-852d-5e433898a25e,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b5001db-ef62-4a94-85f7-97a6c7771b71,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53454a12-4109-4300-9c40-2d81e2c2712b,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d75a5f-6388-41fa-99e5-5442bb4c5ddf,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22096311-6de1-4110-b898-8fadda244aea,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ecf3b04-7aad-4ed2-bbf0-4003b20949be,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988c27c7-8ce6-4a12-a424-0afbdb9280ca,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6a81ddf-df7b-4f1f-9ba8-c2088061d979,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd3b4bf8-50d1-4b73-9dbd-66c71e872fe4,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e4b3622-ad21-430a-8ca7-60c48dcc3570,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6442e040-9010-4453-8561-de8916a48204,"4/16/2021, 9:00:17.114 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,14aecb2f-2101-4c6a-92ee-7a91bc4636b1,"4/16/2021, 8:58:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3faf9694-d80e-42b8-8484-9a37c6dd45f3,"4/16/2021, 8:58:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6052 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ad23ba2f-c9a1-4fd2-bdfd-73a2d4ec1214,"4/16/2021, 8:58:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4800 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f9f3829a-2a41-403b-8a45-c846851452f4,"4/16/2021, 8:58:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,86fc9d19-6466-44a1-a1dd-6ad5673920cc,"4/16/2021, 8:58:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ba64a8d5-f10c-4040-9ccd-d73f5a2f79b4,"4/16/2021, 8:58:52.736 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52849341-bf9d-4899-ab52-f11f5fab599f,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa6f153-176f-421a-91e3-803893bb593d,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfd3638-a14c-4e20-96be-9fa9aeab3280,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,511cdee7-e190-45ba-a805-f03ea89510d7,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b4ce810-eaf9-4c1d-827d-4f51fe2da2fa,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,531136c2-1816-4771-bc0a-a9c0ea36d58b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07cdcc3c-e23f-4f18-81c0-3809ae514f7e,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88efbc02-e2e0-44c9-a33a-bc000a754fb2,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,491261c4-90a2-4f00-8de8-4d8bc2eb100a,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78372220-1d14-471f-9585-58e669d31b3b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b51ae2f4-02b1-4216-86ff-621597e856ff,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9cb44830-6a5e-4a64-972a-ad93271d4108,"4/16/2021, 9:00:21.150 AM",,,,,,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,af12520e-2e1f-40bc-a7ce-0ab1f01f8320,"4/16/2021, 9:00:21.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1544 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,29738560-a68a-4aa7-ac2e-8e85663d1a53,"4/16/2021, 9:00:21.150 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7464 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1739582b-b429-45bb-b6b9-1d9e427ec020,"4/16/2021, 9:00:21.150 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7987bc2-8040-464f-ac2f-607c6428dc6b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e0fe29d-f45d-4da0-8f17-27e56b316244,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b56c502-a754-4a67-9ad4-8f27319dbda9,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd86263b-71fa-4816-b337-44e342f961b0,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a29e746-5704-4c59-ac95-e510f268c425,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e2d36dd-a7ec-41cf-a0d8-4b177473b1f1,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2060d68-2c90-44f6-8e17-5c4ce65d3b66,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54ae6feb-0bfc-40dc-88a8-ffde57a7355b,"4/16/2021, 9:00:21.150 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,cfc8995a-dcbf-42ee-a846-7c86ce772f9a,"4/16/2021, 8:59:55.984 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11728 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a49ddf0e-7b65-4bbd-ac43-8e8b5c062bc1,"4/16/2021, 8:59:55.984 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,588dc368-ec95-473b-ac64-415cd5170ba9,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f83704e2-6913-4377-ad2f-a11532577231,"4/16/2021, 9:00:32.893 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x2417d2eb + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} 
%{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5dcbcba6-c5ec-456e-9471-5f256fadc792,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1b7d71e4-0b23-43c3-8bcd-04fba70a2d4e,"4/16/2021, 9:00:32.893 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b633c8b-881c-4ae7-8bbd-19ae64689613,"4/16/2021, 9:00:32.893 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,2186607f-cb69-4f29-877a-4680c5ef65e0,"4/16/2021, 9:00:32.893 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a560e70d-e642-411b-8f7b-6eee2f3328b8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54cef459-f1dd-4806-9407-db76dbd3fbcd,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b14b8ab-a788-4551-a7f6-91b2d0f58b01,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c13fcbd-a790-4f74-94c0-9b5fa62200fe,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\PDV1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b710ebc7-9a1d-4092-b659-831d551f6e56,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ca8d22e-b85f-4acb-b1c4-b8bdee97c512,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23cc9e32-edbb-41fe-bc33-933f89988d03,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a914b1ad-d957-4861-bc1a-9acbfb55862c,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eacee919-8e0b-410b-bbf5-d13df0c3f682,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f0e925c-d6b7-47d5-a2bb-73d0b75ae856,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\CRESCENT PARK,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6209661-dad2-413a-a9f8-f7ce3368d869,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3ef5f00-5511-4db8-88c7-b12d95027cf3,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce8cb132-137f-4b36-9b83-fedb7e3dbbf2,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88621072-5c09-4f1f-8d11-6a29e0d85ce3,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47d10426-3bd6-4a8f-a1c0-a75ef4277452,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5111477-b2ba-472f-a6c3-26c04519b090,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c37b1d6a-9e2d-474e-b5dc-dbaacc1677b1,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d3dfc35-b092-4ce4-a5b8-e3e293e68262,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f66099bd-64f5-4adf-9082-946ab134e5d1,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dd61443-456d-42a6-bdeb-d64bfa24f3f9,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e3c50b8-b6c5-4a2a-bd73-856d70dbf3a9,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ebf8e8af-9735-42fe-90b2-a79dd402324c,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51840ad0-fbad-4fe6-ad42-d4a30be960a5,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc600021-7bfa-422a-9c92-d3c9e8ac0e11,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6b6d6b-e195-4c33-bdb0-247c6a8d7672,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7550a68-ff6d-4efa-8dd4-d8e3ccc8a3c4,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b996c550-a07d-4669-b180-94fceb5d37a8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,311fcd8c-5a2f-4d55-aaaa-b4a85f49ccb8,"4/16/2021, 9:00:27.122 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,483d4d84-5646-47f5-bc00-8b6d2b0981dd,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c81a158a-d240-4f32-be73-6ef7bbb08153,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,513e6af5-9008-41c5-a537-a94f0729b9aa,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0a7f1b-62cb-4205-aac4-f94300d66c28,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45758566-c587-408e-8414-d89210e9e7f6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7568 + 94 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\RESOURCES\1450\PMFEXE.EXE + 32 + 6708CEA6F2F26E9B4AFF6300A4BE88433CF28688427E669CFB3FB43F94E0BE6A + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.21.311.01 + 0x3e7 + 96 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service 
State\Resources\1450\pmfexe.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4117a1f-f983-4b27-948b-9546b98cd29d,"4/16/2021, 9:00:34.126 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fb64de4-afe0-4a60-a811-df8ad223a890,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90564a17-c42a-4761-b946-980762865cb8,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f56eee8b-fc9a-4d4b-ab12-9af737539f6c,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,411cff52-e92c-4182-95de-be86d41120e6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b67bcb7-e7ec-4d0a-a76b-8c019e35c3a1,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,815d6e8e-9715-436b-8711-0bc06755809a,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60f5ea8d-202e-407f-a2ec-c51c669ee9f4,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c420a56-bc3a-4697-8e54-4125af393e67,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f711e172-66ff-45f9-98a8-817d32d67ba3,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,215521a1-949c-4afb-9bf6-63b43c0c9eb6,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,402f5b80-c55c-4d9e-a1d1-93bc2e6121ae,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,a664429e-b712-4bcb-a373-f4f1a2873ca9,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c48a97-68b8-466d-a8d0-4f58c8858c22,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1ce1416-abec-4bb9-9cb0-aa0e22bb860d,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbf7b9b2-7e90-4515-87aa-94815ce3dad9,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47eaead2-bdcb-4a81-957c-e85d1996c908,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43654342-633e-451d-9f69-4f39dd944b6f,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca9a74dc-da3d-429f-abed-8706ac874b58,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b931ca-203d-4af9-9103-408d0b0aed31,"4/16/2021, 9:00:34.126 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,daa788a5-21f2-4935-bdb6-36aa233cb482,"4/16/2021, 9:00:34.126 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46adc55c-aabe-474e-8236-7eae8b6a56f3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5a1819b-b055-4034-9552-bbf6f8e4a3d5,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fbcacc9-6691-471f-8c75-41fd859171e7,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4dbc0c17-0160-436a-a0cc-63885585e4c3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efa28218-6383-4392-b15f-18b9bfebca89,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e086b11-ec01-4c67-a35f-3e11f238c4c7,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bac5c836-5579-4785-a888-2759684aa6c4,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a69ebcc-4ac3-48a4-a9f5-8b131853b269,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eae71476-ab02-4b58-a36a-fd1d55327fe3,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a237bd9-67d5-4a17-abad-abc926620f1d,"4/16/2021, 
9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38bec394-2cd2-4f75-89f6-ebedb529bfe5,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214fdd00-b6a9-4c79-bff4-470760b986d6,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40bc2a69-df88-4ae6-b49c-16f1729ba7a0,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f523d2e5-8585-4437-b08a-5fa170a19594,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3a6d24b-11be-49e9-84ca-36e43e56120a,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4190a2dc-e79e-4776-ae0d-8a1cd52150f6,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,280896aa-73e5-4a15-be39-7179fc736408,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,981a2a75-32c3-4274-bff4-dbefa1fa589b,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c598028-32f8-4c07-a581-fcfedfd4eb11,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6171d06-e784-4bd1-b8d0-b1eba371f50f,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\WRADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25f57ca0-ff0a-4779-8609-f0b0dacb657f,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,427107e3-c976-4742-8f74-0a976e00d799,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97be7a02-e6c3-4aa8-b421-be537b392a21,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,727da483-07f7-4dc8-90cd-a6800e0860ed,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f2942e2-c5e2-40bb-bff9-2df65e450737,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,312750eb-698e-4d97-af40-7f27e5e5020b,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43653fc4-6d84-4f5d-a5ad-b021cf6ebe58,"4/16/2021, 9:01:14.124 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,819e0444-f261-47df-9dd4-9aa31d5ffa2b,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,84bcbb2b-922e-494e-823f-4ac85548714d,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16058aa2-026c-40ab-874f-b0309406862a,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,73c235e6-9de0-4aa5-adff-0ea34184ba8f,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98da1777-1442-4987-83f6-29df9bb10c21,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,75465f23-5eb3-498c-9649-584a1f7c3b8c,"4/16/2021, 9:00:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4aa637e9-034b-4918-a7f7-aeabb2d17571,"4/16/2021, 9:00:43.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,77b40b1a-5d3a-4977-95cb-e65745f7b456,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,593b8948-d7ac-4266-99ee-8e9917c85761,"4/16/2021, 9:00:43.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,65326bf7-4015-40cb-b5e4-4feb08da09b4,"4/16/2021, 9:00:43.052 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6f30a8e-6bf8-4487-846b-f0be4e8aee70,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a8ba43d-38bc-406b-950a-a9fed81a1053,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7ef89e2-d1a5-4b65-8dfb-0b0b9939e478,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79602f87-b33d-4183-902c-cceed063c11a,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d6a7aed-e74d-43e6-a4f1-80b8478e0186,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7aaee77-79e8-47fb-82b7-a90f2ad27950,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,481d5e28-a8fc-42eb-8d8c-38624c74fb6f,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d435cf68-333d-4c3b-a371-66e3a6a17146,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edc41dc7-af91-49fa-9adf-b3b7998bc6d9,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e53bec9a-1ac6-4e2b-a193-8cbadf214e29,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c3ff4bb-5b2c-4b72-97db-5de4152b410f,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6272e6cc-43dd-4672-9ee6-9da6d8a4c7b6,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb5071de-64af-457d-8705-89ac1c488d44,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1a3c839-200b-4c21-8617-67a4d83a3268,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ea9e9c0-14a6-4ceb-bb79-addd5fe2a7d2,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce4229d6-f968-4f9e-8141-3e1c8dcc6f83,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c30e1c6-d4c1-4829-af37-6af2d32ca907,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,daa8ce95-83df-42c2-b5a7-ae371ffdfb61,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92b200b1-961a-411a-91be-245ecdb4bd40,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6086a023-3726-4db6-83d2-05a2b2a0401a,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ef7b827-2cbd-4fc7-8fa0-a6d7be07a943,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8fb1c3e-5bc0-49fe-b54e-fa747b233009,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b8437b8-6741-4523-a22f-f11782fb245d,"4/16/2021, 9:01:24.656 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a5d3109f-087c-463c-b5f9-ab249fd11cdf,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6773718e-4032-4f0c-93d7-8c43877de3e0,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,203d829e-cb66-4f04-bb1d-fc240d1cd2ce,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af652f6c-21dd-435e-a59b-3b3d304888ad,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17d4201a-c3e5-4dc5-a781-abb944c79025,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77e0766d-de3b-469e-a71b-8b5aad54c4cc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d95212b-1dfe-42bf-bbb4-8b35b7e5f7dd,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,807d1c5c-c628-4f37-acb2-6d9b0b7f8e0a,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\MAGIX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40d63007-f689-4eae-8069-12de12452292,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c26e07a3-d492-46a9-8cb6-75b7f718c0af,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3bf52cc-95c4-4cc5-8e48-55ff3a14b999,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40fbd52b-757d-455e-8b5b-65bf321481dc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e0ce0a-7af5-48c2-bb6c-d79fa60a1ece,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bced54b2-b561-467c-9fe8-ab7438decfaf,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,853656ac-d6a4-4ab6-a0aa-de9c57cf092d,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fec8a89b-9413-451b-aed2-f3ff4dafb3b1,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3464457-1f3d-4f4d-9fe4-1fec4ce1facc,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3b0032d-36d9-4ef6-953b-36dea78445cd,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\DB2ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89ae59ac-a7ab-4dca-a714-8ed729337d54,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb2b2f7b-e236-42f4-b8c2-87a159130ed5,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60c0a232-2d64-4a7a-927b-52e19eaf9bfb,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4dace59d-b258-4717-80a5-63327d8fe197,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b90fdae5-ada7-485a-b684-9d546f3b5677,"4/16/2021, 9:00:44.664 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f63adf41-5927-4e4b-b2fc-d194e668faed,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,01d48faa-8356-499b-87fe-2f2812f77657,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c30b7d8b-3b3e-4878-83e6-83b1fc7d260a,"4/16/2021, 9:01:25.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6484 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edf04818-ee34-413e-8b05-2b776fb32268,"4/16/2021, 9:01:25.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4020 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed 
to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,079e3793-2a41-41f1-885a-8ca51faf02ca,"4/16/2021, 9:01:25.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b269fcb7-812e-4e11-8511-db4ac5c87c9d,"4/16/2021, 9:01:25.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,eac7c648-0ef1-453d-a624-bae2377a696d,"4/16/2021, 9:01:25.410 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6d267226-4450-40c2-ae13-e9ec17fd387e,"4/16/2021, 9:01:25.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14456 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5051a4cd-3aba-4a3e-be8a-b31090a3bdff,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11656 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,82b05968-b0ed-422f-84ed-37a47f25b599,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 932 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,b4a47c8d-9b1f-4715-877a-d9c9f34d9270,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12808 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7c2d1601-b742-41fe-938f-e522a4d26979,"4/16/2021, 9:00:47.026 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10524 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,ec512bb0-a885-4171-abb4-6bbe38b7c038,"4/16/2021, 9:00:47.026 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1de11626-6bc5-4927-a385-b3e2a3237742,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3977898-d3f8-4f4c-acfa-137a8024ab68,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8435135b-21d3-444d-8f8e-4a1c75ca3ae4,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5299ccb8-91ee-4b8c-bf7e-130fe08d7bdf,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f400e6fe-7531-40fd-9e69-fc92d4d3d5d9,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7081000-8fb4-42f1-a8d1-71138b779005,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9af681b1-c939-4c64-9469-008d86357c70,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38afff10-8f75-43e1-b6d3-fac610176f7e,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,389f348f-787a-41b8-b0a4-a8253c762638,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bd19ab0-dbd5-4762-9ad7-1aa4348e5a3c,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7db68c7a-7db9-415c-9e76-fdc7d289b606,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa4f926a-e1d0-489a-a7f1-a25be179a9ae,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8ac7360-6bd6-4e5a-944d-9398b5761f29,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99598180-84be-4725-8369-9848c1976e91,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7ac374b-ac0e-4cf3-9638-2902fe14b1e5,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34694b0-66be-4138-80e1-128eedc23f30,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40de02ac-3424-4a56-a25e-f7a2c35fd6d1,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d4354a-6de6-4749-a627-f6a06d9a26e4,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a05ed40e-7ccc-46d0-9708-e81cb696b540,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,875b409e-b0e4-4d36-afee-1f2b7fdd9ebc,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,457e3083-361a-4f50-bc99-4ddb793b8959,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,964d87cc-a737-45bf-99fe-2ecabda4bcb2,"4/16/2021, 9:01:48.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc283ef0-e5b0-4185-a47d-fa3317543b20,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\OJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63fb36ee-d6b1-4aa7-b548-7bb2c6541865,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fc79f3d-9953-40ac-8b0c-bb0f8e978aec,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab739c00-0148-4137-94dc-f1c876d955d3,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c3d7fb7-81e5-4454-b8f0-a287789ed92a,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba5b666d-d633-457c-b686-4494493eebf7,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56fb20f8-0f73-4d9d-ba35-f1d7354d9728,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fc300cc-7ad0-4776-b86a-dcda44c8b7b4,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28c6487f-9c0c-41fb-96b2-0dfa280d862b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,000cf098-1ef6-4eee-831b-38cb7024d99c,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b98fd1-c5e1-4ab9-accc-b077f98bb03d,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5441cd2c-ebc7-469f-81d3-edb1c1c6807c,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32420b2f-a71c-4d39-abd7-366be57c67f2,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e52980fe-7be5-4abd-b976-1837dec0323b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5214491-f827-493f-8d82-c77f4c05fb9b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77ff5fba-2c12-4db4-8d5e-1b803491b2c0,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aef12693-3fc0-4219-8cf8-478a2c60bbcd,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89617765-16cc-499b-9c51-87ec04483467,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e5136c3-d4e3-40bd-8714-0d3d909b3190,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f57564d-9f68-4d4f-a691-ab33e4c1b319,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8dae5a6-b4fb-4b43-9329-b9f197ea67d1,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b41263a3-b6a8-4a4e-85e6-5533fa0c441b,"4/16/2021, 9:00:46.115 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,10faccaf-4202-4ea8-9630-cc5ec56794d0,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78888041-a2fe-4563-a505-819f7456ff45,"4/16/2021, 
9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c391fe59-6e3b-4244-94ce-9441945cfed7,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,04fd02bb-3f62-4c13-93e6-7c2370ebd8cc,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e5fc0a8b-d9f0-41d0-a4cf-75ac52c2a960,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cac3031-687a-424c-89d2-d735e266ef4a,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0d872c27-701d-44c1-848a-22ca053c6813,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaf65622-afd6-4009-8eaa-17a5058bb7cf,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db520d64-e968-418d-adcd-15fd992cbd16,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\IMAGES,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e4ac62b-aee7-4e08-8051-9e2676606643,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,885904a8-08c9-41bb-9d1e-db69e3036262,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53ae4ef8-8704-47b6-bf04-01c8dacdf14b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3110851d-e9ea-4f24-8dd1-182fec3ecd63,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4df915a8-ca70-427e-885c-b2be8fa6f4cf,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0234aede-3bad-42a9-850e-ebc533997f4b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97d4f4fe-0a50-4a5b-9530-825360ed184b,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f59b3220-d5aa-49ec-987c-3c019413cfab,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28a06899-0997-4845-a2dc-3cce05dcffd6,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc655177-eb34-4223-8fd3-b3f6de64b727,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6311ee9e-d81d-4019-952d-24a6fa028433,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df105bdf-5add-4a55-818b-d7dc8d8a1e35,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +\SCANS3,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5c615212-a9f3-4bd9-a3da-24731333f39a,"4/16/2021, 9:01:51.664 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9812 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f6f7deff-91fc-4252-a5be-b4e94e685aa6,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10892 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,516aa088-1d66-4bd2-9fd7-15ac7ebafc06,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10972 + 115 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + 5D35920AEDE05DD39279B42A07B84E7EAC7A77F4E420A04FE25B82F0B2CAF5C0 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,7daf441d-2886-4ba1-894d-ce059ce9931d,"4/16/2021, 9:00:49.278 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6012 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e74739d5-0f17-40fc-a993-5057323776b8,"4/16/2021, 9:00:49.278 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34f294b1-7ebf-49e4-9b8e-b16c7df4be3a,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,649c94f4-517b-4a1b-8e96-3d69a9fe8bb6,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7421e6c7-c8d4-4019-aaa8-aadd177815cb,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efd31c6a-8a61-4f92-bc43-5d69dc063f79,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aea61532-a855-47ef-bb0e-cab2b00fd2bf,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f42b95b6-3080-4d2c-a241-34767790d7fc,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80574306-4a7e-43a8-aebf-0e593fe7bcea,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e47e731-d368-4bf7-9be1-d45d1a8a1697,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf17182-ca59-494f-9672-64bbfbdf970e,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8865672d-289f-47eb-8b21-8b274f1bf69f,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb044081-81fc-4b84-bee9-dd1f376e0658,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c685921-5067-4975-a82e-d0f21fb30fbe,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01ca2b6c-a101-45b5-804c-f748fe88e3f1,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20fb0fb-1f3c-45ca-9fbf-bfca0a45af72,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6cd67f2-2136-495d-97bc-9eee8fbdb9a6,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a8c0ed1-8264-4503-b27b-7539b7ddc7b1,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65a7ee41-708c-4672-af39-188477a3dd9d,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b762e52d-e662-49cd-a718-3b57e82d9f8f,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71956bf1-5444-4581-ac1d-e93eb321183e,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8dcca-024e-4523-b5f3-a1395c3ebae0,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c8dcc4d-f17e-461d-b3ef-7320aa85e429,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,38daa2cc-1780-403a-9204-1bcbe073fdec,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fd6466e-eb45-4346-ba31-34b45ff93d8a,"4/16/2021, 9:02:00.120 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f85d68f0-bd96-456a-a0d9-33ed96f364b8,"4/16/2021, 9:00:51.667 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4be680fa-ce8c-48be-bcbe-3064a27097f4,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,85ac9e94-4d88-462e-b864-4244fdfec10f,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4488 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6b66b723-af8e-4394-82b7-d801dfceb19e,"4/16/2021, 9:00:51.667 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,770df027-6a4e-4a06-8ae5-22d09a0e37c0,"4/16/2021, 9:00:51.667 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11228 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b35f742d-baa0-4aee-b860-77bf0a915152,"4/16/2021, 9:00:51.667 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2f005e-3071-477e-bb56-9842dec605fc,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,698d2045-83eb-4da9-8045-928df0e31f1c,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57a0fee8-4ad8-4c7b-92df-402fd9165a43,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31533279-3016-4078-9e3f-d482da374bea,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f9fd5ef-f933-4bf7-b7f0-57d9e47660d2,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e67b80-82b8-4f70-a1e3-cd0bda71b5d9,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,553097c8-340f-43e0-9089-39130d36af4d,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f155fb9-6bab-4f73-b4ed-768eacb90ad7,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3cad9da-e18e-4d3d-8c67-801a260133ff,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,313e8a04-84db-4086-8242-e9eb083b6309,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5f7b814-4392-4ad4-8d2a-66e1c099b82a,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,128f48b4-e14a-4f92-b704-3bff4aef8d75,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46ff2cd7-d85a-4621-8150-1159b412a423,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b689339e-784e-46fa-ac81-646785b8322e,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,289db7b5-9038-4893-aa64-dd11ef175fb0,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7b2efd-d636-4e61-9afe-996d3cc6902f,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ACC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b228a225-435e-427d-bf44-2531bc167a84,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baf643ff-bf7b-421c-9ac7-530e92dfec06,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd9a977c-946c-47e8-af67-e0073527e6cb,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d11d73c1-e355-429c-851c-908fafc4620d,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6046c364-0d8b-4c1c-8af5-2702ed114195,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09ea1c6f-fa41-4810-bba2-d80c9699624d,"4/16/2021, 
9:02:16.124 AM",,,,,NTLM,, +\AAHZ,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd6d7913-8d23-40e9-8ceb-5c7debd31538,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3708d0ac-9957-4751-bbf8-b1c2d4be4394,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2dda8b5-2a37-4564-af3f-5554cfed79f0,"4/16/2021, 9:02:16.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62f829a-a46a-4f4f-8ef5-8e590ba628e7,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a3d53e-50b8-450d-9399-5204793c4f88,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be802997-edaa-45aa-b683-a04fa423b3a2,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a177ebc-b110-4a34-9766-3b43f7706572,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a8a341-4ff5-4860-9ace-a6fa7ceb7c56,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09dda073-bf83-4ef2-8639-06e4a2f60443,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,888c0079-92db-448a-b458-54fb6c1cec46,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a92758-db86-4a84-ba2d-eef430991e61,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,254d21eb-ed5d-48c1-8545-bd7aff0d20d4,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2856c4ec-c961-4396-b4e4-90431ebf7e0b,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d88ef259-294b-4e4e-a0c7-5da3d7296b25,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41752a7e-e83e-415a-8034-699c56b13098,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8dbdd8b1-5c2a-4a7a-b416-c369afc476b6,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bab6d93-a2f6-4d89-ac04-7a6ffe5e9aaa,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882502fc-d7c1-4cbf-8f8e-9f8545fe0981,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44879d62-fd8e-4177-9a42-7b689b2f4ebf,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20957cc1-7b6a-4541-902a-a916efb083a9,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8882d1dc-406a-4fec-8294-66333ce772d2,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d76979ed-7ae0-4126-972e-21adcc5f96cf,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9726c268-a0f0-4c13-aca6-29855672e551,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,745ca89c-2c8c-4185-84b2-7f62a36794b7,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb4b635f-5ed9-4650-bc1f-b588a01d7e25,"4/16/2021, 9:00:53.120 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + UNKNOWN + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + C:\ProgramData\Microsoft\Crypto\Keys\34917ebd2ccab6c02f40bc8086bac7d7_64407fac-9a41-4e9b-928b-8e63ee96a551 + %%2458 + 0x0 +",5058,5058 - Key file operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,cc4955fd-a05d-47cb-8b65-ca90b8325ea2,"4/16/2021, 9:02:23.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,414099ee-500b-44e4-ab00-9e5f241cc0b8,"4/16/2021, 9:02:23.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,eafec628-c842-40d1-9e77-7e5fa8c4b597,"4/16/2021, 9:02:23.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 3192 + 2021-03-26T16:13:26.213487000Z + Microsoft Software Key Storage Provider + RSA + 8ede8545-bfd0-4f12-bcc3-10d7f268b736 + %%2499 + %%2464 + 0x0 +",5059,5059 - Key migration 
operation.,5503048d-aae9-48b7-bda5-46b931ec9ed1,987f6b35-7c88-4a7b-aa65-d16810be8e67,"4/16/2021, 9:02:23.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0ba0be7d-19dd-44bc-9ff3-6c0f20cd8526,"4/16/2021, 9:02:23.863 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4608333f-c163-479e-805d-b09b565b2815,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,470c3728-2617-42bb-82b3-5eb617011264,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb9f27e6-cf35-4e00-ae70-4600d4a3cb77,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0985ec4d-073c-46ef-82dc-e925ab4dbcfe,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,983bbbe1-fc37-491e-95a7-ee756f34da33,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ff9dbc-e003-4552-b338-4656ef5716ec,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\GUEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35cd0ee0-68ae-438f-882c-7e9433647d12,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ec5119-45ff-4d19-ac0e-dad21bcf7aaa,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a442af-e179-45a9-97fd-332b3fb095ab,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d8fb743-64ba-4a4d-9db6-ad63bd4753dd,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe87eb71-5df5-4b2f-969f-1c009be062fd,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cb9fa5a-7700-4c5e-a34c-31d365a0adbc,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd427595-d3d7-4cbe-a6a9-c584fa055eb0,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a899c23d-5521-448d-8166-76924e709bb7,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32fc9406-a833-4d29-9c1b-a64f3d8d448a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb1114d2-6b88-441f-adf1-e2463ec92299,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ebb583b-0a4d-4b51-b536-d68b73a7155a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2943d350-b853-4cba-8447-634a030a8a2f,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a57e09d0-800e-4f17-85a2-e4457df5a947,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea022c42-dad8-47a8-9eee-306ca3159109,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9184f65-85c6-4ee3-b327-3e875d08ef00,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,507dba93-3da1-4348-b3ec-0de95df558e2,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,105b2f8c-5fb5-41bc-adac-5805abd77e35,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef82ad30-8057-4f36-a00e-ea50486ce459,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a625881-6d3c-4796-9eee-0f2868790129,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33865403-460b-4683-a62d-b81cc2ff9f5a,"4/16/2021, 9:02:59.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6708 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a055af1f-8f8e-4799-8147-2592b6453ab3,"4/16/2021, 9:00:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6996 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b6f3e68b-23d9-4fa3-9e2a-4c2c954613d8,"4/16/2021, 9:00:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3ad04785-31fa-477b-bbe7-5ca3d618de4a,"4/16/2021, 9:00:52.736 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,a46463b4-de09-46de-b79d-12ba0519cffe,"4/16/2021, 9:00:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1bee9c79-3df3-43e3-9b12-cc646d63ce89,"4/16/2021, 9:00:52.736 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9e21fc1a-440b-4671-ac5d-53c7d8b7defd,"4/16/2021, 9:00:52.736 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,16e3c459-bd58-4a8e-9993-9dfecb689c96,"4/16/2021, 9:03:01.062 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,fe80b7fa-0bdb-4e01-b05d-6aa5f2d23dac,"4/16/2021, 9:03:01.062 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,41f3dacd-90d8-4e55-aba4-082f8af13a9a,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6b86221f-7d48-4c50-8498-bac5564ec0d8,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c99842c5-1c02-4d34-8183-849a7cc7ea74,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6f18 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,1d9b144c-ffc9-40c2-8418-604601201769,"4/16/2021, 9:03:01.062 AM",,,,,,0x6f18, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Backup Operators + Builtin + S-1-5-32-551 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x6f18 + C:\Windows\System32\svchost.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,d6cef970-c4ce-424f-9a62-4dbec0cca35a,"4/16/2021, 9:03:01.062 AM",,,,,,0x6f18, +NT 
AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,c47ab2c1-2248-4be1-be5f-3d4a4a675840,"4/16/2021, 9:03:01.062 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,ae9d60a2-bd1c-4d9e-b764-ffc29b8e2352,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,bcfef0e0-3c8a-47c9-a3a8-919771c4d660,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,447d3174-324e-46e7-b557-86672f20d892,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,3b45c0b9-f093-4107-88ad-5555b9c0cf5f,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ce18dbff-efcb-4a32-962d-66c2bd325871,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,027f54c1-14a0-46b1-9b2c-49e16ac06004,"4/16/2021, 9:03:01.062 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,0b31dee3-5401-43d7-802a-7c8aab820390,7f617566-3542-439b-8129-823aa6fbddd0,"4/16/2021, 9:03:01.062 
AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,0b31dee3-5401-43d7-802a-7c8aab820390,fa23d664-6795-41a1-8cd1-2b12536e6e6f,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,61c917aa-cfd2-4eb0-b529-3e75e4685346,"4/16/2021, 9:03:01.062 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4a833cbd-da9f-43c6-90b5-249ba460066d,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6ce7497c-f804-459d-bc66-f328a4134943,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4247e79a-0212-4ce7-9961-9e091d708ec1,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,09424212-f1c1-43b9-89f1-af9d3aec9665,"4/16/2021, 9:03:01.062 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,457fcd48-6493-4144-aa01-323ac497187d,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3d50be15-911f-4c5b-b06d-ad7497112847,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2d6dbb36-c3c6-4748-9066-26cc7c7530ee,"4/16/2021, 9:03:01.062 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cfe22b13-7a82-443f-b325-e2d313ae05a6,"4/16/2021, 9:03:01.062 AM",,,,,,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b2fb675-1ea0-43f5-9fcb-72aeb6cb5c57,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8464092-bd61-4c52-bba9-7880e0515e3d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8268c88-5a73-4134-9e78-ba92814d3973,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e592f08a-8856-4c64-8836-e6121e1c8e38,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8339a34-7438-47f4-8a88-23aeb9957972,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecc963f2-56f2-498c-a46e-0dc9564c99aa,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,985f243d-8306-45a9-8261-d90594c780d9,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd7443f8-3a63-46e3-889e-b889bcb4f384,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee83bcbb-85fd-4316-8864-e0bbe4ec17ad,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52c24833-4840-4f4c-bf82-869b6e50971d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54b9f0f4-25b3-46e6-941a-f9ef11006b84,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ded1116-b48e-434e-984d-29950c1edafc,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3bf6223-f590-4d62-abf2-a35e12ff702d,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbb3e5ee-e5f6-48ec-a405-7117d5e87b50,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\ACUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0160a4f2-681f-417b-8282-e4fa19e88527,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3d00add-8fca-4329-ba9e-3d76ff834e70,"4/16/2021, 9:00:57.658 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,302c6ce4-9c15-44cc-83a3-814f56a8c18a,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b164fc3e-7c57-4882-9ca2-059d5c312154,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,00133fe9-a0c4-4190-80ad-345b5f861918,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\AAUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d661015b-cac7-436d-bd6f-1b36cca22b38,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e5fde6d-73ba-41b1-89f4-becc93f3cc4c,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ad1267b-9d07-40bb-97af-41e4bd182e3e,"4/16/2021, 9:00:57.658 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,77c01f33-3dac-494a-8fa1-50d58655b696,"4/16/2021, 9:03:04.578 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7256 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + 
O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b6ea5d47-b15c-41e7-b887-8fa89d7aea46,"4/16/2021, 9:03:04.578 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,43de88d3-ad38-43dd-849e-3d0e552e4f5e,"4/16/2021, 9:03:04.578 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26e10da5-005a-4f50-985a-5bb9c264190d,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bc93af5-5cbe-44a5-a7cc-d73d056cd0ee,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,81dc1aae-a660-4cc0-abd6-d2697d011aa4,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4068916-c4a1-4a8e-9325-39fe3bc9c9a6,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,286a47dc-7cb5-4a7a-a14b-24a4485306a2,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc090be7-3acc-4300-a045-22a2a617c4f5,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30bad612-e4db-4135-b74d-95fea9f17640,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b82a5d-0c0a-433a-997f-ff31cb4ed335,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cd77520-7d84-4e2b-bf00-43fc1a090c1f,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7dec02-3e18-4880-914d-28a1fc944df7,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6b9a8f2-d981-4a5d-86b1-9fe83b858074,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59d256a4-ca99-47a2-a82e-7656f3482297,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,352d8ff6-89ec-490f-b5cb-5baf16a937ea,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24f22200-0123-4447-99ad-fba050b935f7,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc505787-d3f4-4727-9aef-c23e8b86a1fb,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18b3a9a3-8fe6-43da-a6fa-c3887e39a271,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\TPV1,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3133c00-86da-4f73-8e50-944798ae09a9,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcabfbd-3ea4-4eb2-a4dd-e35f9acbd557,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97bfae20-9bc7-415d-bc5b-6a8698f88df4,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,031fe6b9-dbb3-428a-8fc1-e25994d9dd40,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3f90a69-9bda-4008-9e20-de50e2434f06,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,535db6f8-6c7c-4b7c-a32b-7bf59cb2d1eb,"4/16/2021, 9:01:01.121 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbbb9560-25b9-47b0-9ba0-90692c9fda49,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb26ef02-2653-4885-ba12-fd2ae1c5ba78,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80871969-decc-49d9-bb89-8a1cb4b39313,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9db6d7c-b8b4-4352-a679-efed783e5ebb,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdea92b5-34cf-45a6-98fd-8928fc9947c8,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,377d6978-c098-4f32-b4b8-6a4157e30ddf,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91acc39e-8407-4750-b58a-61d4c7897fe1,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,120cc28d-deef-4842-af25-0d16cb853593,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfd52700-4901-47cf-8af7-ce1c3c49e571,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\BACKUP,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4dbf717-6b87-400e-b3e5-795e2bc87620,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b8b517e-18a7-4370-9854-7f98e2a3f557,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74425df3-053c-4afa-adcc-b3b7cae47888,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a08572c-8d06-49fc-be14-9ac724ae6fd7,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f5feefe-c655-48be-b57f-fb69dfd3b023,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc1db56-896c-48ba-8e29-59e3b79847d4,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa534f27-ebff-4d6a-b0ef-d5c66536fa40,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db220f82-77ae-418f-b27c-26df21f4404d,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b944e54e-e98e-4f5c-8384-59b97a26daca,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e78270b-a116-4abb-bfeb-7bbb16164564,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9204beb0-aa36-4827-bb13-003cc69308c1,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\MAGIX,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919be1aa-527c-41bd-a1b0-89e456dad773,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01b7f600-b7ff-4110-88bf-aee040865b63,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8153ec9-94cd-4508-9d8d-ae54e5090388,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,692197f6-da31-4387-ba9e-81e7f754ba52,"4/16/2021, 9:03:12.118 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26adf04f-a5da-4fc1-81b8-a718a50c3c5e,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,12ee7663-6481-4ed3-94c0-3f77c9ebbeec,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fed4c430-46a7-44d2-b3b2-4591b92e8a76,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cc03a5fd-5ddd-4915-80de-0e6a53ae7471,"4/16/2021, 9:03:36.057 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2616496b-8bc5-46e2-b3a6-63548573696f,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,69628ec6-1d2f-46db-8143-775f4ffc2061,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7bd8846c-9b77-4c22-92c6-5909aeb89efc,"4/16/2021, 9:03:36.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c452d39c-8ac3-4a57-9a15-771e9b829eec,"4/16/2021, 9:03:36.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + 
(Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5492 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,20a67607-97ac-4bbb-ad64-72121569904f,"4/16/2021, 9:03:52.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4980 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,3851b2d5-7306-460e-a6b3-5dafe93857f6,"4/16/2021, 9:03:52.859 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b1078e6d-b276-49ac-aa7d-983792f69304,"4/16/2021, 9:03:52.859 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7a49a436-baed-45b5-98c4-e4263b17c43a,"4/16/2021, 9:03:52.859 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,53010f32-2d0e-468d-8d9d-075b5e1852cb,"4/16/2021, 9:03:52.859 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,e799adee-8b24-48ee-9f0c-d57173834374,"4/16/2021, 9:03:52.859 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,659e9e82-899f-47c9-bf76-42e3091646e6,"4/16/2021, 9:01:09.865 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,2d861f27-7bd6-4577-aa32-253637a38994,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2560 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fd2fd183-7774-4aa3-987d-fa32653e6090,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6984 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,84c1686a-b3fa-4da6-9ff1-0762f6258c2b,"4/16/2021, 9:01:09.865 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ac2e792f-a6b9-4e23-b2c8-96c9d1e36fef,"4/16/2021, 9:01:09.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6028 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5517d5bc-437a-452b-bb62-4f550a47e2a4,"4/16/2021, 9:04:06.724 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc91c404-87c9-4ba6-b50c-d951dd4896c2,"4/16/2021, 9:04:06.724 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z 
+ 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b11e19e7-5ae4-406d-9a39-e34fcb1b9e91,"4/16/2021, 9:04:06.724 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e24c22b3-1a4f-4d7a-9585-2fc2a96078b4,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb76ac64-7bdb-4c91-9b3b-2f215e4de312,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f0ec3d5-01c3-4f81-b1cf-bd7ffe8bbce1,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\SSH,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30b87e7b-106f-4346-bc26-64343373ba1d,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4d43aaa-ea2b-4bb7-9999-23dd7894b4bb,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4e286d6-3791-41d6-ac80-f12c83b6af22,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae224d03-025c-43a9-aa87-17a5b773c4dd,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c75df29-515a-4da1-a619-7775ebd49c65,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2578289-6cc9-4c2b-814c-9cb087811626,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89409cec-2073-489f-82a7-f4ba468732c0,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\PJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e749ead8-d95f-4d47-a27a-b0171dfc8c0d,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\EYO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3325962e-783f-4737-b02f-911f2689c021,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13065052-ffc5-4088-9f49-7955a0ae0ab9,"4/16/2021, 9:01:09.663 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08a5ce99-25f5-418b-92ae-c49d3b856ef1,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,105513c8-697d-44e0-bb5d-88e91ad95159,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a7fb23b-dabd-46ff-8c23-abf432a19264,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6ec1e20-eac7-4855-bea2-26faf79415c5,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d02cc4c-cd7b-49c7-9820-9632ca948fdc,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77d6707c-8665-410a-aee1-3f00cb8dd683,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4eae12c4-a8f9-4bea-814e-d69f822a6e06,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4d09eff-6978-4038-b15c-76f18127f807,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,317697b2-2cb9-46d7-9081-43cf1d6a6b30,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6be269d-3e2c-4c4c-9ec2-71bc7d7a73de,"4/16/2021, 9:01:09.663 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,47bb5893-d5bf-4174-8066-3d80bdc10e66,"4/16/2021, 9:04:08.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,ca9425da-f512-4f91-a090-6f11165d217c,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bf347fd7-3eff-464b-97ba-f60f8feca348,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3a68bf83-5170-4a22-9a24-48fdde619fc3,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,7d50eb9c-071e-4f46-848b-88e7b2bfb50e,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,70de5afa-2f32-4d74-899f-e1c4f4c26940,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f7e2b4a7-4659-428d-8f07-5feb78809a84,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f17b318f-dc06-4c35-a0c4-693502b15408,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,caae4daf-8366-4101-9c05-e8fdf5310fd2,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8e2445b0-e5a8-45a8-862b-4f4442b16fa5,"4/16/2021, 9:04:08.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d0190917-90a7-47a6-8c9c-238cadc8798e,"4/16/2021, 9:04:08.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7e2700c0-407d-4167-9db4-a3f68a1de0fa,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,102dcdf4-b366-4e85-8981-e781c142bc5c,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e401aa37-5c4a-4e0f-9125-100cc41b0639,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07c3da91-18c1-4013-825e-bdaf88536dce,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,2126c725-723a-4a32-b53b-65187baf8294,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e7d0abf5-beea-42a6-95ef-68826435e8d6,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e989af91-e2c2-49d1-a213-723f0bca80de,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,14a6f38f-014f-4bfb-9ccc-57e889d18bbc,"4/16/2021, 9:01:16.098 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ee3a2a56-9a05-4fe5-a24f-dca1cd076e1e,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,163d2e02-2328-4691-affc-f9075135494c,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a9bf5248-b8ee-40dd-9e0f-78575f609abc,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7de0506a-fa2d-43bc-8f8b-a2247d6d7f2f,"4/16/2021, 9:01:16.098 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a1b83424-7f96-4d0c-9f02-15ac707ac2a2,"4/16/2021, 9:01:16.098 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,82e6fedb-0976-4589-8e5e-40e0efea4a71,"4/16/2021, 9:01:16.098 AM",,,,,,0x854, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3a20aec9-9c1c-4a45-9311-0c8045a97fd2,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3dacbed7-7849-4e79-8673-b13658034715,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 12812 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 4907DF27D7E70A824E8BD9BCDF3B222C3D8FB687A9986541432520AE204173FE + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.18362.1049 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fff1757d-a145-4051-b760-1412f8a99cee,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\LOCAL 
SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 4360 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3445d795-9ed1-41f9-b6cc-b232cea7f90c,"4/16/2021, 9:01:20.863 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,3c8a1a71-cbe8-46a4-979e-623b4265b4e3,"4/16/2021, 9:01:20.863 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c71f1739-afcd-4664-94d3-6dcaa749878c,"4/16/2021, 9:01:20.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 4640 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to 
run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b262b01b-85bb-4a00-995d-a03d5ca10387,"4/16/2021, 9:01:20.863 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a77a7ea-ffa2-42d1-95be-2ff7b96b62bc,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eb7a6a8a-3332-4abe-8392-92f2ab3f9386,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64ca9d75-e5ff-4254-adc1-c24bb2cde974,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,28b2cdcf-c1b7-40aa-bb14-d2a579960c3d,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbfb45c0-45d1-46f5-8401-2777c48a1b54,"4/16/2021, 9:04:21.675 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a19d323-f991-4159-830f-4f47febe230b,"4/16/2021, 9:04:21.675 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb508615-60fd-4a52-9c17-5bd789436f47,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fffa9e6-72fc-42fc-9170-ea57f185a94d,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d8f5b93-235f-4276-a48f-901462932fe9,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df91197c-d337-4284-b8f4-ec59bddb0bf9,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8d7404e-e40d-44b4-83a8-bee7053f6ab1,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52ebe1b8-b946-4c6d-9a55-58d25d8e7c9e,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cb7b505-29f4-4c9a-80e6-b1abd3740775,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7394c745-23b7-4b22-9418-33931c82f073,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7a58edd-498b-44bd-8d67-84514b4652bf,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9538e8ea-9a0d-42db-bc2f-84add78daee7,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,85e6d417-e3fc-4c5d-8669-1ae75f2e2d4b,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,077f0d40-5e24-4509-a566-862c81081d88,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f2dd6260-2828-4546-87d4-a3d2ce27210b,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f7c35f8-b61f-4f00-bdf0-024643730a11,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4a8cf7c-e4ac-44d7-8292-745b3cbd3d8a,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa8a71d8-c9cd-4254-98e9-91fdb49887d4,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0d41c7e-7d4c-4e07-90ad-aed2de185375,"4/16/2021, 9:04:21.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e43c5772-3158-4a55-b9a4-d68363c6ea1e,"4/16/2021, 
9:04:21.675 AM",,,,,NTLM,, +\SERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08a1c0ef-fec4-4b34-b268-cbd9929a27f0,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef4db33f-b474-4ace-aca4-c79934150a76,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c871b201-2375-4a08-b62b-f9ed16320f1f,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eba47ea2-ad50-4ba7-bb66-aa90b3170dd1,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,400e4da3-14f6-45ea-bde4-a4c6f779c1f4,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42f0fa81-026c-44b5-b5b2-680342ccbbac,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb7c626d-0c8c-4c03-9a4e-28c95f0cbb81,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d729631-4ddb-4156-a39f-a4197f37ac15,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, 
+\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5194e468-c22f-4631-8711-2f130e881250,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,236bf545-d5c6-4758-aaa2-ee92083342b1,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,183f43bd-e7b8-4fdb-a6df-9b9140aba35c,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f3545bd-bc75-41c7-9432-d50d1e8c0470,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f30ff7b9-0445-49bf-b653-bff9129e0c3a,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,39835f43-74ef-40db-bc16-768fe1651edb,"4/16/2021, 9:01:22.124 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,048bd090-5a27-447a-beb1-fdadaac9c221,"4/16/2021, 9:01:22.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1c6a106-c289-4e92-ad24-1be0ff629922,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8800 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b4c9cf0-b27c-46dc-912a-bcc561eba936,"4/16/2021, 9:01:22.124 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9092 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f7ad67b-f221-48f5-83a8-4c0433b53919,"4/16/2021, 9:01:22.124 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,712b8ed9-7cd1-4bb6-bcf1-cfdc91fb513f,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ecb01fa-4e2c-4ebd-806d-a823d9b5d761,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ff5a8f9-77fa-4cdf-9cff-86cdcddd6788,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,960c1ad0-32d9-4980-b4ea-69b159a0678e,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0474b16f-b8d9-407a-8f84-74931a79c627,"4/16/2021, 9:01:22.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7736 + 73 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\MOMPERFSNAPSHOTHELPER.EXE + 32 + E9EA37CA32AC25AAE3D798E42BB986FA63B54A87F03472E30A4F1AC2626B5BC7 + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT MONITORING AGENT\MOMPERFSNAPSHOTHELPER.EXE\10.20.18053.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ffc429e5-09e1-4d9d-a259-5518edc6865c,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4720 + 28 + %SYSTEM32%\WBEM\WMIAPSRV.EXE + 32 + 98A2CC07E5F2C0CA555F4ACA46556611B42FDA3BDD1F108E52E02FCB22E7B40E + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIAPSRV.EXE\10.0.14393.2515 + 0x3e7 + +",8002,8002 - A process was allowed to 
run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,4846f1fb-e2d7-47cd-89cc-e2b37116ef0e,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,14560dbc-30fb-47a2-8c52-0e389da4ce6e,"4/16/2021, 9:04:23.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13292 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,63f974a4-e1d6-4adb-ad18-a577ec239b3c,"4/16/2021, 9:04:23.270 AM",,,,,,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 6960 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT 
EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,e19ef685-2df1-46ca-addb-c347f0f73c14,"4/16/2021, 9:04:23.270 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,7640a30a-40c8-4e75-bd8a-f96e57a307e0,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,27bdf465-2b18-460f-9a1c-cdba5aac53e7,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3660 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c33d1b4-ca7d-46b0-a4c8-f7d96e5cf046,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4a618946-47de-453c-b2f4-c0ed32070cbf,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has 
been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4cf7ce30-92df-42ea-9c98-f77c585672c3,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3891cb36-05e5-4cd8-8a0f-b7f71e0c7973,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 484 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b9258b2f-e65d-4992-97a4-aafc2ede82da,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7928 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b8e10d71-e9a8-4eeb-bdd8-7344d6d35bee,"4/16/2021, 9:01:26.572 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f48fd675-a925-47ea-8f0c-d1328035330c,"4/16/2021, 9:01:26.572 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1172 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dc3e450f-b408-4cac-8a17-7f666c2dd637,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,db25ef34-b78b-4ea9-80e7-68d443e10df0,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3c9ce5ca-d209-4f43-a0f1-8d4e56b6105f,"4/16/2021, 9:04:36.486 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,36fac12c-83d3-4869-86f1-593a6403ba6b,"4/16/2021, 9:04:36.486 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3808 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f699292a-761e-49a6-bf1a-f99cb9c776c3,"4/16/2021, 9:04:36.486 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ccb7a098-db2d-4212-b62c-33854b59bd96,"4/16/2021, 9:04:36.486 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5448e815-8f2e-45ec-9839-abf2bff6b16e,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9c86e6da-d9e3-4f17-8c5e-8ffab433ab63,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, 
+,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0b29ad02-062d-4b56-9bf4-5d4853042aa5,"4/16/2021, 9:04:36.486 AM",,,,,,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ce2dbd84-0fab-4113-9e82-bcc56e70d82b,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\OVB,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b4c63ee1-468d-4c0c-a6a6-72e97ab11b2b,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ea2a7d82-dd31-4ff3-b8f4-4101dc3f9484,"4/16/2021, 9:04:36.486 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5065f8f-33bb-4e95-877a-21b2958108aa,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bcb32f9-343c-4fe8-a338-6a9f5bebb056,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a034bb13-d336-40bd-8ae6-f0165cd676c9,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9387d9eb-acc8-443f-be8a-a40b8a3ec3a4,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a314f4bf-ddc8-41d6-9369-8a8990996674,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,954135f6-3941-4b67-98b4-688ea01555ab,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd0c555b-14a9-4c2a-a37a-ff44a4ee9465,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b6ee9ac-2856-4941-8007-a39c0925e6ac,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e936f55-c84a-43e1-acf6-934b6bad5f37,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0c4dc27-a2e7-49cb-8b22-0f00e1bdd37f,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69f02cbc-9f31-4f34-95b9-4433e8f123a5,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32ab500-8603-45e4-9336-4de11c36ae27,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50709909-c0e8-4990-8f5b-241614d84753,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ded87d98-f30a-47f3-b63b-f4c1a8971c62,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1cf68e0-a0ac-4a7b-9350-6cd7694c6f4e,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d18b325-1f06-468b-ad07-d06f92490241,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17ea9d8b-cf55-49a5-b870-42fe4232b300,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,385edb10-e410-4490-96d5-e8a80a3e6469,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96555968-d549-4030-b0bc-dac604c90a6f,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d44d8cc-278c-4503-933f-7507c3447555,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46b50a88-a920-402f-acf3-19344f1beb0e,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d124ffa-9a2d-422c-9079-a95dc5879a5d,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93f5b8e2-35ce-4559-a3b9-16a5da985203,"4/16/2021, 9:01:28.118 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7867393a-3b64-480a-a861-ef76f2ebaa06,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2ad2f354-17f7-41fc-8f41-044334f6c330,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77746d05-f274-4c2d-98e2-ef5e20a54fcd,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9f6e2234-841c-494c-bec5-b8385af2fd13,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8c8a6cf7-4e1c-4f94-88b7-69afcf9813d3,"4/16/2021, 9:04:43.066 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa82c71a-229a-4ae0-b681-e70d0d261da5,"4/16/2021, 9:04:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,fc4e93c3-5a0c-44ee-bfc9-429ece0e82e5,"4/16/2021, 9:04:43.066 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,1d07729f-66f0-46bc-a12f-8751009f2e81,"4/16/2021, 9:04:43.066 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3cb5835-421f-4798-bd4b-b18418602f70,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54514706-e965-477c-966a-4d20d6c7ed5e,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a78fd2b6-3f98-435b-9baa-bd110788dfbc,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54455091-bc50-48b7-b170-8cefd0082e74,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b273e10-390d-43fe-8fb4-3aeee142fd53,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,add3512d-b0b3-4fe7-8221-289f9c2c8cf7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\CUSTOMERSERVICE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87a1782-90eb-4a52-9f71-6a92ccfea271,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24251332-9b6e-4d41-959a-717f11474b68,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0bee55-d0a0-4cff-a081-d757732d3abf,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ae38cc-d7b6-44ca-b534-2535cc19190f,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9483084-ee67-477b-93d6-36941c78939e,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac0f510-73dd-4c4f-8ec1-997daedbdfef,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02a5ea85-9afc-4426-96f9-0ee64c5672e7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a56d822e-8d63-47f4-b28e-db8900822a9d,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2e50db3-2fb2-4445-abfe-1014a4ccf5bf,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5b9e18a-7448-4c3e-8c08-4efbeb5fd063,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f6c749dd-b78e-45df-97ed-345c74c16845,"4/16/2021, 9:01:32.188 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01cd8da5-783d-4c55-9a81-daf56698848f,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c112162-9629-44c6-af9e-1dfba7b226cc,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8e69199-6e50-4abd-82f4-c48405a94762,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a95f44de-1306-41cd-b6a2-5c262301fad0,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0ce74d6-5142-4fc2-b72e-33ab927797b7,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26073faf-2bc0-4359-bea2-148d47b0bd8a,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49f8066c-1205-42f1-9865-846cefa6d989,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1b4a26f-bf08-4968-8a10-134766562182,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9fa450a7-d6e9-44b9-9422-6c64890f009b,"4/16/2021, 9:01:32.188 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,27d77c8f-1578-4b75-a3f0-8c7c96853f8f,"4/16/2021, 9:04:44.865 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14500 + 70 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSEIR.EXE + 32 + 0A66182851BB6684883823A7F8BCF017BB30C761FB3241CC2CB0CAA19FA8E6FE + 122 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSEIR.EXE\10.7411.17763.1697 + 0x3e7 + 72 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3f222d51-f72a-4359-a9fc-f1d1a3767ebc,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10108 + 
22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,94f7ef3d-73af-414f-adcc-0f6220e4acd6,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11192 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,698f1680-4772-4228-b4d5-78a885844250,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7140 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e65db4d-a3be-40df-ba34-90275527f420,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and 
DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11392 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,c2e510e3-a368-4cb4-b72d-cb9cdd2dfa61,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5132 + 53 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CSC.EXE + 32 + 93CB38075CB505D501DE5D71B27AC877FCA882165EAC47CE236CCD00DEC982A0 + 100 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CSC.EXE\4.7.3190.00 + 0x3e7 + 55 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,93d18eb3-17c0-4c88-9cd3-a426c8b37cca,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8020 + 56 + %WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE + 32 + DD01CFD8B16DBBBE45FE684F384AC9FDB0B7FC46A78E3330354FCB71F2DAC98B + 105 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® .NET FRAMEWORK\CVTRES.EXE\12.0.52519.00 + 0x3e7 + 58 + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,a0695066-544e-485e-a53c-8f4208ac63c0,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2180 + 18 + %SYSTEM32%\NET.EXE + 32 + 2D16BF609CB22E6F923D76098B47F619FE2CEF93E28961810069C30ACAF789B8 + 113 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NET.EXE\10.0.17763.01 + 0x3e7 + 27 + C:\windows\system32\net.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,436a63f0-0dc2-41eb-984e-4d93444bf1e0,"4/16/2021, 9:04:47.100 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6212 + 19 + %SYSTEM32%\NET1.EXE + 32 + 6204A84B2E0F6EFBEFD50D51756EF7C92889EB91E2C5FBC705B898030A55D35B + 114 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NET1.EXE\10.0.17763.01 + 0x3e7 + 28 + C:\windows\system32\net1.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,551d2982-2121-4107-8d75-71f525e2204e,"4/16/2021, 9:04:47.100 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9802441-e179-4d26-9b82-2a380de3ce72,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\WEBADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25af53ea-ca5b-43b2-8f8b-d00d89a91d6f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ebf5ec63-e829-4f2f-888a-594aae4b13ec,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,240f7389-4d60-451d-ad3c-e0e3e1e26776,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77db91da-1bbc-4c51-baf9-135c68abe2b2,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84b972c3-8120-4ca8-ba98-2a163c74232b,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a720f59-e344-4738-bd45-4bd8e3509e57,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,384d7d4c-81a6-41fd-a41f-6aa2a9ce227d,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7a9fc04-c8f1-4163-b48f-3a96c3cbd7a7,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa1b94c3-50d6-4664-819f-a56dc7c30163,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31b8116a-832c-4c79-872e-e1047fda7f76,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b672c96-2dfe-47d8-af54-1616f0660d3a,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2ad37442-62a0-4f42-a0d2-8ce7edce5a51,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bbdbdee5-e65d-4b37-a939-3c3dcee6eb98,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb3512cc-aea0-446c-8f3c-9dbe186c43e0,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b17f593d-28b8-4223-9510-16a55e5fc37c,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5aaebc82-022e-4581-b107-a35da2ada03f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,881bead5-a1de-4a5b-a35b-036cf1633f15,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd27a797-44b4-4e85-a913-c9073984cec6,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b1a353a-d6d8-402d-8f6c-e9d9d33b98a1,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52531bf4-d792-4873-9f3e-8e844f4e3f43,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ae70b1e-66e1-4cc5-88a3-6e445748833f,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50da4ae5-a6f8-4de0-aa86-a691bc0fd68d,"4/16/2021, 9:01:37.665 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7056 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,24ec5aa7-ffb0-44e0-a721-c6da7ecf88d3,"4/16/2021, 9:04:52.732 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6520 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1238c9f1-fb3f-44b7-9654-04071eedd6c4,"4/16/2021, 9:04:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5a321c5c-2213-4d0a-9111-9d67dfb5a1d3,"4/16/2021, 9:04:52.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9a156e44-554f-4373-a752-895053363252,"4/16/2021, 9:04:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0de73c39-305e-4745-a0fc-ccbd3cc24f72,"4/16/2021, 9:04:52.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4724b8b7-60d9-4b01-a820-7a28d1cc8393,"4/16/2021, 9:04:52.732 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,945a6c7c-bad9-434a-acef-48b97e732138,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\WEBADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaf8d442-957c-4343-b989-2e9e27029729,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419dd0ba-41b4-4b54-8dcb-a40f0a889595,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd82412f-0659-4a4e-b748-56c29ac9fe65,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46308b99-67af-47d1-997c-df3d4e02a1c0,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,852033aa-b77d-427e-87d9-9851928dd535,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42d695af-1cb2-44db-8116-5b32ab0f5d67,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c466b9f-af8f-4c3e-bb19-bc1abf8a706b,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c5b3416-9e6e-40bc-ae4b-f7188fad2dcd,"4/16/2021, 
9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25280472-717f-4726-9e1b-20633aa1d266,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0be1ee1-273f-4dee-b962-1c4803a7fd21,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e383acf6-8d98-42ed-b7c8-71ace7492ae2,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b801fdf6-ee35-4bc8-9fb0-5e33876b0d97,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdbf51b-85e1-453e-ad31-c69411651025,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fbc2bfb-ac1e-4866-9851-f1305383335d,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5412d07-88a2-49e5-be48-d83e2dddf769,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79fe0f8f-910d-4101-ba13-c821b6e8d256,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,536dfb0d-6403-4ed1-81f6-ee7f2bea576f,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06843047-f32c-4e5a-824b-17edb89960b1,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b36f24a-ff52-47d1-8f54-f8c069331592,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b35db10-5fde-428b-af0b-308429482675,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,262b17f7-6db7-494f-88b7-2aa97fc2c9cf,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96cf14e6-2ad7-418c-97ea-216ba06225fe,"4/16/2021, 9:01:41.160 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,098bf008-485d-47db-857d-a5fc7a5fe7bc,"4/16/2021, 9:05:03.671 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a496048-c314-4f93-a141-561e58816890,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13150f0b-7bc7-4057-ad82-b9afde3ef624,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9536e795-d31f-4408-8a3e-7e710644f3b0,"4/16/2021, 9:05:03.671 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ac027d0-7e62-4660-9fac-658b3fc0d654,"4/16/2021, 9:05:03.671 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b24da77-02e0-4ac9-b4b1-228834c56227,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b74786f-30f7-4b26-97d0-1b529192aeed,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\DAVID,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f75437e6-cb95-413e-8b89-fa17497ee30b,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,47919a9b-d97c-44d2-964d-e40aaae617a7,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a4c480e-9f61-4b3d-a7d8-13057bc44432,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, 
+\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aca628ac-9c08-4ff3-a8e2-064cab0bf546,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ebf70e-19db-426e-b5cc-455b5e90830f,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b8e383f-d463-4a4c-b8b0-03ec262b3fd2,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6047d950-9890-4315-ae5d-b57be989aeff,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4079378c-3e55-46e4-817a-da2c32fae1fb,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,514f9106-b481-48b6-88e5-ad71d4225079,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a214ac2c-6639-4f99-b838-c0421006ced0,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1a9fe4f-d743-4207-ac07-216e41705254,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\UJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e4657a1-1e32-4c3b-95ab-dbf98a05e74d,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6adf43df-6889-4773-9c34-57c6c9605563,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\QJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,724b4b7b-59b6-4fa8-9fe7-62c289d6b983,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b992a43-a054-4cb7-9182-4b2e029b4b4f,"4/16/2021, 9:05:03.671 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95876a75-0c41-468b-84f1-627ee2f6919d,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45449d47-0e72-4aec-babc-6054353f8eca,"4/16/2021, 9:05:03.671 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6112 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ed4ffbf7-678e-4b17-8c9c-469d3f239404,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6256 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,951e2cd4-b609-42f9-b01c-ebde6376eb3e,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,30c48202-f468-45b5-86f6-8a9373e9c53a,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,74ececc0-41ef-4891-bb74-e7053ca5d364,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4932 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,61ab9d1f-ff67-4be0-86a7-db4bd6586dd0,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3220 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,920c2214-d346-4b81-a2b8-715abdc0d6c2,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4893d702-98a8-455b-ace5-e46467742d8e,"4/16/2021, 9:01:46.732 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4e816cc-7b64-4e26-9c7c-fa34438b27fc,"4/16/2021, 9:01:46.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ecf8f722-5af3-4668-ac8a-3e3b3e191e45,"4/16/2021, 9:01:46.732 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bf12a48e-67aa-44eb-86cf-fe7488c8533a,"4/16/2021, 9:01:46.732 AM",,,,,,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,af29ac01-b52d-4b74-92db-1b4b19eeee1f,"4/16/2021, 9:01:46.732 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6940 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1681b3d1-579a-4956-906d-d2e3b93c9d47,"4/16/2021, 9:01:46.732 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,430adbb0-c447-42d0-9af7-454ec716d1c2,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50a7ecb1-4de0-41d8-bd6b-91fc63279d06,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98b2ccab-9392-4c37-af08-8e024cd8b92c,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c98ec7d6-e662-4dc8-b8b6-a0d7f77938dc,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6943f585-7941-447c-97c5-d8a9b1ea8391,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f6de72a-5274-4209-aa91-8f5614b345fa,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57839a76-fb8a-4daa-aa09-a3a2b072f396,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0764a30-d842-471b-8160-0146bf0bcd1b,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85750969-de24-413f-b2f9-83fa3a0e61a7,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61bc4ac4-e424-4570-8292-981c8978b942,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74c01dbd-7f3e-4ea6-8b56-e15eea2895ba,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7e2f6b3-defe-4011-a1a4-2fbd16ff568f,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1930659c-f87b-4cd2-93c7-ff10d142d22f,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31c5bf81-ebd8-4623-81e2-eae3b3bb5a38,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9fc328a-bca3-4a2d-8f42-ec9942b123e1,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d07ab99-2ce5-4b07-90be-4d2c99b28e63,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9d1b10-794d-4498-bc92-f82b6ec8952c,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3701afec-f428-4f81-8345-e08f8c93dbf8,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,160729ef-ba8b-4e44-8e7f-5988fe5c806e,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4864809c-f296-45a3-bade-cfc7acc71ea8,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16ee00d8-8996-490f-a8a8-2f919dc5c788,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b81b05df-f0a7-43c0-b530-a82b360a5fec,"4/16/2021, 9:05:05.131 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,0b31dee3-5401-43d7-802a-7c8aab820390,4450a4fe-8b00-400d-9ffe-40a8f1378fd9,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,b3ab6744-2585-4c3d-bf51-dd54c30c0f77,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,2e6918f3-0e3c-4228-8c30-ade338f0e469,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + 
C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,0dafd692-899e-4ba9-9f21-886587fd2fe9,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + cris + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1001 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,488d40f8-616b-4661-968d-098bab65dea0,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-503 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,c2de69b9-ab7b-455a-9a39-bb86cf0bfb18,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-501 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,bd867945-01c4-4471-824e-95f892b40046,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,e719de28-e20e-4c9d-b0b8-c60829b0442b,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + sarahf + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-1000 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,e8c057a1-73c1-4592-a69a-3660c95d90db,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-504 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x78f8 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,55ddec21-58e0-4e2b-af98-e21e78d12f94,"4/16/2021, 9:01:47.057 AM",,,,,,0x78f8, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x854 + C:\WindowsAzure\Packages\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,5c3c9a12-968c-4601-b5c9-3df75ee9baed,"4/16/2021, 9:01:47.057 AM",,,,,,0x854, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + juliango + VictimPC2 + S-1-5-21-217498627-1229392085-2738327920-500 + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,0b31dee3-5401-43d7-802a-7c8aab820390,05c66b1a-d47e-490f-9917-4764b8a91757,"4/16/2021, 9:01:47.057 AM",,,,,,0x0, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,e57d0de7-e44d-4ae1-b1e4-c6f52dc82f46,"4/16/2021, 9:01:47.057 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,b137cf53-f610-4e2a-bf96-d3b6d3900afb,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa2c042a-6588-45e2-86c7-5242299aa236,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6f407f1e-55bb-4368-87b9-944436c4ddf4,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5caa41e4-d895-4c59-8bd1-4be4d3416124,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,20a00745-98e1-4c52-acd7-cda102b554d7,"4/16/2021, 9:01:47.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4e22126b-089b-4add-932f-fefe889624c3,"4/16/2021, 9:01:47.057 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,2e7cafdd-e17a-4023-986a-a973eea2dda9,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bfddda78-cd61-4389-b970-b9ad74098362,"4/16/2021, 9:01:47.057 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16ecf2db-5aa7-43cd-a224-7571aaca3c06,"4/16/2021, 9:01:47.057 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6384 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, 
L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,9080cefd-d878-41de-8205-81b94794b0a1,"4/16/2021, 9:05:08.716 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3564 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c077a18f-60f2-4b66-a526-59d50269d3a4,"4/16/2021, 9:01:50.280 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2332 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,ea6bd1eb-b37c-4da8-95da-98e35a6dd034,"4/16/2021, 9:01:50.280 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68bfed01-0951-40a3-8e75-e84dfd3f1d75,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9e7cc680-faf3-4eaa-ba94-b72094e7802f,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04212805-c645-4784-a31f-32375dd263c5,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f19542ba-b6ed-4989-ab08-640b67650c76,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f739b9ae-af05-418b-a53c-0e7b0598d142,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5185b908-6489-418d-85c3-bf55fc05ef01,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2cf1bd0-0061-4928-9d3d-a4f3e3fb54b5,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6417d7d1-97af-46fe-818d-84c5b52bbc0a,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a054ef6f-6862-4023-9a4a-9cd1f9265e8e,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b7c08a2-ecd6-4443-a256-9a1959ed8de7,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61e3ce09-6c37-43e5-892a-23f9e7c90c9a,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f953054c-47e5-4360-97b2-157ef41b149d,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1728aed8-7604-4c31-82b4-b27edd56f573,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,046fb918-6628-45b8-9d99-1fd15bee43fe,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1c2646d-5fa6-43bb-9b80-cbf92a2bb47c,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e626bfba-bb41-4711-b454-02e726f979ae,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb6d7d32-16aa-46c7-9740-c869d29c7577,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b9d2f59c-b24b-4437-b8c4-d284e82f9404,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de5cbfc8-637f-4a4b-bf47-2d1f34fd9e97,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a954b026-14f9-4e31-973e-19687da72912,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae9a5ea1-d43f-413f-ae16-0d0eadf576e3,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68d28228-532a-40af-9c20-160956235db3,"4/16/2021, 9:05:41.119 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5376 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,38018413-e33e-4052-9d7f-b8d850a13db6,"4/16/2021, 9:05:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE 
and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8084 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a4ce7b2f-8e83-415c-bee3-9342ceed52af,"4/16/2021, 9:05:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fcb3b34c-2842-4d25-b279-f8a0bf61bf56,"4/16/2021, 9:05:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93710aa6-bd0f-4a6d-b681-a9a0ff450b42,"4/16/2021, 9:05:41.411 AM",,,,,,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,436197b3-2430-47be-8dc7-a4db94620267,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,63587ae3-ce64-4620-b58d-4734e06e2a14,"4/16/2021, 9:05:41.411 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2a9457be-3f69-488a-9078-a6c88feb0012,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\GUEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bae23409-2977-429b-ac0d-52c3eee69af9,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d6f7166-a4af-4679-bc6b-21413c80e6e2,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6453899-f523-4de4-8cd6-13d7c990183b,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\SCANNER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0d3ebfa8-0138-4e5d-9dd2-f18a01b8a73f,"4/16/2021, 9:05:41.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02a1d7c3-73e1-4f24-b1f3-42f23f6a5fc3,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62c55dc9-97a5-4575-9f11-268201a8fc12,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\VOICEMAIL,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d91014d7-cffc-4227-b78d-90af8fb0c8b9,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc7ba756-9994-49b6-aa1a-4c0fd8f33487,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,459fec78-81b7-4e2a-a1b0-27c8f9ff7234,"4/16/2021, 9:01:53.120 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49b91330-7028-4055-8b42-3794c5236227,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c98394cf-c338-4f66-9991-2213dce23da4,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0099b90d-6f9e-462d-8b0c-ce44682761dd,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4493dfb-d4f6-4a25-a983-564db03b62bd,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9470fabe-5928-41f7-9fe3-c21bbfe2c0ab,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e353114c-5f6f-4e25-8a17-160965e1ad48,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4edd340-e594-4923-a018-6333eab9386c,"4/16/2021, 9:01:53.120 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,386a534c-1f1f-4465-ba6d-57cc69097b53,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7528 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7878d13-3209-462c-9606-6ce05b448a96,"4/16/2021, 9:01:53.120 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,987d1d4a-f3f6-4835-b5b4-98cbca76a53e,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5fcaa96d-91b5-44fd-aef8-23699eb513b2,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1049f0f2-cbf8-47f4-a0b2-aac34817c254,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6af29054-838f-4d11-a1e3-6e6f425ff436,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfbb9339-6fff-4e45-89da-bc416efb6ca5,"4/16/2021, 9:01:53.120 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9a8fe7f-aef8-4e28-b5f6-82e4f3bf1e3a,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bfc1ff8-2ab1-4784-af96-5622d1ec4fe5,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e64542-0ec6-45c1-ba24-662b33be2b08,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e223745-7534-477e-979d-2eb0c196b8b9,"4/16/2021, 9:01:53.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1ae734a-2d7f-4e94-822c-745a5097062e,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d71f6ca-36b2-4e6f-bb10-d26993eb3868,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30884853-96d3-491c-b58e-0b209eaef5f6,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f65fd96c-2af4-41b2-a036-93a8b49219b7,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dbda0fdf-3d8a-4f8f-b701-ee8bc6d0cbf8,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc4294e1-1ce3-45ba-b1fa-4b625dadad37,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5ca64fd-1613-494a-89fe-8f0653264a85,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31c11271-1b0d-4da7-a2a2-df2f67fce177,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed180d1f-8156-4d03-9723-a4b086427ab7,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47ecfdb4-52c8-427b-94b2-f35a2ed77211,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,683fcb33-7662-4917-b511-20f5d866e2b9,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16b2d3b3-69b2-4c04-ba95-d474c19c142a,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bf500fa-e812-45f1-9537-e71d57f86759,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f879a4ba-b5e7-4ad8-a791-7fd52662cb62,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,091e2937-586a-441d-ab3e-acd6a83703b1,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2fa437a-0f92-4543-acb6-82cae77f40bd,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e3b8afc-b71c-416f-badd-4408cd9f6fd9,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5533dad-e96f-4345-b354-6e6b9042ecda,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f67f7db7-3498-49b3-94b3-500ee602ffc2,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99bf820c-4a02-4c3b-8af5-adc085a3ef32,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1eeb3201-2091-49dc-a565-d6df966d6a78,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2b6fabb-f7fa-4bfa-845e-d42d001439fb,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1f85943-fc24-4b25-a22c-5456f1c69cb8,"4/16/2021, 9:05:54.124 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4924 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a9ae7e91-0dbc-4a15-8b5a-6d297d17bdf7,"4/16/2021, 9:01:55.997 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14284 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A 
process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,969a3dcc-35b1-40a4-a9f2-ea403702e3b5,"4/16/2021, 9:01:55.997 AM",,,,,,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4899d96b-4829-4a20-b704-8e66f6307bd3,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c205059e-3651-4873-8169-dff1d8958d6d,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8fdba5d-b6fa-4f4c-b9fe-fcec8a90ed85,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\CJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b258b6e3-6b93-412a-81c4-2c5e378bf84b,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a87d8aba-59c4-4252-9170-d4ec19abefd4,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71fcaaf4-23ec-4f5a-8d95-1e8ec0e76f03,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d95fceb-41c4-4fa8-8899-896b1aee7bbc,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a78cc50b-2bac-4c44-8241-c892af7942e7,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9cc1403-562d-4174-aab4-c0503f800f50,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8aec85c-f67e-4560-817b-d22f59accbfc,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1f63426-3245-46fe-bb33-36277846e590,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,849f5c18-9a52-4766-8a7b-5b23b845f8ff,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06973aea-efdd-41dc-bf33-8393f63b1949,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95cacb54-8eac-4a3a-b4d5-f9f399a1cffe,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40b0d896-0f09-40cf-8b4d-9814a20ff52e,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe1466f6-a857-49e2-a5cf-585888aee142,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6092af7-8d91-42a1-9290-d64350380038,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5446ca36-8420-4a43-9795-887b7274c106,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2114c7f7-1ade-4e64-9c2f-912f8cb9b77e,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4648b4c-9ff5-4ca9-ba3f-1ec3421e8dc7,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35aedc17-5a78-43d9-bab5-827dfc63cec8,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b0089ff-cfdf-4f1b-af59-79f2a9cc1a19,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc7e5e02-a8d3-4e15-9773-0d1b28f290c8,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\PLF55,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af993869-6b4e-4874-afd4-5936d91aee82,"4/16/2021, 9:06:28.676 
AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,69622ef8-95a1-40c7-a594-9d7fdf302962,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40fbc8d4-1ded-4c35-a637-55ee40468038,"4/16/2021, 9:06:28.676 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d26366f1-8d3c-4adf-a5bc-9d928e7e269b,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc080112-23e9-42b0-a676-416039d67a8c,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a39d2940-f456-4755-9298-62c771a7e21d,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cb96144-ec5e-4417-aecf-6c58a90081e4,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18eb43c6-b987-4199-918a-187bfdefca00,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c569aa34-5217-4dfb-8039-078a68c8647f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e95852ba-39cc-4257-a7de-4582d08620b6,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53242230-a393-4b2f-832a-b241520346b3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c34edd01-ea56-4753-8a65-0c26e0980329,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec9ab403-aa93-4532-bd0f-8b6160e0dea1,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6b99442-0ad0-4eb2-acc1-e472c215204f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88e2ad28-9c4f-46c7-8ae0-92b5b2a4b96c,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d594a98-06e9-441c-9c1f-0fb273f4cce5,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10cb12b2-ba3b-41bd-8fb2-c81b0d5367a3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9de9c0f0-e56d-47ab-8284-06b76a304a71,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f015b6e6-a049-47a5-94ff-72266b2f5e83,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,643a48bf-e59c-435f-ba8f-bffa5a3846b7,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d2178c-e048-4a46-8e8e-b680f5a11b66,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7e47b61-058c-4ba5-9224-889087aaac8a,"4/16/2021, 9:06:48.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2916 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,41502da5-21b7-48ec-81c9-baeea8d7d669,300700ff-a6e1-4d05-93bb-3e7522500538,"4/16/2021, 9:06:48.121 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8560 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f118eb2-b631-4dd0-b353-4633abf1a16c,"4/16/2021, 9:06:48.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79073eed-a478-43df-a275-7529ec59bcb3,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc5a14a0-f5d6-427d-be9b-44e12212cbbe,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd433a52-1459-4436-87de-93206e632d6f,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cc0cd3e-5ff5-450c-8e33-a0107d1add1e,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 
- A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5464a17c-6c8b-4788-a616-af7f81b1db60,"4/16/2021, 9:06:48.121 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e34b9f37-9033-4fcb-ba18-eb26decf9f35,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19d35d92-32f2-4508-8bae-111ea7f1bef8,"4/16/2021, 9:06:48.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55541fb8-582d-4756-8f41-13a304bda2a2,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,962f8297-4fc0-4597-ae09-4fd1abfbe685,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,058f5163-d200-41cc-9ba3-dc9e70c35a76,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac3be0da-b1c1-4f13-afd4-3cca92e6799b,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a16872b2-34db-4ef3-a67e-fe6e9548d1c4,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaf4dd13-1b48-4374-a15b-bfe5a06bc2c0,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19a3346a-79c6-4717-8422-1589209af684,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b7e2393-48d9-4cff-8e31-c3b045b7f995,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48df2a30-0ef0-490e-8cd4-c919eb10de1c,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d019f727-5570-45cf-83c3-995a88bdbf37,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cda9f12b-1aa9-492b-85c4-a229b829d269,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,217b3541-755d-4e73-990c-1c67fcdd85ba,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,767784a0-3edc-441f-9fbf-dbd4e3653910,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8eafd8e2-76a7-4895-a779-a2c8b949e801,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b6b8a7d-afbc-4de3-9cc9-109238d9406b,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,855fb5cf-169a-481d-bafd-19c98c541213,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a1678d6-92b8-438c-bef2-073ca391351d,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f508cf5b-14fd-4c14-a233-aac43a7232d8,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66f7331-372b-42d3-a90c-f318e9a2a0da,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9057becd-aa7f-4f7c-80b1-cf4e74085d93,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d720fd-ea6a-49ae-8c66-9eae1e7974fb,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a5ae7e-c265-47e9-adb7-b2d82ca56c73,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d7ff15a-3a69-4809-8c69-a49a367d3b85,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d106571-f471-4acb-87fb-b7812e2b9cfc,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adc8d79d-d0f2-4b30-aa7f-c9629e724435,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60079aab-c516-4291-9a9f-0943b7e34118,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,102d706b-61c1-4399-9322-eaff0f660df5,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0cdcbd9-c97d-4366-b592-94673c26a282,"4/16/2021, 9:06:56.121 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,661a900a-2618-4762-82bc-e9406e884264,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32e2174d-a006-42a9-826f-1c0901070b25,"4/16/2021, 
9:01:58.430 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1d338a3-badf-452e-84e5-63fe04db374d,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9af54199-2662-4476-b6f3-bd2421fa8946,"4/16/2021, 9:01:58.430 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11576 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4d7a9716-72cb-45e6-8c43-1eaf136ec221,"4/16/2021, 9:07:42.866 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5e084668-e1d3-4b76-88f9-b84ff11a858d,"4/16/2021, 9:07:42.866 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,21a2279a-088d-4809-9147-0e85b530b851,"4/16/2021, 9:07:42.866 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11252 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,df077334-adc8-4b35-9baf-659d6eb74cee,"4/16/2021, 9:02:03.701 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,504f1ec3-63da-4392-9ba3-a89cd2eeaf2d,"4/16/2021, 9:02:03.601 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9316 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,0a857fd9-cb81-4547-afaf-9d53efef0a9b,"4/16/2021, 9:02:03.601 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 
+",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b1295493-b9eb-4a71-8310-001a771c2d32,"4/16/2021, 9:02:03.601 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8dc63805-228d-4be8-9304-359e6f2452ea,"4/16/2021, 9:02:03.601 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8e1d5ba2-32d1-430c-ae69-b5035b423266,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f930b3f8-201f-47f3-9d8c-bac0e8201319,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a37b91db-8402-4b14-8d4d-7fca757bee1f,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db90cdc4-e0c9-4c8d-8be9-eb6107f71ea9,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcffe67b-d1e1-4dd4-b48b-404047182ef1,"4/16/2021, 9:02:07.695 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1da1b4f-0b63-41b2-9e4b-984ba41f4ea4,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16065b35-78c7-4087-a332-ea6fa830faa2,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df5e353b-b678-4afe-835f-b2ff665f2aa0,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc0d5aad-018a-4c0f-983b-0bb0f259f714,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96a0d8a6-1f9e-4973-811d-95c1b45b79f4,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,89bc9861-8a5d-494e-9052-039f51476501,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa14bfa7-2ba4-4885-8f62-547b3568655a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a33ef981-f31d-423d-a847-266333734a6a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc99e3cb-a179-4474-8694-eef064068d0a,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,722f06dd-1f8d-4654-b34b-7db8e5b4a8b1,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2a82979-b229-4dd0-bd2c-edcdeb11a30b,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,373cf1bb-f45c-48f8-aeb1-da98c86ce5e0,"4/16/2021, 9:02:07.695 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,77bcf586-f084-40ee-bb22-cde28fcb37b5,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9997b313-3ff3-418d-89dc-f3af9c7fdb78,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,93e8582f-5a21-45cb-b7d8-9762f8a306e3,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7df56abb-0ced-4ac4-935a-494d7fafbe40,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,65b03334-63db-4048-908c-2f3c58717503,"4/16/2021, 9:02:07.695 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9362702-06b9-4bc6-bac6-b97ab31a5712,"4/16/2021, 9:02:07.695 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a705a87a-7ba3-4c2f-97b7-afe459b102d1,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a2a15dd-fbcc-40cb-8a45-14ef66d7d1ae,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aafacba-d4dc-40f5-ae62-246602749b03,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b56b893-a647-4edf-84ce-42457755489a,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4fc9454-007d-4862-b91a-942564b2fadb,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a5b0ffe-042f-49cf-a6d7-c07602603cb0,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc4982e2-daf3-44c9-b61e-df2ff38d0d50,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2018f4b1-22f8-45a3-8f99-8bd75e7cc133,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9eeb48f0-995b-46b3-a16f-d15194460d15,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d75247cb-dbe3-4712-a9f4-35d89b3377f6,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c121d21-e402-4054-9188-af4f958aedb7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,504ab00c-603b-4bc2-84df-c1ae87579986,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd5fe9d9-e9bf-43d1-9de3-691ef1557356,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abd38422-7cec-4d20-92a8-8d1e5d8950e7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc6d1d68-19dc-4e5f-96d2-2f46625d83f7,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c400739-9bae-4aca-b8b1-536209c880ef,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97e661dd-ab5e-49ea-b2b1-cb4961b3957f,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2556e9fe-602d-4c42-8583-8ef09bbfee30,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6227ca6-bea9-41e9-b205-f1d76d795603,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,322dfe92-aeb4-424d-a86b-c4c738b872a0,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1436221-4e6d-4928-8022-88e9e04dd6ae,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12de04e6-0f52-4459-a825-bd983d19b090,"4/16/2021, 9:02:08.116 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,185745b0-c765-47cc-abad-9e0e647e42b4,"4/16/2021, 9:02:09.867 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,5b573928-1442-4090-ba16-34a6ec554867,"4/16/2021, 9:02:09.867 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6724 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7764d5f7-478d-4520-b12f-9cf14320a812,"4/16/2021, 9:02:09.867 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5340 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6b196b54-8c88-4de2-9353-ba5454d11e58,"4/16/2021, 9:02:09.867 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b437fd7e-e60f-4877-b6ae-c54ea50beff3,"4/16/2021, 9:02:09.867 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d305759d-0d13-423c-add5-bee99e172cbc,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a32a86-295e-42bd-85cd-afc5bb16eb61,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f290ce2-a509-4232-afe3-40145206e250,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e607da67-9be5-4e2a-81cd-4e28320e375b,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4880ac9-8c9b-4659-9788-6534fb631acc,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea10abde-de56-4c8d-8add-ea64367dae05,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,636f5665-0022-43d4-bfcc-5fc805e6070c,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4296f53a-3282-4c79-b561-d7a77c10a6d2,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b55b073-b327-47e0-b42f-e92c4e65e96e,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f47e07f7-4f95-405d-ac61-ad1fa9d4dc58,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ceedf04-d89e-4834-b5f3-ae9efb202cd1,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77882849-36d4-4dc1-985f-75d508880e99,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cbf5d54-3c9c-445c-9055-eccdce731020,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,040b3571-c599-46da-8fe5-9bcb011119fd,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,547ab0bb-374c-4813-bca8-64ec1dcb3874,"4/16/2021, 9:02:21.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5436601a-af0c-468b-aaca-e605b1d70b15,"4/16/2021, 9:02:21.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 760 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,96c5e513-0b12-4d16-8926-5c4db315c9da,"4/16/2021, 9:02:21.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3716 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b78ee6d-7571-420b-8331-21d0b03c938b,"4/16/2021, 9:02:21.116 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efcde993-d5c3-491d-a452-3c3412501a4d,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4c66410-242f-4a4d-8f35-7b615e6a7f50,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,748dcf5f-d6c4-4917-9020-41ea7a3d4d63,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da699aa9-4cfb-4a59-8787-4edfa6f87c5a,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\PJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0c4366a-2ed0-4043-be43-e507f30017e8,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f99152bc-0078-4bd6-9413-9d00183c781c,"4/16/2021, 9:02:21.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11216 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,071642ff-99a2-4c28-9ae1-bbc9f88013fa,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10876 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,69805080-6773-4cb9-afb2-8b850ec3b19b,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10544 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7420b376-409d-4548-ae3f-654963e440b8,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6100 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac288908-4fe2-4aec-80e9-a95a6353d263,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,db8f38d2-77a6-446d-a063-cf929ac8a7e5,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e72b9c13-c3e9-4ead-8f10-f646c4f02e2b,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e7327ba-65d8-457a-9ae5-98b4efa1a083,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bba55c3c-ef31-416c-8cff-2c5bf6f5f04c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5c5fcec2-761d-44be-8430-cb08ce56177d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6fb7d4c1-f249-4228-a1f2-cd447f6a631d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1656dbe3-8932-4164-bc27-d48e32c4f1a1,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a1ba0c70-813d-4d74-bdf0-0d33acb5972c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,ee6bb66e-b284-4c6b-a5e2-c16aa5ae00e1,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,a18563d3-50c0-4e91-b989-7adb9fb9aca2,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5e1dfa84-72fd-40bf-84c5-dc2ae9f6b5ff,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,349e2027-d1e0-47da-9e4d-14bd74de8a9a,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,0aa6878a-9256-472f-9bbc-cd8428a99c9e,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,4e65c387-9b04-48bb-94ff-7bfc6297607a,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,f00457f5-eb6c-47aa-b9d3-9056b9d01598,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd5aee1b-d98b-4fb9-81b7-1fd7b42e099c,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,82956b85-fb80-4635-9b9b-55d1f90a6b0b,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,736c9bd3-2672-42a2-a3f9-f5b3b613536d,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,6472e750-ea6a-48ec-a2ee-4c0cbd4eea6e,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,8e0e4026-40d5-4e7d-953c-155628e10453,"4/16/2021, 9:02:21.585 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,1aaaa091-47d7-4b69-9c89-ab29131de3dc,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9804a783-5e61-4faf-af54-898b49269d01,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,530b7306-6237-4d1c-a20b-fa3edacde52e,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{14fa800d-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcd1e71a-6211-4f10-b460-de4e72999bc4,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,5eb614d2-4a34-4d1a-b2cb-4dabf2461b87,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,f6638b82-98a5-4542-8bec-6bc0977f793f,d2e779af-67de-49de-a693-e06a78262075,"4/16/2021, 9:02:21.585 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\VICTIMPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,546a1fc5-f21c-42d9-9ee3-4a72c13359bd,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d5dc6af-f346-43ba-be03-67c297f6a950,"4/16/2021, 9:02:21.585 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,3098d4b7-84ca-4b05-b80d-129c1aaeeaab,"4/16/2021, 9:02:21.585 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,c2a615a4-6a41-4656-8421-463c5f9d6181,"4/16/2021, 9:02:21.585 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0ddf4452-f5ec-4d93-b394-a1e2504ff4cc,"4/16/2021, 9:02:21.585 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VictimPC2$ + WORKGROUP + 0x3e4 + 
\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-19T18:45:50Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> 
<ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> +",4702,4702 - A scheduled task was updated.,0b31dee3-5401-43d7-802a-7c8aab820390,a6561fdc-ac82-4eb5-831d-6a38a98931f8,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,04e52ddb-2545-4238-beb4-6bbe7b00e63d,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b29dfa7c-9f6b-4bac-9e31-b7144f620a23,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e918280c-8090-422b-bfaa-49e1e4819e35,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,03d518f1-cf0e-47dd-aef3-fa123d3c955a,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aacdc136-771d-4b0c-8daf-44cba06bbf24,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,cddd7d0f-b572-48ea-8e68-97eb0a7e30a2,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53220167-7932-4b27-a975-2efde42733e1,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0e84819c-865f-4db0-890b-a4b37b907bc5,"4/16/2021, 9:02:23.056 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77bcc3e2-91f1-4e6a-ac1c-71bc994ca925,"4/16/2021, 9:02:23.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,d167d8b2-ad84-47bb-9175-3b40d9e13efd,"4/16/2021, 9:02:23.056 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4740613a-8408-4015-87f6-b6fbcf995fe2,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,d8c0c63a-a7cd-48e8-9c39-2b15c201c17d,"4/16/2021, 9:02:23.056 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,fe9609f5-168d-4ae5-a2a9-d94c86833020,"4/16/2021, 9:02:23.056 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,003cd05b-13bc-4934-b338-f8d458dfa7ed,"4/16/2021, 9:02:23.666 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a83baa6d-412e-4c69-99ab-a9b8dd1e05ce,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,007c96df-2d4d-4571-9d0b-9f2cdd86386a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1a0dadf-2a09-4ada-939c-b30e95bbc7e9,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2a7b0ea-83a6-4e62-8365-56cb51a502c7,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7c89c00-7ba0-41d6-bdf9-a60ec0f42ccb,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75aae9fd-b4cd-4e28-ae6a-48d7f23257dd,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2044ac64-8c00-423c-81f3-ae8c71cd2b1b,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dc01a6a-8a64-4512-8f79-22a87bea8c6a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ad542a0-02f5-41ec-999b-10131d88c2ce,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4123610c-3f4a-4808-b535-858be8a60868,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e11442ec-e69a-474e-be8b-f2b2eb89b095,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53a7e6b0-354f-44b0-803d-bdcde99e6d97,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67ee0596-90d5-45ad-8d73-71a4fd430a4b,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4057cf24-e158-4f94-94af-a4c3f6f6e629,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bd5f1667-c964-4c28-b5ce-99aaa1a7859a,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfb18355-8dc6-4cae-85e8-c962961b82dd,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20dd0927-5763-4ccf-8a91-a1fbf5b9ff07,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf450941-6ab1-4a98-967a-22c3151da163,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64492cec-6753-4caf-b621-3b8471096644,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4047327b-d8a3-477e-a920-c460a521b806,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c01a84e9-88e6-4114-90d0-79874f4772a9,"4/16/2021, 9:02:23.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b20ae806-6193-422b-ba9b-c6d3d9afde3e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ef9a718-ca4e-49b5-b1f5-ac3fd5be1846,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71ee2c84-2682-45b8-9f32-931b99b915e8,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cd0195-9c04-4249-8aaf-1eddb34e6d07,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3014a512-3e84-4d8f-83b5-696cff151d7d,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0755d1b-ca86-4d40-8113-28262468715d,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e82a08b6-15cf-44d7-9e21-6d9283c8ac41,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f37fbebb-b127-4cef-af16-222a8c51fbce,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d2b22ba-f4b3-4b67-b4f4-4fd3a4b29b74,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1c5d8a4-e032-4fb9-8bab-5f8e2e4d14fa,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9c88c9d-ef01-4163-acf7-48af710181a0,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6527f4d-a97f-44bc-9fa6-fc1e92dd677f,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a94a9b99-bb2f-4bee-a2bb-512ac64bc82b,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa060145-4758-4a4b-a971-4c876fb6c5b4,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97c569b5-250c-47e1-a751-00ec7066ca87,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eafad48b-682c-4d7b-aba9-72e6d8819423,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6db63b46-7580-4fea-9d03-80c94b98549e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4df9acfe-61e2-4258-9aaa-c60634ea8901,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd493370-ef11-4e55-bee5-1321c5b41513,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40549f80-b516-43cb-884e-49867222b2a3,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d3343f-7ee9-4104-ab3a-fc9a6e5ccee1,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc4e2ffe-94f2-49f0-859d-dddd683150d3,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27edf471-8217-4bfc-b2d4-6763421af95b,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ce9d9a2-770f-4dd0-ab3c-690d1d418f4e,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1e09b12-b113-42bf-8c12-ceffde1febb4,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1695296-e4d8-4995-870c-29d6b2bf0570,"4/16/2021, 9:02:30.117 AM",,,,,NTLM,, +CONTOSO\SamiraA,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-21-1661583231-2311428937-3957907789-1103 + 6700 + 52 + %PROGRAMFILES%\MICROSOFT\EDGE\APPLICATION\MSEDGE.EXE + 32 + 1B66B6FF0E061B988938C66FE3AC87B2BD86CBD2554D9EA703B2F5B5D7C47AF7 + 92 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE\MSEDGE.EXE\89.0.774.57 + 0xbe79b17 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f3a9e40f-e31d-495e-bc3c-16ca9df746a9,"4/16/2021, 
9:02:31.267 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5664 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3b933aba-42bd-4273-87c1-9a106f71639f,"4/16/2021, 9:02:31.267 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9418f3c5-6e37-4ece-8c13-82a219cc50aa,"4/16/2021, 9:02:31.267 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ad7c7a1-4e97-4767-9443-9072d1e3339d,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,84623b66-f004-421c-aa85-a6e0441118fa,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d7d4609-6305-439c-b29b-b77b4997aeb4,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b4e0d4a-afd6-443e-9c62-e41bbb93ac83,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0cc261a6-930c-4949-a86a-f85ca2b298f9,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,381aaa42-90e1-4a16-a5b3-d3f79957d7e2,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b6854b6-8271-422f-a838-06a3740e8ef2,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9d31972-2b9e-4817-962d-f62e36f9b1ec,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,457b7bc5-fdac-4fcf-a18d-4775eab94c18,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9c281bbf-c530-4992-86ce-6944b0cf2e8d,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bda58336-5aa4-4579-a087-0d1736639e62,"4/16/2021, 9:02:36.724 
AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe512cc9-62fe-4a74-907b-995fd5800cbd,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4e63f0d-988c-4492-848d-c3b235af04e1,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9dfa9ede-4bdf-46b1-b1d1-ea88868751e7,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b966b84d-04b6-4d0d-b88b-abb97faf2a38,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9bd3a103-fa04-47cc-a8ca-c9e4fc132fb8,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a187d1a-0fd9-447a-8449-50398dc730f8,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9455bc8f-dca5-4a8c-a157-ec0a6aa5f161,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd075c65-81e0-4a35-95bd-9097fdb8ce11,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,972e52a2-34b6-4728-a2d9-f42b0b70c954,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1b956cc3-ff2f-4002-96d4-581236b4cab7,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ecd38a51-5139-47fa-85ad-5a0ca80da2be,"4/16/2021, 9:02:36.724 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,db2dda93-860d-4e47-90f6-5ab0f5370747,"4/16/2021, 9:02:36.120 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87396eb5-0c0f-4a76-8931-19eb4df648c2,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed43d59-f479-4cfc-87d4-faae68ccc90f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a057d919-c36d-48d0-a6c8-34cf6fee3cf0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad052bbe-17fb-4c4c-9ae3-fc0fa995f177,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49430642-f50c-4a50-bee3-319a7ff45898,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ce31404-df3c-4e60-89dd-4e77bdfa729f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12c88982-fde5-47a0-9ab8-a306607a1991,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99df3cff-e11b-4bb4-af8c-c70d7b566118,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9d646d7-a30f-49bd-9e1e-c6b15961fc15,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74d6679f-1c78-474e-b8a9-bf0d2c5ff1c9,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8de85564-101a-459e-8a08-555d479ac0bf,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2f8a2ff-5c2f-4baf-9cf7-b32764f72aa6,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d10d0111-bf15-4fca-8450-529724e2c54d,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19fec11f-2862-42a2-a3da-794d0dca6d10,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28bf3f4d-8287-40fc-97cc-95df7ec95184,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,587cee86-e7f6-4a54-bb54-c411c1381913,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,20ba8c2a-1be0-470a-ade3-e0ea69dee6ea,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480423f9-d8b6-4193-9b1c-426afb8141e3,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30329f0d-1b41-4dac-9049-d87770bbf3df,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e47d520-4ed5-4e1a-b72f-f01d1f06e706,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,670b36b0-d68d-431e-9a77-215f5ed8301b,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25e79d02-311c-4b5d-b58e-b4baeb0291c0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50bf8b62-2fb1-4481-9d7d-f2c407a0b9be,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0daed6d3-68fb-4e79-a358-9a63a3e6554f,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aab20c3-dbad-463b-9803-3f25a267b2f3,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e94becb-718e-4a3d-b98d-5daa2b8aaea0,"4/16/2021, 9:02:36.120 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a6c43e6c-2174-4ee7-949a-98aca3936b1c,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6c2a70e7-1d00-4320-bbc3-1054747f1917,"4/16/2021, 9:02:38.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7d4b2e6-aee9-41d1-b037-d78074a11a08,"4/16/2021, 9:02:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3896 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7bae9f2f-3980-43e2-bdfb-8a7de053ce02,"4/16/2021, 9:02:38.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6496 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0f645da9-dad0-4354-8c8b-be5e57735146,"4/16/2021, 9:02:38.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2488ec21-6564-42ac-bc52-1b1aa33d49b0,"4/16/2021, 9:02:38.412 AM",,,,,,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3fb85b9d-1a1b-4ac1-8ae3-147015bd162f,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0ab07b2-286f-4277-a0ca-0fa85dad7070,"4/16/2021, 9:02:38.412 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa47c832-b0a2-41d6-a233-d52eb8debde3,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fdf144e-d8e0-4ae4-89e9-873109627419,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83fd5d27-1c62-41aa-a813-b7fdc705cea5,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93f363ca-beee-457a-9082-d2575022cc50,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27603166-1685-40cf-8f55-d414ce85c104,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80f05403-0a92-4171-9642-768e3b06571c,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae4e1b53-2fd0-45cb-b528-d7437944aa11,"4/16/2021, 
9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b60c8c43-094c-46a9-bbaf-1955055e7c8e,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b98655c7-b74c-4519-9fff-d2f01e48b839,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92b5b106-ff33-4d66-9a75-8ba2e7d26f16,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\SERVER2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e7b2b2-e468-451d-bbb3-262285603727,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d3b0a31-bf36-4944-be5e-e70c7e20ca6d,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,586d1c68-451b-4aab-85e5-ef7e3ab385fc,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4867c6ae-1593-4aed-9db5-a4dbb2d58f72,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0bc31d1-6c69-4203-a2d3-a6c2aaf85790,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6721d370-efd9-4933-8fff-9ef58fcec4b0,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,662882a8-5246-48c9-8dd8-236ec62778c8,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92f232c8-ca94-4ffd-a1ab-62aa8fb5d790,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,291ef065-ab21-48c8-94d8-3d6ec2ceb865,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a97178dd-5ee7-4417-8de2-1ae4bc618a90,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0afc5195-92d4-4e50-9e89-db07133bd459,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62b42e7e-0005-46af-88a7-0f69dd62c714,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d7252f7-fba5-49e2-a792-6a9b9e304cc1,"4/16/2021, 9:02:42.115 AM",,,,,NTLM,, 
+CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5f54a8b5-ce6f-4609-badc-281974ab0668,"4/16/2021, 9:02:52.733 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,bd5ad075-751b-4962-8337-49abef9b13de,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7148 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d69b3c6e-f018-4c3f-a300-0428cadc31ff,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7060 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f868adcc-1390-4c25-8da5-c7f217027cf0,"4/16/2021, 9:02:52.733 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,1375db33-ad8e-45b7-b7cb-95060540be07,"4/16/2021, 9:02:52.733 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,d6e4a80c-519c-4209-9fda-4e9cecd4e6ae,"4/16/2021, 9:02:52.733 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10368 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7454dfdc-f53e-4da5-8f04-42936aa9c812,"4/16/2021, 9:02:56.990 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,804f954e-45e2-407d-a242-ae810913c07d,65eb6c93-1e9b-4c99-bdf1-b8a7dd8d72bb,"4/16/2021, 9:02:56.990 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,169167d8-536e-4d29-875b-86e01d4551b8,"4/16/2021, 9:03:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1c0f341a-2a52-482c-b1de-919947be2867,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1400 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6509439a-3043-44ec-8246-8fe06e2438be,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4944 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f410505b-6c46-45c6-bbaa-8d8fa7aa4b6d,"4/16/2021, 9:03:09.870 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1f86248e-189c-49f5-810c-66c52e269f74,"4/16/2021, 9:03:09.870 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6676 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,c35c7721-4dab-4dc5-aa9b-80054c80511b,"4/16/2021, 9:03:09.870 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,61602e82-09b6-4a6a-8b92-c8234c5df28a,"4/16/2021, 9:03:09.870 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e3aeeb2-390a-432b-9499-273b3c290311,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +\SERVER2,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2d0f3c8e-a091-4a68-8306-ed47df686cdc,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, 
+\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b29de4e5-6208-43f2-b878-02be262d2ba7,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ed19416d-1bfc-48f0-9cac-defec1446ccb,"4/16/2021, 9:03:19.412 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7493b7ce-896a-48a7-83a6-aaeeb93115a7,"4/16/2021, 9:03:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4420 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,32ad433e-5dd9-4685-bb27-ac17130de21c,"4/16/2021, 9:03:19.412 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2356 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was 
allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,96c6ac97-de6e-4eda-94d5-974664541cfb,"4/16/2021, 9:03:19.412 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9181bdbe-ccb0-4259-894c-82573a8db97f,"4/16/2021, 9:03:19.412 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,048a1552-dbc9-4652-8070-476f6c132505,"4/16/2021, 9:03:19.412 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,415adf79-22af-4509-af61-1245bb408a38,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10884 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,714d36f4-fa78-40d5-9ad3-fe7f0995b5c2,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9712 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,3d6115ff-58ed-46e4-b017-ed80923b093f,"4/16/2021, 9:03:35.584 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6572 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,837ab5c0-5e8d-4122-a6f4-e545289efb52,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4d9fdb38-0d94-4591-bcd0-68c382063cc4,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c516491c-31b8-4664-b68f-544d7b39a5bc,"4/16/2021, 9:03:35.584 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab4cd6eb-402b-4de3-8773-1b844c49c25d,"4/16/2021, 9:03:38.907 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9152 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,d60c83ff-ecba-4237-a55f-85e71e536602,"4/16/2021, 9:03:38.907 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f48274ac-cf45-491b-bd79-f9053632bb8c,"4/16/2021, 9:03:38.907 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,8ceda610-990a-4229-8dbc-8d10e5168b41,"4/16/2021, 9:03:38.907 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6756 + 75 + %PROGRAMFILES%\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OFFICEC2RCLIENT.EXE + 32 + D2B9200C624C7F5EFBE189BABB1BEE81DE8E700BEE9CA208C826DCA739EF0135 + 108 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE\OFFICEC2RCLIENT.EXE\16.0.13901.20328 + 0x3e7 + 77 + C:\Program Files\Common 
Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4af3db8d-742b-4bb4-873f-2abef5e9e5e9,"4/16/2021, 9:03:38.907 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea4ce78-a74f-4b24-b4f8-ae493bc59e50,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dea82448-7c52-42d8-ac5b-4a1e51316900,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c0de2c0-7ab8-4ca1-8755-f644d1c46e4e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b875cba-631d-4f62-a344-45238e92895e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6c81e85-4fda-4996-99fb-e3c55237bc52,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,475c0094-38d3-42db-a7cc-016e55b48bb9,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11da30d2-0514-4238-af6d-3e8b78207858,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e71040e3-3b41-4b3d-8554-8a4d2b6cc95c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,849fd650-b338-4b18-bfb0-b1b0bb278100,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cb0e6a-4aab-499d-acfa-74b83782fa6b,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97634520-c5a4-4226-be4e-9b88f86e5e97,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a80aea24-0f9e-42d6-bcfc-26b9bc2654fc,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce73b786-07a9-47b2-9c61-88767de7e105,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3270568c-cf5d-45ff-b63d-11a6d925bfa8,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2a99e31-6bb4-44bf-a325-a400d54bc683,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78ae5050-c365-485c-ab4d-3d57bbd869c0,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,892948d0-9a8e-40d9-af2f-3339f7dc382e,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5c68dd5-8a3c-422f-9b45-186b68949c7c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ed679f6-f817-4dd0-846c-4e77531d2752,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545fec79-d1a8-4d54-8131-7d3ddcdc7721,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,350c3000-69da-4629-8cb8-82fa609c02b8,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fa16f2a-82cf-4965-8297-f08da15e6098,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,101cf3ff-9f59-4ec8-aa03-8b16ca124614,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c9ccf1-2553-4b00-a0ad-0995b97a814c,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca4f6884-8639-4fa4-a5bf-21b52d8e8027,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,585cc439-5dbc-4bb3-9af5-17b96e5a2cde,"4/16/2021, 9:03:43.118 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13500 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a613e453-5367-4382-85a8-cc839dafd0ac,"4/16/2021, 9:03:55.995 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8588 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6ef50266-69f0-4758-b665-6375efc0fb06,"4/16/2021, 9:03:55.995 
AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c747a280-870c-4c6a-9b9a-080e5b69b5fb,"4/16/2021, 9:04:00.406 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a9d14da7-06b0-48ca-83ce-b7a9899347db,"4/16/2021, 9:04:00.406 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,528887c4-0a7d-410a-8e93-24d09d14b7e1,"4/16/2021, 9:04:00.406 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4952 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe885358-7518-4bf2-94d8-c4ed9dffe468,"4/16/2021, 9:04:00.406 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07da1f14-1262-4371-a7aa-48f67134f715,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,596e9da4-35ba-4400-892a-93eeef3ce4b6,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d40b5073-5f82-4218-be6d-b22a5980bf7c,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08dff4a3-9265-49e1-868d-2cf85e7ea711,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ea412ae-0f01-44c2-b90a-ad61b4192010,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe552d6c-7f88-4122-b821-2fc6d2a1f6fa,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb0d59ac-4212-4075-92d9-8574c23e1c97,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1416478a-13e0-444d-8a90-e444672822bf,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7569f715-245a-4248-b053-2cdaae062074,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6022aec5-a5fc-4f16-aded-b617790e8205,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd487194-5d81-47cb-85a4-5b597678d239,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a5c7d50-e047-4312-b55a-02cf8ef07782,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9058c800-7f5d-4186-b71b-4699aa4a0e0e,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,244e9c17-61e6-45ad-acc9-ea8ff8faa0ea,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40065234-6fb7-4d4a-8e3f-a0f4746c71e5,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a57d75b9-01a7-44a8-8d78-6e7f9fee0d05,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5e2fbfb-8d5c-42e7-9549-5ba0cdb66545,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97be2b50-c219-41f5-b3f9-a0a00049e8c7,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f77bba44-2151-4bee-b6f6-330191c2fd0d,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4bcfc36b-8293-4215-b754-bd88cae66c0e,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25043ebc-c07a-4856-85cc-be15ad2d08ba,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88ae1df4-5951-453b-809a-2b6221ea14e7,"4/16/2021, 9:04:03.199 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1369b131-a15a-421b-aa53-8b9aa080931f,"4/16/2021, 9:04:03.199 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d72ca02-aa6d-452a-96aa-d4e328eede5b,"4/16/2021, 9:04:03.199 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,8c9242b6-bc7c-49bc-a671-448f102ec1f4,"4/16/2021, 9:04:09.891 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,496e46db-e2d0-4ca0-849a-6fffad595e1c,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1972 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d6553aae-af6e-4dac-815f-c7f45ebff031,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7040 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,363e8e1d-ea5c-4149-a8e9-97d24196714d,"4/16/2021, 9:04:09.891 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f10e3e66-5957-4f8c-bf17-7b258dce95da,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6956 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + 
52F861EBAFBD8F6ACF0499614FCEB0E64E14A9A871504B1004F6797C8E01BD50 + 131 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.1852 + 0x3e5 + 43 + C:\Windows\system32\appidcertstorecheck.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e28633d3-d37a-4cee-9a06-f671cfdbacc9,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 7124 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b3f42d5e-f9be-4dec-ac05-e5ce0dd0d814,"4/16/2021, 9:04:09.891 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7450060f-9ab1-430a-9b49-67dce28453da,"4/16/2021, 9:04:09.891 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e186bc0f-14bb-4ab4-bfd8-322e0072d077,"4/16/2021, 9:04:09.891 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3214239-2979-4db2-b808-4700fbfe42b4,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eaabd723-81cd-41e6-84da-51c4fdbdc14f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34a6dbc9-d283-4571-addc-f5e187208ea8,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb23e8b3-a98b-4cf6-9058-99f9b76b2c88,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,485dc036-9e04-40f9-b84d-d675d616083c,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd9faefa-1c16-441f-a82c-0879945a431f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6ae2588f-7f69-40a5-a2eb-a65c8d759369,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95b53ccd-de75-4054-a31e-a9ffe4d2bf02,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc623a93-b16a-4120-a94f-1f2d01936f84,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b222b12-2342-4c72-9169-25d7a27fb81d,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8bd26f7e-4990-4f65-a130-279fb047130b,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32557f6-8390-4fd2-a101-8cd2aa12045e,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f03b1dd5-7769-4e22-9fa3-830c3a5fbaea,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be5d4b8c-01f6-4ed4-b6ba-ee7bcef21f69,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91352aca-1725-49a0-ad27-d6f52942766f,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f225368d-9fe8-463c-bbca-b3e134bd65d5,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b62022de-3770-4608-8e30-0f0f04b1cb43,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69d586c9-e993-4625-ba8a-b4a1243c3d12,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ae84564-34b8-455b-9fa9-6080cc7ff72e,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24959a01-73cf-4d22-90a0-15496913b266,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3d68a23-9354-49bb-bccd-20969a7874ec,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,652b85d3-1c9e-4e9d-910e-0c50edf2e07a,"4/16/2021, 9:04:17.117 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10812 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7a1219e4-7913-4051-95c8-755d6a325302,"4/16/2021, 9:04:37.587 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0f23f852-c893-4c96-a57b-543899ed4b52,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2c0e84fd-be52-4d44-a9bd-097aeab7000d,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a0ff7b4a-7f0d-44a5-87fb-60334893235d,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8656 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,39f06b84-c7fe-446e-af94-8b999ac735f7,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9880 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 
0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,078ec9d1-ac0e-4b8e-a5b8-cff7d6b7dec9,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Remote Desktop Users + Builtin + S-1-5-32-555 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,f9122a4b-970f-49aa-a599-a65069bd1e7d,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4799,4799 - A security-enabled local group membership was enumerated,f6638b82-98a5-4542-8bec-6bc0977f793f,f2a52a4f-b6d4-4e7c-8981-71fbcd85039f,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,cf7710fe-a1f0-4d65-9286-4685d09afc7e,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was 
enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,79e509f3-3d63-4127-a2c3-97f01152a077,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Andrew + VictimPc + S-1-5-21-1778951011-109519560-3417497144-1030 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,15abe9d0-0850-4b77-9bdd-e2f5f6555668,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,0e02c612-d275-4a10-8f7d-d30863283a4b,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-503 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,71e94e48-35a0-4ee8-bb1f-036a887e7d7a,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + VictimPc + S-1-5-21-1778951011-109519560-3417497144-501 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,0b30039e-00a1-44bc-bf7e-bbc4709c0d3c,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + VictimPc + S-1-5-21-1778951011-109519560-3417497144-504 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x1128 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,c517a2ee-d195-48b8-8b38-666a97a868f3,"4/16/2021, 9:04:37.587 AM",,,,,,0x1128, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0xc7c + C:\WindowsAzure\GuestAgent_2.7.41491.1009_2021-04-03_031925\WaAppAgent.exe +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,94b36a00-4396-4189-a515-d8b26d4726fc,"4/16/2021, 9:04:37.587 AM",,,,,,0xc7c, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + VictimPc + S-1-5-21-1778951011-109519560-3417497144-500 + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + 0x0 + - +",4798,4798 - A user's local group membership was enumerated.,f6638b82-98a5-4542-8bec-6bc0977f793f,ad3755ee-a983-4555-a9c7-195b694aa73d,"4/16/2021, 9:04:37.587 AM",,,,,,0x0, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,9374d32f-04f4-41f9-8a3d-1ccdd8bf5eea,"4/16/2021, 9:04:37.587 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,b251c2db-a4db-4dda-8f2c-24675778676c,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2024 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,1384e20c-2cf7-4378-99df-46cb70e3b120,"4/16/2021, 9:04:37.587 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11172 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c20cd603-f5b8-4fae-81e7-3b7219d6c6ee,"4/16/2021, 9:04:37.587 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1c15232-c41b-4616-8859-025521c034d8,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,272996d3-6578-4630-b6ac-8ffe8b7cb27d,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\AAJZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a91dff-c8b7-452c-b39a-8bc397132ca7,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4192f431-e1de-4e00-b503-24b642668f2b,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7bac71f-84c9-47eb-bd1a-cfe519ca16f8,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\AZUREUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af2fb2dd-5bc8-416f-905c-493807d31975,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c76f2d4d-6202-49a8-bcb0-a0d41688c1ec,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,310e6247-8fe3-4f60-9b41-175b4fa63c61,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,37be0fa5-d4aa-4861-a5c9-5eb0d95d3cb4,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6f16494-6c91-4b90-bb3f-9f469512c70c,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +Tamarindo@tamacc\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f79129e2-c53a-42c2-971f-c805f5ef6482,"4/16/2021, 
9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed538038-cb8d-4f80-9178-770e597f8259,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35896d78-5d05-4aaf-bb53-a6600249c266,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,caa2aff9-8cc6-4a65-804d-825b905a0ea3,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca2ad4f9-00ef-4a2f-bac1-a2d9a46cf012,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bfb61615-5715-4c15-b989-a58ebfc13292,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f536ab88-5d77-46a6-9797-c5bc15c6121d,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f1eed40-dafb-4fc0-a12d-38564dc4a38c,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c467cd67-6948-4dd4-87df-492e08ffad52,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,50fe2f21-fe22-442c-8ff1-2e0b70a13afb,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f9b82f-63ef-4098-8303-5f16f9e8b944,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,874a8bca-0f91-4af9-a7b7-f8fc96770081,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46c38948-7c24-41fc-88b1-95c09fc6a7a3,"4/16/2021, 9:04:39.666 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3ea6020-c9a9-4c4c-acbf-000509bdf7bd,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a695acb6-4131-4d2e-891e-68e58f969968,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,616812a0-5681-4e92-bb1c-5f8522417685,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88515377-00ac-4f64-a371-8943be19d5b9,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35d55c59-b3c7-473c-b179-29f0284f6ed7,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,470abd5d-afcc-49ba-9067-65640cfd6e74,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db47c995-feef-4233-b64a-aa0d62cd0365,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f641bb92-2cac-4842-83fb-68fb594a6acf,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b9dc8f0-b5a0-4f56-86e1-0c5dcdb0f02b,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,869f3005-3c49-4240-9894-b3ef8167bdc8,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1bd6a5e-5f5d-442d-923a-7957b9900f36,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a533a03-f7d7-484e-8b2c-cddfeaf37e70,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a09c91-3030-4b7c-b0c4-5e05c6a20e4a,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d19e5b3-e261-48e6-899b-7530a93a296e,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95661a7a-8a58-421c-af64-90a706e8cade,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b6b9116-b1c7-4473-a5c3-99d2ed87bf8e,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eccc3cef-c380-4da9-92b6-d95fd89c0683,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,67269bd3-b701-44b3-894e-deef65c48c24,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a12aa564-5be4-4300-9dcc-1eddb1fe2133,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2ed3ac80-7e87-4035-87b3-73a776f075e1,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc22ee3f-7841-4e4d-8bce-16c4d9441318,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9210d27d-5994-44d6-bd34-1e77b6abff44,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77edd543-ea12-466c-98d3-246b3775b03c,"4/16/2021, 9:04:45.124 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e9fd49da-aed9-442f-90fd-d021ea5b9d2e,"4/16/2021, 9:05:09.863 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,1d44f71a-0767-4e86-8b72-fbe408b03923,"4/16/2021, 9:05:09.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4476 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7fea2489-3462-46d1-a9e0-c3a94bb7349e,"4/16/2021, 9:05:09.863 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1204 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9a0e82f3-674f-4d7f-ab97-316d6e2e800e,"4/16/2021, 9:05:09.863 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,90ef1449-98f0-44a1-803e-0fbd35d154b3,"4/16/2021, 9:05:09.863 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,8f362a6f-afc3-4a39-a7df-1846b73b773a,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2652 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,948242df-b2b3-46cb-9c14-7eb8174ef25f,"4/16/2021, 9:05:08.599 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,0c5a1934-7b49-4632-b0ae-1e559fa374cc,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\NETWORK SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3104 + 21 + %SYSTEM32%\SPPSVC.EXE + 32 + 356D1FC495BBA123EE99EEB2389FB641779AC8E789C2883AC16F26376B3D8081 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPPSVC.EXE\10.0.18362.1379 + 0x3e4 + 30 + C:\windows\system32\sppsvc.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,faf86184-1aa7-456e-9015-c4fd2891fe17,"4/16/2021, 9:05:08.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,027cc4af-eb67-4ec5-a8e5-eec40e6c6787,"4/16/2021, 9:05:08.599 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae593b8e-9213-434f-8a50-98b556eec1de,"4/16/2021, 9:05:08.599 AM",,,,,,, 
+,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,218e6ac3-683f-46c9-962e-67f87aae1c0b,"4/16/2021, 9:05:08.599 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,22b9eb7a-95db-4938-af72-d5cd5717ab59,"4/16/2021, 9:05:08.599 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8740d4a2-2353-47f8-9336-a7267e8a0d69,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,719ecd4e-c310-4176-a98b-b705bfadb9a8,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,f5bc85ba-0d81-404b-b779-4aeed267b877,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ff33545-8a52-4792-9d2d-4e64c6ee7584,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf2ac947-e488-40ae-8488-a26b16a6078d,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,18ec5fff-1119-4493-bd35-c53117f0af56,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,53d3ea39-e1e0-4aa2-a74e-557db10d7c7a,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,02bbf720-3c41-4705-b86d-42f173be11db,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b6dc48cf-063b-4eae-b930-060698457419,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3bc29307-a5e8-4172-9b48-f9c469c79c95,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec5b73d1-08f5-42e2-af63-cc1b61790832,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,74adab4c-fd73-465e-a1ce-c1407f051d87,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd60d75c-4c08-451b-855f-0218df501d34,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ac1250c-13a1-4f33-9d84-fcf4793bc830,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,352e43c4-2787-425c-96b4-4546f02d79d7,"4/16/2021, 9:05:09.439 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,08f70c94-abc9-4aea-b3c6-0e897a076dd2,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e0a39cd5-7e2b-427b-bf63-a78c7dddf337,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e8fb0c72-e788-4e54-9d06-7f77833c043b,"4/16/2021, 9:05:09.439 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,42ab96c8-83b6-4350-95dd-d7518c737023,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,30f308bd-268e-4a83-877e-9610040ce0ce,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,25522988-b1fe-4bec-9cc3-377fcba3fad7,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,62b6c304-f426-43e7-b892-61d54d15958d,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b377e559-2737-4083-b341-ce288ff95804,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,521c2e5b-fa53-47c8-b139-00bd0f57d1fd,"4/16/2021, 9:05:09.439 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,90cc4c7f-7bc1-4aed-8ac2-b5be8e0b99c4,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4d046960-c5dc-495d-b0b0-95a49a3eaaf1,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7ecdd054-084d-4a56-baa2-231f36c207c2,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 692 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9a2d0d54-64a8-44bd-a7f4-f5cbcf3ed631,"4/16/2021, 9:05:09.439 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4888 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4a361f56-c47e-4ba0-9aa4-1528c926be29,"4/16/2021, 9:05:09.439 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8863fafa-fd12-49cd-87bd-670eb81e7258,"4/16/2021, 9:05:09.439 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b9f6baa9-db5b-4d55-98ff-074f4de0d0e0,"4/16/2021, 9:05:09.439 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5d0c1a8a-a38b-4029-b00d-c79c3a52a636,"4/16/2021, 9:05:09.439 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,59c8b075-b5da-486a-aa4d-9503e15df610,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9d1a0932-e271-4f42-9fd8-91acd2000f6e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a7e4141-30b9-4ee3-a71f-3687f094786d,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf0f6b5-df8c-40be-a473-2d9ec88e7359,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c9a72f6-ab94-4bd5-b2fc-04b209ea12c3,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,53052d75-6055-41d3-89fd-86759d2d8ed2,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d78d2463-d2e3-4a72-b03e-a919cfc09c2e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f0a8da9-bc2b-48e0-a2b2-ef6701de644e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c41bc2c-f078-4b7d-810f-621d57cbebc8,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c890afb3-23b8-4d61-9d7d-1fa85b30835f,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2638125-566d-49ab-9788-cc1c0a72f30a,"4/16/2021, 9:05:14.669 
AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e06679-fdbe-49d6-8fb5-3d7fd3e31d32,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,97cf2b9f-59d3-404c-941a-add88f99c8e4,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,704a9e0e-e6b4-4056-9e2d-7e250a0925d7,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e2a87ce-088f-442c-9d35-b4308dda2379,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ce54b763-55f5-4d31-bb34-7e39c50127c7,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a62dfdfb-f07b-4e4f-ba7e-c916eb772d5c,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\RMEDINA,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,063f662f-0262-45db-b2b8-4e1f45125c67,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef1070de-1b7f-47df-92d2-c43276baa185,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9a48eb1-3805-453b-bc3b-98eed1e80107,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3527ff5a-ba02-4434-aba6-f9801c3976bf,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d1ffd337-4878-453d-b875-97fec03dc122,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b694c6e-7d11-4a29-b63e-97dc5979925e,"4/16/2021, 9:05:14.669 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6822349f-1751-4ba6-800b-f82bf77017f5,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44758b25-6b3e-4412-8939-d2eb26f773a7,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b100c40d-7edc-49c7-948f-abeb648273cc,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e96f585-896f-424f-8720-4dd397163f84,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f9913e5-ece9-4a79-b52c-38b35c6f5bd2,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bfc607c3-9986-4c1a-a792-6d89198925f6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d968e2-492d-4f23-8389-43b3b708b2c8,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65dc93dc-6adb-471f-b308-8541d80e82ba,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,406c1944-acc1-4345-9341-1318f655c25b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b1d53ad-5eb3-4969-be65-0b7824de6a4b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6439447-3fe8-4717-9bcf-5d810281a722,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2fcefdea-71e1-48ff-9dd4-16f7bedc0a84,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,131a0650-2e75-4cbf-ad92-68440d529633,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5f24723e-9725-47d9-a8ad-d7927b194f6d,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdfbc13-b8ba-439a-b9ab-8426425838bb,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc9226e4-9aba-4ff8-b58a-4fc5f2d593b6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,783bd0d4-a89e-4a3d-af0e-805438945870,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efffbe6-742d-45a3-89a6-7df73d4b36e6,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fa69bbd-27fd-4035-b678-e6c66a3ea83f,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab62b79-ecb0-4681-a945-f178c48e966b,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e0a5936-712b-4d0b-afda-120b31f52543,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8d2f3db-838a-4632-9f3f-5f1c712bf68f,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c158e44a-d5a4-42a5-92c9-96030dd0207c,"4/16/2021, 9:05:28.119 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f230e7ae-d512-4b3a-bfe5-7b1dffb21268,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f632a08-cc91-4e5d-be01-441b3c43a8d2,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d81d772b-05dc-4acc-94fa-3b9f73c3b9cd,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,120ac0f7-1b0f-4d01-a957-e588c51d5e9d,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1a32ed03-9946-4b34-97b2-50c3afb57b79,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,364d175a-5e12-4faf-aa92-66173fd5f76b,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64cd441e-2dfa-4fe8-a2a0-011e9c1661bd,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4bc4bc7c-8352-48fd-bb07-0c2df511e842,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f725f82-5f5f-4bed-998a-641d54c35d53,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\COMPUTER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eaa9d752-a7a9-4477-8994-266c170e1b84,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3893fe66-ec21-45d2-8b75-9384c1610f44,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c0c8cf9-b918-4132-80f3-08b85ef0a16c,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b61ba2d-46d9-498c-86b7-ae4881440617,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99f00852-6e9c-4eb5-b6f6-dee55608f96e,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8d86b77-2eb1-40dd-9d65-7394ed083eb5,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d28be3f-243b-4fa3-a6e7-263e5105c184,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17036e79-5e86-407a-83d6-61d38902fbbc,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5367fa37-a9ac-4fe4-a2b0-14b0b11b3c23,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,99c7d890-35cc-43f9-97dc-b7326d2adfb5,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6efa37fb-6875-4fb8-b7fb-0ac618783b0a,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d39f783-7c75-48bd-9313-aab0911afbf0,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7fcd4620-051f-4157-8f82-b656ed5a840f,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c45f192-a5a0-4615-a2cb-2e098cce15fc,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb888c03-4b2e-4084-8294-8c61b0ae2c2d,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a15b088-b5bf-4f64-8cb0-a68db84d1ccb,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aaf717f1-c80b-4886-b9e2-47df755879bb,"4/16/2021, 9:05:31.675 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8," + S-1-5-20 + VICTIMPC$ + CONTOSO + 0x3e4 + \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask + <?xml version=""1.0"" encoding=""UTF-16""?> <Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Version>1.0</Version> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> </RegistrationInfo> <Triggers> <CalendarTrigger> <StartBoundary>2021-04-16T11:26:11Z</StartBoundary> <Enabled>true</Enabled> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> 
<RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>true</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Priority>7</Priority> <RestartOnFailure> <Interval>PT1M</Interval> <Count>3</Count> </RestartOnFailure> </Settings> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions> </Task> + 13510798882126509 + 3104 + 780 + 0 + VictimPc.Contoso.Azure +",4702,4702 - A scheduled task was updated.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab56e6ca-7f52-45be-b448-9880b985af26,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,409e819d-083d-4ffa-90b3-5560b2c2f13f,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10244 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bcaacabc-4da1-4d38-8e3f-1f5480766403,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,40c65b0c-7cd9-4763-b036-c868b40f811a,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,69368503-4d6e-4e1a-8bfb-ecbdf812cb5f,"4/16/2021, 9:05:43.717 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,12b32d29-fbae-44ab-b76b-9f88ecf3b675,"4/16/2021, 9:05:43.717 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,89ebb46e-1535-491f-a286-7f9396b559b6,"4/16/2021, 9:05:43.717 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37156cc2-4c1f-4db7-ad8e-5b35eb938aff,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fd9549-de05-4ccc-a811-e14cc6258cf5,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,882395d3-ea2b-4d4f-8a81-9e2f96e04f81,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d10c598-dbc2-4f65-bc20-7890aab37e03,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f71ed1dc-80bf-41e8-a87c-f70c81440355,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b414c75d-f571-44d4-a4b5-e8eb5212e126,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be95de55-75a0-4840-8d2b-b6cc79af1de2,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2922461e-e77a-4e7c-a6ee-c93669cfb42b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1efc3bef-4612-47dc-8d46-6ff1af8b8dda,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,469334b6-9134-4bbc-a156-a62ab92942c6,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d048ba89-a9f6-4663-8b4a-945864ba39e0,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfaa1c25-74ae-4d8f-949d-446690a961c0,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1438ec2-c4ab-4927-ba34-a517c8ba8c96,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c0effcb-9953-444f-85ea-c1d646aa3b94,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,638d34dc-4144-4d55-a0a4-66f70002f64b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1d5da07-782a-4f10-9df2-a70cab7608ac,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae0358ee-8e79-4f86-87bb-97ceba6b3461,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1254ff04-c31c-4064-909c-003fa34270d5,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c59add21-956c-453f-93c5-e9ae61950974,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,098a55db-4b51-4a8f-a566-89e834d1c46f,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16847c86-0142-4779-a504-68eb3f0f3869,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fba626a-349f-4072-8e60-ae122c5508e8,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5523ae3e-0c52-4d90-97fd-5e2465f1a4a8,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a4783f1-50ee-485f-b936-fe2eaa710605,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5837c644-6ec5-43d6-a0d0-dca98d7c6b6d,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51b3c8f5-9db5-4748-8019-ccee24548476,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed469bc2-bfe6-4cf7-9d84-0cdc828ce53b,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,305aa7f7-2008-4a77-9264-2f3c41a33f6d,"4/16/2021, 9:06:02.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,36d1d406-aedd-4498-aab8-714060931e50,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7878e72-7abb-491a-b714-53080b75806b,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18ee6f86-a6f6-421b-84fe-3e91896f904f,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc1ed0d0-9f3f-4284-b551-0d7d69950b5f,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09bbe5d8-8660-42a9-be9b-d84c0b6396b1,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,935cfe96-7ef7-4f9a-a16a-88b871c7a783,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\COUNTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79821484-327e-459a-b167-d34ee04838dd,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d6904bf-2453-451b-8b36-02f909984109,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f76ab4-6711-4ea1-a2a8-5b1525902021,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16580a6f-1f9c-4cd4-88bc-a94b96fe077c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37c8e30-cbf6-44f3-add9-a8d36be2d56c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,918aea0c-8aef-4993-bd5f-be3b3e7f766c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc75d970-0645-4433-b12a-03daec755150,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac35c2aa-855b-4430-a500-688a1edc5630,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4fc8f012-ab8c-4bc0-8fd7-e70e5d91a051,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83f11ad6-4f31-471f-904f-012c06a2c1b9,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96467975-4f06-4948-9b5e-72ff4e7ab347,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d362853c-f5b6-40d7-9405-f6a1e4d3c70b,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97631078-ae72-479b-b07f-b57dd92c658c,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb3d425d-43b0-4b44-a56c-7bb92ddfd531,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,375047e9-fd4f-4f77-84e8-a31ea9fc3f38,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3c245de-127c-4077-b2e8-42398e35d1e1,"4/16/2021, 9:07:03.143 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1f289b-3af1-4779-b480-9fe7dc5e53d5,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df9cfc8b-7fb3-4a4b-a2f4-910482760df1,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7dd9f459-0b79-42f2-a015-6d74e0612a79,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1777bf01-4bae-47f4-b290-f5f2880da2a5,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,148d09f1-d0ad-4b48-a86c-35bcbbc54cd9,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,464bb987-c590-40a5-aae0-2ffaf6cad202,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93fb38c7-7930-494e-9cce-fbb6afe553bd,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f818710e-659d-405a-9f0b-ed054b5fc833,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bdd4a0c-ad0e-4911-8bad-f2a3626ead61,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50f28ffc-9296-434c-b260-daebaa579d1b,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95eefe32-9648-47a3-a147-16f30c32db17,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e46bc791-762a-4f9f-917f-c0a9bbacd6fc,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d754c68-5e29-4002-b27f-e8e160543d6d,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6a8e6a8-b084-4839-bbb8-1a2317bb8134,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e00e043e-7b3b-42cd-94b5-a7bba5dd87a0,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abb6e9d2-fc60-4772-8f66-a096785a92d0,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24ed2422-f693-48de-a42f-72930cb3f69e,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71b81e24-5869-4343-818b-a5e8892a76b8,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,413e81f2-e957-4ab0-af86-906d70147cc4,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e444f7b-f58b-45fe-8135-316767d24fd7,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8fa78d6-72d0-4984-9a63-7b44ed51e7bf,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17c1613c-f62c-434a-93ab-55ae5e7b1052,"4/16/2021, 8:34:09.093 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6e4e8b9-3b49-4d8d-a1a5-8902fec2d70c,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fa992b5-5bb9-44bc-96c4-773c07a8c8b5,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3fb230e-0a97-405f-9782-93ae9995bb6d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e15095d0-1c22-4b50-972a-2e949544263d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9b22845-2403-43e7-90a4-af2627d26d29,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12cdbd15-e611-4b0d-81d6-a63edae85fb3,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66b40917-e193-4c12-a46c-e1269c4a29da,"4/16/2021, 8:34:10.578 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e228ad2-0da0-4b17-82df-a9964bf2dbb6,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,45cf6920-eaac-4add-9b65-517dd002e5df,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bcf66ea-4124-427d-9c1e-3e180e27b293,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90be63c2-381a-417e-b6d5-8ed3a8626c3c,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e78450c9-1c8a-481b-9a70-32fee1fc74e7,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c0283b76-51fb-40ee-a716-5a1e88dabd1e,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,090fff46-5b7e-40cb-bf62-639ecce7cf75,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c43ea75c-8120-4a7d-8733-1aba107660bf,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fd841e7-8420-4d26-99f3-f64a13f57d44,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7940b55-bbc8-44a3-8711-e14e888988fd,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38a6d6e8-8db5-485e-a774-aa08c13d092d,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d76fd6c-8db0-466b-a2ff-7bd752292296,"4/16/2021, 8:34:10.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5471cc8-fc20-4e5b-b393-b3496f7aec75,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,814739ac-8519-446d-b90c-17fd61dd6f10,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,395944e4-5796-4721-abfc-af181e7fe754,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8bbda9-fc8f-416a-a237-6f3b4f49793f,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a08f8f2-d823-4716-b580-72220e8c47d8,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d37e9c0e-bc22-4ae7-b8a4-c6f71645c806,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,574df63e-3760-44ad-96be-8d48ade3a92b,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dfcf428-ab93-4ca7-be94-965a1cc96b16,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21b32fa1-5f1c-4a93-bc3d-33e21b8e4d66,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbb84864-5091-43ab-8a53-2c00797875b8,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75031a89-1b33-4fda-843a-17305ee5ef98,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,adb0ee1c-0142-42cd-8515-e2a30ccb0012,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,841a2922-38f8-4935-b48e-4bd0e8669a42,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2cd0590e-1e72-4a81-ade2-24e6ee691440,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2008f7fe-ba30-4680-9ca7-178ebf5c0868,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64f983a8-e3f8-416e-b4e0-eaed3bbbfe38,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd85f02-fb6d-49cf-ba03-e0417fa5e713,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9c81a8b-b0c3-4e99-9953-de54fd3ca3fb,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,019940dd-bc22-4ec4-b9f0-eb6ad7bee095,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86fb3544-c946-42f3-b9e2-b0ab15901405,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11573e19-77bc-4347-b9bd-7334d5515b4e,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5bcbfa-038c-4ebc-9464-0b71c72955da,"4/16/2021, 8:34:18.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 944 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0ebb76c4-3ae5-4535-9c22-eed02898e96d,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6792 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,521c48b4-e5a5-4dca-bc6b-3995539ffc21,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,1a192b14-d203-4c5a-9661-e98af3b44001,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c7e19917-f1c2-4099-b13f-b05654a38ad1,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a1af454f-e7ec-4677-a07e-6578c331cfc7,"4/16/2021, 8:34:19.414 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7540239c-f06a-449d-ac5d-23a0fb273f30,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7672 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9de859e1-a893-4759-846c-d9deed4f0b31,"4/16/2021, 8:34:19.414 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + 
D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6940 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,89fb6ee6-cd46-448b-839e-cd79e758e941,"4/16/2021, 8:34:19.414 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,7a1be48d-1dbf-445e-8b10-bbc8df016d44,"4/16/2021, 8:34:19.414 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,808c3f0d-9a50-4e56-b0f8-0255a43919f6,"4/16/2021, 8:34:19.414 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27a4f0e7-a8ea-4efc-a3b4-40d6136b2f3a,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d624a5d3-e974-465f-a4ce-2d623b460b87,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e06984-f124-4453-9d0d-5b3a267791e8,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19cc0a99-572d-431b-9435-c44710810180,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f85341b-0abf-49bd-afb5-059b83375853,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c9a7b05-06f5-4e0c-a575-23f98ea42df3,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1acfaee-d111-4ba9-ad4b-651c98072974,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e9b853d-576e-484b-b692-be6bdac51604,"4/16/2021, 8:34:23.096 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,75e0ba70-cade-49f7-b441-11b6503d8923,"4/16/2021, 8:34:23.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01c5a68d-9477-438e-9753-7deab1996aeb,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fe9d0ef-4a84-414d-b84f-b2a6ff4dabc5,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7016 + 22 + 
%SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba3eb1ba-fea3-4e4e-8d27-efd15978b4ab,"4/16/2021, 8:34:23.096 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3aa3546e-1275-4924-a494-3cbf932c20ea,"4/16/2021, 8:34:23.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7ea18cc-4ad3-4151-abe4-90612535a40c,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49e9c840-df04-4170-ad8c-bdb2acaa25a4,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a411c4ca-66f7-40ad-bc75-f2a8fe4eb2c2,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99c57217-06a3-4aa3-83c8-54c7a176eb83,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b3f249c-ea48-455e-a09d-7c68748f6692,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8c367fc-ece7-4dff-83d4-889524db8f8f,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\VPS,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15b3104d-3ae5-470d-a592-23b539bbc31b,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3418fd47-ace7-4b56-bb04-83b8bb756551,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c8d4ef71-044a-4dd8-910d-d674c69ba5c9,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b664ce1-df36-4874-9ab0-7ce14965218e,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,087e0f87-e1a2-4bd8-bee7-9f36fdefacef,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,01e4c012-5210-4499-b07e-2fac33fac88f,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a6e201-d8e4-41d0-92e7-1c5e1e2754fc,"4/16/2021, 8:34:23.096 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a6bf8be-7561-42a5-a5f3-8b335a99e675,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df0d8f4c-2689-4d85-9d8e-5b0f7f345bc1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d2b6013-a890-4312-8efa-9ef0e341f9b1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5ba996e-2e6d-4e3f-9419-368493498d14,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a15f8dd2-c718-4bd6-bfd5-adb8aef4a283,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8ffd94b-86bc-44e2-9bb5-2fba1cce492e,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5f32d2d-afd5-4572-83bf-56c3838b4876,"4/16/2021, 8:34:23.574 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a61b851a-03ad-484d-a65f-2071daa1480b,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80e633d2-5986-4ca0-aef8-906955517dc8,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2102c1f4-647f-4fae-a7d5-568d7ee29750,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,927ba957-9e22-41f1-88f8-50d8c6d160f8,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,de41726b-b477-40be-9a2e-93710762eeed,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,edca00b2-0d1e-4f1d-850a-c15b7e824d98,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d7635797-9ed5-4b8f-95a9-ca458461701b,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca364e2b-5166-4d1f-af7c-c19dc36792cf,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35121325-cee5-499f-9987-136a17b6c2ce,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,35da5380-a279-4077-bc82-00ae6fcc3838,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3352158-535e-4b5a-acb9-9276d60393a1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3f6198a-7b5f-4525-9f88-87abb08c3283,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a5e2408-35aa-48c9-b0a1-d88a1c326028,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b8bd06c-a042-48ae-b78a-cf6a1c5fddb7,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f15968f-7e68-4f27-b3cc-3404a8c71322,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3295f424-8676-4d14-bdc3-7cd105bf09f1,"4/16/2021, 8:34:23.574 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,165edc72-3afe-47f9-8a10-667886f1c267,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c9ed4e7b-06aa-422b-8ea8-680ebdac78c3,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,95edf425-ae0c-4751-b1d0-8ea6b6efcc2b,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ddef4fa7-298b-40c9-a4e6-f076d8da9c66,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 
+",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,1cbda332-b689-492c-a65a-ae646ce21867,"4/16/2021, 8:34:24.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b6a89715-da59-40c2-aa5d-4a966e03f205,"4/16/2021, 8:34:24.046 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ab82f341-a42a-4b83-bdad-b1d58191be5e,"4/16/2021, 8:34:29.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9588 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,7ba084de-96b8-4856-acc9-d3c347cac0aa,"4/16/2021, 8:34:29.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10324 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 
F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,74003854-31af-4b0a-85e2-864b722d95d9,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,81417c5d-7ece-4591-9e25-55bea5df0fe5,"4/16/2021, 8:34:29.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8c842fb-be88-42c6-a5c0-265344c145e9,"4/16/2021, 8:34:29.569 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4260 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 
- A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,54365050-5786-4c2f-b60f-6204d62af24c,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4446d6d3-a293-4750-9184-81ea340c282a,"4/16/2021, 8:34:29.569 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dd78dd12-01e9-4333-bd77-d32f10d454db,"4/16/2021, 8:34:29.569 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37d2327c-3bae-4556-9d68-af4d998600da,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,6a04c261-bb4e-44b0-be88-5a33e2ac2240,"4/16/2021, 8:34:38.102 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f0472c75-9c06-4c49-9712-02ffb4540354,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41550227-f451-4131-a658-1eb1b915bf42,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82fdb8c4-92cb-4597-a2e9-7747c76e8c8d,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea42a36a-b31a-4d4a-9093-f3cdf01ad699,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,982c3231-a2e3-4404-99f1-f0f0e8403154,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a5915b2-f768-4036-adca-7d7669be30cb,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467a13af-6805-4f80-b8bf-ee8175a21210,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49d7ff41-12ae-4d7d-bda3-8206324ec835,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c124af1b-a883-4580-ad0e-ac2ec98cae90,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a93d5538-8e72-45d0-8662-87972f05d550,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1a4928c-bf8c-4533-9636-677e5dfa0085,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40b5535d-3805-4dc4-a551-ba518549155b,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab1c5481-5cb6-4452-978b-7313dc1c5e6a,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f7335b6-efa7-468d-a434-55b19dfd1aa7,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f8c81e-951e-42d4-9bde-3c128484c178,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbb1d799-9ab3-4bbf-8d9b-0d444baea1fa,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45f7662e-fbae-4391-a949-e083120c02d8,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7d3513f-7f82-41c9-b9b0-5efe7a175ed0,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45de1b80-39f4-43a5-92d4-5ed8df655a91,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88de0aff-93d2-4321-84bd-5f9b963daec2,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fa333e8-1729-4e03-a9fd-473211f12fd1,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3028742-754e-4af5-a740-91cc3855f7d4,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69cf8444-bf67-4b16-8560-493e6d5c344b,"4/16/2021, 8:34:38.102 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fc56e8-2bdd-4c3c-a690-b381d9ae87ee,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32ec8e9c-4935-4c68-a868-979e791945fc,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bd53054-c7f8-4511-930c-ce5a90c0ccdb,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5a9baaf5-c860-4d39-bb40-5acfa956d2d0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b748aef7-c6a6-444f-b213-b63c3838df8a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d4d8ad24-379e-44f0-badc-e1c756398660,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9877769-db56-49b8-977e-23ccd36fa509,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae77c252-94d7-4028-ad93-2ae0c9b8a042,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57ae03aa-637d-4ca8-8d15-53647d073cd0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,984de1ff-021a-4f6e-ac2d-2cbf39c00ec9,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6187d860-5a7c-46f0-a5a6-19eafc446d15,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7830d5e6-f4a3-4cd7-8183-662a9fdb05ab,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2951ab1a-9c43-405b-be71-c365101f41b1,"4/16/2021, 
8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6398e6c4-af1f-42fa-b54c-5fef1fd53122,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ede168e3-12f8-4180-be65-a18697321a4a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d53caddb-bd10-43df-922d-c2dc7fdb8f48,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ffa40a-8e7a-406f-8e40-73542c1bf1c0,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b58c686e-4874-49b2-8ab9-5d4a453c7d7f,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,888d454a-f7a5-47fd-8f62-452dd20e2aa2,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,231ef08c-3490-46d9-b64e-73115f0e61a4,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b46b22ca-c9ba-4cbe-8152-0267d7ee9880,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,008937cb-9dcc-4f16-9182-831ecf7db71a,"4/16/2021, 8:34:37.587 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,309bf634-ac17-47ac-a49d-2851cdb660d1,"4/16/2021, 8:34:44.855 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca341884-22f2-4b59-9dc4-32bbb07372ad,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c784cd8-f117-4af4-8704-7c669099a1bc,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,977a8481-5ad4-4619-b9d7-c00f0efa9f31,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,abf2ecdf-04ba-4e05-bdf0-f5b95163eb79,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22982e4a-454f-47fd-8e50-ab4c5f704f5f,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bbc38d62-835d-4373-8a50-33f1457acc33,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,31b352f1-2e54-4204-b718-3a4efcc4fa7f,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b0e966ad-0ea7-4375-bb6f-1a2890454593,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,318812bd-d938-4408-89ae-67ff3e75aa7b,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea6aea98-a36f-49e1-b71b-3291c23d48a6,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0a93e349-b56d-4ea6-9b52-651003f56330,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,afa0f367-ec53-4945-85d9-417470c866dc,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6e2b9a9-723f-417a-ab82-01a9ab1a5da0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc3daacc-0e66-4429-aa41-cdcd9e785456,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a0ce898-c1c0-46b2-b7c0-85f3fc4f9cca,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7461c600-22aa-484c-bb9f-0e16c5a2e98e,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd03ddcb-7749-40e5-ad5f-2076dfbd5374,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5338a31e-eb14-4ddd-bfc9-adeed6351bc0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4572e369-8b7e-40c2-b6ee-1291a88fe6ea,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42cafe60-0e83-4da6-8f70-02522db0d9d0,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe87d5a4-8b00-4060-bcad-0d222958ee58,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad36662e-3220-4445-985e-caac700dfd98,"4/16/2021, 8:34:46.206 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6288 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,5deb42e9-8b00-482b-b1bc-9f8afb8f0546,"4/16/2021, 8:34:52.742 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3964 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0613864c-b3a7-4777-8728-d127da1a0c5e,"4/16/2021, 8:34:52.742 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,384c2bf8-1dcd-4d0c-a763-a6ad13df4d38,"4/16/2021, 8:34:52.742 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4f605370-3ba7-4c5f-8435-32fe2e5d1685,"4/16/2021, 8:34:52.742 AM",,,,,,, 
+,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8161e739-93fa-4316-a218-46169edd74e8,"4/16/2021, 8:34:52.742 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,7e3fee28-5dfc-43e1-bcef-5334c251ab24,"4/16/2021, 8:34:52.742 AM",,,,,,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7b1d190-32b9-4447-99ed-becc3f1973a1,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7033905c-0231-43a8-8203-c623ec4247d3,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c13942c-e4eb-41ce-8fc7-338588c50361,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83808ab8-1be9-45ea-b4c4-3c5509864dd4,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,214363c0-cd1a-4c72-954f-bb13d2963577,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2486b2cb-385e-4cab-8ed8-25d10ab0a5b9,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96885966-6678-4980-b37b-49c5b14f35da,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3160445c-2a0f-4d44-9794-0e15fa086ec9,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2e8f6c8-7788-48af-b065-ae3d488fdb52,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,440bfa1f-c86d-4cb2-a52b-a2fdf13d1730,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c3f8584-b08a-4a85-a79f-e34564eea861,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be0f0de8-4855-4105-ba74-5204b6d52f5b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44907f3f-fbae-4221-be07-d0ffde8b208b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3498bb0-32cf-45e6-8512-1e1920874741,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd129843-1ea0-4323-9199-b4c22463a54b,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c228257-c847-4ae3-bc9e-c5a42fc42b15,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0d296b2-ea2b-4042-828d-f32e08d9c05d,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,480e460b-bb09-4cfa-8c02-f7a6bc89e357,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1a56513-2508-4a21-997f-26f79d0eb6f8,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ZJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5004bbe6-e176-47e3-a616-c3916120d94e,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4605ed5e-cfe9-4a68-a416-f1162f3e81cf,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a858537-dd53-401b-a87f-7f975377fd89,"4/16/2021, 8:34:52.104 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c699fc4-e16c-4677-a682-6c6372dd3e82,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de61f08-c0e6-485a-97d5-a1b65ab6f084,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ececadb8-25f1-47e7-bee6-2a688eec51f2,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c84b745-dec6-41bd-8fc8-317c4443cec7,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2dabe9c9-bd8c-4aca-98ed-535acdf57274,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2de52eb9-8e7f-46dc-bfb6-242d5d315304,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,095841e7-7954-49db-bc25-325c669e491a,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3b36598d-c2c6-4418-9401-4df38b7d0be2,"4/16/2021, 8:34:53.577 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,846a2946-cf47-496e-be86-06e36446399c,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7aa8127-fbe4-4625-bca1-5f4a104c3e98,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66ac6a71-46e2-4dd6-a77d-b181cf1e28ac,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39bc507f-6c5f-43c0-8110-bcbcbf5e4431,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73dd8f0d-5729-4a71-9b96-7e78c7132471,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5dda11e9-1dfb-4e46-87b6-2828b17d6de7,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20ba9777-26ed-4bd7-9240-8d55615df85b,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,09a506d9-db62-4a58-be4b-f8dbdd7eb8c5,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4458bc9f-25c4-49b8-b653-66bd59a4a6a4,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,06e4ea50-493a-4315-8259-b28c09ffd15f,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4f5cb96-7d84-4c47-9ef2-bdbacaab8ab1,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a4f39da8-2659-4785-b518-f03da076dbf6,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b305912-1e1d-4cb5-b8d8-0361de642f68,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9afe41c2-5277-4827-b244-a1b599928724,"4/16/2021, 8:34:53.577 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12956 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f62e55b2-b20d-4a1c-af23-ef35274d4744,"4/16/2021, 8:34:56.979 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13928 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,5e74e0d8-df8c-4f97-8665-ab35348c4aaa,"4/16/2021, 8:34:56.979 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,af119ac2-7b20-4b75-a323-867f53de8e3d,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,bafc3e46-892b-48b2-a476-2c3b1ea5fef8,"4/16/2021, 8:35:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,27d3adb8-9d07-45b0-97ff-2f30306125db,"4/16/2021, 8:35:03.050 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,8fa996b3-9c27-405a-b0cb-8f20247ae0b2,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,31b4ffd6-8a44-4849-8848-855ffc28d484,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9284f3aa-d267-42b7-8e9d-4204e49658c6,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,bbd34a21-ce95-4a65-8b4c-ad67254abb11,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,256dac0e-756f-4d4e-8fb0-dd49498e27f8,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 
2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a28ff9c9-a8d1-4de8-b336-8a93760a7469,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,16d89d64-ce89-4e64-b71d-cfd8f682f71d,"4/16/2021, 8:35:03.050 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,78aaaae2-751b-45b7-b6f1-f14075399ea9,"4/16/2021, 8:35:03.050 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad095b4f-f8ae-4c0f-a26e-f449bbda0e84,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e61ff32-c032-4f71-bf02-d2283aa4b255,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f516d04b-7353-4c79-8f2f-e27b3b7bd22b,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3323b9ef-8e62-47e8-9f8f-7077c23c5d45,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b66fa658-874b-4a0a-a326-4bf2915f92fa,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f61d4488-54e7-465d-af4e-397e622bc8cd,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69120ab7-b1c6-49d1-b2e5-3bbc0d433ade,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ad6f881-330c-44a6-a52c-ed6c740399c5,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec8a9d6d-493a-429b-99c6-9ad9cd425e65,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d9d6d0-ef83-4061-8230-c433c9e8c0b5,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12b69487-eaec-48d3-9f1b-8f41763372f4,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d3474a6-51cc-4103-91ae-4ce7c3d99a52,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2852d37f-d263-4645-bf1b-9326c597bae6,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e3229d-bbc4-4c52-b956-62a6778600d2,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fd6f8ee-96dc-491a-a4e7-f070b7119ed7,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f64b0d22-a9b2-4c56-89f5-be95cf21e012,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b0cebc2-1d72-40e6-8013-b127f09879f3,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c0c0867-5b70-496b-ba8d-f1ebbfbf3896,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,552ce773-d1f6-4931-9a20-edf00c4b5e55,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb8528cc-32df-46cf-99d0-77939af935ff,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35e24c90-ab23-49af-ad13-1923ebb6cf63,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df370d58-d321-4e48-ad2d-25abcb80cd6e,"4/16/2021, 8:35:02.121 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a86fed51-ec67-4f3e-a09c-da9ea3104a8e,"4/16/2021, 8:35:05.572 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,905c7fb6-4240-4121-a4f3-bd5962a89d2e,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e88c831b-9b34-4800-b54e-4f4042d7915a,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b61a7d4-2974-4de5-89e9-858d16cb4c49,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e8475f0-9d60-4074-8323-84192b879f06,"4/16/2021, 8:35:05.572 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0e67c689-fd8f-490a-901f-e81bed4837d0,"4/16/2021, 8:35:05.572 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6bf0da9-2ecd-446f-a466-00e04fa2de6b,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd5ca925-3de1-47e1-b368-1b23b2a3039c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,154c0356-3fa3-4f65-b20f-c1f4371ff72c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b3744b3-c2f1-49a2-97b2-a6a7552e097f,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26999255-939e-445d-8453-dfaefb7f9c11,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2aea9b9a-4c3e-485b-912e-371e49abfe8c,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b165901e-dd8c-436d-be7a-f54b3f930b2a,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3e42190-0572-46ac-aebc-2df5a75ba4ba,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9f8def6d-d745-402b-9d3c-056c4d80f956,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c59557cd-9861-441c-b610-e44ad099dfed,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a50a23df-2ff2-4b32-bb61-c992d48b2d43,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7f3db2b-500b-42da-b36b-512d134009d3,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b44df869-5be1-473b-83f1-9d4b898f3b97,"4/16/2021, 8:35:05.572 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6fd67da-a527-4772-a34f-44c9cb2ddd3b,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef2c47b0-5fee-463b-abd1-e14f6d4b8929,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fe52b95d-7380-4882-b730-fb64b8cce635,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e126a790-4159-4e5a-8740-9abc8f2fae0f,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8b13d7b-5f7a-4c6d-ae75-8c09ddcc1ce7,"4/16/2021, 8:35:05.572 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c2b318c5-303c-4d01-95f9-c6eb1d50c419,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04dc041-3f40-4295-b953-c06c697e7db7,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e4fbd8ae-459c-4313-8660-a168e725efe2,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3eb3dfa2-2a11-479c-ac3f-10e7ab5d6bea,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,561ab4a0-18ed-4489-bfde-39ce82293f50,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,373cf2c3-b8d4-41dd-a2e7-af3e3062ecfd,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a900a82-dfe1-46b4-92cf-d04a42a64802,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c443e46a-0b65-44da-ba72-347ba80f2660,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1733970f-4969-4d5b-86a0-5e4468b57a78,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f85b7d-c5ce-4846-8b9c-c7cab4a32806,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ead991e1-f5bd-4e74-bea8-4d3d38537669,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\SYMANTEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6881fa2-4b56-481b-a2af-847bf126ffba,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a358b7f3-f289-4c6f-973d-98012e758a36,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be64f6b8-fb95-43e9-92e3-93557bda0beb,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b17a836-3196-4aeb-9a39-be4b39d759fc,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c9e8334-e73a-4de8-bf93-68dff645e8be,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49dd5ecb-c095-4e04-ae7d-9bae1969ea22,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,263e78b7-aa12-4996-a7ce-c7a72a9a300a,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ce2eaf2-d11f-4aa7-b7f0-e4ed07ba0a30,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb5237a6-2d59-427e-b027-29c11042f405,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,598e5efe-543c-4255-b177-4ecc09267dd5,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdcf6582-14f3-451e-ab00-3bae708c3cc9,"4/16/2021, 8:35:06.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5912 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,90c15c6a-9847-4429-a30e-cf9e8f0d6370,"4/16/2021, 8:35:06.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9732 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f3f0e2c4-6648-4f4e-ad43-26df6791bc9e,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,22355821-36e9-44f6-904f-cb17b0d62f40,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c8d582a5-9a67-449f-8aeb-ac52f90f5ad0,"4/16/2021, 8:35:06.516 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 
2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,aee8cdcc-cb7f-424b-97dd-2c8fee81c65d,"4/16/2021, 8:35:06.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ef5b50b2-19b0-4aea-bdd8-e2fd13d66c58,"4/16/2021, 8:35:06.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10176 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,c3ea8969-a74e-4e2b-834e-bc2640c84ca9,"4/16/2021, 8:35:06.516 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4f6d46f4-41d5-437e-94e0-2c7aecea0a21,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,968e7ab1-713e-4ec9-940a-17758c653160,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,17b682cb-635c-4f7c-b18b-30095f3fac50,"4/16/2021, 
8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c9606e4-7833-4f0b-91dd-861002e75bef,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d9be8f05-e883-4ea1-af4d-59a3666c9d50,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a8596e97-fbd4-4705-b9f9-ef287dc497ec,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,03735e20-0d7e-4e52-b7a1-60359dd3926a,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e762c69a-3c5e-4deb-b573-e1edf1cc8e9f,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, 
+WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a41dcd8e-8858-4329-bd76-b2d254c7e083,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4693882b-8c97-414a-980a-c65d9333560e,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6fd1194e-c130-4248-af41-9b8b9260d930,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,aaf82b4d-7fba-4610-8e34-f2b251b1f7ec,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,81647867-6ddc-41e6-b7c0-a9e84e50d455,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b91a5c67-0614-41cf-964c-ae87bf274b5a,"4/16/2021, 8:35:07.419 
AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,9ff1a836-4237-4e7c-ac57-3739bf68768e,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,93f64868-57df-4f93-8846-4380649b10a7,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3d5be527-b466-4b77-80b1-d10d1ff9392c,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d1f21b73-1d45-460a-bab0-9bc052a1b56b,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,898d6154-55d3-46a0-a122-72437c7b6718,"4/16/2021, 8:35:07.419 AM","%%1552 ",0x1,Local Read 
(GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3705c974-37a1-4f9c-a94b-b0cf5b544fbb,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3e651a64-c0eb-4eb4-9981-88971feac697,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b2d1a0f4-1e4b-4f24-98cc-39b8d8919a96,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{d035a0c7-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e324747c-880e-435a-8c2b-5f12a51d2608,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2bf7a798-c09f-4243-8669-4982027fcb4c,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6e89039f-0dcd-4ec2-96d0-f9eafeeccacc,"4/16/2021, 8:35:07.419 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SHIR-SAP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ad0f04ca-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +\VPS,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,cd01544b-d868-4b97-bdbc-19b68e08e46f,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ec18fd45-1882-4e7f-beb6-b5961a8dc244,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 48 + 
%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,58731594-20eb-41ce-80d4-a92193493011,"4/16/2021, 8:35:07.419 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bf698c1b-2aed-4a1d-b3f8-26f72a4a0d19,"4/16/2021, 8:35:07.419 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d2549a32-f579-455a-a698-538e6095ebdb,"4/16/2021, 8:35:07.419 AM",,,,,,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b7e341d2-b50f-4917-98df-8059cf62d72f,"4/16/2021, 8:35:07.419 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,0441fa67-6f84-4c43-9271-19ba08b681da,"4/16/2021, 8:35:07.419 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,69ed2665-3605-4c45-9a35-b7899e16b9c5,"4/16/2021, 8:35:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,667285b1-9a07-4c55-881c-95bf82a318fc,"4/16/2021, 8:35:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5596 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,370b60bf-8c5b-4155-b820-0dc81b8a8cf6,"4/16/2021, 8:35:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6600 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,39408071-0390-4b16-91c3-991fcff10313,"4/16/2021, 8:35:09.848 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + 
S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d7e0a642-7bb2-4f7b-a585-a760d48b3ccc,"4/16/2021, 8:35:09.848 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f60e789-7323-4102-b5bc-e987527ce4f1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a01bd1-3d07-4494-ba89-00626075860e,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b30bd228-7841-463b-9113-9e997b4ab74d,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13757fb4-c48b-4a31-ad3b-b717693590b7,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d570bfe-e091-4461-964e-df2891b42db0,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9360a3a2-4c16-4c5a-ae23-cae4540405b2,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c56f5a7d-12b9-40d0-a005-a40e1516d2f8,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95824cb-4cad-4fd6-b9b9-f46a3c0c98d8,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5d6a499-783d-4b67-b475-26bedf53ef06,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,691d81c8-a96b-4fe1-b62f-17590c95325b,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e5ffdd2-ef26-43a7-a991-b093ad88cecb,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc016b0d-c0c6-48ca-a811-be9defc8899d,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99b3809a-a32f-482a-be9a-0af05555efe6,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2136ac4-cfee-486d-9d31-0d2760758848,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c033427-6486-4bdb-b30a-b38d07338bc3,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dfaf00f7-bffd-4845-a333-caa902536a4a,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\EJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b21e9332-2095-4d92-84db-619122922837,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6b4c3d8-7bbe-4f73-8631-3a3f88706be4,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06425996-3b9c-4101-a872-db9172ae29c1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35aca0c9-6a1c-4674-9982-f265a38a939a,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd3bd6dd-7b7b-4288-9cd1-29d4a2a8bc88,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58276e42-293f-4dc3-881a-478b856987a1,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80e3bd8c-a757-42dc-889a-25ffbe01bf43,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ddefc36f-8bf6-4950-b1dc-110f39bf09e4,"4/16/2021, 8:35:12.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,488748ca-0fa8-4f26-8fc2-26ffe3837300,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f43d526e-8575-41fc-9d74-85fbcaac89ea,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fac4362-c834-4b87-ad6e-109001aa4a7b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b623ca-365c-46e4-a2af-c3f9ca010b27,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f997e691-d432-4bf4-85f2-7954edd0435c,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b63b51b5-e877-44db-ba3e-79f31c1735da,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cfd24a57-f2a5-468d-92ee-9f4920a2081a,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e3c9f1b-e67f-4747-b98c-9e27b91edab1,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd912373-cde4-40a1-9331-23fa10ceaebb,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d248ecd5-064a-454f-a9a5-683b277468da,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62338e23-37b0-4f35-b733-1f805d4b45d8,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3f2d1331-8149-4189-b5a3-c54beed3c9f6,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c10d6fd4-9395-40df-bee4-07b2450d8a7f,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2a440bd-da46-40ef-92ad-88290b7e336e,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db8457e2-263f-47eb-b9af-312e67d8603b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ab9ae63-534a-483e-ac3d-53b53fd84a00,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,357fc8a8-bdf4-4fe9-93a4-20abfc3088aa,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\JJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3342e9e5-6802-46b2-b5b0-380671c1bda2,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9ac6ad5f-f397-4bd5-bdf9-89e0c7f211fe,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,386e7ce2-6e25-4baf-b738-6dfbb2f7af8b,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a66c2de-3916-4185-9b63-acc5846b1e30,"4/16/2021, 8:35:20.145 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e0fb69-cc79-468d-adc1-4637efed04a8,"4/16/2021, 8:35:20.145 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c7eaf57-9ee2-4ff0-91c8-acd89bf73101,"4/16/2021, 8:35:20.145 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8256 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,78e2a3e5-e4fa-436d-a383-a5195255e088,"4/16/2021, 8:35:20.145 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1780 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,50b7cf86-f4ce-4817-87d1-2df1ab5daa6a,"4/16/2021, 8:35:20.145 AM",,,,,,, +\TERZO,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9885a86-67ad-40fb-9f2e-f4e9d0e269c9,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0de148f4-f8d1-4797-9a4b-a907eb713de6,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4c1526d-ad81-408e-b7da-40c1ca861572,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b1592965-b22f-40cb-bbdc-a101079c8ebe,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,21422e1f-f197-4505-9c86-4327e6050b74,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f95f81c-4b5d-48d2-aa9c-84c868ecb981,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,adcdfd1a-5ee1-43d0-a428-b85cc9db3438,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32e01827-3f92-497f-9f05-ebf268727630,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,82828ca4-c996-4f14-97ee-e239b6f3723e,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91a2f8fb-4f9e-44f7-bff7-b624f1cda059,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d191201-7df6-4b47-a951-83b1e14a59ff,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8dcf913c-d3b8-4d62-aca4-9505ef331327,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9e1b2fe5-1715-415a-b425-dcc94cb5e658,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8173257f-84d2-4b69-87dd-2b21d12b9b06,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f5cfecda-8cfe-4b8d-b2b6-c6daa31cf733,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa0c5770-9ff6-4351-a5d4-ab226995d24c,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f659cbd-6cab-4289-a9fb-a518800b0c83,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1566a595-25f7-434c-ae23-7b7d5e5d7cb7,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,113c58c1-b378-47b3-880e-73749d22c22e,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,da815dfa-75d7-4c02-8ba6-40aec349bc33,"4/16/2021, 8:35:20.570 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e14fed3e-3987-4b70-8468-2b9687022225,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34f59add-f45d-4f75-b47b-4e6303cae51c,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,39615428-88ec-4280-92bb-22c092186413,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4c7d9c5a-03fd-47f3-97b7-168a0f0c6aa8,"4/16/2021, 8:35:20.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb6217c6-1660-4ff0-b51a-d2b58e10acbb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,551dc504-87d2-434d-9205-c4eddf00ab18,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2c3f1e3-d782-42ee-99d7-2f946b427fa2,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,539a369c-f633-4e45-9566-3323e2dd1e20,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,100434c6-898e-4666-b786-fcbe7e65f436,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eff9dfa1-f8d0-4cba-89eb-6437d9f97ab6,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdce568d-41c7-48be-ab70-b55c59d97a12,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b3e62e0-3382-471a-960e-0a73a07b78e9,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6b0bd357-5466-4c10-b986-1948bf0186a1,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cba01fa1-7b5b-4f3d-9ae2-fd43c25a5aeb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9b43e9c-84a8-4d65-966c-64fe7e150836,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9bcef1f-f67e-4113-96a2-a9dff696798a,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84dbb74a-279b-4695-93c2-93be12135672,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f28b4aa3-b421-48e3-839f-29e47a2ec68e,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8a6125f7-f993-40ef-ad70-19927039a1f7,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c14db039-7616-4674-a991-f2e9d2cd19cc,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d3d44b0-3367-443a-8efc-146e9d86d8b2,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ae8e938-a127-44c8-9aae-45880f184f13,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4e2f2f-af9c-4624-83b4-3f9c069054be,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58184325-42ba-4161-a6db-bff1b0e6c7d9,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d82e1526-58a4-4f3e-937f-e470eb2c37f3,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,547ce4bb-4187-4d12-9e86-b2fe655019bb,"4/16/2021, 8:35:27.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7928 + 18 + %SYSTEM32%\CMD.EXE + 32 + EADCC06FA49193965AC87F20A2EAC9D9482A669A4C0AC722CE411E28B1F2EAC7 + 113 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cabe8743-fb79-4c2a-b91c-822e8ffe43b6,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10812 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,652e204a-3fe3-4acc-97f5-8c0e58690423,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + 
{2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,52545f1c-2a76-4437-a00a-98698a9c0d87,"4/16/2021, 8:35:28.322 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10544 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,cd5d8af4-d3e9-4088-a3d2-c4bcf09c645c,"4/16/2021, 8:35:28.322 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6cdf748-9d06-4528-922e-f83b587af44b,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d20ab8d9-1e68-48fe-8043-bb969b522c75,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ceb9d4a3-2a37-438e-91df-7ea098bf6418,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed9a61b7-8c2e-41de-8dcc-328edeb8bd73,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84eb0121-8888-43bf-a572-fed51e9fa98a,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,799f57d1-1d32-4c51-af18-3158a89853b7,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c73cee4a-6e9f-46a1-a381-57c5d6e0374e,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,040fb2bc-afe5-45df-8700-12306b3cd468,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ed4bef8-d8a4-44d4-92c2-cae820a022a8,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53f7c8ac-b8ba-4cc3-a69a-e24f47f87714,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,114f46a4-7505-4a48-808b-d4cdede3eeab,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c9f2dfc-5df4-4ec6-8681-aaed06d2b4a3,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8015f464-7dc4-4257-95e0-62684be3964f,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bd32d9a-bd5e-4c65-b62a-85052c9d0107,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,f28e341e-a17d-4914-bdfe-0068b91895ba,"4/16/2021, 8:35:33.096 AM",,,,,,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2f6f379-2d31-47e4-858d-adb7bd02add8,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe383a07-94f5-4632-a429-7ce10478a132,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a7d41a1-91c8-44fb-802b-54cbb7be77d2,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d05bf69a-d20b-46b6-bd9a-a999eb5761d0,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90747438-72c7-47ce-bb05-e14fa35f10a1,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22f160d1-0186-4671-8918-b3a93d3c6a48,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54dc49b0-a811-4dd6-9282-fabdc1e39311,"4/16/2021, 8:35:33.096 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,5503048d-aae9-48b7-bda5-46b931ec9ed1,0cfad651-d2fa-4358-ac35-0cb86ab13245,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,080c7c40-e853-4b6b-90f9-28e8cf952cd8,"4/16/2021, 8:35:34.866 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1103 + SamiraA + CONTOSO + 0x24140cd3 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-555} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-512} %{S-1-5-21-1661583231-2311428937-3957907789-519} %{S-1-18-1} %{S-1-5-21-1661583231-2311428937-3957907789-572} %{S-1-16-12288} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e0d0a6c1-4252-4e9a-8180-09847b945d00,"4/16/2021, 8:35:34.866 AM",,,,,,, 
+CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1d254f0d-dd08-4ef0-a7bc-14985e9bba36,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\SamiraA,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,4a465e3c-621c-43be-8fac-f40e149f6f15,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e12d5b04-f904-48ae-b2f0-2e9e1708b4e4,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x241413ad + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9b15bbb1-de2b-47ac-8728-ff8f20565c94,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ab969098-84d2-484a-8ab6-4ea38eda3ae1,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x24141413 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership 
information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,59fd982a-3162-4eea-9482-0e28c5fac714,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,477e3081-60b7-4946-a398-0c909e0da9b7,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x24141429 + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6fb2d02e-fe0d-45b0-a711-288eba80dbe3,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO.AZURE\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,adb91a11-de3d-41a7-b5f3-b4a873326451,"4/16/2021, 8:35:34.866 AM",,,,,Kerberos,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-0-0 + - + - + 0x0 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO.AZURE + 0x2414143e + 3 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-18-1} %{S-1-16-8192} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,01a14618-4907-461c-b654-83cf778998d7,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1fceec9c-af0c-4e41-ad1a-1076f06ecd35,"4/16/2021, 8:35:34.866 AM",,,,,,, 
+CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ca3b7874-a0ec-46aa-b032-d9af8c58ee4c,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,43e43c0e-34d8-4e7f-90ce-c158b7791405,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13826,8," + Administrators + Builtin + S-1-5-32-544 + S-1-5-21-1661583231-2311428937-3957907789-1106 + AATPService + CONTOSO + 0x241413ad + 0x0 + - +",4799,4799 - A security-enabled local group membership was enumerated,5503048d-aae9-48b7-bda5-46b931ec9ed1,ba56fefd-aa5c-49f2-9447-38021900497d,"4/16/2021, 8:35:34.866 AM",,,,,,0x0, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,13de5507-6c90-49c7-b0e5-85f4a1ed7358,"4/16/2021, 8:35:34.866 AM",,,,,,, +CONTOSO\AATPService,User,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ad08297d-64ee-4b5d-b6d1-0d6954011989,"4/16/2021, 8:35:34.866 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,199d00cb-8f1e-4f05-8405-32ab94bdd979,"4/16/2021, 8:35:34.866 AM","%%5649 ",0x2,-,-,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f451130-2a34-43b9-85af-b06ec373fb27,"4/16/2021, 
8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9f1e633-8bcf-4c62-ae93-71700115519b,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e787eab6-332e-431a-a674-dd0c59c26c17,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a38f539-4482-408a-bd81-1de8091b91c9,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,72553e68-64fe-4f24-a422-b196571f44b0,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,446f488d-b485-4d1a-9bbe-d1272111fe7e,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,efb1fc39-1a88-414a-b826-d789e1dd15f7,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61a1cc1f-3a33-4e54-aacd-f147075ef5ee,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a01ce6c-1db4-4a41-a06f-68bd40de347f,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3d6b956e-423e-4b6b-be88-fb6a22dc46fb,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bee8a8dd-6a04-4c54-a3f5-35819aca3dc9,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9487dbfc-0b58-4fb9-ad96-b8fb48e62ae4,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c4da1059-7557-4d3f-8e2c-ad56f9b91abc,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd544087-6ffc-4dd9-8e1f-3b8d08a49e83,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd394b15-f8e3-4dbe-896e-d32ef75206d1,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1c31493c-2b2f-44b1-b159-8c13ef58fc77,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6404bba-f047-4f5c-94d0-01cd4e6e5d56,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,db40bcbf-c9a5-4419-ba5d-eb5f29aa7051,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,78cc0efb-866b-4cf7-8ede-ebc22eb2fece,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83a995ed-888f-4ad5-8b3c-4db20f3f27d1,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ff5b2133-059e-4889-8cc5-7596401df73f,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b7ca560a-a9b6-48b1-a3af-8092d61c36d8,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6fd7d39c-7dd7-4c5a-86dc-65b1816c3065,"4/16/2021, 8:35:37.587 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c5734312-8233-499b-a3ed-aa1e021a72f2,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,86bb45fd-dcbb-4483-8c98-87587610b1ff,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8b914252-1341-487a-bb80-450557a677ce,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,53e859dd-64dd-40be-8aa2-92cb9ad6b80a,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2f2f7a5f-185d-4a8f-a560-4eee1202b53d,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,aa6c45a1-2e4e-46dc-a2e2-cde3ec3f576a,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5356f8a9-18cb-4ffe-9341-146e4263908f,"4/16/2021, 8:35:36.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ae5a307c-f86a-4ca4-bd2f-4f86ab0ae2cb,"4/16/2021, 8:35:36.052 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9b79db7-9f34-4a9d-94a8-eccd1c332dc9,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,593ca018-3fa8-43f7-aa4a-2ec0f1a55917,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aadcb7fe-61a6-41d7-a64f-ec499994dd8e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,613a4806-3390-4d19-b1a5-0b887fd4e028,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3b5f0b4-074f-4e3b-ae68-038667853e07,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11ee2802-b900-4356-a564-4c8c5d3189d7,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecb92553-be69-4d12-85ec-15f978509a37,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e87c1cbd-7f70-4015-ae2b-3cbeae606561,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,341347d2-5d1d-49df-9bb1-7f57c811584d,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,237d1429-45a5-423f-8c1a-f4918941df1e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9745ed7d-4d43-4429-8141-a5d09f900478,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9915b90f-abf9-4dc0-9598-2984d2e6fe82,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45d2521b-050c-430e-80d1-6e3d3f826681,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ef75557-9521-4971-a54c-352b91615870,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3890e58f-8f92-4d04-b762-cda95c4953a7,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6a37472-79e8-4a2b-8a6d-c7ddfe89313b,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4a31dd5d-8dd1-4283-9590-78b12d49a89d,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bb4e4f1-b676-4bfc-90d8-0e524313ae8e,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f997921-0aa3-4c49-bae6-40739f53b3dc,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,530ba350-1bc2-49b8-a62a-e2d4a3e39149,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5db7ef38-a5f5-4014-a111-f3feac36edc3,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f230f83-cd78-448c-9428-345c47ecf0b8,"4/16/2021, 8:35:40.112 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,5150047f-9e13-4033-9434-dd513fd37449,"4/16/2021, 8:35:41.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,00a56a67-4789-4d39-8ed7-a2f89f9111e6,"4/16/2021, 8:35:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7520 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,85eb204c-bcc1-49c7-aafc-ec6f88c69aa2,"4/16/2021, 8:35:41.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4868 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,46ad2e76-736a-4f74-8ccc-bbfe6edd1fe1,"4/16/2021, 8:35:41.411 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,4019754b-8eee-4183-b594-7cf3a60387fb,"4/16/2021, 8:35:41.411 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b3f0b1a2-7b4c-44f9-a2ba-c01b699e05f3,"4/16/2021, 8:35:41.411 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b301d4e7-6ad0-4cca-a0b8-29304222e055,"4/16/2021, 8:35:41.411 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9004 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + E083DBF5FD891B0254E4021330270719E66D6B0C7F6543BDBA19C4CF5D37395D + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7411.17763.1697 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6706750a-60a1-4cf1-8f1e-f3198493cb75,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12168 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,74aa722e-28cd-44dc-a818-7e956c42d397,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13368 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,21b42d0a-d958-4438-85bb-bbe06e36fe99,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 11804 + 34 + %SYSTEM32%\APPIDCERTSTORECHECK.EXE + 32 + D783370D0C3716126E1F2130E165DBCF9EA52A431FB5BF0AB5E3D9D3D479AC08 + 129 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\APPIDCERTSTORECHECK.EXE\10.0.17763.01 + 0x3e5 + 43 + C:\windows\system32\appidcertstorecheck.exe + 
+",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,3b18a931-5b7e-495f-b903-7f7a94ffa3f3,"4/16/2021, 8:35:47.988 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 10384 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e5 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,a3c3c825-dbf5-45fa-95b6-d1efe1bbc425,"4/16/2021, 8:35:47.988 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e1248a1-07a3-4431-877d-f7d2afe6bc5d,"4/16/2021, 8:35:47.096 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,c74b7e3d-ee41-4950-a65a-904243fedd9c,"4/16/2021, 8:35:47.096 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37f9d3fc-5e0f-4259-b49c-6d52ba1b03bf,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17655ff2-339e-40df-8262-531a1e63cb3a,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,668d854b-468c-43e6-9fb2-22f4ef6b290d,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6a9339e8-4fc4-41cf-b22c-1827e1e78be5,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,509f58d7-0fc9-4a52-82a6-256737540202,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3bb2262a-9832-4f3c-af88-6f134f5d4f3b,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8712 + 87 + %OSDRIVE%\WINDOWSAZURE\GUESTAGENT_2.7.41491.1008_2021-02-10_045418\COLLECTGUESTLOGS.EXE + 32 + 9CBE23B245E1ED128DF262318D623E57C98A79AFDD407B13BD8A2C82CA79796E + 101 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\COLLECTGUESTLOGS\COLLECTGUESTLOGS.EXE\2.7.0.00 + 0x3e7 + 80 + C:\WindowsAzure\GuestAgent_2.7.41491.1008_2021-02-10_045418\CollectGuestLogs.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6678550b-1492-4306-946d-4204d8d411c6,"4/16/2021, 8:35:47.096 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 636 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,e666fdb3-30dc-40d1-a571-d30e1dde4bda,"4/16/2021, 8:35:47.096 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f897f17-814c-470b-98e1-fc45beffbbc2,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1195efe1-0094-4e71-8225-b8189033396f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69734ed7-deb6-4083-a1f6-7f5c20ee1549,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a9daac5-dedb-45c9-88cc-570958998fd5,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b3589c-06af-4fd9-9119-e3ef99c6d94c,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3857cdb8-b4d0-443d-ada1-c50c85e349a4,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b33aad8-47dc-46f8-89c0-1012d56979a7,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6805eaf8-67ec-4e0c-aa27-cd66c20cb3ea,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,807a0eb7-ff29-4ad7-9280-8d9516c5298f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,259a96a9-e33b-4fec-bee1-1090304ab01f,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7209a166-b426-469b-b281-8783fd10e517,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48e28542-359e-47c5-9ad4-a9747e58db8b,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cff9714-b977-49ca-beac-ec0d128094d7,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c7ba0fd-5450-4d7c-ab2b-4d25b361eaf2,"4/16/2021, 8:35:47.096 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8f05ae89-d482-40be-a9ea-2e5c8666f47b,"4/16/2021, 8:35:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4276 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,609caab1-0669-40c5-8051-b2531938cc15,"4/16/2021, 8:35:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,9c4eecb9-4eaa-4b5b-9519-072c9d9923b1,"4/16/2021, 8:35:52.739 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ef886813-174e-4ab2-acd7-9b08e60a4b2f,"4/16/2021, 8:35:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 
+",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b61bc2d6-5af7-4f8a-9efe-144e9057b194,"4/16/2021, 8:35:52.739 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,8e166322-abcd-4302-9cc3-5f548f2c83e8,"4/16/2021, 8:35:52.739 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11140 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,701b8c6d-d4c8-43ae-a9f0-d2591ecbae1d,"4/16/2021, 8:35:51.523 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8168 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,b37ca567-f8fe-4b4c-a98d-ae89760e7232,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,6ff2cc21-a14a-44c1-8b90-1147df51ce21,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,e295c5a4-a9fe-4b31-af0d-63a4fc1a3158,"4/16/2021, 8:35:51.523 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ac096c8c-05d7-4e56-b91b-ee1bc7ff988b,"4/16/2021, 8:35:51.523 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5932 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,bf424b0f-78f2-41b4-a93b-28f004d90b95,"4/16/2021, 8:35:51.523 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,135b75a4-ea8b-46ad-b797-d1d8f86807b4,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9503fb75-c019-4ff1-b96b-f3ded4d1645d,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e10ae37-88c8-452c-aeab-dee27587271e,"4/16/2021, 8:35:53.109 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,029e1c07-6ca5-4a23-be5e-e3a42d9e7454,"4/16/2021, 8:35:53.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bdc0958-c803-4b37-a30d-8caff1fa5365,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6421555e-f9a7-477a-b582-576a1cb1a76e,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b92d914-1401-4fce-9612-ba6a5a88af21,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2824 + 18 + %SYSTEM32%\CMD.EXE + 32 + 5F98D08805D4EEE36337C81914F0D82191A4D58D24EA2FF2E522A95A5D6E5B73 + 115 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE\10.0.17763.1697 + 0x3e7 + 27 + C:\windows\SYSTEM32\cmd.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9c18cba3-fa5a-4d8d-85c9-45d2a13d511f,"4/16/2021, 8:35:53.109 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8432 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74ff53c-972e-4c41-8afb-6b473645d3a4,"4/16/2021, 8:35:53.109 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d16548f1-af30-4238-8536-b0e524754b90,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATÖR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ea45d8ac-8697-4b11-b2ab-288c998122e6,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4dae615-78ae-444e-8d7f-b01c3c125754,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1b1be4e-fc29-47cf-9ab4-7a10f54e6139,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2011092-bd74-43a9-8714-03163d2eb2d8,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8c27c74-f10b-4c80-b388-b38a9a4522e9,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40d960b0-28e7-40d5-86b5-20f205316e6e,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c54a4d14-3ffe-483b-b3ed-5a8da4074614,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772142af-a6d1-4e45-a8f7-83041312349c,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,46367d4c-a4d2-4036-8216-0c782d1c72a5,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86ff138e-0322-412b-a0db-48bdc904166b,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1651f12b-f992-4c1a-802b-6fb9fb058ef9,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bda3cefc-b987-43c0-abe2-7b735393aca0,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0c318be1-9da8-4631-8838-ada42a0bb180,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2239be9-d5f6-418d-a087-6e71dc09b804,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9be3c6c-7bcb-4b85-bc76-32195ac9b10d,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b788dd97-8d85-44b1-b91b-dba30b95fd40,"4/16/2021, 8:35:53.109 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c349d8c-f7ae-4747-bed7-67f35459d010,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d395dbad-38c9-4d60-940c-c6fe706b04d4,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08916239-3a95-4b42-a531-574abd4da507,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,142f2e96-8209-44f7-9808-8d228709bc1f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,535264fc-effc-4332-a269-3ffdcbdeb5dd,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a15c3c62-2d8d-4ad7-91f8-f51b97b7cdfa,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0a5f4bda-b7af-49e5-ac8f-d66fe3e72abc,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,52ac5cf1-cf56-4fb4-bcfc-63a7e43cdbac,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae077d28-2cd1-45bc-b9fd-0e199ce480b0,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f0417f6-93ef-4398-a42b-540c5ccb7df8,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d3c40ec7-b11e-4298-9b2c-cc78d12f4d0b,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7d6ba844-b8d5-4362-897c-91e64dddbf5f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a13367aa-31a4-477b-9e52-5cc27509fa46,"4/16/2021, 
8:35:53.576 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ccafadec-e055-4c5f-8166-a1fcf4318439,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8833fc3-5055-4d0d-bf8a-c4bbc70044ff,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553e94fa-01b3-48a5-a1ea-73e292bb5e77,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51b2aabe-b0e6-44e2-8178-e6901e135243,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c32620cf-e700-4f48-be94-775bf4d56c03,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83fd3c17-a8e1-4752-a4a2-e11d3ba081b6,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee064df2-622a-4912-91f9-28519c505e54,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea138ce-a935-49d0-8a98-1b47f8a319f5,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + 
SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,287dd448-7f82-4a92-b45a-1e2ffb83306d,"4/16/2021, 8:35:53.576 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a5ad566-2c6d-4579-9a41-35b3673af94b,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\TEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a53e52c-6477-4596-9dc2-4d8ce5d5412f,"4/16/2021, 8:35:53.576 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e3e894-f8f0-4e6c-800d-b93617367b1e,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b473bb0-9dd1-4beb-a15c-d324b4f2b506,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ef8ffb2-1f3f-4a95-ba43-ef53d7f26daa,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f03b6d1-346b-459b-a5fd-3477f265b49a,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a37adeb8-33a2-4f27-89c9-159974a78f3f,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9962e2ab-7f2c-4f1a-993a-c37ec800beba,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,245f7f31-5be9-467d-b90c-524a4dd403bd,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\CRESBARD,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da407bb7-70cf-4e7b-9606-5b96a5b4d936,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8077b405-5ebe-4d5f-ab6f-154e9a5c4c76,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9bb3f3a-5d11-44c3-94ff-4bfe6e99ec1d,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa767863-713b-4b26-af7b-5455b9f59ebc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bfde4d7-72a8-4a2e-982f-c2173723ac11,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59f9aa37-41d1-4a31-bef1-14a6c22f2579,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fdddd8a-326b-49d0-8c1f-080ad5aa0c77,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c165b237-d44b-48b6-871f-132448e4bfb3,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7a9388e1-8462-4ebf-a58a-1816ea87badc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fea7cbc1-e8c7-449b-918b-9082ff1a2be8,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77c9db69-dcb1-4d81-9994-a30c2a49ba0c,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e63f0068-17e6-4b7b-90b7-901b770339f7,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f256f897-ebcb-4d7d-a203-1bc476d8ce04,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,378eaffe-1707-443d-9bb8-ca9a87645aa7,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94f49edf-5415-4e3c-863d-e43f85596c28,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b672c38c-657c-4951-b6b6-6498e0264d7e,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7800333-6f18-4089-b356-a7e8255b35bc,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,411b6a20-08e7-427d-8354-cb26a3db9925,"4/16/2021, 8:35:59.109 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68e92c1b-2c78-4809-a9ad-56bd360e93aa,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85f41bc4-36a2-41f3-a04b-c2d05fa3e0c0,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd848d24-d88e-4a91-9bb4-e811bcf9f1d5,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6d69019a-a119-497c-98cf-36c275ca2165,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,463f68b5-015d-4ce3-a83f-ba9125d95123,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a5ffbac9-cd52-4c72-ae3b-677eab89407e,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc620f05-22a7-49e0-9e65-d1bfbbaafdba,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dde3c4aa-fec3-4942-86cc-f1936bef4b5b,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76a27f4f-748f-4c60-8cb9-35347c609619,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3c5fc77-050a-4d98-afd6-092524892ce3,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e5f0677d-76f9-4236-8acf-6503a8e78d07,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b74505e8-c488-4e84-a49b-668647dc2227,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,268314fb-d952-4588-8017-33d3941431f9,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe4304b2-9224-4d6b-8ff9-7e6fc51c572f,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,640213a3-0268-45d9-8cde-f21154514275,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6f5f2976-f77c-46cd-9d1c-077e10192394,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,be604139-3c8a-485f-8d1a-ecffcfb3f1e3,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,545bf92d-345d-4ae4-a5ea-ad6b90c3e111,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63a1d757-ea0b-4934-9407-e5296de626f8,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8507a31f-5702-46cc-b9e2-685148b3d665,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06e64994-d639-4d25-9f19-3723cf8aa73d,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,635a35ae-dc0e-4e27-9cdb-2a00c40aa669,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9cf5ee5-b215-44e8-b115-bac73ae4f767,"4/16/2021, 8:36:07.120 AM",,,,,NTLM,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,6116cab0-f55b-477f-9c29-842a3a9794e2,"4/16/2021, 8:36:09.859 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,59c01f20-8461-4609-a495-5c4e540573ad,"4/16/2021, 8:36:09.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3232 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,35c8639c-47b7-4661-87fe-d1cf57907fe2,"4/16/2021, 8:36:09.859 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default 
Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6364 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,fbec0b0b-1bef-430e-9749-378b040e8936,"4/16/2021, 8:36:09.859 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,0239a63e-0db5-48ac-b319-0fa4987a4fa6,"4/16/2021, 8:36:09.859 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,206d517a-4fcc-4833-a863-05201da9b7e0,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,184a4ede-2770-4b6a-895c-548c16bfe61b,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0519f006-226a-4170-8101-522ec95a8c8c,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6547a612-96d6-403d-8458-40a78df5d6a7,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73522d29-ef00-4d35-88fa-775e4ba561a3,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efff9f6-3272-4769-821a-c7f7f071ff0e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43fe28c4-b6a1-4f90-868f-5130d2e7a132,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fab594f1-e0e8-478f-abfa-f2e57bb1cfc6,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3abf308-bb02-448a-997d-4343f4031a0c,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04bce355-b76d-4678-8b09-665ab07be822,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e98c029a-5070-4cf0-a149-c97be4962fe8,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d13c42a-f36d-4bfb-8b01-4ab75633c365,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c8992d5-033d-45df-9196-7f6ab120d43d,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,821c86d5-f1c5-433a-a759-47205226f017,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e4066d-64b3-4cad-aeda-5976b8bf591f,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,2306a821-1874-495c-b9bc-9bf5ac6139d5,"4/16/2021, 8:34:04.098 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d8b4c3f-0e5b-4b73-accf-c560f7f7f801,"4/16/2021, 8:34:04.098 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7458826-4de7-4561-866f-dff2b7f2661e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,de451dec-ba45-44af-b3d3-398b83486d1e,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88a888ee-f1aa-4f62-aec6-7a97019b9461,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a846e90-9ba9-4adb-826a-56c28c41514d,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87f4343a-2946-4c51-8d6e-3019117f1317,"4/16/2021, 8:34:04.098 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6204 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 68705285F7914823244E19E4F6DBC4A75C4DE807EA1CF128AEC2CCAFCE5FE109 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.17763.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,beee885d-28bf-40d0-80f8-be05069ea8b2,"4/16/2021, 8:34:04.098 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4680 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1512ad-96b4-41ad-b8c8-358d945ce61a,"4/16/2021, 8:34:04.098 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,48584d74-f2e2-4e2d-92fb-d51ed2755aff,"4/16/2021, 8:36:08.223 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,03beb00d-8069-4165-9fde-152f2d2a9d5c,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,43f4f1c7-6d2d-4b01-a15e-744b1eaa9780,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d87f36d-cc6b-4536-9cee-8252593d1ee9,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,416e632e-8b72-4094-86ea-60369e34fa43,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key 
file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,656655dc-d141-4202-b934-9e292cbf1fe0,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,864beeee-27d6-4bc5-8dfb-fec8c87d79dd,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,942fe97c-be59-4b71-b00b-7da1699a15db,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0300a67f-2712-46e5-9979-7b3806560bd7,"4/16/2021, 8:36:08.223 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,6c125d4d-82cb-4544-864d-773c16d0e199,"4/16/2021, 8:36:08.223 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c1cafd37-2c40-4a02-8b7e-f0aa3a92991b,"4/16/2021, 8:36:08.223 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69fe1b35-9a65-48ac-a531-d268783ab77c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a7c6c4c5-31c9-4168-8e7d-c4379eeeaad4,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7c0de4d-dd7b-4434-8635-dabd5b8e16c6,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eb9e2533-10c6-4a45-9ce4-c6fec0820d2b,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,27301b49-71d6-46c4-9054-6fc5968edb0e,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0798616b-b53b-41e1-a2f1-234fc8dfaff5,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94e665ac-970a-4ded-97d1-41af2bdae4b3,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32840b9f-f0a4-42f2-a7c3-f15e9fbfcfd2,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cf4e664-03b8-4349-b67a-ca7d0a6ef986,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce2f27f0-111f-4758-ad8a-71476acda37e,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0781797-fc34-40d5-ae4a-e046fc70a436,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,467f3259-1b8d-4edc-abb9-729495790e5f,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a58fa4cc-6a95-4b18-8fe5-c968ae5f251f,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eab56e62-daa1-47bd-a08d-ceb10fc3c66c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e8bba17-afd1-4385-9d2a-c971abc2d2b4,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1bcdee19-0397-4c90-8d1d-e7d1b9b40709,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8cb1c1a0-5f34-41bf-890d-329c4da97414,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa5868df-6137-46a2-8250-abf86a92a043,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e32887f7-22a2-460a-96ef-ed08a10a460c,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85991afb-0810-4a03-a5e3-b04718115124,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,353113c7-19ee-404d-980c-eede07cc2f01,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bf8d26b6-b907-40b1-9c2e-6a3dc9568a89,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76ec2ec3-421b-41ba-8754-3d19a6307162,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b1a39c28-9657-4155-a3d0-a8d0e66bc2bb,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1d8a9c2-ba13-4e3f-a80b-af6f00c08450,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b8c5ae-11c8-49f9-bafb-7f888d072af0,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdedb27a-363a-487a-8fb2-cfc8c3844841,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae2a928e-0fbc-426d-87b0-4c81e637b3e1,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b95dfad-5706-4c41-a88a-d34493180294,"4/16/2021, 8:34:30.106 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc2479af-c275-4a98-bcde-4e3599819335,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82f85e31-67e5-4582-9a70-86490d110a65,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3199a2d1-3650-43a0-b817-e50a0080e757,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\BACKUPEXEC,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54d79d13-cb2c-47dc-8289-02ba1cc66f0b,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9515fa1c-1817-4b7a-861c-05ac06873af8,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a7564c9-1cd8-4b80-ab70-dafc992cc238,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b2545d9-5188-49c7-b031-f524cd3fff60,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,611aa449-b883-40b0-84be-684069cd77c1,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0cd6f68-a293-45f0-b017-f5d722ada322,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb1e4afc-0f3c-42d7-af7e-29018a1511c1,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,923faa66-aa6f-4b18-8ec2-f3c07ceef156,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75659247-0b7e-47f7-abfa-b44fcbe8e260,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2a5bd75b-44f2-4055-9d76-d0c8efd45da2,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12a8752-6c3e-4e8d-9b0a-522f0d885132,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e55986aa-095c-4f6a-8941-4a191c008dbf,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25bc56b7-a40f-48b3-9b58-071c9b786225,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e89258f-9ddf-41ab-ad4c-4748e4131cff,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\COMERCIAL2,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5558ce5-56fa-4133-8bfe-20ab760885e7,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5367a421-764d-4c1c-a393-54a45c2f40f4,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82870902-3fb4-48f5-9913-2c672f2d90b2,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bdc192fc-1c5a-4536-8c7b-0960b03cf0e8,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37df4ae2-1a6f-401b-9620-e7e229cd6031,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33c4ff50-34a3-46a6-b109-ff66ec6b92b7,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,11a9a84c-d7a9-45bb-aaee-9c01524acd27,"4/16/2021, 8:36:15.172 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,ae14940d-1860-4c77-9b0d-4ae2c8aa0b6f,"4/16/2021, 8:37:03.597 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 
24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10908 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,84ab6b17-7381-48d0-bc08-87f85e4ed5e8,"4/16/2021, 8:37:03.597 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,a14ab693-5d0a-4086-8b35-c106d8a1b355,"4/16/2021, 8:37:03.597 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,91508fac-30ff-4b31-808c-5d492fa90f93,"4/16/2021, 8:37:03.597 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,6d059c65-7fdb-40bf-a8b2-6bb9a1b24cd6,"4/16/2021, 8:37:42.854 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4320 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING 
SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,42fde374-8ee0-4d03-b593-ae6dda4670f3,"4/16/2021, 8:37:42.854 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,1162d75b-b128-4f2a-bcb2-a022e28b1160,"4/16/2021, 8:37:42.854 AM",,,,,,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcf0368e-82b2-447e-8d25-929acc90d4f7,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54ab8903-9fb6-4a5e-8e07-eeb1f29e6205,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ffe6ead-3c1a-4bad-bd16-b4fb384ca1a0,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9e66ada-2c00-40d6-9771-39332b32c698,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d74fd08e-fa6f-4f73-a44c-a99ea397ce6d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,823d959d-f6ff-42d8-99bb-1c96e67fe553,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, 
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38f57a00-359c-4ff7-aafe-d4db70f1cb28,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e66480d-33df-4a0e-8a8b-be16e9e48527,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e6b36287-afd0-4070-b6c7-43c5fc081518,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa8513b8-503c-4de0-9c8f-6bad0af2234f,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca38ed40-9386-4f45-8780-c63305adc807,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7941358-0ab3-4720-9074-344ed25bb06d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dca910cb-5b5b-4162-ad67-6103391df3e2,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,629d8a28-48d8-4f35-a4bb-593b71adc80c,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1617dfc6-9dbb-4ea9-a72d-c8a040dbfb95,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,103a64b6-14dc-4965-8996-63fc060906f2,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a8a1c788-cd2b-4dbc-8d10-a7f74f62c4af,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a142c05f-62e3-4ac4-bb94-b581afb33d80,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7861cd15-a58b-4c1d-aa4b-24d8f16efd4c,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\PC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa6da255-ba06-4e6c-ace0-6084aff92a4d,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3dacffd3-dc70-4135-9cf5-0d098e839a2b,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f58cd5a-ca3d-428e-a6a7-b0c9c64ea524,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a4bfb66-af3f-4781-80e9-e62a3ac562c0,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ec072d72-47a4-4653-aac9-c8ecc8bf5139,"4/16/2021, 8:36:16.588 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 15056 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,23378213-fc3c-4eff-afd7-bd036b32e6ed,"4/16/2021, 8:39:56.983 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,2d87c3df-e0b7-4025-9f23-3f741ef9c3ad,"4/16/2021, 8:39:56.983 AM",,,,,,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,462ad33e-968e-43d4-85a8-eeb90d235040,"4/16/2021, 
8:36:16.410 AM",,,,,NTLM,, +\TEST,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8089ce41-e5ee-4c7e-8582-0f155272840d,"4/16/2021, 8:36:16.410 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8c5b550b-bcbe-410b-9d81-20cafe42785c,"4/16/2021, 8:36:16.410 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8f53122d-d33d-42bb-b046-609ec2fd7c80,"4/16/2021, 8:36:16.410 AM",,,,,,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8006d6bd-ec6d-47dc-af45-1a115ccd9f3d,"4/16/2021, 8:36:16.410 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6648 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,faf0bcfc-ee29-412a-b1f5-55e6100899be,"4/16/2021, 8:36:16.410 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7900 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8d3251c9-e6d5-4f30-a3cf-e493b04f1ff5,"4/16/2021, 8:36:16.410 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e593b29-7b36-48b9-956c-cf682aae7509,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e943fbc-b5eb-4902-89a0-8d4538ce7923,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,449fe1b9-eab1-46cc-91b0-60ae9a8d8f9a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,017f7a4c-793d-41d8-8fd5-29c262c32467,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f78608a4-d463-446f-a13d-ea633f0dc102,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30877498-7fb1-471d-acc7-3643a2fe6ca4,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7ac3e715-26ce-44d7-9182-89f48fc4c841,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7308c62a-2acf-4c12-ae78-46d7027c0ec1,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,df38f192-3f26-485d-bc79-5c85d44bb06a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3dc30bb-3a6e-418e-b3f5-52eec3a558b1,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8f1e3b-88c6-480c-b9f9-24312a48b4fb,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\AZUREUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,292b4e52-4c1c-424e-a4f9-ea5dcfc87af0,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce789473-27a3-4c5f-91b3-e346bfd0a4ed,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0a75ee6-4ac3-4774-8ea8-c05cc4752683,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffe72f7b-f720-4b21-8f5b-c378258ae62a,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c3fbe375-9841-416e-a9ac-abd3451ae2b4,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c82f1da0-2160-4f95-87ec-19735392c7d0,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b074231-639d-4f00-a86c-041003938154,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,001c85c5-b262-42c5-835c-0b3f2fdcec2e,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e11afd5-225c-4359-9877-c717d1a0c0a3,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e09e75fb-d1e4-4260-8dbf-c1a98f699081,"4/16/2021, 8:36:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4316 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b49cd4a1-48a3-4e42-93ba-6102fbf54f14,"4/16/2021, 8:36:20.116 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5400 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,6bbc1b00-f7f5-420c-ad07-298c3720352d,"4/16/2021, 8:36:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4d453ed-0264-4bcd-b38f-43b2c66c50af,"4/16/2021, 8:36:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,e7a03279-b577-4354-a8ba-cd9043271634,"4/16/2021, 8:36:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b1f7f6-4151-4922-b6e0-7b388f82476f,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2817e93e-1c75-4a4c-a0d3-c7ae3ce0aaab,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bec24c50-9b1b-46ca-9ad6-ba0dae245806,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb742eee-a738-4919-b50a-fb355dacdbdc,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,451069f1-5030-4454-ac2c-8cd0a32b0e3e,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51d980be-1005-433c-90c4-eca6caabe053,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3af1af40-54d5-4628-bc81-ef576932ac18,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d208f07-864b-4768-9182-6ea11fe4dd83,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37d2d314-754a-4f80-8526-be8e1d4bff5c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec2b0de6-6ebd-4d02-b89c-9ea7a436003c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7957c2a9-0d8a-4177-9d35-2bd8c92fd378,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,85ff60c5-8c34-4190-b514-72aaa370a602,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79b92ff5-abe5-428c-8fda-1ce613ed4961,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff4e5e2c-59ea-4e72-a209-5e7289424b5c,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c09dc57-04dc-40be-a87a-cb128a2b6e2e,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb0088ab-c7f9-4e4a-b9ef-db38dc013562,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9aa219a5-0aff-404d-abe4-2b376e40bf58,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,798db391-d9cc-46ec-af21-0a1863a91bb0,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db2a2061-4dc2-4b7e-902d-9abfeb923703,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3d19ad6-841c-4bd9-9811-d815cbaf83fe,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e783a6bf-5048-44b8-adc9-989dbc6ddd15,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efd4272-44c1-4a99-a29d-1476ad905082,"4/16/2021, 8:36:27.136 AM",,,,,NTLM,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,4dacae56-43fc-46d4-926a-81566ff95108,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10744 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed 
to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,28671c86-3081-4fe4-8cda-9a0c0da7249e,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,2d5b3c8c-dc53-4e64-8d47-a74c4ccb0d09,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a979aaae-decc-48ca-8d16-bdda24744843,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 112 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,32b52dbd-1276-4b08-aa5b-84a17c98893c,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,470a2b1d-1f66-43d9-b058-fcc0ebeed2d3,"4/16/2021, 8:36:26.516 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6972 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,451bbbda-3be1-4006-89dd-5c9b5dbb08e6,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,bd1d7e5c-3fa6-4023-adf5-0b9fcc3793c7,"4/16/2021, 8:36:26.516 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,00a9caca-b8d7-4f1c-a70d-ca94ac1251b4,"4/16/2021, 8:36:26.516 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a0db6bd-cae9-41f4-acbb-23ac0f6c6505,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2cb970d-55f8-4c94-8c46-3967507f97b5,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\BACKUPEXEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e9618bcd-27d1-4645-b7de-f6c6a94f4a01,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,34497709-0752-4b92-b2e5-b4bf13841192,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,22b51763-de37-4265-880f-b2b62635f1cb,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,161b6514-f50e-4299-b9cc-2c188bfff8f2,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,be7badd3-22a7-4a35-bc32-119c242d098c,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a296876e-ee1c-456a-8b81-e24db677d64c,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5de793ba-f5d1-41e6-a2af-e5bb36abfe74,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2933a01d-a875-4d08-b197-e836df3403b1,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\SOGGYLETTUCE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17b5e589-5f1e-4282-a002-96eb673e19d3,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79b44b5e-c5f0-45d4-b861-ffc0ae5d99d7,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f790f7f7-e4e0-4f8d-b513-a2d4896c0ae1,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6114c0ba-33d4-40a5-a9f1-29753472460d,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7a8db22-e299-4651-887c-ebaa90751959,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a8bb7ab-af90-4bb5-87ed-ba271a116086,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6bc9b6e-a8da-4767-a2dc-24edbf76a4b3,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3789e2b0-4deb-4119-afca-b2fa0a294348,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0ea7e620-ddae-47a0-a8b3-880d2d892bf4,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3602efa7-a277-4385-8035-0ae74e7bdf32,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2bf5663-6ed3-4655-a7bf-a590e8497790,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9526918-089e-48a8-a2ce-a712da0cd840,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9b3e9ea-975a-4c38-b94d-f61663985720,"4/16/2021, 8:36:27.570 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0818fd8-66ba-4509-9db4-88a315cc2d3a,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e2cd015-e967-41b9-8088-675a64b70676,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af5e788-b5d3-4d15-a677-f023e192e183,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c279e615-33a3-466e-8390-f3b5af651b1a,"4/16/2021, 
8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ae39603b-e772-4f6c-9c70-aaad8bcbff0a,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,988a616f-8c8c-4c3a-aeaa-d59e3e02ca14,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d297cb68-7a98-4ea1-b47e-8cb954d5644b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2fe391e-4fdd-43b4-ad5a-91bf1772829d,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ca1526c-ce06-415c-a687-074ccef2ad31,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89bc71ff-d622-41d1-bf9f-1578bf926946,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03068394-6b3c-43ea-8baf-60736dc4da0b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d32b085-5447-47ed-81b9-fcfceec49a1c,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, 
+,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,1950e702-ee37-4559-b916-b2c12f8252aa,"4/16/2021, 8:36:33.099 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43caf3e3-42f9-406f-bab0-d69be2804223,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3e9db8fb-0575-4e26-b084-8f401a6290ed,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fca889a-2c89-4dbb-809c-d74349a6566b,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d18ca138-9f2d-42c2-8550-ff9620a4ac20,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d30124c4-180e-4f35-ba0c-4a12d3f67104,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc3392c8-0ded-4024-832e-dc74d84f82dc,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2246d22c-a3b6-47a2-838b-a8dceacb49e1,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fdd552a-1a9c-4844-a15f-a6299bb7e3e8,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2bcb111-4af5-4f4a-9c74-bec4c66b66d9,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7b7b331-defe-4ea0-a636-15dcf217a7fa,"4/16/2021, 8:36:33.099 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae6a4ec9-f631-47e9-be62-8ae9d691f8ca,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9194619c-77ae-4e6f-9f40-59e365bc67d1,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54ba32af-785e-4693-a517-821b45046393,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,830b9f9e-c372-4355-9544-deaed4267c81,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d940546f-617c-4350-a6b6-2ebcc7926a94,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a8f3a4e-f65f-4c1b-8ec0-e7f7110a6060,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6238cd5-858d-45c6-bf72-72f3d759179f,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b090b0f-3e33-4cc6-b329-f8520c511c44,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9c4a47a-54ba-40c6-88cd-f6eb8b6fa66d,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b238c47d-08e0-4e71-9613-4a70ec36c63c,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6f14ad4e-940e-44ab-a6d9-0f52f7213b1c,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b60a1005-8e17-44ea-9c57-933e3fe28348,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42fc93c8-68c3-4964-a78c-3af8e5b51558,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1fc65150-7023-4ddb-823f-e4546ee82de9,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,eea02f54-1c2f-439e-863d-2ffb16db6510,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ad4beaf9-33be-4813-be28-b0730bac75b5,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7de73f72-f1bd-4490-bd39-5fdda58eddd8,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c36695ef-03a9-488e-b2bd-dfc380090aa6,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,793c696b-ab9d-49f5-ab74-4099d994dede,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9cefa2b9-670f-42b6-a4c0-0db30eda5f7a,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +\OVX,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68e1c3e2-f3ed-43a9-b3a6-7c8f4a6b8b18,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa1b5a12-eeb6-4424-a060-ca7be992af95,"4/16/2021, 8:36:39.580 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,d984ae20-cf81-46d8-a88d-622f90783a07,"4/16/2021, 8:36:44.852 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,43c325c4-09cd-4306-8485-e424d646460d,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ed7d0f4-2810-4476-b8ec-586ae0e06b77,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,87c326b6-0849-41b1-9a79-83c4b496d699,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,593997bd-5600-4ddc-a7fb-e91c4f2e5b58,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,93923116-9647-49b2-9733-02c368d1bec8,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8408f09-81a7-4611-97ad-8d2b8bb8098b,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d4c9c29-619f-4103-9d75-e4699409b54d,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,38db587a-11f0-48bb-894a-0cfc9115f2e0,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f27b9791-5306-48f7-a4b3-56ff0c8d2786,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0848532-552c-45a9-89a8-894134acaf06,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read 
(ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,f19b5f26-2ad8-4c1d-85b8-6bf32cc15d77,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,8302f00e-0af6-462a-93a6-e8a1d0af07a1,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0dfe51a-5d6c-4781-9e6f-b97af34f12e9,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,964e1b60-00f9-489c-9d92-b8239add8528,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3c565d1-9e2a-4638-bc3a-d920d8380f09,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,4c8400c5-c592-46ee-ba07-1ad0a78ff83a,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,155b362d-4b0a-46da-a994-e93bc278278f,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2b7dc7d-c0f0-499a-9e20-f1112ecf2ce9,"4/16/2021, 8:36:41.249 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,c562c266-3ae0-40ed-b128-e65d95ba888b,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c2051f-6ba0-4f88-85e5-8574a0434a51,"4/16/2021, 
8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e778bedd-9869-40ec-b71f-0fefed8f6f9b,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{9a771a90-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,1db2b931-9c69-4cea-9856-4724233d4133,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e59dfee0-5d83-4b63-b1f7-d76f59462f26,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,41502da5-21b7-48ec-81c9-baeea8d7d669,e51aa596-8d28-45eb-89a1-d3d03ce07f07,"4/16/2021, 8:36:41.249 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\SOC-FW-RDP\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{6129dd30-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9c2e761-b144-41bf-a5e7-cbc62b99f765,"4/16/2021, 8:36:41.249 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff093687-d4ff-450d-af39-11f82baa2892,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc9d04ab-d55c-400d-a4ea-3c2d023b19e1,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9096c3fc-88bd-461f-94aa-3d0d08ff3fc8,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9fb2cd3-ce3c-44c6-a139-4fa8a69e7a7c,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b707b89-9c56-4302-8272-993c149aab6c,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 
24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8436 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4cf30c22-a851-42ce-9a7b-374e987530df,"4/16/2021, 8:36:41.249 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cad315e9-7340-47dd-b946-eb4c0db6b96d,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,782ee1cc-9781-4a37-a3b2-72a80986f05f,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +\ADMINISTRATEUR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73c8779e-97fc-4fa9-ac8c-94c838ce6487,"4/16/2021, 8:36:41.249 AM",,,,,NTLM,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,fe1f08c2-55cb-426a-8fff-a4fa16bc49a2,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,b4b47e9e-3086-4e9d-9a1f-12b7712823a0,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 
48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3924 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,741aae81-324b-4d68-9f35-c19693031dab,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5252 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,4c329311-cef9-48e6-9da8-f0d694992b25,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5900 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,27cb31c1-7f62-42e3-9b53-e3765bbf7342,"4/16/2021, 8:36:46.745 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,279077d5-2c47-4b9b-a574-724432e595bf,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c3c63d73-adb6-476e-8820-863f9e224e6c,"4/16/2021, 8:36:46.745 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,c7c128cd-71b0-431d-8bfa-1e12e1ad7552,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,0aa46053-e653-4e03-8997-e9ab5fca439a,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ae4bfafa-efb7-4bde-b821-956b472a4d12,"4/16/2021, 8:36:46.745 AM",,,,,,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 
0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3219ddc2-8357-40af-874d-080e3323e2b5,"4/16/2021, 8:36:48.410 AM",,,,,,, +\OVX,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,b07e9956-e133-42e8-8be3-e0816834c27d,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,64ee7666-d786-43b7-a514-6a92122c21ef,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\SERVER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,d0e83285-0dd7-4844-b3da-9c92b9a837a2,"4/16/2021, 8:36:48.410 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1c9a449-aa61-42db-82cb-e91316452b10,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57e53ecb-050e-47cc-b78b-ab950e30154c,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\MJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a03382a-a6d3-4e2f-a78e-04bf8e297bc4,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0cb2c9e6-cee7-48ee-8fcd-84e83c68f227,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0633510-bfc9-4ea1-b83c-5543d54c5591,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,89a3b204-14c7-4b60-9a1f-ba0a91f6c630,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8597cc3a-478a-417f-81b6-2beec9c13ad9,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbae8df6-c184-4c20-9486-c103408cb9d5,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,455be424-6c38-4fc2-80a3-bea9d8c52d10,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd767bc7-fb35-4e5f-9430-6db84ef2c90a,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad6ac757-3f16-4e3d-9a46-e8bd084e151c,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed7f26f3-dc17-4fea-9bd0-e389f29739a7,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,91d66fc3-8cb7-4c13-8d53-6b77dd915d80,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44a27e08-df73-4edf-b551-b3fe80e7c274,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15095765-cb93-4c1f-ac29-dde7d2ea1cfc,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21fc2856-bcf9-4a71-b990-7ab3a289c82b,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,30a8bae8-10c6-4c76-973c-001729a762a8,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35171675-ac38-4f69-8110-c0cfd4804ac4,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54749b25-96b3-4698-b370-ed4ecfd3e4be,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,88f6b819-fd2f-4f45-b4fd-b2c0e7a908b3,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,033d15d8-62c5-47e2-be5b-05eaee996908,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce0cf50e-bec1-4a33-8749-4298064bfcc8,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14515235-0176-4645-a8bd-73ab3e3f3325,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,326d38ca-0ea4-4b46-83b5-008c8b69dfec,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32500cea-8bb5-411c-9278-c89e88a9809f,"4/16/2021, 8:36:49.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,af8b6152-62ce-4cef-a08c-d116f56e073b,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f9e080b7-6703-4a9e-b2ed-8f2d6a1a2642,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270c0c5e-b8fa-459c-a780-4001b0f91677,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dec5e994-0551-4141-befb-6af5fffaa005,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d1caca1-2492-47b1-a111-366b0f7db677,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79042d74-82d5-4c21-bc35-71a498947ac2,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,088340eb-b7fa-40b1-9971-21ff39be6b68,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06f00ad8-6762-4bf4-8d60-8ac28c269aa4,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,78f8e1a9-5d0c-4c4f-984a-a4a84148b395,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58a73313-3b02-4c1a-9b33-575ab13494a3,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e43b20-5466-44c3-9b15-09af1dfd7d97,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17d375aa-afa4-40df-8756-37b9bb81b98a,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1a4ab77e-a0e6-4b34-b250-4e68aabfb842,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fef88503-5be8-4361-b3f5-85f9702af609,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39cc9311-b692-4db1-9475-43fcc22bd150,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f2bcded-f3f2-495b-a01c-69eb68ee30a8,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec4dca90-ade2-4905-9d85-199a41ab7c1d,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6ced7ab-570a-4b17-86d8-ffd9a64ec9ac,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5805fd7-2f28-4972-ba11-e6b7e456066d,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48fab024-a38f-4caf-9b12-9959d12cb8ae,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\REMOTE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8c1dad72-4255-4b34-8905-e816a2835f98,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,831da82c-9a84-4d1a-9ab9-b298899e71f8,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a106e123-db0a-41a5-b2c2-b795335c5e41,"4/16/2021, 8:36:39.098 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,18f2bc07-9be9-4c2f-a02b-e2b3369a9124,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7cac1db1-1c79-49dc-aa4f-1d25cdca5da3,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3cae2d50-28f8-4c61-b29e-702d436dffb1,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,26eb7a22-d934-4e79-909d-0256efe69ef0,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,54179f9e-4715-4255-afb6-d67fe2146485,"4/16/2021, 8:36:43.121 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5bb0956c-d0d1-43be-a74f-e0fbd7c66e2d,"4/16/2021, 8:36:43.121 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,845c1620-c248-4305-b111-e867fec1b528,"4/16/2021, 8:36:43.121 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,c20f2222-f53a-4adb-97af-fbc07c13b469,"4/16/2021, 8:36:43.121 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5b3f5a87-bc3f-4143-a25d-d8a3637d79d1,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8032f47c-73f0-424f-94e1-6d317f725c5d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4944c760-d3af-4720-9987-d6f3b1775631,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\ADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9eeaf24-e34d-46da-a7b0-e087955161bb,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef81b529-2fe5-440d-b81b-129e2726ee47,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\VMADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3e8d079-f59e-4a11-b719-61c5ca9c8b4c,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,648b3bef-ddfc-47ca-8216-fc168238162b,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,faa43309-085b-4ec1-97b8-4c911a957516,"4/16/2021, 
8:36:49.575 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a59ea91e-d363-469c-a2b1-d559d84b1c33,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d2143b2-9a9c-4158-b686-67210b748b57,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2ea3e28-76aa-4660-92a7-f9da74edb4f4,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e42f6509-c8db-42a9-b220-babbfcff2a2a,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a88a01d5-a0d9-4cbf-974b-65d887958d9d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc090c97-9549-410e-9423-eda02f00ae10,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,42a5c501-19a7-4cc6-b9b1-bbbc1df3d9c5,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcc58554-5be9-4f4e-bad5-6ec7782fd106,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d1ca55e-7afb-4537-a0b3-90a0a68c389e,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8793bb0-82b6-4092-9353-71500d60122d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cb80baf5-349f-49be-b353-bea307901bf9,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,41e72b97-8dc6-4959-93cd-d97268e9dc07,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\NJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,70edafcb-1c9d-4491-a569-c8e53da75fb3,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e30499a1-acd0-406d-b080-58741246b81d,"4/16/2021, 8:36:49.575 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7dc7aa9-9503-4a46-8fad-027c8f9630e1,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ffa900c-17af-48f2-8e78-cacf912c9949,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15eb9f3f-ca31-44d7-9ba2-179ad5db4519,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3fa21f8d-eb7b-4aa0-81ad-0ba4ddb146be,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\CONNIE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb79c0e5-4aed-4532-90e5-3035c2c8f8d1,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\COMPUTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e2442580-5425-49a4-9af5-62518b8b5500,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,18a84b2a-b47f-41c7-af59-c28ef487e3a4,"4/16/2021, 8:36:57.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,637beaf1-c3b1-4f8d-b6b9-23f2115e8e2a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d29742b-c70e-4c9b-a1d0-b85ad479ee4a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6000 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED 
THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + B8F9A1C213182E9E504DD17A1BB53823BB61BB096E0599912FE85DE09EAA68BB + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.17763.1852 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b127ae1e-ab34-446b-8bfc-6e50c12d18b1,"4/16/2021, 8:36:57.097 AM",,,,,,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98247a58-ba42-4415-9a47-fe55f870b38a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\DAN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9daeab7b-fb37-422c-848b-3604c1030bb4,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,576db32e-7b71-4d27-9754-e5dd6faa8338,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77f2eba4-3249-4640-922d-54c819f0bf3b,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5c690194-20f9-4262-8303-7ee7bfd29a79,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c6bfd9f-0635-4217-a038-186ecccecf6a,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,97070f92-de02-4fef-949f-7e707e9b73ee,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7da358bc-ea6c-4a43-9220-b70468445ea6,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,443ae713-2d59-4b2d-89c9-e921cd45e688,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60b20829-5116-4b69-a2ce-5f1c97dae5c4,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,664ce931-d5e4-48ab-99a4-38f49c86a908,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6379422e-66b5-4ad0-91f5-c146bd8772ce,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93b7f00c-856e-448f-a3ba-87b341d6252c,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21d1871b-7838-4dba-a306-5a515d98028c,"4/16/2021, 8:36:57.097 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13576 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,d529391b-d35d-4cd9-ae77-898df157a712,"4/16/2021, 8:36:56.975 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1296 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,7d878f68-e662-4463-9386-12a343eca2c1,"4/16/2021, 8:36:56.975 AM",,,,,,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc893774-c46a-4047-b1a2-5166142e7947,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31540f42-e54a-419c-b33e-c13a58b10090,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9d376a6-45e2-40f5-9300-c8569744391d,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bdebc09-8186-49c7-8c5b-db4287171a94,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d4e7d78-f2ef-4c81-8b83-7552fbc674e6,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f171114-081c-4676-9ddf-b2143fc8beed,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,57a39dd9-beba-4ab8-b82f-1b77d8ffbd37,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,785636dd-5074-4540-bfb1-4c282e6dca2b,"4/16/2021, 8:37:02.701 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46ce95d8-75f1-4a57-b98e-e5495942964c,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66336378-abae-4b27-b5a1-9eed45d660c3,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c918d800-19a1-4666-a6fe-0ff726c0a4fe,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7982ffd9-7350-42cd-b1ed-16667a05df9c,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a1823fab-9262-41a9-a619-e579dcfcd4b3,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6db9c598-7b80-4d51-980d-a85f38fbe621,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25c42b0e-578c-4df4-9d92-980b9e4e1e3e,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,646d7fdc-5c9b-44be-9233-557355c8e575,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fefc5cbe-a7b7-468c-94b5-02c3cab2f651,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6c995661-72dd-45a2-9b8c-6b935a19de56,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9b6bdd5a-f9d5-48d3-95bc-c4da2ac83409,"4/16/2021, 
8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bc294a1b-70d7-4aac-a281-db8e34a6f6ae,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,151dfa94-1996-4634-8dfa-870331620c94,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8d79c7ec-de9b-4cd5-bc3e-7eedf960c625,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e16997b7-c84c-43e2-9299-c79f067fd285,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac9ba2e5-aec6-4749-ae19-24f2530e8dd8,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9624789-c37c-4fd1-8543-4b8efd25358e,"4/16/2021, 8:37:02.701 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aa387e3-9745-4a53-8517-1c5d006dc57b,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0e43ef6-202c-4b2a-bfe6-0e8a85859c82,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24361054-433e-44f9-a112-a977520879c9,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4d468a3e-f39d-4444-a5eb-80b90a47e699,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c9f296b-82a2-46a4-b774-7a109c79a223,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17b41e5e-2cbb-489e-a758-014e9aa57068,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad147591-66a4-4886-913e-29b4c0181361,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63b48e1d-69bd-4888-b148-820f3004b131,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,87e06502-355a-4087-9769-3de7455f7c23,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7cc3463e-9eac-420c-ab58-5608901f31e1,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,980a158d-70f4-4378-9768-3f42ac1012f9,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,deb2eef1-6cd6-469d-b7f4-12bdabbc65ce,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b7516631-a666-481e-b807-fd3be2cd8c0d,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,886961b5-4a9e-4602-91c3-b3f60cb9e914,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d6b09d8-979c-472e-aa6a-c975b271610f,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac41e7f3-13fa-45e0-8476-1452e0f6b5c4,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62e31c6e-1573-4d0f-bc98-e65148e998d7,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb875f4e-872d-42c2-99c0-38ea033d2fdf,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d2919479-c9c6-4570-8f7d-fb9475236495,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4294e665-4f8a-4305-9f0d-012fb012d3c2,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbed74ee-fabd-4428-a20c-7cf09ba35595,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc550054-bf02-47b1-9a00-5d1471c4f4a0,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac0fb68e-d836-4671-bd69-81da4f766eee,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,391779c4-a68d-4eca-9ac5-d36f6942db96,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d74c5bd3-f7e3-4605-b039-45e3d1e31eca,"4/16/2021, 8:37:05.099 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6776 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 
32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\Windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,95797103-e6f0-4857-9b14-1547e73a4915,"4/16/2021, 8:37:10.082 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-500 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,dbfc337f-75c9-4d64-9c3c-48077b4610ec,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-503 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,92271cd4-603b-47a1-a53e-17db392559c7,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-501 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9e8a981f-6e59-469b-b07f-09900de60aa1,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + TrustedVMDemo + S-1-5-21-17237524-3693279347-3277880188-504 + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 
+ 0x1978 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,360c15cc-9652-4508-ad00-740c9ef23d6e,"4/16/2021, 8:37:09.940 AM",,,,,,0x1978, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,f2c15544-9147-4aff-b31e-6a06549fefed,"4/16/2021, 8:37:09.940 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6260 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,ae05ebeb-c478-4c77-abcc-07d077a56664,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3916 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,3676da6b-3747-4252-acef-020bd1465723,"4/16/2021, 8:37:09.860 AM",,,,,,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,7c6f6254-4ad5-4154-824c-a11912abbc60,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,132088c6-7085-48d9-b413-1bad697ebb46,"4/16/2021, 8:37:09.860 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,e1d540ed-f45c-42fc-a9ee-7112282a2efd,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3272 + 39 + %WINDIR%\SERVICING\TRUSTEDINSTALLER.EXE + 32 + 5AAB6030A17E092A3F547292BF75BBE5E777C3C6C3E1759A023CA59FE87F6D98 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TRUSTEDINSTALLER.EXE\10.0.17763.1098 + 0x3e7 + 41 + C:\Windows\servicing\TrustedInstaller.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,a4ac7db1-1f7f-420e-8ab3-fcd86d0635db,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1180 + 122 + %WINDIR%\WINSXS\AMD64_MICROSOFT-WINDOWS-SERVICINGSTACK_31BF3856AD364E35_10.0.17763.1876_NONE_56BCCE8F993D30E7\TIWORKER.EXE + 32 + 
7EC24C6DAEE289FBD40C13635DA56FB1E9F868B65E3120B59D480D394ACD8285 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\TIWORKER.EXE\10.0.17763.01 + 0x3e7 + 124 + C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.1876_none_56bcce8f993d30e7\TiWorker.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,9ee31a2a-a06f-428c-a419-e15a67b0399c,"4/16/2021, 8:37:09.860 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,cda6f5bf-8a68-4fee-b946-a0bf32dd7fda,"4/16/2021, 8:37:09.860 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,de6d357d-0505-4c48-a27f-9ad8a89de5f8,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,49ef6603-90d7-4254-95b1-30132f3b5f80,"4/16/2021, 8:37:09.860 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,eb1fcb76-9e47-44ba-9325-ae2bd1911e2d,"4/16/2021, 8:37:09.860 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f236dfee-53fa-4b67-a532-00a022fe3afa,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17124e3e-718c-4aa4-9f7c-190fbbf0d891,"4/16/2021, 8:37:12.100 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb536d7d-a6c1-441d-b5a8-d72d52a016a9,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17fafb29-d15b-404c-8d54-31bbbb268008,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16d8bf69-a3cf-4a38-8706-aff38109649f,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e9cdece-3cbd-4590-b972-50a645fb5ede,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8314b8af-2d70-417e-af08-1fca710ff06a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,29a5005b-d482-459d-a851-249e2cfcc1b3,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,626f021c-a386-41de-89bf-502958f16661,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96a59835-889c-4881-adfc-231b0a6c2600,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,efbb73f9-754f-4844-933d-a876dfed2150,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21789484-caf0-4414-aa37-fb7b6dd7251a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b52f8bd0-2d57-4074-806e-d36358cd4bae,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd44132-f418-47a9-a23e-f1de8c9e5c2a,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a8871a-d918-4acc-9e43-33e80e5c12eb,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c55c61fd-5018-4eb3-a59b-0e5adf506a89,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab928024-30d0-4735-8eae-606e057ce44d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a72ef4fa-a764-4a56-8fcb-8035bc6f526d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d5c3e95e-e420-4df9-a737-fdf0490600ee,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57da4013-388f-4d2b-a0c5-41b85b5b4b9d,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a2a203-22fa-47d6-aa9c-2b0168ee1016,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53003ed2-436f-4a95-9bd6-9768e7521936,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,28ab3ba8-e00d-4e88-8f4b-b4e5cc7a8c5e,"4/16/2021, 8:37:12.100 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d8f29ba7-bff6-4717-8889-baba24863413,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4941ed75-b312-4093-8964-9742edbcbe81,"4/16/2021, 8:37:13.590 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0894d3b2-0ed0-4db7-bd8d-9244b07eddd2,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a116e2f6-8743-4d2a-87ce-c6fb95254303,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd3348f4-e2b8-4251-9358-420390f6bec9,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\6,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8bf808d-6b86-464e-b85f-d77abe76c19e,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,36fa8515-0354-4a02-9726-a995587f8b64,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f2d86d5-12be-4c69-b785-56e840308a7b,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c1684b6-0548-429f-bbc8-4e43e4195288,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56b3fe00-22a9-46d6-b6ca-cedab059c53a,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b34ac047-d527-4c34-8682-83a267b74dd1,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An 
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4ff19e28-ebc1-4c3a-af29-a2da55f1a0c7,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bf47dd6a-3c05-470b-a3bb-da7ab625ea08,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0f5d9b4d-8467-40b6-903a-defb8ef315d8,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d9ee989a-c586-4a1e-b2bb-dfa00863cc23,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,910b4236-8666-4e0e-99ee-061fef0657a4,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9a8664-264a-4b9a-b411-e6de5e326de5,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,509eebe2-95ee-4b89-ab6a-95e2b1778eb2,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b676b885-a130-4d68-894d-2d51c947e587,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b34c13e-3461-4061-b4da-9d856aad09c1,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2c66b90f-7c4c-46df-b41f-29447bce7a43,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ddfe6d43-6498-45c5-b9ab-8a60e2e7ef47,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8aa6b515-3499-4b02-9658-d70dee1eb7b5,"4/16/2021, 8:37:13.590 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,8a8a2f99-fbd3-4e68-9a04-bad40d4e52e2,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f462c7d3-d302-4c5b-aede-56d17c482150,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 
+",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,4929572f-8e64-4cd8-8fca-a9b315e70826,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b5616576-8095-4c48-bf85-d964b1a2ded7,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,83e3d786-3574-49ee-a0f8-313920a7a6cf,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,77abd37b-c635-462d-953f-875685147211,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c21669e-90a3-479a-8436-cf4d6d7d887f,"4/16/2021, 8:37:16.045 AM",,,,,,, 
+,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,98fa86cb-2be8-4da2-a471-562afbd05a2b,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,69af99a4-5e28-426e-88dc-7f058b7a2d8f,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b3c7261c-fe26-461a-99a3-8c8064a9321f,"4/16/2021, 8:37:16.045 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b14b3ed2-57da-47df-bee0-4e3a1bdf1da5,"4/16/2021, 8:37:16.045 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bccb87f4-e82a-4e94-a6c2-cb219172b428,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,db0542e7-c6d8-45a1-9b89-cda85d5e7399,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3dcbd102-c898-46f8-a2d1-6c69e9833ae6,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a496cbed-604f-458d-8ef5-0f2787da41a1,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e3f3318d-0a8d-45e9-834f-3e1849938b76,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,188be28b-e21a-4b9a-bb7d-189dcefbbb66,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f85432e9-f34e-439e-a0f0-021741a6b395,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa6f1801-b3e7-454c-b978-d54d1530cfb9,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\DEMOUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bd9ce77-cc09-4059-aece-d55dab0db04c,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99050588-ff62-4154-b895-b0ee86fb6e40,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,14f18600-d1b2-4939-8e53-c3dec78917f4,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,314b003a-1a8f-4fa7-8f43-be9bff3acbc5,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bb80d1d5-46d6-4bc8-b9f0-eaefdc0393bb,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f8a29deb-31e8-4f06-8795-8178fa8c960a,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aff78523-83d4-4531-a419-8dcc53f9e33d,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e229da40-bcd4-453f-9ad3-d1cadba91533,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5cd65aa8-bfc6-4268-9910-38d21d790590,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4ae127e1-0840-40f6-aca3-c17474d96dd4,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5bf1afaf-6379-43ae-9078-4dd94c091d28,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f6c011-c3f4-46cb-832d-1ef6d138169d,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15f1895d-0f42-40ab-9fa1-b1dfb6e8d0b7,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b1856bc-61f4-40a4-8714-93e296e7668b,"4/16/2021, 8:37:17.101 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,72ec8c70-12f0-45ef-8b08-5a249d5cca2d,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6e96c1b-3b09-485c-9d4c-d4e3afbb9466,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,96e131b3-db12-40b3-be7c-c395a99e248f,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\MAIRIE,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bea5fc7-d110-4a25-b918-b7c6d9332237,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6027b85-9fa7-4d93-b6de-362fc3e338ff,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82e2fc23-28e6-4e8a-b76c-54e6b6331f80,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,588c89a5-f296-42f0-87a2-b4cd6bfc6248,"4/16/2021, 8:37:24.097 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ff09c4e-6096-4edb-9a0c-aa9fdba92c91,"4/16/2021, 8:37:24.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a6a7b05-1543-49e7-bf9a-4c5e41eee10a,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aa73913-4b76-418d-97f7-5cb9f439a6c3,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2797e28e-15c6-4fe0-97ac-2cb5037a3af2,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6036 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,33f6977d-fbb6-4f60-8dfc-3a241ac9a9fc,"4/16/2021, 8:37:24.097 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8988 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2c0c6b2-9790-43e4-842e-81a36f58f053,"4/16/2021, 8:37:24.097 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c49f3be4-b337-4bf2-bed8-bf8fe1aeb981,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,674017b6-7040-4081-a66d-6b252a45b018,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9d456242-9981-44e0-839b-6b782bd43a3b,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74053bbe-ad74-4ad0-bfb7-01b172909581,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ce1fe3d-950b-43eb-a6f0-f0fd3f32e395,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73f8e029-c020-4721-9e96-736ea9bc5198,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2122f113-859a-447e-a060-347418a599a6,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3c3f42a8-7f65-47d8-8313-684ac8558121,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcaa455c-034c-4701-b8c9-e5ec01c574b7,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1916f186-e8b7-42e7-9b32-e85856d7f659,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,972d6629-c92e-4de3-af89-4fc8d0271ded,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60a03a19-88b0-45de-ab88-b4e50dbc9591,"4/16/2021, 8:37:24.097 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,165d360f-1924-4da7-bad1-1b449b5ee2ee,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\WGONZALEZ,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,394ff904-e6d3-4e26-bb8f-96ad0bab5acc,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,067b83ce-6eb5-4e96-90df-445b9253935e,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b5991859-5f31-46c8-9c54-87b2dd58e6ac,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48a67e74-26ad-4242-b11f-652fb2a4084d,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e51089e3-70cd-410c-9fd3-1a977d847c85,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\USER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8de7251d-15bf-438f-8ab9-856c1375e6ad,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e04245e-2509-4758-9cbf-84d421acd3bf,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,31c4ca65-81d9-4121-ac0c-69ed25932c95,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a6b401f2-fe2a-4c1b-af3d-138d02fc2fac,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7852f8ce-533e-4e72-a68c-9fb5f0210491,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e45c145e-8715-43ff-877e-1744d23a280f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b16055b5-8b0f-4fae-aa35-8819e905ec30,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ca428e52-0d79-4427-b044-6d7473c75bfc,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f34bb38-2e3f-40ff-a22e-e6c3b4ddf566,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcdf0e1f-bd82-4197-98fd-3a2f903d7574,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,227298fc-77bb-419b-a6b2-836376eda83f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,96b1065d-1ae8-457c-8135-ea7ac5e94fc6,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,848c13d9-935b-4f38-a7a0-0a3d3355be37,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b9e021b4-350e-4101-89f7-431111c1c73f,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e9c5de1-1bb2-49b0-8747-146b72766b15,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ff9f7c0-29e0-4438-ae81-45fd71886f98,"4/16/2021, 8:37:23.583 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c96163d2-d103-48da-843d-35e53b22ddef,"4/16/2021, 
8:37:23.583 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,06668853-8c48-4406-af7c-1d7f11ac154e,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,2665d469-5a27-476f-9230-e4d0b671890a,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7644 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6d59c11b-eb7e-4d7a-9e6a-1179b0f05242,"4/16/2021, 8:37:24.417 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5428 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e52c37f2-1eb6-483e-a54b-dddde4fd10fa,"4/16/2021, 8:37:24.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new 
process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,61e22481-d061-4991-9603-871bb5360426,"4/16/2021, 8:37:24.417 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a58dea41-f327-40a3-87ab-97213fb8a109,"4/16/2021, 8:37:24.417 AM",,,,,,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,34d5d9fb-9e77-4d16-80f3-38463d5b7f9a,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8ab72690-aeb1-4cf9-b82a-1423394e498f,"4/16/2021, 8:37:24.417 AM",,,,,,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,e65733b4-3ff2-46a6-af1d-51d284c83e46,"4/16/2021, 8:37:24.417 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7f14708-22b0-408f-820e-264b9a3de01a,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49c0e495-0873-4032-a42c-2071d9bc2452,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,505df65f-80b7-42b4-80d6-368b176009fd,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to 
log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39a3c415-de08-4716-b7c1-45974d2d54e9,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4317ddc0-2305-4bb5-a92b-b226517a013d,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,62185d14-c9b2-46f4-998f-414e5b07ea00,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7afc7a2-2c41-493a-a037-4840e6740023,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b3467d71-6a1e-4285-bd17-c141f8db0f2b,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f12672ff-da1a-42e6-839f-035484f91466,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,22b348c9-177b-4f6d-bb44-1e97c412e40e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5b9cac-fd2b-4ebe-b213-2f1c2769e749,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75a86fec-99f6-46aa-85bd-5b6968c1593e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7656c16a-f19b-4119-a35e-998bbe06e385,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,772e5f5c-38f9-4018-962e-e8361c29dd6d,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7467bc5-551f-415f-b8a3-9fa66dc3d7f2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08119220-ba04-4269-a874-e6f62d3724c9,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e20c5ed5-3d14-4907-a9d4-9363add6b7e2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,108b72d2-bcbd-44b3-84ab-38ca4a7a4b14,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d96d7f61-5499-4446-b7a3-cd126e42ab0e,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce6ab8bc-c104-4984-9804-6c4c98834f69,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b95fdeb9-180d-4ee9-b3a8-d6ce49895da1,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,67ae959a-12d6-4511-a31e-b24a72df40cc,"4/16/2021, 8:37:32.097 AM",,,,,,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,228e668d-c14c-4fcf-80d0-c1361d4f7541,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a639f7-c95d-4751-85ab-0de5ac6730c2,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52cdaaa3-a940-49c4-9536-dee21da5dc11,"4/16/2021, 8:37:32.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4e4b5d1f-0d25-4d1c-b3bb-615c607d962e,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e1186eb-56a2-4468-867a-a70d4727fea0,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,abdce2c9-d13e-4c69-9e75-320296ea58a8,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ab625ca0-fc3b-445d-9896-5a4b8ec98453,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8a3e848-46fe-4021-a8e9-fd414c0b5f2a,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e8a6f0ed-d142-47e3-8a5d-9d7c2dce6e67,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80b2b43f-0a69-41ad-a5cb-adc2eca9e4e7,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48eff91e-662f-41a2-b8e4-59fad9dc246f,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc1c93cf-53ee-4462-91d1-16bd25f796e3,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,05ed3177-b5bb-4778-a708-eb893b79fe35,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9f5ff83-f9b0-4114-875b-361fd1a750b4,"4/16/2021, 
8:37:35.592 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d0acb50-5c04-4216-9cbb-bfae1c3e208a,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a7ebc3b5-a0e7-4c02-a6af-efc41151bec2,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\RJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ef76250c-8134-4a9c-b76a-fceeed2f356b,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2059131-ab4e-40e1-87d7-66f40fe6255e,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1f98d4eb-7dda-4080-85e5-b36e31b64499,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ea200909-d194-4170-9432-22f279eb2ab7,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\GUEST,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,54b57857-ce3b-42f0-8f70-f199b2c97863,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9374e7b-4c37-47be-8de0-91dda6ac59b2,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,980ea27c-c27e-4475-8398-14781657aa5c,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fff170df-8e3f-4f34-8d2a-0248cd0d89f6,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3ca6e47d-27da-4773-b4c4-a5fa0ce375c0,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6a459c36-0480-47a1-9d56-ebb96bc86728,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f99d720-f8d8-49a0-9b0b-37d8c899ea3f,"4/16/2021, 8:37:35.592 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6cbe5d82-ce4f-492e-9eb4-15353288a9a5,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ae061a3-e15e-476a-982b-0aabb81e4e3f,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c652545b-5608-4027-a28a-b4115a63810b,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a48dd9ba-4cb0-4af1-b2e8-bdb7cc37ecb3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ab37047-8ac2-43bb-b283-4d81da78d0a6,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,143da79c-3bf1-4f8b-aa67-ff8161a6fddd,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f920365-abde-4705-ba60-3f03f821f77d,"4/16/2021, 8:37:39.182 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b46e527-eb03-4211-8938-cebfe5c176c9,"4/16/2021, 8:37:39.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d214ecd5-fffc-4a93-82bd-b5b0e48c8ca6,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6504 + 118 + %PROGRAMFILES%\MICROSOFT MONITORING AGENT\AGENT\HEALTH SERVICE STATE\ICT 2\CMF-64\DESIREDSTATECONFIGURATION\DSCRUN.EXE + 32 + FD398814FCB0D126DEC81443B928D502C7F2EC649E1C0866E0155C61BC7CAC19 + 111 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US\WINDOWS (R) WIN 7 DDK DRIVER\DSCRUN.EXE\10.0.10011.16384 + 0x3e7 + 120 + C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd431c88-a18c-4b0f-8b0f-7439b41ec7ff,"4/16/2021, 8:37:39.182 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3116 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,76e64154-54ff-4394-8de4-9888df8cf41b,"4/16/2021, 8:37:39.182 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71cb7812-9c93-4a36-9c2f-c4c6b96958fe,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,15ba85ac-89e2-4a99-99a0-85bffd09dd9c,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f834cdb7-530c-43d5-80c3-e159123fe2ef,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ba5c0e27-ed41-4e5e-b4d1-b56cc6825f3f,"4/16/2021, 
8:37:39.182 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f5a5e55a-5f49-4cf0-bd76-89c88f1807f5,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b0842f8-008a-4cd3-8596-3ab9c53669e3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c1acbcc6-4000-4d8a-af8c-bbaa320bbb20,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c006172c-2ade-4f34-882c-9718f470c707,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f3ca0931-9415-44da-b94f-e51d264fa850,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38c92e0-4ee9-4091-93f2-03b07ef34931,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b76ebcd5-540e-4d8b-9788-99799066f2d3,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7c1a4d64-4f75-42f3-81d2-455a7edd0215,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3107b517-10ff-43d5-a38b-0040c9ba2ffd,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9109eebb-e723-4607-9148-a4d649362200,"4/16/2021, 8:37:39.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cdeb585e-d1d4-47e7-94d8-f3165938fa6a,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75b2a995-7f60-487a-94d1-89a41b2dea41,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8b41a8f-0287-4ede-af51-10836979fb4c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8b942969-1054-4825-b245-5bfd9bbab20b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b5f275ba-3407-459b-a5a9-ceb2bad78cd9,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,559da9a2-cdb5-4be5-98eb-0520bcb0b38b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\TERZO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,589bbd16-bfb4-4b83-8739-1b9484660a39,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbac21fb-3a88-4f47-85ac-2f91dc6c3e5a,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,362e99c9-c9e7-44aa-b127-93f8b90e7d93,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a3053e6-f649-49dc-bb60-00da49b05b4f,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79dcf6c9-0a5d-45ea-bc6c-c3a1c71f531e,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff7bdc9c-cf5f-46cc-af97-9b61b3b893c1,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24998e9a-0002-49c7-897d-ba829447b761,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6fdc799-5541-44e4-a7b7-a4cbfddb4a2c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1ac25b6-ff7c-4f3f-b26f-e1bbaf550e0f,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2247b708-384d-435e-b974-9c18df0968d4,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d99f1e-5acb-41d1-9c63-f9eeaf87fc83,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03ee9643-2467-4789-994f-0b80750f3bbf,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e242836b-7027-491a-be15-b4457b942fe0,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,68222299-9551-4e6c-abd5-6c177aeaf564,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb2bebc7-f38b-4923-9275-b83d338ada7c,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7f6e2b37-abf5-46cf-b064-81334b0e6b9b,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa9eb622-9be4-4ed4-9190-786a4ac7d3cc,"4/16/2021, 8:37:45.144 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11024 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,6fa8c6ff-6619-47da-8d8b-33717b970dfa,"4/16/2021, 8:37:49.270 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6440 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a9df662e-aed6-43a8-8e6a-c8346da58ce1,"4/16/2021, 8:37:49.270 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a934922-f7b8-43f1-9f35-fbdfdceea6f2,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,807bce04-331b-4a66-a5fd-48f6f597d9d8,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e3e0fec-324e-4c12-b781-6c217303737c,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,843a9e97-22ea-48a6-987b-9860760bae12,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e2c2ef84-c2e2-4b65-a784-53a458d7df4d,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68a152ef-cb8b-4621-9959-f9132b32c175,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61d45a31-340a-4847-ba78-1f27d11ce002,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2803f162-8e71-4ba1-8bbe-0d29959e0bdb,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c01213b9-0c9c-4130-aa72-a39ade118a1b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b480e574-f8a2-4493-b4a4-ea3ff394b29a,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b43a7241-c603-4e08-9744-8162524c9695,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4b25e4cb-11f0-4487-ae03-f87eb8337adf,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1ce5366-3a6c-46f3-8278-a747b5c31d3b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a9eb77e9-cb29-4cd8-beff-04b24e72188b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a300840-67ee-472c-9b9a-f9cab2192396,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\EYT,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2be6ee32-5999-4169-b1d2-ed977953059b,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0feb7954-cc5a-4675-bd43-f726e299d545,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,61a5ff9d-d42a-441f-aa6e-7aa2e988a6ec,"4/16/2021, 8:37:49.578 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cf7bb53-2f42-4e9b-a201-75fbe7e34abd,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,817193f2-f2a5-4174-994a-60657d1f7d6c,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,112d1918-778d-4e19-aec4-697116d02cbc,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dc5af137-a8b8-456a-a05c-a1ae6748765e,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a70d9301-73be-437b-b500-8dca9a42ae11,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4fedcca7-9a2c-4f53-9110-142c90fe4219,"4/16/2021, 8:37:49.578 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f527235f-ef03-4b02-8875-3612969792d4,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e906f738-7d32-4779-b6be-9b688aa14a11,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d27b0dd5-1d21-4c64-82ce-2d5cee7bebc8,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cd9063ec-b254-4117-a4e7-4e5ee5861fa6,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6fd75111-4a2c-4a2d-a99e-ac7c066036c8,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9efe6d10-02ab-4d8e-85e5-5e08be23c47d,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cac0235f-ab9b-4315-bb92-7821fe257166,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,904913e8-696a-4517-b64b-06f45b94ab5b,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0025a72-265e-42e3-b2b5-5f753dec259c,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\BO,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5422eb9b-4d1c-480d-9c4e-ca622b03d072,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,09e9c4e5-b2d4-4579-b8ea-1c8a81956e9b,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e1076964-79e0-49f5-9894-6bc102b04fbd,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5df64178-61f2-4052-912e-105e0fe9d22c,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,384c559d-025f-44af-a809-f4e8dc6c2515,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad85f62d-7a0c-429e-8724-43d79991a0d7,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f980d124-2794-4319-a907-46066a304aa2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ff542810-6d12-495b-825b-1a1b1299aedd,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51ae91e1-e2de-44ff-930d-930c0ec75b00,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8e1130c-b573-4944-acb0-f8e2ae9a8184,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca5196e7-ee2e-430d-9612-ad97847581cb,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c6314fc1-66b3-4e99-92ef-40d9634e94e2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d2fb490-e834-49e4-888e-a7634074609e,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e8aba4-885f-4ca0-972d-fd3625ce99b1,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b54fd349-1bd0-4dd2-bcf1-cc4275ed73d2,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,419b219d-ea39-4581-b2b3-cd1c0bbe7712,"4/16/2021, 8:37:53.098 AM",,,,,NTLM,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,c85aa597-7a66-44c1-9571-733126244bd1,"4/16/2021, 8:37:52.046 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,0b31dee3-5401-43d7-802a-7c8aab820390,1cf81da8-2d19-4370-ac92-058ab415ca18,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0d8911a6-be34-45e0-87ca-4c097a12ed0b,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,710b9333-1929-4eb4-8c75-1c34494ca7ce,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,288fecfe-cdb6-45e1-9c8a-8ab5738c9b32,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c6e00095-db31-4e0d-a103-71e3cc926955,"4/16/2021, 8:37:52.046 AM",,,,,,, 
+WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,61ab86ec-7f2e-4ac0-9018-2c26a0cb7458,"4/16/2021, 8:37:52.046 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a6cb3ce9-78ac-4d26-be1a-13d733c91305,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,08381f8d-91d5-4d42-91ec-f3a1e892fc00,"4/16/2021, 8:37:52.046 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,28f0a031-c25e-488d-8c66-d016e566918d,"4/16/2021, 8:37:52.046 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6264 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed 
to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,81121f70-aef3-4ba0-a383-b51bbf7f5497,"4/16/2021, 8:37:52.743 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc2.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {425cd7a3-312b-42c2-b551-9ae75e168aee} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6408 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,37cdd1b8-1f4c-4086-b4f3-b4a120d88a28,"4/16/2021, 8:37:52.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,6e8844f9-af5c-4d04-89fb-be9551d4e314,"4/16/2021, 8:37:52.743 AM",,,,,,, +CONTOSO\AdminPc2$,Machine,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,ba9fb88e-573e-4e09-abcc-26867b27b9a7,"4/16/2021, 8:37:52.743 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,f0d9ae4b-5f4e-4ff7-bc2e-ad14f1aa8122,"4/16/2021, 8:37:52.743 AM",,,,,,, +,,AdminPc2.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + AdminPc2$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T17:48:59.313398600Z + 5108 +",5379,5379,9e8e6e8c-89b4-4869-8b5c-4c28f0bcc4f3,959d5996-0993-41ed-9a6c-70f89678abc4,"4/16/2021, 8:37:52.743 AM",,,,,,, 
+NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 13600 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,898168ce-7baf-4693-9c07-04f83ae7d244,"4/16/2021, 8:37:56.984 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3480 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,f07618f7-9799-4753-a3d1-74dff273f2da,"4/16/2021, 8:37:56.984 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cabf8f29-ea87-4cf7-9022-ce27263b98df,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,effd478f-38e1-4b3d-877c-acc3f9db96ac,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed 
to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26c2d1dc-9f02-4374-add9-5d3cbe06262b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,967ef117-0610-4cec-a025-ab748b2c4f82,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0f555f86-b31a-4905-b2e0-6c9871349142,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,425cb1fb-42b8-484e-b33e-b5fe8b88c9ee,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec76d1ee-14bd-4d8c-b90d-638c9a6c629a,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56c63944-5585-49e8-9e5c-084c9e72bb34,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5a3bd079-89fc-4388-9ff8-4abd586c0202,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fb06f41-a162-4370-a4d1-388553972428,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5367a474-86af-411b-85d2-3c20be4e856a,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,868c3b0b-d91b-4f89-8827-62c965c2ff45,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1e32180-6e25-4223-912e-5d00ee7800de,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13e369d1-44d3-4b8e-95c0-59a42db08961,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63cc6211-4196-4d54-8b88-1d0a75e5020b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,709711b4-8b63-446f-a13a-63f4c95827ac,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24a4cb2f-a603-41bd-b06f-652d6c09c48b,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ce1decef-c40a-4972-a762-2d0c94198ec2,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,98da8e91-c956-4fbc-9e4c-bd2edfa10895,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bd96e0e4-c7f9-43f3-97e9-972fb34976c2,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\FTPUSER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aa5d3ee6-b993-4ab1-8009-ad7923a4ce9d,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab231e2a-1c62-4326-a0a1-11e1b525e33c,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,647d0534-e187-48d5-b42c-b68d33b9590c,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e2ef6ad-543c-4ebe-a6f0-c05ef356cb26,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9448f84c-e8e0-4cdc-8082-dd3aa2fe98af,"4/16/2021, 8:38:02.097 AM",,,,,NTLM,, +\SYMANTEC,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2bbcfb16-b6d1-4961-a532-d4a378005727,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60cb5177-2fa1-4d46-ac5e-02be5b6b5f52,"4/16/2021, 
8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5206a2ec-5741-4f1c-937d-3cf0c1c0fe4d,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,346600a7-1e1f-49ff-a499-6520291cd3de,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,743d0758-1423-41f2-a191-d9aa1c77de9a,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ed3ea9b-0ee3-4bac-be1b-2aa3ba3e7099,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c53b6db0-cb50-4841-baf3-e709e706a003,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9568986-83da-475f-a65b-3aa18a98dadc,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e4a109a0-ac8a-447a-b0ca-79a9d10f0d42,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,92e21a53-ed2a-4c10-a484-8ddc6d6ca1eb,"4/16/2021, 
8:38:02.597 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2d026788-5da2-409b-b05c-8b78178a22b6,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,62afa59c-2c0b-4fae-95f8-33cc35d13a4d,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,48fbf715-dc59-4cc4-a868-576e9eca3348,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86f8db6c-8d52-49a4-8daa-d9163b7dff47,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c90ba273-5b11-463f-b936-8e182f5c976f,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f28d3dea-0109-449c-9872-d0c4f908632a,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2bdcee6-19bc-4cc0-94ef-eb5ffb8fbad5,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b764dd54-f64b-44ca-95c5-28493874494f,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, 
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b2ab5585-1184-4e3f-96b1-b0c46a58ac80,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b56ab8cf-f629-4b6f-9263-463726d768fd,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb05010d-cb40-4bbf-8a16-3cedc8aabda7,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c69b098c-0cae-4fc2-aad3-190ee815be87,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4a397b70-d31d-4200-a683-915928bc1634,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4443690f-a6da-48f2-b316-aabfb9db3730,"4/16/2021, 8:38:02.597 AM",,,,,NTLM,, +\,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,3f44a3e0-3cf1-43cf-849c-e055f5d2d2e3,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,abd5a99a-6e82-4f66-8d69-081aec1f5fa2,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,fe26b74b-d868-4c11-9ab8-856a9c785ca4,"4/16/2021, 8:38:11.411 AM",,,,,NTLM,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,bc9a0026-f239-4e5c-8582-6c16d935028c,"4/16/2021, 8:38:11.411 AM",,,,,,, +WORKGROUP\SHIR-SAP$,Machine,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,380b8455-ed62-494a-b238-9b73d0225dca,"4/16/2021, 8:38:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,6614d9d8-a312-4e21-8e16-f94bf83cd18d,"4/16/2021, 8:38:11.411 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SHIR-SAP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {66652c30-17b2-4344-9fb2-f4ba1a4084dc} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1596 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to 
run.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,ef955a85-76c1-491f-8734-086ab414b1fc,"4/16/2021, 8:38:11.411 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6e43fecd-5922-421a-a8bb-40be61ac5601,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a7b8d9-ad8f-47a0-a52e-8a4e17e87ddc,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,07d839c1-dc8b-40dd-af3c-ca7eea8e7809,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,50da1a70-1340-49b5-b49c-df2ccbeaf87e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d9f30765-1dd2-4bde-a305-8809870b29b7,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b893a45-a79f-4b7f-bbdb-7daf86f25e23,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a0507f8-e5dd-46ab-98ce-52420deccd59,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0ca6094-a9fe-4ab6-b007-924091d764d3,"4/16/2021, 
8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ddc30d4-c3ad-4124-9d51-9c05fda47fed,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbdc0388-3c1a-4c7e-8eb5-148448e9c23e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,f40ea3a4-dc6e-4ca9-9442-7d0137d09eb2,"4/16/2021, 8:38:13.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca575f6c-ee0a-429a-9459-fb4e7920f9a3,"4/16/2021, 8:38:13.112 AM",,,,,Negotiate,, +NT AUTHORITY\SYSTEM,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,41502da5-21b7-48ec-81c9-baeea8d7d669,cf069959-b772-4a8a-99be-ea511d1f8c09,"4/16/2021, 8:38:13.112 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,7df126e2-4f9a-42b1-a782-ed86dce62f7a,"4/16/2021, 8:38:13.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b7ebc16-bfae-412f-b58d-a65e134474b4,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b26df5-6f71-4888-834f-41123f599b2f,"4/16/2021, 8:38:13.112 
AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58e4065e-214b-48e2-a48b-1f2e1e763222,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,26cbfe69-63d2-483a-87ec-e9ec804ed10d,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,21021266-f5e3-4d65-847c-c9769280dd42,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +NT AUTHORITY\LOCAL SERVICE,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6584 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e5 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef375430-3f26-49f9-b779-4ec2fcabf64f,"4/16/2021, 8:38:13.112 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1808 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + A42A20DA16F83B8467DCED74AB028B58D5927D15D9D74C5C7B0D5C9DAC042CB2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.17763.01 + 0x3e7 + 31 + 
C:\windows\System32\svchost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b48d08c-5865-48e9-8c92-3f6fe874ac4a,"4/16/2021, 8:38:13.112 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,303874e6-759f-4012-986c-98db89370ba4,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,420cd318-818e-4430-80f5-8282a67c3a0e,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a2f6c00d-1e42-406c-9cc3-cfdd24407946,"4/16/2021, 8:38:13.112 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dff0a436-5480-4c9b-9088-23c90851ab7e,"4/16/2021, 8:38:14.594 AM",,,,,,, +\HP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f4c42be6-b22f-4ab1-bd45-810f86e3088b,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df03c145-df29-41a7-a8c6-7d9f87c648f1,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,56906bf7-fcc3-4b8c-9068-de91e452abdc,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88781358-7d4e-4b14-9b04-4732dba2d680,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8b64d50-5c22-4c29-9f1c-74f5279df744,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a332cdd1-9dcd-47a1-b490-594eb3e83b23,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,25ac4b1e-04db-4eac-85aa-f12225479e9a,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,223abc78-fa7d-4e30-a1a4-8ed375d9ac4d,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,08650dd3-3f0d-41fb-b49d-8809c88a997f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195ca4e8-c195-4f5d-ac3b-e43654c4a2ed,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf0b15bf-fbd8-4496-9c01-76a7fc893c51,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,526ea6af-1475-404f-8ca1-ad774315e5cd,"4/16/2021, 
8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f9d83411-6b80-4ea7-8360-845a6ad2765f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2e2086ae-6e03-4997-8e3a-691042a40d75,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fb8e1f90-1b53-4611-bb06-072e35e5b80f,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,14295576-9fde-4cc5-84d1-4bf17670ef26,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa353f10-1d95-4c1a-9ec1-1289ee2374bb,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,afae2745-6cf5-4cfa-a2cf-1f34afd0926c,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51bfe23d-6dec-4bc6-9947-1193746e774c,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,948f68da-4acb-442f-8a50-0f2359d10ae2,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2b9bda7f-3342-4d80-aae9-548572b583ae,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f3f04629-c0b0-4210-816e-7235b3553f6e,"4/16/2021, 8:38:14.594 AM",,,,,NTLM,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,704b15f7-6c96-49ed-983f-3120f3e83e49,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),Root\CIMV2\Security\MicrosoftTpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,553f9819-714f-4b7c-a2a0-b7e16edfde46,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"Root\CIMV2\Security\MicrosoftTpm:SELECT ManufacturerId, ManufacturerIdTxt, ManufacturerVersion, ManufacturerVersionInfo, PhysicalPresenceVersionInfo FROM Win32_Tpm",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3fbe78b6-8970-45c7-921e-1b39a5a72117,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,564b2fa3-e2b4-4fca-afeb-44f008fedca6,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read 
(GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,1846d586-19b9-4996-b5da-e550ab6a36d3,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3832f7ef-0892-4f71-905b-c16c1a69036b,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\microsofttpm:__Win32Provider.Name=""Win32_TpmProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,26948dd6-2538-4915-a3a6-95e25210ea10,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\microsofttpm:references of {__Win32Provider.Name=""Win32_TpmProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,dba30fbf-b613-481a-a607-3310c1160870,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:Win32_Tpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,092b2ba8-2fd1-4bfe-807c-f42b5708ec4d,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\microsofttpm:__ExtendedStatus,,, 
+CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,936b35ef-7ed8-40b9-a459-2cc4d2dce91f,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7f034557-ff13-4c99-bf66-deddc9ff3ff7,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 392 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,34ed6cd1-8351-43b5-9b9b-7521c84a6adb,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8440 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + 3E1A41FE3000D5ED15DE27C3BD6199E0427A1608B401E19E22D021627841AC19 + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1411 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat 
Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,3b11987b-59cd-4c63-adc3-01c6f7d1a727,"4/16/2021, 8:38:21.882 AM",,,,,,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,0f74ef71-87ab-442f-9865-40b8fce3f789,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + ContosoAdmin + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-500 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,10fd92da-b2e7-49bc-90e9-f223c1f1088e,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + DefaultAccount + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-503 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f5804e2a-a9da-4451-89d5-23f45da0199a,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + Guest + AdminPc + S-1-5-21-1096725243-2186503423-4261620451-501 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,7b2eac1a-edd4-4c5e-aade-d7cc94492644,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + WDAGUtilityAccount + AdminPc + 
S-1-5-21-1096725243-2186503423-4261620451-504 + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + 0x1290 + C:\Windows\System32\wbem\WmiPrvSE.exe +",4798,4798 - A user's local group membership was enumerated.,5503048d-aae9-48b7-bda5-46b931ec9ed1,c7dd17e6-f5e2-4176-afef-11de61de0c7b,"4/16/2021, 8:38:21.882 AM",,,,,,0x1290, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,5b1e3e24-21db-4c11-a981-7a1c9849c88c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\microsofttpm,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,e22be265-b771-4664-991d-eb8dae2319ef,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\microsofttpm:SELECT * FROM Win32_TPM,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,64763598-833e-49f1-9a62-d9986a440a4c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ConnectServer),root\cimv2\security\MicrosoftVolumeEncryption,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8fc5c722-fc02-4e73-a971-739b7fd3e4da,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:SELECT * FROM Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a1ad9485-72b0-4ea1-b82b-01f812bd03fe,"4/16/2021, 8:38:21.882 AM","%%1552 
",0x1,Local Read (ExecQuery),root\cimv2\security\MicrosoftVolumeEncryption:Select * from __ClassProviderRegistration,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f6e0227d-3638-44b1-97ce-d05b3e7b839e,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,75906096-8907-4d78-bb92-bdb18d9db40e,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,9c0ee008-237e-4aa1-b41e-a7b9d9e203f8,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),"root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name=""Win32_EncryptableVolumeProvider""",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,fc3311ad-7037-4c7c-a4d2-261ee913f305,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (ExecQuery),"root\cimv2\security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an 
object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,647a2917-3ead-4470-84f8-51d3a1c19109,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a7a2d89b-7566-492a-b1cd-09a1acc5757c,"4/16/2021, 8:38:21.882 AM","%%1552 ",0x1,Local Read (GetObject),root\cimv2\security\MicrosoftVolumeEncryption:__ExtendedStatus,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,ed7a8dc0-33ad-42f5-ab7e-b18544e5ea95,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,f2359099-3795-486c-b5e3-fa12defb6eae,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,472d2c15-aee0-4b92-9296-c6ef972e9fcf,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute 
(ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{ae151378-0000-0000-0000-100000000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,18924618-ef6e-4e4a-9325-1d27dc29d898,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetLockStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8d2478c5-02f9-4d13-b535-2f7c23a8d93f,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetProtectionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,5503048d-aae9-48b7-bda5-46b931ec9ed1,abd335ad-4c30-4331-b306-344faf7a593b,"4/16/2021, 8:38:21.882 AM","%%1552 %%1553 ",0x3,Local Execute (ExecMethod),"root\cimv2\security\MicrosoftVolumeEncryption:\\ADMINPC\root\cimv2\security\MicrosoftVolumeEncryption:Win32_EncryptableVolume.DeviceID=""\\\\?\\Volume{05b9812b-0000-0000-0000-501f00000000}\\""::GetConversionStatus",,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been 
created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,b8e1e554-5cb8-4c79-bd71-b1277b41c651,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,5503048d-aae9-48b7-bda5-46b931ec9ed1,51c15961-4ff2-4928-9adb-4c03a61f7a5a,"4/16/2021, 8:38:21.882 AM",,,,,Negotiate,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + S-1-5-18 + SYSTEM + NT AUTHORITY + 0x3e7 + 5 + 1 + 1 + %{S-1-5-32-544} %{S-1-1-0} %{S-1-5-11} %{S-1-16-16384} +",4627,4627 - Group membership information.,5503048d-aae9-48b7-bda5-46b931ec9ed1,822313b2-2b23-41a7-905e-06a3b7607dd8,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,5503048d-aae9-48b7-bda5-46b931ec9ed1,369d1f29-3b01-4240-84e7-5295e2e837c2,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,18551cc1-55a0-4af6-8218-781ebe560d6e,"4/16/2021, 8:38:21.882 AM",,,,,,, +CONTOSO\ADMINPC$,Machine,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,5503048d-aae9-48b7-bda5-46b931ec9ed1,2b29e707-62fa-4d5e-9cda-ad792585280c,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10740 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 235D9E42C97F69CE19F37CB2D7D3ADFBF9EA5A4820CFD4C47C4AFB28A4225BE1 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, 
S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.18362.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,8f82bcf5-3443-4885-835f-ba860cab159f,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 12504 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e7 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a21ca058-1be6-4300-8d2c-080a5b5b81c2,"4/16/2021, 8:38:21.882 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,User,AdminPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {4cf980d7-872f-44ab-8847-6646c525029f} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-19 + 6440 + 22 + %SYSTEM32%\SVCHOST.EXE + 32 + 4D8FB874B2F884FDF7D307756735B5E87D579B0707B9B11377765427E5C74E70 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SVCHOST.EXE\10.0.18362.01 + 0x3e5 + 31 + C:\windows\system32\svchost.exe + +",8002,8002 - A process was allowed to run.,5503048d-aae9-48b7-bda5-46b931ec9ed1,a4669706-1068-41e9-92a1-15d9f2c584b0,"4/16/2021, 8:38:21.882 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76449dcd-82f9-425e-b77f-6f6f0cac7050,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,23cb0a36-f4db-409d-81c6-ce37b8be8750,"4/16/2021, 8:38:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6271a50a-74d8-48fd-ba29-1a3fc500b94a,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4044d165-5f70-4766-b37e-87008fda446a,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d19a82c5-4cd3-4184-9849-b034a83815a7,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2b936deb-f26f-43d8-9bb9-7ba91e31c74b,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4252 + 28 + %SYSTEM32%\WBEM\WMIPRVSE.EXE + 32 + 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5 + 118 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WMIPRVSE.EXE\10.0.17763.01 + 0x3e7 + 37 + C:\windows\system32\wbem\wmiprvse.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dcccbb6-d436-4e34-9189-41224534ccf3,"4/16/2021, 8:38:20.116 AM",,,,,,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b67facaf-3950-492a-9e01-9aa4c2919869,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f4f18bf-5140-4213-838d-c952fe2b3786,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,744b2e61-1960-4fe3-8344-5844894a8ec2,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55702e9c-9246-4469-978c-19d2ebf5f911,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,58f2064c-4c8a-4a7e-9d32-b639b9f87184,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,43990842-cf01-481e-8498-27202bdaf496,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d70f7ad8-69a3-4bb3-b315-cbad3165d3ec,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04252d24-3d9d-451b-b36f-18f58b12acf5,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3b5120a2-b02c-4b00-b896-ff4213e20429,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03ce5e6d-642f-4b81-b6b2-d33dc7110a7f,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4f01f3a-5a05-4379-8ccd-59413e2cd5fb,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4e4fab94-7071-451e-8e26-1d03ec981e1f,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb6a5f30-f95f-4326-a4f9-25e7ed1a0e73,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,123bcc03-1742-4bed-9d5c-4597cbee9b6b,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,746a73e3-8ccd-484d-bff7-b98f91d5b4c1,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4232d825-29f0-4f9c-9e71-3f711efa2bfa,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbbbec41-975a-43f8-9fb3-e791adde5e01,"4/16/2021, 8:38:20.116 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,86342683-35f5-4bf0-8896-562e6d0905f2,"4/16/2021, 8:38:20.116 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ed496a8f-f238-4d5a-ad11-1bf8ff540a2d,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7fb967bf-f66c-484d-9603-8b0cb6365c9e,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d66200ba-7430-456a-8a7c-a68b0170d414,"4/16/2021, 8:38:20.116 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7356 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,3a60ad1c-845c-432c-94c2-0342abf40688,"4/16/2021, 8:38:20.116 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1424 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ff005ae-0dee-4f20-9f58-f9db681346a6,"4/16/2021, 8:38:20.116 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,15b963d9-4d21-45fa-85b4-c433aad1bffa,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,10837e07-d15d-4099-9e0a-dffe489bc140,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a59a7c8a-4277-47e1-b7f3-5fc6f621c502,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,392db093-9754-435a-b963-d9875c165654,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,2fd8a138-4064-4303-8881-9649521cdf24,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,81b7b992-859e-4e20-898a-4a080b92fdfa,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,ed6dbff8-8374-482a-b5f0-3b3a91c47fd5,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + 
{9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,df32c303-d0c4-46f3-bc80-0f1a2e12790a,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,0ddfe0f2-8ae6-4e16-bb9f-7160dc6242fa,"4/16/2021, 8:38:24.052 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,9848b1f5-7576-4352-97ef-cbffc756bcb2,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,19824cf1-861a-4aa1-96c3-ec11076991bd,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,4d0f0350-8a9d-4821-8678-ef2603a742f1,"4/16/2021, 8:38:24.052 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + 
%%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,b32810ec-3472-41b5-b762-0378467e9f93,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,1ee40207-a043-44e1-b139-54c8693c2643,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6292 + 59 + %PROGRAMFILES%\MICROSOFT\EDGEUPDATE\MICROSOFTEDGEUPDATE.EXE + 32 + 433D72D5919A339637AEA7EDE5FE9A6643400637BB84825DDC307974AFB486CF + 104 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT EDGE UPDATE\MSEDGEUPDATE.DLL\1.3.129.31 + 0x3e7 + 67 + C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,80508cc4-b20d-4e45-aa95-8d9f3fa48e6d,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,f5cba212-798f-49a3-994d-62be5e08344d,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5344 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® 
OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f6938ffc-aa13-480a-a07d-03f0a5db0748,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8860 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,4f08cea3-4404-4cbf-ab8b-e0734630811d,"4/16/2021, 8:38:26.559 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1140 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,64ac2868-5e21-4c05-abfd-25dd1a45350c,"4/16/2021, 8:38:26.559 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc196200-4d59-4830-94d5-57d075f79d67,"4/16/2021, 8:38:26.559 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,c5d9ce72-3c25-4fe2-8f1f-fcb9cae00383,"4/16/2021, 8:38:26.559 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,761c34b8-08a1-4efc-9863-2fe008150d37,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f64e1f2-88fe-4456-8cce-08bf024c9980,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1bced050-245e-41e7-a8a7-cdaecbe84ca7,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,55593bf3-08c0-44f6-83dc-7f9b4f8a3416,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f049a68d-efa4-42c4-a035-c96c3d6808d3,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d908d384-8d70-4067-a00c-46cbfa72fc05,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd2c2df1-ec73-490c-8ba1-3623567e2d5c,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4493b8a6-d8ea-44e0-a6be-58a70495ce34,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c2450da2-db7c-499c-b0c4-0d9cffd10465,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7e297330-0404-48bf-9b77-7426b2a0b7bd,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87a635dd-4bf1-4ba3-ab34-2b99b90c832c,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6a8c23d-f04c-42c0-af9c-de051367f9f0,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d31a9fdd-4d19-4cc9-b303-68f8e76f42e8,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33c03b2e-6c59-429f-9da0-686d8ec5dcf2,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,79d43c9d-6c55-4035-9fa3-c18a45915cc2,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d6f5b13f-4d78-4970-a933-a634cd5797b9,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e3ed1a02-3678-4691-bb05-7905de219d89,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,553f4cc9-5afb-4857-a498-1229ef502378,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\OBED,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,38b52172-ad85-420e-ae00-80f0a2c470d7,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c72c14f4-d3cd-4e99-bf2e-2b79c9891bcc,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ee28241e-875e-4f4a-9298-25d2c51b0916,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1572860-57b5-4b4b-ac2b-13f9f332425b,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a267b9f7-4f45-445d-98de-6d2c1e98ee25,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8ca14a3c-791c-4234-9ad2-781a07a72541,"4/16/2021, 8:38:28.590 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b8d8aaf4-03ef-4b1f-b095-d5db2b65adb8,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1fbc6c0e-5e05-40a3-a3d6-093608ed01b0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0d1339eb-1253-465d-8bfa-327e2b697a2d,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02af550b-9d13-4d9e-baf8-83c99f5b3064,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,64cae743-708b-4941-87bf-7252dcc5411c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f42dda5-7c4e-4f39-8901-80ec4bc49182,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12f807b7-8a3f-4a96-b41c-d9f21cc1585c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - 
An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ad382925-f724-4cc6-a172-35bfa1f6fce6,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a8b2dd96-bcc7-4128-a6a1-73ec6ea6017c,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d6d11077-cfb6-4225-aa3b-c671d37db2cd,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06ecad99-231b-46e3-b328-0503f9e09973,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,47a5a307-51b1-4f0e-b688-bfe21fd53196,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0af58041-d108-418a-95b8-ef37269de5bc,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,19519de8-a222-4576-be33-599defc4aba7,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e38b5a66-5f9b-49c7-a773-916b8a3cbef4,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\AZUREADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44dd7b6b-3f2a-4c1a-a945-e8d2507f924a,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a0ba94aa-f1c6-4250-94c1-8e0dfcaa5a58,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,790b3e27-554c-4993-8163-0b4bf5e484f0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0fad2c7-5de8-4218-b23b-b4b8b2508dd0,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6d6291c-4b23-4b8d-b967-0bda65885baa,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,04b2f37a-b282-4cf2-8788-b42e56e7f47a,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc895e72-a6b0-4c4d-9316-27c46d3f0b2e,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d12232f-df6a-4980-90a4-3afb083281c1,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b127c27-92af-4047-8d5b-46f385f1d904,"4/16/2021, 8:38:30.098 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d2b8a793-6196-477a-8205-855211460030,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e52a4bd2-2eb1-46e2-848e-fe6a1e730440,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,888d0db3-2202-45b0-84d5-fb9e9c722a50,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6dc7c687-7b8a-4a9c-b4f4-0e3388932fe3,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,40a23e28-ebf9-4ffc-a4eb-4d0a7590e666,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,66fda418-56c9-4330-9c4e-4a54bb482112,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c5e84cb1-3588-46ea-914b-9ebbb0fa7c25,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,13c0d1c1-03fb-424f-8768-c23f9defcc5d,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,27b9af0f-b0a5-45e7-bdc1-0d894f1753eb,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\VAHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cca776da-7af9-40a8-9540-a6a48e0417ae,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7a9d4688-ac1f-49b7-a9b1-5a37ce2facd4,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,71239f63-8cd5-4bca-93fd-6d2bb93c581e,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b77a9525-d783-48fc-8db8-a391cecdd094,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,506b4018-923e-4ef2-917a-b8f534cb9847,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\SAGEHELP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,33e87199-aa14-42b1-8976-d74d8eb432fc,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3961f5d-16ad-451f-b530-b0c0f5f85af3,"4/16/2021, 8:38:40.597 
AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd27552c-568b-406a-bf83-718a2f3895d8,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,80e802d6-5661-4d59-bb0f-10bdd5b0a887,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae117e56-e287-4436-a28a-a2b45ba70ccd,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b662028e-9f76-475d-a780-f9fb8011af06,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1548ce0b-f5cf-4fa0-8eaf-d9e48be8ac28,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,19f94a71-d9b0-4224-b13d-90f62483759c,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f457ab94-e358-4361-b4df-688c072a6785,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9293e137-584b-4335-8441-86b80325d4b2,"4/16/2021, 8:38:40.597 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,77e588df-016f-4cd6-9099-88e16f0440c1,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e670967c-c41f-4217-b0a6-3a67cdf74497,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d8204ee9-f3e5-4ffc-825e-59245f7e0934,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ebe239e-98a2-4919-88b8-aaef182fe269,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0db2f93-dc81-42dc-86d5-687bc4e9c104,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,614e5727-f37f-4a41-bbe5-bc2402d706d0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f712610b-5267-42f2-8475-6f04bd5c678d,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d0f3492d-0b9b-4a4f-a169-f19793ddb559,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,03a50de1-17e2-413b-ab98-3dae20e562eb,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2dcb6cbe-b53f-49d1-98c4-6aebd47de15a,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ffdfe851-aa10-4128-8f88-8c227b6ed503,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d4f3368-3d7a-4cf8-9af5-07039866deff,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e179981b-3b9d-4dfd-84ba-7c61221cda9b,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,907c168c-a7af-4a4e-8169-b1bf7642abef,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5d98c9f-08ce-424f-bd29-90773e2ff6d4,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\RJOHNSON,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a817ec27-6119-4887-8a77-814504040e4b,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,004c652f-9550-49b2-99b7-1447d7efe007,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d7fc9784-acd2-467e-afb2-0cf1e4c564a0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,556abec8-e16a-4463-8689-a8f740b7e42a,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b88d485-256a-4fc2-b6d7-9a3f1be3cb65,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,023de070-175b-4b3f-95c3-ce62a5cb6982,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,baee2454-1f8c-4230-b747-a4c71cc421b0,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,17f6db24-387e-45a5-92b7-05467c1e1ea4,"4/16/2021, 8:38:48.097 AM",,,,,NTLM,, +,,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-SAP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-15T01:14:02.124723600Z + 4936 +",5379,5379,790738c2-d2df-4c61-b9ce-1fa1ba028f27,dfee95eb-4c4a-46ce-9e70-5103f2b37f2b,"4/16/2021, 8:38:48.416 AM",,,,,,, 
+\ADMINISTRATOR,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,c0ff5bcc-9a53-4a34-b997-86a28b8c33be,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\ADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,8905b998-8683-46fc-85d1-563eb21f91b3,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,edfbd085-4e9a-4992-a453-548e84b04c99,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +\USER,User,SHIR-SAP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,790738c2-d2df-4c61-b9ce-1fa1ba028f27,a12051b2-25b0-4667-b697-ae649f92fb22,"4/16/2021, 8:38:48.416 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6452 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,c9c0ab44-4dcd-4742-b656-8877fae7a895,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 6304 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 
+ 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,b6bc3a29-937c-491d-ac33-4c90dd9486d6,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 11384 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 61FF6233DB141BE35A91025614CB7A6504D2E20174CD6298F6E0B02700C3F819 + 121 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.14393.206 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3b5dcc37-8073-4c9e-9333-b48b658c1cc0,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 10064 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,048bbca9-f1f9-443f-a366-3a54600341c8,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5948 + 118 + %PROGRAMFILES%\MICROSOFT 
MONITORING AGENT\AGENT\HEALTH SERVICE STATE\MONITORING HOST TEMPORARY FILES 16\749\PMFEXE.EXE + 32 + 904F5575C1F607E5F05C4641A9A0964007FA2C1F1DAD3C96320DF45D377C737D + 98 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\PROCESS INVESTIGATOR\PMFEXE.EXE\1.20.607.01 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,1cc3a834-e358-418f-9c01-4f6c27dd7571,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4540 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,3c5fb5e3-15f0-409c-815e-d840afef9ce6,"4/16/2021, 8:38:49.466 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 3180 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,6917ea74-3c71-46a2-886f-9cd1c6307f44,"4/16/2021, 8:38:56.982 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,OnPremSQL,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {549cb941-f2a8-45ce-8d65-7027de9521ce} + 24 + (Default Rule) 
All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 14580 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 53B647BFBAD80E8E5E5E0001B2B300A434B48262EC09193F7C3D2AF74E3CF710 + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1432 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,804f954e-45e2-407d-a242-ae810913c07d,51ad9381-b925-428c-98fe-bd3236683ece,"4/16/2021, 8:38:56.982 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9959bfe5-674c-4e70-b944-a4ef6f60077e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,71189b2b-1f91-4fb8-ae6f-0f2e847c6135,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,69601a92-5fa0-494d-8cd7-e7e1ad78e6c5,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cbfa77da-2f93-498e-b86a-be8962992d3d,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6df37e58-6505-4f98-8f12-a8b240b55a18,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,35a9aec7-1466-4c60-b707-ef1c5acb446f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fcdff928-8ed4-4484-a464-c884a98ac163,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,63240398-e2ff-4f5f-82c6-77f7e1a9240f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1e74084a-da3e-4890-a166-ea516d98bb4a,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c616ffcd-50be-4dd2-a0b9-6b62848d0d27,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41b6b4cb-6a60-4946-ac22-a8a70fc1f431,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7bc571c-4e7e-4d25-845c-60b2e528746b,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4b8b2666-bd91-4f3f-b41c-84c8d1f60bce,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,266f698a-fb72-437a-aecb-3e841fc3f72e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,82b29d29-bfe7-4cb9-a4d3-ab7052232c3d,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,270fb220-e73e-4f73-a426-49e0e330f54f,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,540c5d37-6455-49b1-891f-a801fe4812fb,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dc9c0e2e-00e1-4673-98a3-43c01871160c,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42b8efb-3e26-4be8-896b-d16d636fcb19,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9feb30bc-7b38-4dd0-afaa-dbc45c2ccebe,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b48414a-6352-47d2-8d9e-f974b9cfa329,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dd206a77-ce74-4872-92f8-d18f5b25ca28,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,725ca498-4bd8-413d-9a76-69118fedc8c4,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,93943148-593b-4272-b871-1ddf8c074e2a,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0ab85046-03d2-4ba6-bdae-e99fcba8556e,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c7bd638-ef29-45b1-8f07-ae15d83f68c5,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aecef72a-c1dc-4743-99eb-483333f29808,"4/16/2021, 8:38:57.102 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,b89e247a-d2b1-4089-8548-9aeac333f6ee,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,792a629d-6756-4ad4-819b-458d2db87a5d,"4/16/2021, 8:39:03.064 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,4715613d-a22c-41ff-83fc-62b67185de60,"4/16/2021, 8:39:03.064 AM",,,,,,, +WORKGROUP\VictimPC2$,Machine,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,0b31dee3-5401-43d7-802a-7c8aab820390,a7940ea9-885f-465b-acae-a36e6b65d383,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,7f66e813-f673-4d75-aa30-0ea6789e9117,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5c222112-cf56-4956-b444-c304d3167ca4,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T16:02:27.759890100Z + 33024 +",5379,5379,0b31dee3-5401-43d7-802a-7c8aab820390,d743f451-f71e-4c2b-9258-5e89b3449d8c,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + 
Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,f8afacc7-9282-42a3-bcd2-c812e0ab8b05,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,5e9b87f8-82ba-41c1-a16a-5d870888489c,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,c26c8824-95cc-40b0-a22e-a4127a560968,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,38382f13-d303-4647-a4d4-af2656ca30b6,"4/16/2021, 8:39:03.064 AM",,,,,,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc7b367d-6ace-481f-8d5c-d8959d721f2a,"4/16/2021, 8:39:05.606 AM",,,,,,, 
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b558393-e20f-46f0-b971-f35ac64c6853,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d911c811-e375-4833-934f-cf42a7271c34,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83c1f866-fe81-4375-b57d-2878d77e55d6,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,754942e5-9808-4897-abb2-7c93889c5d30,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,32eacf60-6fc4-44a8-978c-584041b9b577,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,68e1d764-df14-4f39-a086-6c1def485bf9,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0295a219-eb95-4b1f-af01-335e3ae6048e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\LOCALADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cd42bec8-33d2-4d14-8546-aec63f42d970,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4f905711-50b9-46a4-8470-350a40468be8,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c3091929-1041-4334-9bf9-3f77447543b8,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ac304b9d-88c9-423d-8680-319935adf8f2,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c01ca9d-032b-4700-bd18-f6a89acb4696,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,20dfbaa3-0728-412a-abca-e0a3224006e3,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ed99ff7a-7d07-4826-bf12-cdb3be91be1e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\DEMOUSER,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7334dbd9-de9c-43a9-9df2-3e1d25444029,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8c8fc120-9463-4059-8a44-49db744367d1,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a41016ad-490a-4d04-ba79-b0f63f17ab96,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fa3edbda-ca43-4e8d-aa0d-77a0b7049e59,"4/16/2021, 8:39:05.606 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,791ce1e3-3e59-4c34-b790-855a8c4ddaf3,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5d453888-13a1-4bad-b914-d77a30f07a9e,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,51cd1e5d-266d-4dca-a029-c04563aa6d93,"4/16/2021, 8:39:05.606 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3d42b8dd-57d6-442d-bdd3-0a5cc35b2039,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d8590ca-e2a1-4cf7-91c9-0113e2984581,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e6e1dda-fd0e-4505-bebd-e3ea88b63bd8,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e0eb59c6-be37-41d5-a6d1-3dbd332b0980,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2bfcf911-f167-49b3-bb8c-9b522c0fb57c,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fbb54ece-e904-4a89-b029-79e1e654bd82,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d7f426c-b5d5-4611-a15b-deedc881f19e,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8ba215d0-60f6-4353-83a2-3bff21be0c4b,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc631be1-e33d-498e-8f93-f2cdad09ea1a,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa1ac161-5808-4168-972f-daa51760f480,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,37e4711f-6577-47eb-bfa2-1ce5a28188c7,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,973104c2-f6ea-4945-b04f-eae4242d0ad5,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5a2c285-3254-4267-8d16-221594f056ad,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fdb934bb-735f-4984-9322-ba4e9f8f84a9,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e04e1541-d5cd-4de2-95a8-4a53dc454710,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2ec3bbe-10ef-4a55-a705-93178fb5cb53,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00f56008-6a21-4509-a1b8-10c5216f42c5,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7b85a166-eb54-4b69-9419-8dc34564f7de,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,76780f9c-2241-410d-a4f2-d7c62d56e8ae,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1b0f06f2-17e1-4a28-a284-2e0fad595549,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d324e91f-db8c-48be-9dd6-46a051592c22,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0abf8f0b-9fab-4f67-a0b3-4787393973d1,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0b8e69a5-1907-493f-ba2e-c1d7c09bd7e9,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,,
+\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,08b4b076-9d24-4036-b372-3650ff312535,"4/16/2021, 8:39:10.100 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,ae260685-98fe-4ef6-8e3e-6fb064a86235,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1d43d321-6e9f-4109-ad38-7fa261e44e08,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\AFFILIATE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,90fdfbc6-d23d-4dfa-b865-3c1415166c6d,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,bdcee209-f63a-4280-80ca-4477ea2a0e02,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f1710bad-7d43-4c26-a122-c1991fb0eba4,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1e2b9b2b-9724-4418-89c9-3583e0499970,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,195f7d7a-ef63-4fe4-93c5-950267640ddd,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\VEEAM,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fbe7678a-8d1e-4926-86d1-0b46d67ff27f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c9da4141-b90c-4f4e-b58e-c742abcc7a0d,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0db37e65-69c3-41e7-8303-7db1b1a390a3,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5da56883-5c29-4fa5-85f3-6d1aac98b35f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An
account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2f4a3243-26bc-402f-85c5-172545f0c01e,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e1559419-1deb-41b2-8a8e-fa0faa97d3c4,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,aa35c8ac-b37e-43c4-92ce-65358f526c40,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,75654026-c48b-4778-93dd-ec700d5ce0a8,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6d04f0e9-8bb9-4f09-add7-b9829b45ff2e,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,86ee3c17-55aa-4994-8ad2-7998a27d4f5b,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7dec993-fb4f-4f7c-86c1-ede03c014182,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fdd7da74-1607-466c-929a-71f622bb9782,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0bbe16a0-aaa8-4e8d-800b-109e236795c2,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f01a42c8-3d97-4864-9642-ef6da5787f47,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f8a100b6-1e51-48a3-8c2f-de26195e5b5c,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5985508b-71df-4118-8271-ccc890e6a31f,"4/16/2021, 8:39:18.597 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc179440-625e-42af-b6c8-7caac76a90ff,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,9272c803-be10-4339-9357-15cdf87553ab,"4/16/2021, 8:39:26.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,39c88a3f-6035-4a75-9648-b9b97ee0f526,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4b375c1-8726-49d4-a90a-2e1ad90b1da5,"4/16/2021, 8:39:26.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All 
Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8352 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,8974806b-6af4-4a7c-bbdb-53264a022950,"4/16/2021, 8:39:26.119 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7660 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,d4b10ae0-6424-4871-991f-84d14d7ac811,"4/16/2021, 8:39:26.119 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,23eef104-02c2-4ace-a40b-313d0236c2ca,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,06b15149-4e8a-4c69-b7a1-6d4afffc7d5f,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8d87981f-1cbd-4cea-a3ff-0f5bed4f456c,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a4803d4c-e7e0-4476-b9c6-620acd47123b,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,90fbc275-4333-46a1-bb4c-1e42afc30fdf,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a6189efd-deff-4287-9aa2-e2e9aaacdcbb,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7309cc50-819d-4b1a-b59e-ad5ece4934e3,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ecf68996-2d44-4bf7-bc4c-966344a9f669,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,bc5b9351-82ee-4445-8982-3517e5a7ed65,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ca15b770-2c2a-4c44-ace8-6b409cb1d88e,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4f21a4a8-6067-4312-94db-a3870c5265d7,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1c56201-1ea1-43aa-a652-0afbe643fff0,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92e48922-356c-408b-bf5d-d832a4cfe976,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRADOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9bea56f1-3b9c-4247-8f70-a563ff213db5,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f46848ca-476c-461b-acb9-cf7aadd3bbac,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1ed4b403-8845-474d-b71f-94d83dc52119,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9eada7d-6739-41b1-b39b-57b5f4583452,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,95fd52f5-cfef-442c-9cce-c799f5601cb0,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fc461f9-5d0b-47c6-a254-66bac1ff12c2,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,42e25b47-35f4-4e72-87ad-a5a40d60e152,"4/16/2021, 8:39:26.119 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,80401d27-e6d6-4b13-9281-50f8f6c6fee1,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d17e2c72-f3c4-42a1-a754-f65034014414,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab182b2e-a8ba-450e-a8a0-5e48670de52b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49339450-c164-4678-ac37-ddb533b9d8e5,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fdf9d27-fd95-4e42-8ba8-2ca840283e0c,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ac4fabf6-9f30-4533-a788-b3bfdc37d865,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1913e640-abb9-4028-bea6-6f2b23908dc0,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e24fbcd8-9ffb-4683-82de-99b2b9e212eb,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cc726843-bc28-4e11-a0e8-e86156f0cfef,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d84f2cf-733b-449e-9a93-5be9a57c475f,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d68d2804-0bc5-4d19-b6fe-7f8ffbc3e9ba,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +,,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SOC-FW-RDP$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T04:57:11.953527400Z + 6128 +",5379,5379,41502da5-21b7-48ec-81c9-baeea8d7d669,3e80207a-2461-4599-a143-3883346d67df,"4/16/2021, 8:39:34.098 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,477beb72-172d-4066-a0f0-5fdc2fd5393d,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,73e7e427-6300-444e-ab26-387a0ff2c8fe,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55bf2e77-a0a7-452b-a89d-4c0f9e737fd5,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f22efaa4-fee1-4be9-aeea-3c8b995d03b0,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0fbe3948-2cfa-4f8e-8776-ad0591c52ad8,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3df9c8c3-1f8e-497a-b195-dcbc4265c52b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,787398f0-74b2-4a0d-a3ec-f17a1c684b5b,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,83992d29-0717-4ddc-9d76-6fc6c7f2e893,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0dc4fe91-4c6a-426b-9e56-fe52f07d3fec,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,eec9c62b-ee14-47a6-af5f-a6c3a7285ff6,"4/16/2021, 8:39:34.098 AM",,,,,NTLM,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + 
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,acda7b1a-c9a1-45fd-a955-7d235f71b6b3,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,07817bea-1e17-4827-ada8-9356f7dc651f,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,a501083f-0b1e-4576-99a8-3177d5334ce9,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,e01c4fe9-53bf-420d-bd7e-1d739a254e0f,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file 
operation.,0b31dee3-5401-43d7-802a-7c8aab820390,3721237e-2ee2-4ec1-af0f-0229e9118032,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,9db692e8-d6a1-4932-b8a3-7ee4f0c94965,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12292,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + 33864 + 2021-04-14T16:00:06.377085500Z + Microsoft Software Key Storage Provider + UNKNOWN + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2b2573998563c2cadff31a57a46fc655_08c45d1e-04c1-423c-879c-529851bfc407 + %%2458 + 0x0 +",5058,5058 - Key file operation.,0b31dee3-5401-43d7-802a-7c8aab820390,81ec656a-e82b-457a-97e4-bac589d84491,"4/16/2021, 8:39:36.043 AM",,,,,,, +,,VictimPC2,Microsoft-Windows-Security-Auditing,Security,12290,8," + S-1-5-18 + VictimPC2$ + WORKGROUP + 0x3e7 + Microsoft Software Key Storage Provider + RSA + {9CBAD37E-868E-409C-9846-4666D204C0CB} + %%2499 + %%2480 + 0x0 +",5061,5061 - Cryptographic operation.,0b31dee3-5401-43d7-802a-7c8aab820390,80dabc4a-0f33-43f1-a899-5122459bf56e,"4/16/2021, 8:39:36.043 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,a0a7e0ac-f4f9-4294-a75c-a753ee90f8cf,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4352 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT 
PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,f8f31b38-aea3-4bd3-8fa9-5525af556f02,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9332 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + FBF26354024DB79DE3FD99CE43C321BE0F522B90F29ED5D3D00C8DD69B936CD3 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,88163cc1-55fb-4bd5-812c-14c9b3c8af39,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 8712 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,e79fe8c5-7bfb-4c0c-b5e2-a5525ff8970e,"4/16/2021, 8:39:37.528 AM",,,,,,, 
+CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,d57957d2-b732-40fc-b257-e1aaf9867e2d,"4/16/2021, 8:39:37.528 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,eadb3a17-cae5-4420-8f39-5d6624ac084f,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\LOCAL SERVICE,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12804,8,,4662,4662 - An operation was performed on an object.,f6638b82-98a5-4542-8bec-6bc0977f793f,9ea30dbb-30e0-4deb-b12b-9d817d513c38,"4/16/2021, 8:39:37.528 AM","%%5649 ",0x2,-,-,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,4151bbf3-1a96-4648-82e8-fbc8c1971a66,"4/16/2021, 8:39:37.528 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,476bc789-28ae-42df-8a90-a6178a2d014e,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9836 + 48 + %SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE + 32 + 8542576A51D515DA19781689F9E5E561E4398C4DE19B14AF1E8EF1C7D2551843 + 120 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\POWERSHELL.EXE\10.0.18362.01 + 0x3e7 + 57 + C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,fdfbf556-2868-417c-8943-1f96336ca40c,"4/16/2021, 8:39:37.528 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 7796 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 4EBD055259246462DAC7548F383C8987FC48BBCD872386311C3DB85F2D165663 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.18362.01 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,dc38c824-08dd-48c6-8251-6a54912ca541,"4/16/2021, 8:39:37.528 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,51825c59-e034-4ed6-9cd0-b3642749392b,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,187c9d11-1e73-4a0b-a7d6-042d1f42f2b8,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e78f99ad-7dcb-4881-a8e4-864a53a245c4,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c0f78bfb-32be-4f22-a459-429223a4d463,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f86f6c4-a145-4f4c-9a3f-bf7df8ec7542,"4/16/2021, 
8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c66efa39-b7b1-4e94-b942-411148fb5bf0,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cecb4261-5796-4539-9485-0e8dd8506d5b,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8a9f817-49bb-4e6b-82d7-027948f6eecc,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,45874f49-ef9a-4ef9-8079-0fee99cebe6a,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1fe5f1c-fab2-40f8-b750-233564de3666,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e79f8d2-146d-4d8d-8e27-b8fef91af887,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c5ab1fb-1681-4d17-979d-63f1e102a617,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7a4c1e6-6553-41af-a177-7550b5404a9a,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ab611a90-9fc3-46c0-b86f-3b1b1267a056,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fa195f30-cb30-4139-9735-5d76a66c24df,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56f1746b-e4fd-4367-b784-ef9d2dd5ddb0,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,dac01f3c-cc5e-4390-8667-2bfb41ceaf49,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,18d617fa-6f4a-4810-b00b-6f5052de0141,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fecead30-1c6f-4603-9a28-8151e9057f68,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2d9fea4d-37dd-4853-9524-f49e6b53a85f,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92af06bb-304b-4466-af4a-4cd4c540f684,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,,
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,906760cd-ecff-4541-bbe0-6f211b621efa,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8be23819-b1d3-4b1b-8ce3-b08062aef515,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a3b19c4f-10aa-4f77-91a7-04383c433b63,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f2e365d-be6d-47f6-a28a-1026047a4839,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c475217f-6d04-4f20-a6fa-371ce7251d0f,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a865b653-0da6-4f56-a0bd-05db1c4bae07,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a1b294c4-da20-4a72-835f-4c7201f9df4c,"4/16/2021, 8:39:41.100 AM",,,,,NTLM,, +,,AdminPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + ADMINPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:44:45.947181600Z + 14232 +",5379,5379,5503048d-aae9-48b7-bda5-46b931ec9ed1,769789bd-8191-44dd-9daf-91be8ed4615d,"4/16/2021, 8:39:44.907 
AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,df6f5eee-1186-4d47-a9a7-5cdceb3fbf55,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,378574f6-ce96-4afd-9a9f-729cb714aaca,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dcd1111c-b422-4dbd-b005-e57cf430da45,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\BACKUP,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c186791b-f3b0-4e90-8ee9-a3dd7edd6ba4,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8f0bab92-e1ad-4ad0-8431-fbf089f89919,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b4af564-00b7-4806-a241-2a32c888e667,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,17dfd2d4-3c41-4665-8454-530a6f3a0d81,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c96b8772-0afd-4740-8f69-55561200a731,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, 
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0007667c-feac-4198-9ed3-98c550729d28,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,12d03fd8-7843-4969-8fdc-73ca91cf974f,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d0a448a-28bd-404b-be9c-4c5fc6494cb7,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,4d0ec4c1-14d7-4c1a-a01e-5799fdfc494d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,15d3d5c7-4d5a-496c-81e2-62fbb2455cb6,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,91e5ecbc-9037-4bf8-96fb-6b700a967ab8,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc643c66-9d4d-4a24-a32e-8bdace38d054,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a40ed5fd-32bf-4743-b56c-e4b2d64c0d85,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,691b041c-6200-448f-af0f-0f805b896d9e,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,46e7a588-04e4-47aa-9614-a3d572bd97d8,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7fde453-69cf-4f93-8fb9-b76ad5695b64,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0b0ebb3c-d1d7-4bb8-953f-af151f465a38,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c8540b17-e31c-4207-a96f-e7aa80d34311,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,183a5380-3a4f-4ace-ad73-decc13576c9d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8851eeac-2d37-4b94-a6e2-74aa53a38f0d,"4/16/2021, 8:39:46.586 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,92d2a647-c70e-4678-bcdb-459964ccc9c6,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f1595368-b242-4608-b538-5b53a009bdff,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,567c0587-0eac-40eb-a0a8-5560b126f07c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,005048fc-ebad-4094-80ee-69f3670d636b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,99eafee6-4ddf-4505-bbd9-c744bb098790,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d69d84e1-c5cd-40ab-8615-735bf14f0235,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e9828ad-277d-4219-9a65-d433e9691ff1,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5e2e39ac-02b3-40bf-8bbf-251548db28df,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2e078205-f52b-434b-b15c-0bf05e90436c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cca1f9df-ebe5-4727-b4ee-da3d3789268c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fb021acf-7331-4fe6-8b87-ff78894284fa,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f7865c36-50f6-4601-9397-70350a29cb31,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c5bd5628-b617-4aea-87ec-57b2bb0372b3,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d08fb2d-f645-4dab-80d1-e214980c76a0,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,da8d9857-9f05-4d60-99b0-394b8b285bbe,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c47aa2bc-3f6c-4087-8370-28439e738a9b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c502bfa6-db78-4b20-98e5-f87b13a8e03b,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,57163e6c-951c-4326-91b1-129abe05bced,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\LOCALADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,358ca4df-2159-4381-b636-ba8c7771ac5c,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,12503fbd-1671-48a3-94e2-53ce688c96fe,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7484e722-cdff-4ce5-a8b9-9571f29c1014,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94d3cafc-5822-4d86-af4e-f3debb5f03b0,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\SERVER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,34c02741-b515-4be0-adc3-434126279499,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aabdc6c-ee72-4028-9596-7f65a1cdd241,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,a9f3ee33-1603-4b21-afec-fc76081ba2e8,"4/16/2021, 8:39:47.118 AM",,,,,NTLM,, +NT 
AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 9792 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,a112a5fd-7390-4945-ab3e-5fbb685de016,"4/16/2021, 8:39:49.931 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1032 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,954b4de2-fa93-4737-b3ff-8fc55e572ff2,"4/16/2021, 8:39:49.931 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1379ca70-5df7-49fc-ae06-15fcf936efbb,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fe3991fc-778e-4688-846a-f8a28432b875,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0e04ca7c-c6b5-4cf5-a79a-914ca9386428,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e08a307-a126-4702-9d0e-e08146ac309a,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,974b8108-f230-4d3d-97f2-f1a2ba432932,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2c408361-5c13-49a6-baa2-e6018cd18fd5,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,60e53f2d-c001-4a61-b1bf-eb1b075e250f,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f2187edc-c2ee-43eb-b3ad-8585d94819ee,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84576e11-ca0c-4f29-95a0-b2cb7c7cd225,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb21fdc4-3cdf-4208-8045-4d8df67b518b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d03f01-01f8-4e60-a151-c6e73168c7fd,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,6c7087fe-9770-4017-a419-6c22e71b5f6b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,0aceec76-4d80-48c8-a4dd-54836288c45e,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\MASTER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd3c7e19-1b8c-4156-b273-0882405eb528,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,02198142-ad11-48bc-8708-be8ce5546820,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,52f88d61-3def-49fe-b951-a6fd79f76faf,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3ed499c-5639-4f52-ab07-573457aa6e65,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,120d9269-8815-4512-a27f-6a5fd46e1575,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8fdbd176-1bed-41fd-8df4-fb6b246db37e,"4/16/2021, 8:39:54.122 
AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,94650bce-c125-4ec4-9368-37d3130b9d4b,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2895a142-0cd1-44ae-b386-e17ba0a773dc,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,86763712-117f-4521-9970-d5b3e8d379c8,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3ff603c0-9d66-4ca2-b039-d2d10ba0ef09,"4/16/2021, 8:39:54.122 AM",,,,,NTLM,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,db5653d9-0963-4000-8625-15f2d6af82ec,"4/16/2021, 8:40:08.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 1612 + 76 + %PROGRAMFILES%\WINDOWS DEFENDER ADVANCED THREAT PROTECTION\SENSECNCPROXY.EXE + 32 + F358FBE493C2EA488DC35942304599FBE52418128BDAD41BEA3D9CC7A14A633A + 128 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SENSECNCPROXY.EXE\10.7740.18362.1474 + 0x3e7 + 78 + C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe + +",8002,8002 - A process was allowed to 
run.,f6638b82-98a5-4542-8bec-6bc0977f793f,d8d61b88-0b59-4dd6-be46-47eaaddb4f25,"4/16/2021, 8:40:08.573 AM",,,,,,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:45:43.737462400Z + 2860 +",5379,5379,f6638b82-98a5-4542-8bec-6bc0977f793f,cc315235-7414-49b1-9b1d-9152b0b6b4b0,"4/16/2021, 8:40:08.573 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,VictimPc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {62747072-f4a5-4af7-a15f-a2def5ff577a} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 6852 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,f6638b82-98a5-4542-8bec-6bc0977f793f,6fb429fb-167b-4c99-b12b-e3b57d492677,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4648,4648 - A logon was attempted using explicit credentials.,f6638b82-98a5-4542-8bec-6bc0977f793f,9f2ade53-7f90-43d4-a039-198314e62b68,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12544,8,,4624,4624 - An account was successfully logged on.,f6638b82-98a5-4542-8bec-6bc0977f793f,0cd26feb-fd4b-4812-a2e1-009f8e48049c,"4/16/2021, 8:40:08.573 AM",,,,,Negotiate,, +,,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12554,8," + S-1-5-18 + VICTIMPC$ + CONTOSO + 0x3e7 + S-1-5-21-1661583231-2311428937-3957907789-1105 + RonHD + CONTOSO + 
0x40b9c93 + 4 + 1 + 1 + %{S-1-5-21-1661583231-2311428937-3957907789-513} %{S-1-1-0} %{S-1-5-32-545} %{S-1-5-32-544} %{S-1-5-3} %{S-1-2-1} %{S-1-5-11} %{S-1-5-15} %{S-1-2-0} %{S-1-5-21-1661583231-2311428937-3957907789-1111} %{S-1-18-1} %{S-1-16-12288} +",4627,4627 - Group membership information.,f6638b82-98a5-4542-8bec-6bc0977f793f,9b011052-71ac-4bd4-b02e-144f2cd7eaa5,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12548,8,,4672,4672 - Special privileges assigned to new logon.,f6638b82-98a5-4542-8bec-6bc0977f793f,69f059bf-e9d8-4725-bef0-22f8e5f3548c,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\RonHD,User,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,12545,8,,4634,4634 - An account was logged off.,f6638b82-98a5-4542-8bec-6bc0977f793f,43f65156-5307-4ef2-b2ac-19b32ab296ee,"4/16/2021, 8:40:08.573 AM",,,,,,, +CONTOSO\VICTIMPC$,Machine,VictimPc.Contoso.Azure,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,f6638b82-98a5-4542-8bec-6bc0977f793f,13e360d8-8335-4a76-9c22-3961b4b31194,"4/16/2021, 8:40:08.573 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7e535e5f-7cd4-4d07-a2e8-8f67d92bd947,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f926331e-1b80-409c-8899-fbeee1918ef5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e94181e2-1380-4229-98ce-721a02ded02a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account 
failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c7d811e9-3388-408a-ae92-279f5674c545,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1d13cdb6-074c-4e9b-959d-2436dfc369b5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b28d2250-0848-45cf-abe4-526430e7011c,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b5f3488-f2d5-4ba3-8243-b41e974cd698,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,152022f8-ad37-44ff-91ec-c4f9eeccced9,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,40fac49c-33ca-47a6-9ff3-4bb6475cc8f5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,10ea3e86-a1cd-4598-b408-13c59db307f1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5d3cfcf2-9619-47e2-8357-2367d648d686,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,13c58fe3-0fad-4684-b7c8-344fa394a78f,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9b7e5a4c-8340-454a-8802-a7b8897744d7,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,53a088dd-d2c6-4895-bb06-22fe6a7d63e6,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cade4460-920f-4efa-8fb1-48b2379d0fe5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,316dde07-10c1-415c-bbd6-4052ed45e2e1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,25a06b86-fa5c-469a-b56d-3726c35dccd8,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e8b70786-2dfc-4b90-af66-8ba0bb00e9c3,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e03eeb4a-7b66-4631-a12f-3472d3217a4a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f77ed80a-6d73-4c0c-99e9-ef9c678f51f5,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fd22748e-dd39-4290-91e9-fc7b3a1b2766,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,00895178-e972-410e-b581-3f285a8e24e1,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d910f83e-6617-4f09-a4df-b95d96c87a4a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f331820-5bf3-4a55-a0e7-da25a4eb85ae,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9f39c7b-49c9-4e2f-ad3b-01799066533d,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,61951e40-cd48-49aa-ab9a-911f77d12843,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,7d458513-86b4-4d09-9ae9-bf50fb6c9348,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\VMADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e42e9f89-99c2-40d3-afd7-5f7b9cb4e17a,"4/16/2021, 8:40:11.104 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3e9edbe5-03fb-4b15-a167-c0dae7d89d79,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,555763dd-f14f-4695-9408-a93053f71e37,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,30a28a79-9b42-4ed4-9b83-25dcd7b0448f,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\MJOHNSON,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,acbd663f-b8dc-4a88-877d-51133d766b35,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3aef041a-152c-479a-910d-eff4891a5bdf,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,144595cd-7a4b-457b-bdfa-53f70cc70018,"4/16/2021, 8:40:15.598 AM",,,,,,, +WORKGROUP\SHIR-Hive$,Machine,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3a22d1d8-b20e-4e43-9bef-fe968e432c53,"4/16/2021, 8:40:15.598 AM",,,,,,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ffe9a38-cae1-42a5-abbb-581cba881460,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1595b507-b18a-47ed-8535-10df3daef4ac,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b6df68d7-6ddc-42eb-b777-5ca3d4954c40,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,724e2cd1-b357-48dc-b106-d516e0989c79,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0fc2c2a4-837a-4712-a834-505bfbd38944,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5f3b3588-ae5e-4e57-9c59-cf7b083e0e08,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\AZUREADMIN,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,60a10a66-00fc-4d6e-a056-dea2f83a76ae,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6af153c3-ccb9-4429-ad2f-6d0b790f57c2,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3f0ed9c5-1fcb-4538-89fa-2a0348c981cd,"4/16/2021, 
8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e38f127f-256d-4999-a5c8-c4d67fc37c51,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,64bff3ae-be2f-4330-b4cb-3a792eca7fed,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8a818efb-00fc-4264-897e-b5b1534a30a4,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b491088-45bb-4592-88e4-e7c1a4f36048,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b3b48069-d880-42b6-bf37-b1118d828fa6,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c861ae1a-ea86-496c-a2b8-1c8900707a4f,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,6b1f3648-5749-4866-a787-a255a8316259,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3629fafa-3de9-4252-ba15-6ab5e4b0b2d7,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, 
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,67e785b2-a53a-4608-b469-9486ef1bff1d,"4/16/2021, 8:40:15.598 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fadfadab-261f-4113-9474-f1d5253d82d8,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c4bbe42e-a764-44f5-aeeb-27e7add1441a,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,cb378675-316e-479e-9dae-89ab1c3ba815,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,49503290-6ea2-4ec9-9021-757659cf2c56,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,fc8f3bf3-fef0-4745-acd8-aaff50fdee5c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec85e93e-089e-47cf-ba73-e0f9d8cfe439,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,944a87aa-7303-4d91-90c5-7da44070b6fc,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,84f27864-634d-4589-ac03-988e66fbfc9e,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e9f9e0d4-a975-4ad8-8617-f7aef90f605d,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5b05a8d3-c461-4b31-ba8e-844c8813d475,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,2f4be854-18a4-4159-8311-2ea82dbbca99,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3cd0cf8d-1366-4cdf-a36e-34e806b25e25,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\VEEAM,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aba95a8-b8ac-490b-8bcc-b015bb8fefb2,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,5ac1d36e-e063-43e9-a076-167dc5ce7e0f,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9a2c6b91-7bb2-43d5-a2b7-14a16940d59f,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, 
+\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,141602ae-eb9a-4ad9-a3f7-b06188f41ef1,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,e6850357-2b2b-4d9d-a8cd-bf4c12bfc588,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,756531ed-fa6d-48e0-ac02-ce975c23062a,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f39cf93b-0c76-4572-97eb-375d2e40772c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,159761a9-6ec9-44d6-87c5-ceb171a13be9,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b711a839-574f-4906-9c38-0c837a7d710c,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,65063537-3272-46c1-ad56-267062257cce,"4/16/2021, 8:40:19.112 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,33d88578-d386-4e9d-a943-e0f29a845793,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, 
+WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,624edc98-c21c-4925-8dcd-3e702953a69a,"4/16/2021, 8:40:25.110 AM",,,,,,, +WORKGROUP\SOC-FW-RDP$,Machine,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,41502da5-21b7-48ec-81c9-baeea8d7d669,1c484fa8-2bd8-4627-9861-5ca5d4b889a4,"4/16/2021, 8:40:25.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,55183926-f0b4-49cc-8a1e-5bb1b4a08621,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d1fff651-79dd-4b1c-9431-f8b9cc6d1c9a,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5188 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,50cfce3e-622b-45a8-b5eb-37c579f5e3a7,"4/16/2021, 8:40:25.110 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,SOC-FW-RDP,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {310150f6-6281-4fe3-9d5c-e76c8cdad4dd} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 4532 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 
CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,41502da5-21b7-48ec-81c9-baeea8d7d669,41c9b122-c0da-41b3-af9f-f147eff4aca9,"4/16/2021, 8:40:25.110 AM",,,,,,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,54e1100f-93da-4708-8515-d4a3dc8274fe,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,c9e231dc-d814-4ea4-a2d6-baf5b522f50f,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,56251031-c69d-406e-a2bc-6c9c7f651f3e,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b4903f44-a2f2-4869-8b08-c1076eb89850,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b6130b7b-d428-4eeb-8be1-194287394949,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,59b54241-78a0-454e-b074-7d3896d4ab42,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ef1a3f32-2a73-4ae1-bbf6-1b93b658853a,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,aaceb745-984c-4344-8e93-01a33de1f8f8,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,919edfe7-55a9-439e-94a9-4ace96411bfb,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f6eb5262-f2f5-414a-a094-4afe0cd51983,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d128321c-42ae-4452-a808-8430387c8ce0,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,671d9b98-bf7b-4ced-8817-d6d33b3b0301,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,44e225a6-693b-4a77-8936-7ab4b47bbb62,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,672deb6d-ebb0-49ae-a0a8-a607d123d82b,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,32a666f6-2aa8-477d-a2c3-3351a3138772,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,16de15e1-0cd1-40d2-93b9-7753ac50e1e3,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,840b9ab7-8c69-4dba-91f5-6923cf4de1a5,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,068923b1-f9fb-46dd-b123-ed4065b9888b,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,d3967789-6f0f-40fe-b147-8e94a408d32f,"4/16/2021, 8:40:25.110 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e0f84cc-bbad-460f-a20e-b02d31eacaac,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,ec845f95-0411-4e9c-9c1f-da13840ef1de,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,161d89e7-7cc2-4762-a284-a07fab7fb438,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\administrator,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,41502da5-21b7-48ec-81c9-baeea8d7d669,1f042aef-8893-41b8-8f91-d18185408318,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,24b332b0-e711-4ff2-b140-46906d264b61,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f88d0030-3a0e-4492-88c0-2b6618fe4ef9,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,75234f8c-670d-4dfa-a342-490551e2c978,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\USER,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,3da800de-3ae2-460c-8f36-51afd0a8274d,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,9be70d15-1ebc-4be9-ab8a-4acf2eec7351,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,487eae3e-587e-4c86-9db8-e29179b1ada9,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8f1bce3b-877a-4276-aed9-5ce4a334b584,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b2f480c8-a9b5-45c3-97c3-d4ace653dd04,"4/16/2021, 
8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,48ef1cba-c6b2-4d69-b940-6841ffbcb8cc,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,857d2d4c-a844-4010-8be2-5ed440a84587,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\TEST,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,4aa53327-57ce-49ef-8c0d-e04fc1e19548,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,74ff9e78-dd47-4374-868e-b5fa6861a815,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,072019a8-30ba-41b4-8fa8-1e83fce089ad,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,b11f687b-1a09-4f8d-9c55-cffea1b1339b,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,79bf1322-1e21-4ae9-983f-1e523d05dd07,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,8e27f16b-7093-4653-87ed-c10efccefc63,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, 
+\ADMIN,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,41169574-a231-4793-a448-63ce08dc3714,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +\ADMINISTRATOR,User,SOC-FW-RDP,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,41502da5-21b7-48ec-81c9-baeea8d7d669,f012effc-4de0-4943-a0f0-f0874812cf64,"4/16/2021, 8:40:45.182 AM",,,,,NTLM,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2592 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + D95CE56274759F9A1DC5DFB7C8F004B3837D82BF0098CB9CB40E0484C1ABFF98 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,f933f501-f77d-4c76-b9bb-056963522a76,"4/16/2021, 8:40:49.266 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,ContosoDc.Contoso.Azure,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {2E0B70A3-970D-4DAF-85EB-DD8A06B4F307} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5620 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + 7A4B863FCB85ECC9C635345C5E0545B237B3787A6B6F22C0C923294CA0634CD2 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.14393.00 + 0x3e7 + +",8002,8002 - A process was allowed to run.,9a259efc-db9b-4c88-bb3f-eab070fa783c,9595c80a-f73d-4250-ad4a-f778705d5b85,"4/16/2021, 8:40:49.266 AM",,,,,,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c98f288d-5d02-49b7-b037-44e49cf75159,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cec28798-d7a4-4c52-9310-dcd50ab7242c,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,e7914734-c1a3-4f7b-9fb9-d97e3a10bfd7,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,73a278db-43d6-4940-ada9-8aa5faa6f74d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d183b088-f624-4b67-ae89-822d95e42a8c,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7ed0147c-b371-47b1-a2c8-401824a7009a,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f6f01a74-b379-4bd8-8ae2-91565df27258,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8cc8aff9-8e86-4e87-9c96-ad7e3dc51199,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,a3d0c0be-7883-41c9-830a-131a49e8a0c7,"4/16/2021, 8:40:57.605 
AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9a7c1917-cd38-45f8-aeac-36d436da252b,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8afe0126-fa6a-4d0f-8afa-0bc221782df6,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,98fcf06b-83b7-4517-b388-51a86c720840,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,618c8726-0491-42ae-aab9-18fd2677392d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fc081a66-0b74-4953-9af5-c3c1d22741de,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +,,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + SHIR-Hive$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-03-29T15:51:56.5253075Z + 2884 +",5379,5379,df6a58ab-e4d5-47e3-853f-26e261ec7efb,5ed603ce-9637-4675-a22a-c9c9d599a260,"4/16/2021, 8:40:57.605 AM",,,,,,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c08cf3de-5fdb-49d2-ae32-470b9e9e70a3,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,95fccafb-e9b2-41df-9d3d-234393d18b63,"4/16/2021, 8:40:57.605 
AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c7b121e2-9d6c-49df-be10-6321664396f8,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,3c6bae22-345f-4111-8ddf-b341d9ff505d,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\JACE,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,16fd803c-1ba7-4fc0-aa0f-d8cf8023d64e,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cc18923e-37ef-4440-9f0c-c9a98cb934df,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c6621bae-3292-4883-bcc3-e2c325d3b724,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,cf8b9495-cd93-45b6-bf38-f20f48e71aea,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8b76399d-5b9c-4f65-84f5-6984e0612410,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,dd8e800b-523b-4307-95fa-b6e1c8b3acae,"4/16/2021, 8:40:57.605 AM",,,,,NTLM,, 
+WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,b0a4b98a-c9cb-47d4-9a5e-72e594e00d49,"4/16/2021, 8:41:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,27593a79-8069-4433-acd3-73538528ea23,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 5108 + 22 + %SYSTEM32%\CSCRIPT.EXE + 32 + 7EA894876FF19F8E2B3D2803BE3D3317FDFD23297BCACC116D79230C8A9E1741 + 116 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT ® WINDOWS SCRIPT HOST\CSCRIPT.EXE\5.812.10240.16384 + 0x3e7 + 31 + C:\Windows\system32\cscript.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,418fc48f-ff88-4106-8b45-497715bdef68,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-18 + 2416 + 22 + %SYSTEM32%\CONHOST.EXE + 32 + CA6FB9951D41C3FE1496D7C74839E9441FA53D3C42429E1AED17BD9E899CAD6F + 119 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CONHOST.EXE\10.0.17763.1790 + 0x3e7 + 32 + \SystemRoot\System32\Conhost.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4da9a3d7-4e9b-40f9-ba15-3d72c4e1d4b6,"4/16/2021, 8:41:09.848 AM",,,,,,, +NT 
AUTHORITY\SYSTEM,User,TrustedVMDemo,Microsoft-Windows-AppLocker,Microsoft-Windows-AppLocker/EXE and DLL,0,4," + + 3 + EXE + {327150ba-728c-4179-9814-200b0861a0e4} + 24 + (Default Rule) All Exe's + 48 + D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains ""*"")) + S-1-5-20 + 3232 + 84 + %OSDRIVE%\PROGRAMDATA\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.18.2103.7-0\MPCMDRUN.EXE + 32 + C7A18C474A47F5335593A567F0C714D4F658E28D07DC27F6EAE5D5641788E813 + 117 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\MPCMDRUN.EXE\4.18.2103.07 + 0x3e4 + 77 + C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2103.7-0\MpCmdRun.exe + +",8002,8002 - A process was allowed to run.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,98a577e3-9425-4d73-8e90-9e72197a4623,"4/16/2021, 8:41:09.848 AM",,,,,,, +WORKGROUP\TrustedVMDemo$,Machine,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13312,8,,4688,4688 - A new process has been created.,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,4c323d5a-434c-470a-ac0d-bf8f5ce05bab,"4/16/2021, 8:41:09.848 AM",,,,,,, +,,TrustedVMDemo,Microsoft-Windows-Security-Auditing,Security,13824,8," + S-1-5-18 + TrustedVMDemo$ + WORKGROUP + 0x3e7 + SQLADS:* + 0 + 0 + %%8100 + 3221226021 + 2021-04-14T17:28:19.422752600Z + 2908 +",5379,5379,9fdb88c2-0847-4e6c-bb54-92cc2bb00996,d166e4f4-e055-4ca3-ae3d-3b10f6547dbc,"4/16/2021, 8:41:09.848 AM",,,,,,, +SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,b8df4147-cd04-47d4-bbf6-ef72059fdca9,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,9ee7cc65-cc2b-4c1f-8041-4ae9ccb85209,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,, +\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log 
on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,163bf292-2b5b-4cc2-990b-439c5fe3cd84,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,af964f55-d47e-4422-9f8b-cd97b3ccb862,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,7b7fb202-c508-458b-907c-84837f7e9475,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,1dccb84d-22ff-4017-81da-0f8723b2792d,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,943be54b-2283-46dd-8643-f1120fd704a9,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+SHIR-Hive\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,2a4886c3-6ef9-41a6-bfc0-c51be93c8608,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,0c0238ee-b4b0-4be6-a5d9-7576c235bcaf,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,f58f617d-b56e-43ef-98fb-0852d8885076,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,11edc34d-e673-442f-b246-1bd181b0571c,"4/16/2021, 8:41:19.594 
AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,26e0e643-df77-4c45-a736-ed73d1bed3c0,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,49027c91-8701-4124-9d97-60bb52748c02,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,8819be9e-9f7d-452c-99e5-19be749c8919,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,44a15147-a9fe-4c5a-8198-5ce04205ff8f,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d5118d2d-f106-403b-89b5-200c47eabda1,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,c1e35a32-a818-43eb-9f49-9e2b46d29fca,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,88d9baa1-b82d-4459-a378-4969da91fa27,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,fd3b448b-95b3-4821-b006-f2c13be15a95,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 
- An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,83b5ed13-1a59-4c89-961e-1a702e064ead,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+SHIR-HIVE\Administrator,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,87f73f24-3204-4c20-a12a-febef4fbf858,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
+\admin,User,SHIR-Hive,Microsoft-Windows-Security-Auditing,Security,12544,16,,4625,4625 - An account failed to log on.,df6a58ab-e4d5-47e3-853f-26e261ec7efb,d36b4ea7-50e8-47b9-8a0e-7db5140cdc9f,"4/16/2021, 8:41:19.594 AM",,,,,NTLM,,
diff --git a/src/SecurityInsights/test/sampleData/SigninLogs.csv b/src/SecurityInsights/test/sampleData/SigninLogs.csv new file mode 100644
index 000000000000..e209b0d1d485
--- /dev/null
+++ b/src/SecurityInsights/test/sampleData/SigninLogs.csv
@@ -0,0 +1,1233 @@
+TenantId,SourceSystem,ResourceId,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,CorrelationId,Resource,ResourceGroup,ResourceProvider,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationRequirement,AuthenticationRequirementPolicies,ClientAppUsed,ConditionalAccessPolicies,ConditionalAccessStatus,CreatedDateTime,DeviceDetail,IsInteractive,Id,IPAddress,IsRisky,LocationDetails,MfaDetail,NetworkLocationDetails,OriginalRequestId,ProcessingTimeInMilliseconds,RiskDetail,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ResourceDisplayName,ResourceIdentity,ServicePrincipalId,ServicePrincipalName,Status_dynamic,Status_string,TokenIssuerName,TokenIssuerType,UserAgent,UserDisplayName,UserId,UserPrincipalName,AADTenantId,UserType,FlaggedForReview,SignInIdentifier,SignInIdentifierType,ResourceTenantId,HomeTenantId,Type,IPAddressFromResourceProvider
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,f9ff9ee8-d565-478b-bc95-8b4f0d468fe1,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:08:45.2213421+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online 
Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:08:45.221 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,cfb68155-70f5-4e28-b046-0a3a7086c401,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],cfb68155-70f5-4e28-b046-0a3a7086c401,3535,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,b374c020-b0b2-4295-a9da-74bdd31de68c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,O365 Suite UX,4345a7b9-9a63-4910-a426-35363201d503,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:27:54.8914298+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:27:54.891 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34dc63e5701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34dc63e5701,1412,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,06910dc5-8e07-46a5-b53d-11c5ba4ed673,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:01.4357074+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:01.435 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,797afc36-b046-45b1-93bf-7d0b66357301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],797afc36-b046-45b1-93bf-7d0b66357301,1289,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d948aa1d-9416-4d23-8383-3a4847bca5fc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:06.2490139+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:06.249 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b862bbd8-080c-47f4-8d77-b0c902505c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b862bbd8-080c-47f4-8d77-b0c902505c01,2174,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e44aa2e9-3258-45a1-82bf-e4801f8003ac,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:28:06.921786+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:28:06.921 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b3b31048-1654-4f80-880e-d9f5dbfd6c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b3b31048-1654-4f80-880e-d9f5dbfd6c01,2657,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e824715d-6d00-40f4-a54f-9b58b0184a1f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:06.986823+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:06.986 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,94a69790-5bb8-4d63-a81c-a87941bd5901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],94a69790-5bb8-4d63-a81c-a87941bd5901,2760,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d8c36749-e8be-488f-b32b-316361ca724b,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:07.9702173+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:07.970 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,e66745a9-0ef9-41ca-9b8c-0d96e3936101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],e66745a9-0ef9-41ca-9b8c-0d96e3936101,1899,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,16000,None,Other,0,efb0c29f-204d-c000-3135-7a444b8eddbc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:08.3569132+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:29:08.356 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,d8acd976-4765-4bb7-805b-9d110f3d5a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],d8acd976-4765-4bb7-805b-9d110f3d5a01,2798,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":16000,""failureReason"":""Other""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50058,None,The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. 
Contact app owner.,0,bf595f69-3dcc-4eef-b1c1-ba3cd8ba3de7,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:16.617982+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:16.617 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,dffdd8fc-a142-4ddd-8ced-0192613f6901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],dffdd8fc-a142-4ddd-8ced-0192613f6901,2131,none,[],[],none,none,none,,,,,"{""errorCode"":50058,""failureReason"":""The application tried to perform a silent sign in and the user could not be silently signed in. The application needs to start an interactive flow giving users an option to sign in. 
Contact app owner.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0107d864-473e-4a12-aa71-ae9aaba9e17a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:18.632758+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:18.632 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,4b6c9341-1536-4a63-9d00-107410a4b301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],4b6c9341-1536-4a63-9d00-107410a4b301,1521,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,bf595f69-3dcc-4eef-b1c1-ba3cd8ba3de7,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:20.4954585+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:20.495 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,55fa18e9-2894-4513-b406-dd8d4213ce01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],55fa18e9-2894-4513-b406-dd8d4213ce01,1512,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,fd8a2a96-713c-430d-a539-7ba2d5cb2f50,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:22.1785431+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:22.178 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181be5e85c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181be5e85c01,1595,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,6eb62f3d-a8a6-4d54-bdbd-cbdea068764a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:22.3035428+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:22.303 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181bcce85c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181bcce85c01,2206,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3a3bd3b9-ed34-4fcd-8f03-b0329ad3e03f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:27.6146177+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:27.614 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,dffdd8fc-a142-4ddd-8ced-01925d416901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],dffdd8fc-a142-4ddd-8ced-01925d416901,2520,none,[],[],none,none,none,Microsoft Teams Services,cc15fd57-2c6c-4117-a88c-83b1d56b4bbe,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,1dec1606-e6bb-4a44-925d-b8838e8fd66a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:37.9210516+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:37.921 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce04b4fab01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce04b4fab01,4335,none,[],[],none,none,none,Microsoft Teams Chat Aggregator,b1379a75-ce5e-4fa3-80c6-89bb39bf646c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d9a6a740-e0e8-4e8e-8402-10780dc74b88,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:45.4525138+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:45.452 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a73aac59-e4c4-4bd3-9fb4-43f4a95d5501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a73aac59-e4c4-4bd3-9fb4-43f4a95d5501,3619,none,[],[],none,none,none,Microsoft Teams Chat Aggregator,b1379a75-ce5e-4fa3-80c6-89bb39bf646c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,b4ba2a7e-6018-462c-bdb2-e14b885f5c02,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:51.1875385+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:51.187 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a73aac59-e4c4-4bd3-9fb4-43f4715f5501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a73aac59-e4c4-4bd3-9fb4-43f4715f5501,1359,none,[],[],none,none,none,Skype Presence Service,1e70cd27-4707-4589-8ec5-9bd20c472a46,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 
Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0e7158fb-3719-494b-a5c5-ec85b08e97d8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:53.7585097+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:53.758 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34d24535701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34d24535701,1901,none,[],[],none,none,none,Microsoft Teams UIS,1996141e-2b07-4491-927a-5a024b335c78,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,6ebc0918-cd75-45b0-838e-e07d1f2cc43c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:54.2493636+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:54.249 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,e074940e-c3c9-4024-b8ba-61123d046101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],e074940e-c3c9-4024-b8ba-61123d046101,2440,none,[],[],none,none,none,Microsoft Stream Service,2634dd23-5e5a-431c-81ca-11710d9079f4,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 
Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,91e29e5a-ed6e-4839-82be-490053ac2887,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:54.597063+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:54.597 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,56b911cf-6c72-4378-939e-4b0ce097df01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],56b911cf-6c72-4378-939e-4b0ce097df01,2072,none,[],[],none,none,none,Call Recorder,4580fd1d-e5a3-4f56-9ad1-aab0e3bf8f76,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3f6696ab-b05a-4876-97f3-13d5228e91a5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:55.0850623+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:55.085 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,37c3b890-9870-401d-b04a-56736b79f201,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],37c3b890-9870-401d-b04a-56736b79f201,3057,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a3228d58-c5ed-42c2-8b85-761f1287c9f2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:56.0723166+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:56.072 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b6634b5b-7f20-4d5a-b3cf-aa86676b6501,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b6634b5b-7f20-4d5a-b3cf-aa86676b6501,2508,none,[],[],none,none,none,Microsoft People Cards Service,394866fc-eedb-4f01-8536-3ff84b16be2a,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,56ed29c5-6917-4055-8620-bfc55816c18e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.0858832+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.085 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b862bbd8-080c-47f4-8d77-b0c990645c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b862bbd8-080c-47f4-8d77-b0c990645c01,2608,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,2c2e42dc-56ae-4d16-8628-042eb09c695a,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.1495884+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.149 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,176739db-9294-48a0-acc0-181bc2ef5c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],176739db-9294-48a0-acc0-181bc2ef5c01,1504,none,[],[],none,none,none,Office 365 Exchange Online,00000002-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,1215b0f1-002d-4477-a11a-84987f46b85c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:29:57.305829+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:29:57.305 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,653bdf5c-6fe7-4ad4-811e-20634e1b6a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],653bdf5c-6fe7-4ad4-811e-20634e1b6a01,2783,none,[],[],none,none,none,Skype Presence Service,1e70cd27-4707-4589-8ec5-9bd20c472a46,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,efb0c29f-204d-c000-3135-7a444b8eddbc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:35.9521472+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:35.952 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,8d85a74e-93fe-4594-97f7-876efbc40b01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],8d85a74e-93fe-4594-97f7-876efbc40b01,2203,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c56ef18a-e41c-46b8-a285-d8f3c49199a5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:47.310088+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:47.310 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,58834cda-a6a2-4007-8252-32b4e0837001,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],58834cda-a6a2-4007-8252-32b4e0837001,1120,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04477479-4aa6-4542-a258-5761968511f8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:48.3516037+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:48.351 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce06c5cab01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce06c5cab01,1095,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04f42fdc-1d00-4b95-9b31-1166d4ddb635,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:52.6943411+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:52.694 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,12641949-1cf4-407a-a531-c393ff116301,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],12641949-1cf4-407a-a531-c393ff116301,2424,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,9b285867-fd65-4cfa-9bdf-824f7fbda845,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:30:58.6858053+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:30:58.685 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,16cb7198-6ee0-4379-b1b0-7403de445e01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],16cb7198-6ee0-4379-b1b0-7403de445e01,2625,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,16000,None,Other,0,3ab1c29f-40b7-b000-fad8-da0ec116fd4e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:15.9922004+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:34:15.992 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,a915aa9e-a64f-487d-b932-b4cc07707901,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],a915aa9e-a64f-487d-b932-b4cc07707901,2173,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":16000,""failureReason"":""Other""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,,SigninLogs, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3ab1c29f-40b7-b000-fad8-da0ec116fd4e,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:22.8418632+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""True"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:22.841 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf81fe916a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf81fe916a01,3578,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure 
AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a8646c2c-b407-483f-9f72-a5773ed415dd,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:33.6440378+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:33.644 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,709b386d-24a2-4296-96b5-00500ba3a600,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],709b386d-24a2-4296-96b5-00500ba3a600,2307,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, 
+7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,8200a6aa-9bb7-4203-9ccf-700dc2dcd6ea,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Maker SSO,17d5e35f-655b-4fb0-8ae6-86356e9a49f5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:34:34.9685566+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:34:34.968 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4cd3ddd601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4cd3ddd601,2673,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,5d05c054-9f28-4039-9eaa-5b26f09c4876,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:28.9378094+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:28.937 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c860c04c-d26e-4585-8c58-75d2ed475f01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],c860c04c-d26e-4585-8c58-75d2ed475f01,1440,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele 
Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,41310acc-65cb-47eb-a8f5-8da1265a9ffc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:32.4474314+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:32.447 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b186f209-1ad9-4bb6-ab5a-e76055c36601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b186f209-1ad9-4bb6-ab5a-e76055c36601,1499,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,cf229e41-ddd7-43d2-aca2-337c7ae23b52,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:36.8096788+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:36.809 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4c87ebd601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4c87ebd601,2415,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,d2331948-f2d6-4e85-b7f7-4d9d1464d957,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:55.6937096+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:55.693 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c860c04c-d26e-4585-8c58-75d2934d5f01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],c860c04c-d26e-4585-8c58-75d2934d5f01,1992,none,[],[],none,none,none,Office Shredding 
Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,02645cdc-f374-4992-97ed-75e04bc4c042,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:57.0509704+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:57.050 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf81e6a56a01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel 
Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf81e6a56a01,2060,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,a8d5a402-e2a8-4bff-b3da-53ca1be11ea9,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Augmentation Loop SSO,2abdc806-e091-4495-9b10-b04d93c3f040,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:58.5188565+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:58.518 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 
90.0.818""}",TRUE,fe8dec05-e254-4652-aa7f-985ef9608601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fe8dec05-e254-4652-aa7f-985ef9608601,2412,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c4b2b4e6-121f-4c4f-8902-7b2a1f8beaee,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Search,a9b49b65-0a12-430b-9540-c80b3332c127,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:58.6853132+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:35:58.685 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,49a395a2-8493-4fee-8704-174795635601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],49a395a2-8493-4fee-8704-174795635601,2312,none,[],[],none,none,none,Office 365 Exchange Microservices,ec156f81-f23a-47bd-b16f-9fb2c66420f9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,c6386b6e-23a0-4440-8f42-1efce8ff3e9f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:35:59.3395699+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:35:59.339 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b882ace3-a884-4b6d-84df-3814190be801,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel 
Aviv"",""city"":""Azor""}",{},[],b882ace3-a884-4b6d-84df-3814190be801,1480,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,37163647-2330-4e87-a26f-653edb8c0139,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Loki SSO,b23dd4db-9142-4734-867f-3577f640ad0c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:00.2142411+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:00.214 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 
90.0.818""}",TRUE,afacfe98-266e-4dd4-9369-8ea4e32a5601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],afacfe98-266e-4dd4-9369-8ea4e32a5601,1990,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,faa6a22b-d84c-416e-81f3-96a538d10267,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Search,a9b49b65-0a12-430b-9540-c80b3332c127,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:12.6343777+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:12.634 PM","{""operatingSystem"":""Windows 
10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,fe8dec05-e254-4652-aa7f-985e76648601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fe8dec05-e254-4652-aa7f-985e76648601,814,none,[],[],none,none,none,Office 365 Exchange Microservices,ec156f81-f23a-47bd-b16f-9fb2c66420f9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,495c1c1c-b5b4-4b4f-91b3-251669bd7916,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:12.6393961+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:12.639 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,aa2a96c4-9354-4844-8a2e-1976a59c5601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],aa2a96c4-9354-4844-8a2e-1976a59c5601,1564,none,[],[],none,none,none,Office Shredding Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,295a2dd1-1942-481e-bfb2-4b66337649bc,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:13.5539212+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:13.553 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2107d03a-3e5f-48c3-a5a0-3f4cc3f3d601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2107d03a-3e5f-48c3-a5a0-3f4cc3f3d601,1817,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,e01a6b1f-7512-4bb7-8c14-3acd7e9b93f5,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:14.2399026+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:36:14.239 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,7d6047e7-887c-49a7-aaec-324d59d44e01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],7d6047e7-887c-49a7-aaec-324d59d44e01,1323,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,04477479-4aa6-4542-a258-5761968511f8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:36:18.2700034+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:36:18.270 
PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2f862252-e535-476b-bb02-28a9acc44d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2f862252-e535-476b-bb02-28a9acc44d01,3655,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,14a95855-aafa-419e-9bfd-c97bfca2a6b2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:09.9182894+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:09.918 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b6634b5b-7f20-4d5a-b3cf-aa862c0b6601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b6634b5b-7f20-4d5a-b3cf-aa862c0b6601,1101,none,[],[],none,none,none,Office365 Shell WCSS-Server,5f09333a-842c-47da-a157-57da27fcbca5,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,3840fda1-3724-43aa-a8a4-1384fa522829,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,OfficeShredderWacClient,4d5c2d63-cf83-4365-853c-925fd1a64357,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:28.1635118+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:28.163 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,64c34e73-76fb-4592-a085-cd0998c55601,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],64c34e73-76fb-4592-a085-cd0998c55601,1844,none,[],[],none,none,none,Office Shredding Service,b97b6bd4-a49f-4a0c-af18-af507d1da76c,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,92673c97-3921-432f-8e84-f7f5abd18614,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Teams Web Client,5e3ce6c0-2b1f-4285-8d4b-75ee78787346,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T15:12:17.51751+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 3:12:17.517 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,b0d232a8-5128-4bd6-88df-fce06531ad01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],b0d232a8-5128-4bd6-88df-fce06531ad01,3583,none,[],[],none,none,none,Microsoft Teams - Teams And Channels Service,b55b276d-2b09-4ad2-8de5-f09cf24ffba9,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,8cf2d955-ee12-449e-b2dd-7b3fb409c7ce,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:06.3546015+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:06.354 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2c4b5942-7ac1-4ea3-9cd5-5048eee25d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2c4b5942-7ac1-4ea3-9cd5-5048eee25d01,1016,none,[],[],none,none,none,,,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,93086ebb-8da5-4532-8167-17ed1bafb07f,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office365 Shell WCSS-Client,89bee1f7-5e6e-4d8a-9f3d-ecd601259da7,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:14.2055223+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } 
+]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:14.205 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,2c4b5942-7ac1-4ea3-9cd5-50482de45d01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],2c4b5942-7ac1-4ea3-9cd5-50482de45d01,1743,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,bfc779b1-8753-f3b8-339c-530c4489ec4c,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Office Online Add-in SSO,93d53678-613d-4013-afc1-62e9e444a0a5,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:28.8068109+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Domain Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": 
""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 2:44:28.806 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,ff7972e5-bd41-4c6a-9cc9-c34ddbf35701,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],ff7972e5-bd41-4c6a-9cc9-c34ddbf35701,2737,none,[],[],none,none,none,Microsoft Graph,00000003-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,0b0e6f7f-9df1-46a4-937a-95430e6bb9a8,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,Microsoft Office Web Apps Service,67e3df25-268a-4324-a550-0de1c7f97287,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T14:44:30.4428603+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""Login Hint Present"", + ""value"": ""True"" + }, + { + ""key"": ""IsCAEToken"", + 
""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,"4/28/2021, 2:44:30.442 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,fd9b62e9-8921-42c1-82ed-4cc85dfd6101,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],fd9b62e9-8921-42c1-82ed-4cc85dfd6101,1580,none,[],[],none,none,none,Windows Azure Active Directory,00000002-0000-0000-c000-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,0,None,,0,ebd36167-1c13-42e5-85a0-cca345ef71b2,Microsoft.aadiam,Microsoft.aadiam,,Adele Vance,4,IL,,SharePoint Online Web Client Extensibility,08e18876-6177-487e-b8b5-cf950c1e598c,"[ + { + ""authenticationStepDateTime"": ""2021-04-28T15:19:08.373733+00:00"", + ""authenticationMethod"": ""Previously satisfied"", + ""succeeded"": true, + ""authenticationStepResultDetail"": ""First factor requirement satisfied by claim in the token"", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 0 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,"[{""enforcedSessionControls"":[],""conditionsNotSatisfied"":0,""enforcedGrantControls"":[],""conditionsSatisfied"":0,""displayName"":""Exchange Online Requires Compliant 
Device"",""result"":""notEnabled"",""id"":""defb835a-eb9f-4346-a2ca-7a9184867bf1""}]",notApplied,"4/28/2021, 3:19:08.373 PM","{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,3b50929d-3d7e-420d-a2bf-cf8189a36c01,175.45.176.99,,"{""countryOrRegion"":""IL"",""geoCoordinates"":{""longitude"":34.79964828491211,""latitude"":32.02956008911133},""state"":""Tel Aviv"",""city"":""Azor""}",{},[],3b50929d-3d7e-420d-a2bf-cf8189a36c01,2290,none,[],[],none,none,none,Office 365 SharePoint Online,00000003-0000-0ff1-ce00-000000000000,,,"{""errorCode"":0}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49",Adele Vance,9b117c67-170e-4aed-9702-658b3fddc889,adelev@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:13:19.4834758+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,698711b3-cf4e-45f4-ae04-d4e340f06b00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],698711b3-cf4e-45f4-ae04-d4e340f06b00,400,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:13:31.4214666+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,c31b2f10-59ed-4459-9d24-7e1c6efc5b00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],c31b2f10-59ed-4459-9d24-7e1c6efc5b00,568,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:16:30.7197199+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,88627a19-54f9-4dba-97de-2caeb4896c00,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],88627a19-54f9-4dba-97de-2caeb4896c00,428,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, +7c759f10-811c-4db8-ad6d-f07d8ae3f8ea,Azure AD,/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam,Sign-in activity,1,SignInLogs,50057,None,User account is disabled. The account has been disabled by an administrator.,0,d655a0b1-dcd7-4fea-af0c-c8d5c82a7917,Microsoft.aadiam,Microsoft.aadiam,,JohnS,4,KP,johns@contoso.onmicrosoft.com,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,"[ + { + ""authenticationStepDateTime"": ""2021-04-19T12:16:34.8773402+00:00"", + ""authenticationMethod"": ""Password"", + ""authenticationMethodDetail"": ""Password in the cloud"", + ""succeeded"": false, + ""authenticationStepResultDetail"": ""User account is disabled. 
The account has been disabled by an administrator."", + ""authenticationStepRequirement"": ""Primary authentication"", + ""StatusSequence"": 0, + ""RequestSequence"": 1 + } +]",,"[ + { + ""key"": ""IsCAEToken"", + ""value"": ""False"" + } +]",singleFactorAuthentication,[],Browser,[],notApplied,,"{""operatingSystem"":""Windows 10"",""deviceId"":"""",""browser"":""Edge 90.0.818""}",TRUE,6d6b5c90-85c5-4e7d-ac80-50a7eb0e6900,175.45.176.99,,"{""countryOrRegion"":""KP"",""geoCoordinates"":{""longitude"":38.84468078613281,""latitude"":125.162410736083984},""state"":""North Korea"",""city"":""Pyongyang""}",,[],6d6b5c90-85c5-4e7d-ac80-50a7eb0e6900,439,none,[],[],none,none,none,Windows Azure Service Management API,797f4846-ba00-4fd7-ba43-dac1f8f63013,,,"{""errorCode"":50057,""failureReason"":""User account is disabled. The account has been disabled by an administrator.""}",,,AzureAD,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.41",JohnS,14dc6e86-42b9-4f0a-8da0-8b5bdc62e336,johns@m365x816222.onmicrosoft.com,2ad3fc79-1859-42fa-9011-6f8df2251b22,Member,,johns@m365x816222.onmicrosoft.com,,2ad3fc79-1859-42fa-9011-6f8df2251b22,2ad3fc79-1859-42fa-9011-6f8df2251b22,SigninLogs, diff --git a/src/SecurityInsights/test/utils.ps1 b/src/SecurityInsights/test/utils.ps1 new file mode 100644 index 000000000000..124f3c377516 --- /dev/null +++ b/src/SecurityInsights/test/utils.ps1 
@@ -0,0 +1,331 @@ +function RandomString([bool]$allChars, [int32]$len) { + if ($allChars) { + return -join ((33..126) | Get-Random -Count $len | % {[char]$_}) + } else { + return -join ((48..57) + (97..122) | Get-Random -Count $len | % {[char]$_}) + } +} +$env = @{} +if ($UsePreviousConfigForRecord) { + $previousEnv = Get-Content (Join-Path $PSScriptRoot 'env.json') | ConvertFrom-Json + $previousEnv.psobject.properties | Foreach-Object { $env[$_.Name] = $_.Value } +} +# Add script method called AddWithCache to $env, when useCache is set true, it will try to get the value from the $env first. +# example: $val = $env.AddWithCache('key', $val, $true) +$env | Add-Member -Type ScriptMethod -Value { param( [string]$key, [object]$val, [bool]$useCache) if ($this.Contains($key) -and $useCache) { return $this[$key] } else { $this[$key] = $val; return $val } } -Name 'AddWithCache' +function setupEnv() { + # Preload subscriptionId and tenant from context, which will be used in test + # as default. You could change them if needed. + $env.SubscriptionId = (Get-AzContext).Subscription.Id + $env.Tenant = (Get-AzContext).Tenant.Id + + #needed for custom api call + $Token = (Get-AzAccessToken).Token + $Header = @{ + Authorization="Bearer $Token" + Content='application/json' + } + + # Some constants + $constants = Get-Content .\test\constants.json | ConvertFrom-Json + $constants.psobject.Properties | ForEach-Object { $env[$_.Name] = $_.Value } + $TemplatePath = ".\test\deployment-templates" + $SampleDataPath = ".\test\sampleData" + + #Load common Functions + . 
(".\test\common.ps1") + + # Create the test group + $resourceGroupName = "aspstest" + (RandomString -allChars $false -len 6) + Write-Host "Start to create test resource group" $resourceGroupName + $null = $env.Add("resourceGroupName", $resourceGroupName) + New-AzResourceGroup -Name $resourceGroupName -Location $env.location + + # Create the Workspace+Sentinel + $workspaceName = "asptest" + (RandomString -allChars $false -len 6) + $newOnboardingStateWS = "asptest" + (RandomString -allChars $false -len 6) + $removeOnboardingStateWS = "asptest" + (RandomString -allChars $false -len 6) + Write-Host "Start to create test workspace" $workspaceName + $workspaceParams = Get-Content .\test\deployment-templates\workspace\template.parameters.json | ConvertFrom-Json + $workspaceParams.parameters.workspaceName.value = $workspaceName + $workspaceParams.parameters.newOnboardingStateWS.value = $newOnboardingStateWS + $workspaceParams.parameters.removeOnboardingStateWS.value = $removeOnboardingStateWS + set-content -Path .\test\deployment-templates\workspace\template.parameters.json -Value (ConvertTo-Json $workspaceParams) + $TemplateFile = (Get-ChildItem $TemplatePath\workspace\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\workspace\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Workspace -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = $env.Add("workspaceName", $workspaceName) + $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" + $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header + $null = $env.Add('workspaceId', ($deployResult.properties.outputs.workspaceId.value)) + #$null = $env.Add('workspaceKey', ($deployResult.properties.outputs.workspaceKey.value)) + $workspaceKey = ($deployResult.properties.outputs.workspaceKey.value) + 
$null = $env.Add('workspaceResourceId', ($deployResult.properties.outputs.workspaceResourceId.value)) + $null = $env.Add("newOnboardingStateWS", $newOnboardingStateWS) + $null = $env.Add("removeOnboardingStateWS", $removeOnboardingStateWS) + } + + + #Custom Log Import -> Create Analytic that triggers + Write-Host "Ingesting Sample Data" + $files = Get-ChildItem -Path $SampleDataPath -Filter *.csv + foreach($file in $Files){ + $fileToImport = $file.FullName + $tableName = ($file.Name).Replace('.csv','') + $status = SendToLogA -eventsTableName $tableName -EventsTableFile $fileToImport -CustomerId $env.workspaceId -SharedKey $workspaceKey + Write-Host "$TableName results: $status" + } + write-Host "Starting sleep to allow time for ingestion" + #Start-Sleep -Seconds 600 + Start-WaitForData 600 + + # Alert Rules that trigger off custom data. + Write-Host "Start to create test alert rules that trigger off custom data" + $solarigateRuleGuid = (New-Guid).Guid + $disabledRuleGuid = (New-Guid).Guid + $mlRuleGuid = (New-Guid).Guid + $alertRuleParams = Get-Content .\test\deployment-templates\customData\alertRules.parameters.json | ConvertFrom-Json + $alertRuleParams.parameters.solarigateRuleGuid.value = $solarigateRuleGuid + $alertRuleParams.parameters.disabledRuleGuid.value = $disabledRuleGuid + $alertRuleParams.parameters.mlRuleGuid.value = $mlRuleGuid + $alertRuleParams.parameters.workspaceName.value = $env.workspaceName + set-content -Path .\test\deployment-templates\customData\alertRules.parameters.json -Value (ConvertTo-Json $alertRuleParams) + $TemplateFile = (Get-ChildItem $TemplatePath\customData\alertRules.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\customData\alertRules.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name CustomData -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $null = 
$env.Add(("solarigateRuleGuid"), $solarigateRuleGuid) + $null = $env.Add(("disabledRuleGuid"), $disabledRuleGuid) + $null = $env.Add(("mlRuleGuid"), $mlRuleGuid) + } + + #Deploy Playbooks + Write-Host "Start to create test playbooks" + $TemplateFile = (Get-ChildItem $TemplatePath\playbooks\template.json).FullName + $TemplateParametersFile = (Get-ChildItem $TemplatePath\playbooks\template.parameters.json).FullName + $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Playbooks -ResourceGroupName $resourceGroupName + if($result.ProvisioningState -eq "Succeeded"){ + $url = "https://management.azure.com/"+ ($result.Id) + "?api-version=2021-04-01" + $deployResult = Invoke-RestMethod -Uri $url -Method GET -headers $header + $null = $env.Add('Playbook1LogicAppResourceId', ($deployResult.properties.Outputs.Playbook1LogicAppResourceId.value)) + $null = $env.Add('Playbook1TriggerUrl', ($deployResult.properties.Outputs.Playbook1triggerUrl.value)) + $null = $env.Add('Playbook2LogicAppResourceId', ($deployResult.properties.Outputs.Playbook2LogicAppResourceId.value)) + $null = $env.Add('Playbook2TriggerUrl', ($deployResult.properties.Outputs.Playbook2triggerUrl.value)) + $null = $env.Add('Playbook3LogicAppResourceId', ($deployResult.properties.Outputs.Playbook3LogicAppResourceId.value)) + $null = $env.Add('Playbook3TriggerUrl', ($deployResult.properties.Outputs.Playbook3triggerUrl.value)) + $null = $env.Add('Playbook4LogicAppResourceId', ($deployResult.properties.Outputs.Playbook4LogicAppResourceId.value)) + $null = $env.Add('Playbook4TriggerUrl', ($deployResult.properties.Outputs.Playbook4triggerUrl.value)) + } + + + #Create Alert Rules + Write-Host "Start to create test alert rules" + Create-AlertRule -PSVerb Get -WorkspaceName $env.workspaceName + Create-AlertRule -PSVerb Remove -WorkspaceName $env.workspaceName + Create-AlertRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName + Create-AlertRule 
-PSVerb Update -WorkspaceName $env.workspaceName
+ Create-AlertRule -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Create AlertRuleAction
+ Write-Host "Start to create test alert rule actions"
+ Create-AlertRuleAction -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb Update -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+ Create-AlertRuleAction -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
+
+ #Service Principal needs to be in constants.json.
+ #Write-Host "Get Service Principal"
+ #$ClientID = '1950a258-227b-4e31-a9cf-717495945fc2'
+ #$Resource = "74658136-14ec-4630-ad9b-26e160ff0fc6"
+ #$uri = "https://login.microsoftonline.com/"+$env.Tenant+"/oauth2/devicecode"
+ #$DeviceCodeRequestParams = @{
+ # Method = 'POST'
+ # Uri = $uri
+ # Body = @{
+ # client_id = $ClientId
+ # resource = $Resource
+ # }
+ #}
+ #$DeviceCodeRequest = Invoke-RestMethod @DeviceCodeRequestParams
+ #Write-Host $DeviceCodeRequest.message -ForegroundColor Yellow
+ #write-host "You need to go login with the data above. 
script will continue in " + #start-sleep -Seconds 120 + #$uri = "https://login.microsoftonline.com/"+$env.Tenant+"/oauth2/token" + #$TokenRequestParams = @{ + # Method = 'POST' + # Uri = $uri + # Body = @{ + # grant_type = "urn:ietf:params:oauth:grant-type:device_code" + # code = $DeviceCodeRequest.device_code + # client_id = $ClientId + # } + #} + #$TokenRequest = Invoke-RestMethod @TokenRequestParams + #$appToken = $TokenRequest.access_token + + #$header = @{ + #'Authorization' = 'Bearer ' + $appToken + #'X-Requested-With'= 'XMLHttpRequest' + #'x-ms-client-request-id'= [guid]::NewGuid() + #'x-ms-correlation-id' = [guid]::NewGuid() + #} + #$body = @{"accountEnabled"=$null;"isAppVisible"=$null;"appListQuery"=1;"searchText"="Azure Security Insights";"top"=50;"loadLogo"=$false;"putCachedLogoUrlOnly"=$true;"nextLink"="";"usedFirstPartyAppIds"=$null;"__ko_mapping__"=@{"ignore"=@();"include"=@("_destroy");"copy"=@();"observe"=@();"mappedProperties"=@{"accountEnabled"=$true;"isAppVisible"=$true;"appListQuery"=$true;"searchText"=$true;"top"=$true;"loadLogo"=$true;"putCachedLogoUrlOnly"=$true;"nextLink"=$true;"usedFirstPartyAppIds"=$true};"copiedProperties"=@()}} + #$url = "https://main.iam.ad.ext.azure.com/api/ManagedApplications/List" + #$res = Invoke-RestMethod -Uri $url -Headers $header -Method POST -body ($body | convertto-Json) -ErrorAction Stop -ContentType "application/json" + #$null = $env.Add('ASIServicePrinicpal', ($res.appList[0].objectId)) + + Write-Host "Deploy authorization to allow automation rules" + $authorizationParams = Get-Content .\test\deployment-templates\authorization\template.parameters.json | ConvertFrom-Json + $authorizationParams.parameters.ASIServicePrinicpal.value = $env.ASIServicePrinicpal + set-content -Path .\test\deployment-templates\authorization\template.parameters.json -Value (ConvertTo-Json $authorizationParams) + $TemplateFile = (Get-ChildItem $TemplatePath\authorization\template.json).FullName + $TemplateParametersFile = 
(Get-ChildItem $TemplatePath\authorization\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name Authorization -ResourceGroupName $resourceGroupName
+ start-sleep 60
+
+ #Create Automation Rule
+ Write-Host "Start to create test automation rule"
+ Create-AutomationRule -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb Update -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+ Create-AutomationRule -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
+
+ #Create Bookmark
+ Write-Host "Start to create test bookmark"
+ Create-Bookmark -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+ Create-Bookmark -PSVerb Expand -WorkspaceName $env.workspaceName
+
+ #Bookmark Expansion
+ $bookmarkExpansionId = (New-Guid).Guid
+ $null = $env.Add('bookmarkExpansionId', $bookmarkExpansionId)
+
+ #Create Bookmark Realtion
+ Write-Host "Start to create test bookmark Relation"
+ Create-BookmarkRelation -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-BookmarkRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Create DataConnector
+ Write-Host "Start to create test dataConnector"
+ $dataConnectorId = (New-Guid).Guid
+ $updateDataConnectorId = (New-Guid).Guid
+ $dataConnectorParams = Get-Content .\test\deployment-templates\dataConnector\template.parameters.json | ConvertFrom-Json
+ $dataConnectorParams.parameters.dataConnectorId.value = $dataConnectorId
+ $dataConnectorParams.parameters.updateDataConnectorId.value = $updateDataConnectorId
+ $dataConnectorParams.parameters.workspaceName.value = $workspaceName
+ set-content -Path .\test\deployment-templates\dataConnector\template.parameters.json -Value (ConvertTo-Json $dataConnectorParams)
+ $TemplateFile = (Get-ChildItem $TemplatePath\dataConnector\template.json).FullName
+ $TemplateParametersFile = (Get-ChildItem $TemplatePath\dataConnector\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name dataConnector -ResourceGroupName $resourceGroupName
+ if($result.ProvisioningState -eq "Succeeded"){
+ $null = $env.Add('dataConnectorId', $dataConnectorId)
+ $null = $env.Add('updateDataConnectorId', $updateDataConnectorId)
+ }
+ #Entity
+ #imported fake data so nothing needed to create in arm.
+
+ #Create Entity Queriers
+ Write-Host "Start to create test entityQuery"
+ Create-EntityQuery -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-EntityQuery -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Entity Relations
+ #System built, can't test without data. Find way to import data?
+
+ #Entity Timeline
+ #System built, can't test without data. Find way to import data?
+
+ #Create Incident
+ Write-Host "Start to create test incident"
+ Create-Incident -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-Incident -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Incident Alert
+ #Custom data imported should trigger alert.
+
+ #IncidentBookmark
+ #uses Bookmark Relation so no need to create anything new.
+
+ #IncidentComment
+ Write-Host "Start to create test incident comment"
+ Create-IncidentComment -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-IncidentComment -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #IncidentEntity
+ #Custom data imported should trigger alert with entity
+
+ #IncidentRelation
+ Write-Host "Start to create test incident relation"
+ Create-IncidentRelation -PSVerb Get -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb Remove -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ Create-IncidentRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+
+ #Metadata
+ #"sourceId": "azuresentinel.azure-sentinel-solution-zerotrust
+ Write-Host "Start to create test MetaData"
+ $metadataParams = Get-Content .\test\deployment-templates\metadata\template.parameters.json | ConvertFrom-Json
+ $metadataParams.parameters.workspace.value = $workspaceName
+ set-content -Path .\test\deployment-templates\metadata\template.parameters.json -Value (ConvertTo-Json $metadataParams)
+ $TemplateFile = (Get-ChildItem $TemplatePath\metadata\template.json).FullName
+ $TemplateParametersFile = (Get-ChildItem $TemplatePath\metadata\template.parameters.json).FullName
+ $result = New-AzDeployment -Mode Incremental -TemplateFile $TemplateFile -TemplateParameterFile $TemplateParametersFile -Name metadata -ResourceGroupName $resourceGroupName
+ if($result.ProvisioningState -eq "Succeeded"){
+ $null = $env.Add('metadataName', 'azuresentinel.azure-sentinel-solution-zerotrust')
+ }
+
+ #OfficeConsent
+ #cant pre-create to test.
+
+ #OnboardingState
+ #create additonal workspaces in first template
+
+ #Setting
+ #Nothing to create
+
+ #SourceControl
+ #SourceControlRepository
+ #nothing to create
+
+ #ThreatIntelligeneceIndicator
+ Write-Host "Start to create test threat intelligence indicator"
+ Create-ThreatIntelligenceIndicator -PSVerb Get -WorkspaceName $env.workspaceName -IP "8.8.8.1"
+ Create-ThreatIntelligenceIndicator -PSVerb Remove -WorkspaceName $env.workspaceName -IP "8.8.8.2"
+ Create-ThreatIntelligenceIndicator -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -IP "8.8.8.3"
+ Create-ThreatIntelligenceIndicator -PSVerb Update -WorkspaceName $env.workspaceName -IP "8.8.8.4"
+ Create-ThreatIntelligenceIndicator -PSVerb UpdateViaId -WorkspaceName $env.workspaceName -IP "8.8.8.5"
+
+ #ThreatIntelligeneceIndicatorMetric
+ #nothing to create
+
+ # For any resources you created for test, you should add it to $env here.
+ $envFile = 'env.json'
+ if ($TestMode -eq 'live') {
+ $envFile = 'localEnv.json'
+ }
+ set-content -Path (Join-Path $PSScriptRoot $envFile) -Value (ConvertTo-Json $env)
+}
+function cleanupEnv() {
+ # Clean resources you create for testing
+ # Remove-AzResourceGroup -Name $env.resourceGroupName
+}
+
diff --git a/src/SecurityInsights/utils/Unprotect-SecureString.ps1 b/src/SecurityInsights/utils/Unprotect-SecureString.ps1
new file mode 100644
index 000000000000..cb05b51a6220
--- /dev/null
+++ b/src/SecurityInsights/utils/Unprotect-SecureString.ps1
@@ -0,0 +1,16 @@
+#This script converts securestring to plaintext
+
+param(
+ [Parameter(Mandatory, ValueFromPipeline)]
+ [System.Security.SecureString]
+ ${SecureString}
+)
+
+$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
+try {
+ $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
+} finally {
+ [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
+}
+
+return $plaintext
\ No newline at end of file
From 0925538b403da18a4cc3264bfda370a7414faeef Mon Sep 17 00:00:00 2001
From: Beisi Zhou
Date: Mon, 18 Jul 2022 09:34:40 +0800
Subject: [PATCH 02/24] Delete README.md
---
 src/SecurityInsights/README.md | 27 ---------------------------
 1 file changed, 27 deletions(-)
 delete mode 100644 src/SecurityInsights/README.md
diff --git a/src/SecurityInsights/README.md b/src/SecurityInsights/README.md
deleted file mode 100644
index 54385914e651..000000000000
--- a/src/SecurityInsights/README.md
+++ /dev/null
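Review bot: `PtrToStringBSTR` copies the secret into an immutable managed string, so the `ZeroFreeBSTR` in the `finally` block only scrubs the BSTR copy and the returned `$plaintext` stays readable in memory until the garbage collector reclaims it; the one-line header comment should say so. Suggest replacing `#This script converts securestring to plaintext` with a short block stating that the output is an unprotected string, that callers should keep it alive only long enough to hand it to the API call that needs it, and that it must never be written to logs, verbose or debug streams. Separately, `$SecureString` is declared `ValueFromPipeline` but the script has no `process` block, so if more than one SecureString is piped in only the last one is converted — presumably single-value use is intended, and either a `process { }` wrapper or a sentence in the header making that explicit would avoid a silent surprise.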
@@ -1,27 +0,0 @@
-
-# Az.SecurityInsights
-This directory contains the PowerShell module for the SecurityInsights service.
-
----
-## Status
-[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/)
-
-## Info
-- Modifiable: yes
-- Generated: all
-- Committed: yes
-- Packaged: yes
-
----
-## Detail
-This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension.
-
-## Module Requirements
-- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.7.5 or greater
-
-## Authentication
-AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent.
-
-## Development
-For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md).
-
From 54629132f2c5c4214b1463528d0cdc3ef466f7dc Mon Sep 17 00:00:00 2001
From: Beisi Zhou
Date: Mon, 18 Jul 2022 09:35:00 +0800
Subject: [PATCH 03/24] Rename readme.md to README.md
---
 src/SecurityInsights/{readme.md => README.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename src/SecurityInsights/{readme.md => README.md} (100%)
diff --git a/src/SecurityInsights/readme.md b/src/SecurityInsights/README.md
similarity index 100%
rename from src/SecurityInsights/readme.md
rename to src/SecurityInsights/README.md
From f06a9759afe85ae22d8504377a886c3e3198e6d0 Mon Sep 17 00:00:00 2001
From: SecurityJedi
Date: Mon, 25 Jul 2022 10:51:32 -0400
Subject: [PATCH 04/24] Update per design review
---
 .../custom/New-AzSentinelDataConnector.ps1 | 24 +-
 .../custom/Update-AzSentinelAlertRule.ps1 | 16 +-
 .../custom/Update-AzSentinelDataConnector.ps1 | 114 +++++-
 .../custom/Update-AzSentinelSetting.ps1 | 12 +
 .../docs/New-AzSentinelDataConnector.md | 12 +-
 .../docs/Update-AzSentinelAlertRule.md | 55 ++-
 .../docs/Update-AzSentinelDataConnector.md | 327 +++++++++++++++---
 .../docs/Update-AzSentinelSetting.md | 40 ++-
 8 files changed, 473 insertions(+), 127 deletions(-)
diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
index 9880df269994..e0a98a534b9b 100644
--- a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
+++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
@@ -104,7 +104,7 @@ function New-AzSentinelDataConnector {
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
 [System.String]
- ${DiscoveryLogs},
+ ${DiscoveryLog},

 [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
@@ -134,7 +134,7 @@ function New-AzSentinelDataConnector {
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
 [System.String]
- ${Incidents},
+ ${Incident},

 [Parameter(ParameterSetName = 'Office365')]
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
@@ -158,7 +158,7 @@ function New-AzSentinelDataConnector { [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [System.String] - ${Indicators}, + ${Indicator}, [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] @@ -416,9 +416,9 @@ function New-AzSentinelDataConnector { $null = $PSBoundParameters.Remove('Alerts') } - If($PSBoundParameters['DiscoveryLogs']){ - $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs'] - $null = $PSBoundParameters.Remove('DiscoveryLogs') + If($PSBoundParameters['DiscoveryLog']){ + $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLog'] + $null = $PSBoundParameters.Remove('DiscoveryLog') } } if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){ @@ -493,9 +493,9 @@ function New-AzSentinelDataConnector { $DataConnector.TenantId = $PSBoundParameters['TenantId'] $null = $PSBoundParameters.Remove('TenantId') - If($PSBoundParameters['Incidents']){ - $DataConnector.IncidentState = $PSBoundParameters['Incidents'] - $null = $PSBoundParameters.Remove('Incidents') + If($PSBoundParameters['Incident']){ + $DataConnector.IncidentState = $PSBoundParameters['Incident'] + $null = $PSBoundParameters.Remove('Incident') } } if($PSBoundParameters['Kind'] -eq 'Office365'){ @@ -549,9 +549,9 @@ function New-AzSentinelDataConnector { $DataConnector.TipLookbackPeriod = "1970-01-01T00:00:00.000Z" - If($PSBoundParameters['Indicators']){ - $DataConnector.IndicatorState = $PSBoundParameters['Indicators'] - $null = $PSBoundParameters.Remove('Indicators') + If($PSBoundParameters['Indicator']){ + $DataConnector.IndicatorState = $PSBoundParameters['Indicator'] + $null = $PSBoundParameters.Remove('Indicator') } } if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){ 
diff --git a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
index 815f4636d80e..ebc152a1bd31 100644
--- a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
+++ b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
@@ -75,26 +75,26 @@ function Update-AzSentinelAlertRule {
 # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
 ${InputObject},

- [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
- [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI', Mandatory)]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
 [System.Management.Automation.SwitchParameter]
 ${FusionMLorTI},

- [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
- [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation', Mandatory)]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
 [System.Management.Automation.SwitchParameter]
 ${MicrosoftSecurityIncidentCreation},

- [Parameter(ParameterSetName = 'UpdateNRT')]
- [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT', Mandatory)]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
 [System.Management.Automation.SwitchParameter]
 ${NRT},

- [Parameter(ParameterSetName = 'UpdateScheduled')]
- [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled', Mandatory)]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
 [System.Management.Automation.SwitchParameter]
 ${Scheduled},
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
index ac285003f984..b516f2eaef5e 100644
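Review bot: The parameter set name on the new `-Scheduled` declaration, `'UpdateViaIdentityUpdateScheduled'`, breaks the `UpdateViaIdentity<Kind>` pattern its siblings in this hunk follow (`UpdateViaIdentityNRT`, `UpdateViaIdentityFusionMLTI`, `UpdateViaIdentityMicrosoftSecurityIncidentCreation`), and the doubled "Update" now surfaces as a public syntax heading in the help; renaming it to `'UpdateViaIdentityScheduled'` touches every other parameter that declares the set plus the docs, so it belongs in a follow-up rather than this hunk. Since all four kind switches are now Mandatory and `UpdateScheduled` is the default set, a call that passes none of them will, I believe, be prompted for `-Scheduled` rather than quietly resolving to the scheduled set; a one-line comment above these declarations such as `# Exactly one rule-kind switch (-Scheduled, -NRT, -FusionMLorTI, -MicrosoftSecurityIncidentCreation) must be supplied; it selects the parameter set.` would save the next reader that surprise. Update-AzSentinelAlertRule's parameter list and body continue outside this hunk.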
--- a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
+++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
@@ -129,6 +129,96 @@ function Update-AzSentinelDataConnector {
 # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
 ${InputObject},

+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AWSCloudTrail},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AWSS3},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AzureADorAATP},
+
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AzureSecurityCenter},
+
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Dynamics365},
+
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory)]
+ #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ #[System.Management.Automation.SwitchParameter]
+ #${GenericUI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${CloudAppSecurity},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${DefenderATP},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftTI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftThreatProtection},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Office365},
+
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${OfficeATP},
+
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${OfficeIRM},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${ThreatIntelligence},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${ThreatIntelligenceTaxii},
+
 [Parameter(ParameterSetName = 'UpdateAADAATP')]
 [Parameter(ParameterSetName = 'UpdateDynamics365')]
 [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
@@ -197,7 +287,7 @@ function Update-AzSentinelDataConnector {
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
 [System.String]
- ${DiscoveryLogs},
+ ${DiscoveryLog},

 [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
 [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
@@ -232,7 +322,7 @@ function Update-AzSentinelDataConnector {
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
 [System.String]
- ${Incidents},
+ ${Incident},

 [Parameter(ParameterSetName = 'UpdateOffice365')]
 [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
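Review bot: The five commented-out `GenericUI` lines sitting between the `-Dynamics365` and `-CloudAppSecurity` switch declarations are dead code with no explanation, so a reader cannot tell whether updating a GenericUI connector is unsupported by the service, deferred, or simply forgotten. Replace the block with a single comment that records the decision, e.g. `# GenericUI connectors are deliberately not updatable through this cmdlet (TODO: confirm and track, or drop this note)`, or delete it outright and leave the rationale in the commit message; either is better than a parameter that looks half-finished in the public parameter list. The remaining parameter declarations and the body of Update-AzSentinelDataConnector continue outside this hunk.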
@@ -260,7 +350,7 @@ function Update-AzSentinelDataConnector {
 [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
 [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
 [System.String]
- ${Indicators},
+ ${Indicator},

 [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
 [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
@@ -542,9 +632,9 @@ function Update-AzSentinelDataConnector {
 $null = $PSBoundParameters.Remove('Alerts')
 }

- If ($PSBoundParameters['DiscoveryLogs']) {
- $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLogs']
- $null = $PSBoundParameters.Remove('DiscoveryLogs')
+ If ($PSBoundParameters['DiscoveryLog']) {
+ $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLog']
+ $null = $PSBoundParameters.Remove('DiscoveryLog')
 }
 }
 if ($DataConnector.Kind -eq 'MicrosoftDefenderAdvancedThreatProtection') {
@@ -612,9 +702,9 @@ function Update-AzSentinelDataConnector {
 $null = $PSBoundParameters.Remove('TenantId')
 }

- If ($PSBoundParameters['Incidents']) {
- $DataConnector.IncidentState = $PSBoundParameters['Incidents']
- $null = $PSBoundParameters.Remove('Incidents')
+ If ($PSBoundParameters['Incident']) {
+ $DataConnector.IncidentState = $PSBoundParameters['Incident']
+ $null = $PSBoundParameters.Remove('Incident')
 }
 }
 if ($DataConnector.Kind -eq 'Office365') {
@@ -666,9 +756,9 @@ function Update-AzSentinelDataConnector {
 $null = $PSBoundParameters.Remove('TenantId')
 }

- If ($PSBoundParameters['Indicators']) {
- $DataConnector.IndicatorState = $PSBoundParameters['Indicators']
- $null = $PSBoundParameters.Remove('Indicators')
+ If ($PSBoundParameters['Indicator']) {
+ $DataConnector.IndicatorState = $PSBoundParameters['Indicator']
+ $null = $PSBoundParameters.Remove('Indicator')
 }
 }
 if ($DataConnector.Kind -eq 'ThreatIntelligenceTaxii') {
diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 index ce94d00a7d27..dcb5992e67d2 100644 --- a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 +++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 @@ -66,6 +66,18 @@ function Update-AzSentinelSetting { # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ${InputObject}, + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${AnomaliesOrEyesOn}, + + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory)] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] + [System.Management.Automation.SwitchParameter] + ${UEBA}, + #Anomalies #.EyesOn #.EntityAnalytics diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md index 44192f13a347..54dadc25e388 100644 --- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md @@ -66,7 +66,7 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### MicrosoftCloudAppSecurity ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] + [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
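Review bot: The new `-AnomaliesOrEyesOn` switch selects the parameter set `UpdateExpandedAnomaliesEyesOnEntityAnalytics`, whose name also covers EntityAnalytics, so the switch name under-describes what it selects, and the three bare context comments beneath it (`#Anomalies`, `#.EyesOn`, `#.EntityAnalytics`) do not explain the mapping either. A comment above the declaration such as `# Selects the Anomalies / EyesOn / EntityAnalytics setting kinds; -UEBA selects the Ueba kind. Exactly one of the two switches must be given.` would make the choice readable without opening the docs; that EntityAnalytics flows through this switch is inferred from the set name only, so please confirm before wording it that way. The body of Update-AzSentinelSetting continues outside this hunk.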
@@ -90,7 +90,7 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### MicrosoftThreatProtection ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Incidents ] [-TenantId ] + [-DataConnectorId ] [-SubscriptionId ] [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -119,7 +119,7 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### ThreatIntelligence ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Indicators ] [-TenantId ] + [-DataConnectorId ] [-SubscriptionId ] [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -356,7 +356,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DiscoveryLogs +### -DiscoveryLog ```yaml @@ -401,7 +401,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Incidents +### -Incident ```yaml @@ -416,7 +416,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Indicators +### -Indicator ```yaml diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md index 7aab56d6a8fe..6953b0fe7c54 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md @@ -14,7 +14,7 @@ Updates the alert rule. ### UpdateScheduled (Default) ``` -Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -Scheduled [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] 
@@ -24,80 +24,79 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] [] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateFusionMLTI ``` -Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -FusionMLorTI [-SubscriptionId ] [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob] - [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf] [] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftSecurityIncidentCreation ``` Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName - [-SubscriptionId ] [-AlertRuleTemplateName ] [-Description ] - [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] + -MicrosoftSecurityIncidentCreation [-SubscriptionId ] [-AlertRuleTemplateName ] + [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] - [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf] - [] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateNRT ``` -Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName +Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -NRT [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] - [-Tactic ] [-DefaultProfile ] [-AsJob] 
[-NoWait] [-NRT] [-Confirm] [-WhatIf] + [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityFusionMLTI ``` -Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ] - [-Enabled] [-DefaultProfile ] [-AsJob] [-FusionMLorTI] [-NoWait] [-Confirm] [-WhatIf] - [] +Update-AzSentinelAlertRule -InputObject -FusionMLorTI + [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ### UpdateViaIdentityMicrosoftSecurityIncidentCreation ``` -Update-AzSentinelAlertRule -InputObject [-AlertRuleTemplateName ] - [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] - [-ProductFilter ] [-SeveritiesFilter ] - [-DefaultProfile ] [-AsJob] [-MicrosoftSecurityIncidentCreation] [-NoWait] [-Confirm] [-WhatIf] +Update-AzSentinelAlertRule -InputObject -MicrosoftSecurityIncidentCreation + [-AlertRuleTemplateName ] [-Description ] [-DisplayNamesExcludeFilter ] + [-DisplayNamesFilter ] [-Enabled] [-ProductFilter ] + [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityNRT ``` -Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ] +Update-AzSentinelAlertRule -InputObject -NRT [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-NRT] [-Confirm] [-WhatIf] [] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityUpdateScheduled ``` -Update-AzSentinelAlertRule -InputObject [-AlertDescriptionFormat ] - [-AlertDisplayNameFormat ] 
[-AlertRuleTemplateName ] [-AlertSeverityColumnName ] - [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] - [-Enabled] [-EntityMapping ] +Update-AzSentinelAlertRule -InputObject -Scheduled + [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] + [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] + [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Scheduled] [-Confirm] [-WhatIf] [] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -348,7 +347,7 @@ Type: System.Management.Automation.SwitchParameter Parameter Sets: UpdateFusionMLTI, UpdateViaIdentityFusionMLTI Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False @@ -469,7 +468,7 @@ Type: System.Management.Automation.SwitchParameter Parameter Sets: UpdateMicrosoftSecurityIncidentCreation, UpdateViaIdentityMicrosoftSecurityIncidentCreation Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False @@ -499,7 +498,7 @@ Type: System.Management.Automation.SwitchParameter Parameter Sets: UpdateNRT, UpdateViaIdentityNRT Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False @@ -620,7 +619,7 @@ Type: System.Management.Automation.SwitchParameter Parameter Sets: UpdateScheduled, UpdateViaIdentityUpdateScheduled Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index b2bf4238392b..fc4c3847ca8f 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md @@ -15,21 +15,21 @@ Updates the data connector. ### UpdateAADAATP (Default) ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -AzureADorAATP [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAmazonWebServicesCloudTrail ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -AWSCloudTrail [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAmazonWebServicesS3 ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] + -AWSS3 [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] [-SQSURL ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -37,14 +37,14 @@ Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-ASCSubscriptionId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -AzureSecurityCenter [-SubscriptionId ] [-Alerts ] [-ASCSubscriptionId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateDynamics365 ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] + -Dynamics365 [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -64,103 +64,104 @@ Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-Availability ### UpdateMicrosoftCloudAppSecurity ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-DiscoveryLogs ] [-TenantId ] + -CloudAppSecurity [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftDefenderAdvancedThreatProtection ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -DefenderATP [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftThreatIntelligence ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] - [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + -MicrosoftTI [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] + [-BingSafetyPhishinURL ] [-MicrosoftEmergingThreatFeed ] + [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftThreatProtection ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Incidents ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -MicrosoftThreatProtection [-SubscriptionId ] [-Incident ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateOffice365 ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] - 
[-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Office365 [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### UpdateOfficeATP ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -OfficeATP [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateOfficeIRM ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -OfficeIRM [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateThreatIntelligence ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Indicators ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -ThreatIntelligence [-SubscriptionId ] [-Indicator ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateThreatIntelligenceTaxii ``` Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -APIRootURL [-SubscriptionId ] [-CollectionId ] [-FriendlyName ] - [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] - [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -APIRootURL -ThreatIntelligenceTaxii [-SubscriptionId ] [-CollectionId ] + [-FriendlyName ] [-Password ] [-PollingFrequency ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAADAATP ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] +Update-AzSentinelDataConnector 
-InputObject -AzureADorAATP [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAmazonWebServicesCloudTrail ``` -Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] +Update-AzSentinelDataConnector -InputObject -AWSCloudTrail [-AWSRoleArn ] [-Logs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAmazonWebServicesS3 ``` -Update-AzSentinelDataConnector -InputObject [-AWSRoleArn ] +Update-AzSentinelDataConnector -InputObject -AWSS3 [-AWSRoleArn ] [-DetinationTable ] [-Logs ] [-SQSURL ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAzureSecurityCenter ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] - [-ASCSubscriptionId ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] - [-WhatIf] [] +Update-AzSentinelDataConnector -InputObject -AzureSecurityCenter + [-Alerts ] [-ASCSubscriptionId ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityDynamics365 ``` -Update-AzSentinelDataConnector -InputObject [-CommonDataServiceActivity ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] +Update-AzSentinelDataConnector -InputObject -Dynamics365 + [-CommonDataServiceActivity ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityGenericUI 
@@ -178,21 +179,21 @@ Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-Availability ### UpdateViaIdentityMicrosoftCloudAppSecurity ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] - [-DiscoveryLogs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] +Update-AzSentinelDataConnector -InputObject -CloudAppSecurity [-Alerts ] + [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] +Update-AzSentinelDataConnector -InputObject -DefenderATP [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityMicrosoftThreatIntelligence ``` -Update-AzSentinelDataConnector -InputObject +Update-AzSentinelDataConnector -InputObject -MicrosoftTI [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] 
@@ -201,43 +202,43 @@ Update-AzSentinelDataConnector -InputObject ### UpdateViaIdentityMicrosoftThreatProtection ``` -Update-AzSentinelDataConnector -InputObject [-Incidents ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] +Update-AzSentinelDataConnector -InputObject -MicrosoftThreatProtection + [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ### UpdateViaIdentityOffice365 ``` -Update-AzSentinelDataConnector -InputObject [-Exchange ] +Update-AzSentinelDataConnector -InputObject -Office365 [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityOfficeATP ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] +Update-AzSentinelDataConnector -InputObject -OfficeATP [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityOfficeIRM ``` -Update-AzSentinelDataConnector -InputObject [-Alerts ] +Update-AzSentinelDataConnector -InputObject -OfficeIRM [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityThreatIntelligence ``` -Update-AzSentinelDataConnector -InputObject [-Indicators ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] +Update-AzSentinelDataConnector -InputObject -ThreatIntelligence + [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ### UpdateViaIdentityThreatIntelligenceTaxii ``` -Update-AzSentinelDataConnector -InputObject [-CollectionId ] - [-FriendlyName ] [-Password ] [-PollingFrequency ] +Update-AzSentinelDataConnector -InputObject -ThreatIntelligenceTaxii + [-CollectionId ] [-FriendlyName ] [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -346,6 +347,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -AWSCloudTrail + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateAmazonWebServicesCloudTrail, UpdateViaIdentityAmazonWebServicesCloudTrail +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -AWSRoleArn @@ -361,6 +377,51 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -AWSS3 + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateAmazonWebServicesS3, UpdateViaIdentityAmazonWebServicesS3 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AzureADorAATP + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateAADAATP, UpdateViaIdentityAADAATP +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AzureSecurityCenter + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateAzureSecurityCenter, UpdateViaIdentityAzureSecurityCenter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -BingSafetyPhishingUrlLookbackPeriod 
@@ -391,6 +452,25 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -CloudAppSecurity +[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] +[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory)] +[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] +[System.Management.Automation.SwitchParameter] +${GenericUI}, + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateMicrosoftCloudAppSecurity, UpdateViaIdentityMicrosoftCloudAppSecurity +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -CollectionId @@ -452,6 +532,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -DefenderATP + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -DetinationTable @@ -467,7 +562,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DiscoveryLogs +### -DiscoveryLog ```yaml @@ -482,6 +577,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Dynamics365 + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateDynamics365, UpdateViaIdentityDynamics365 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Exchange @@ -512,7 +622,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Incidents +### -Incident ```yaml @@ -527,7 +637,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Indicators +### -Indicator ```yaml 
@@ -605,6 +715,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -MicrosoftThreatProtection + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateMicrosoftThreatProtection, UpdateViaIdentityMicrosoftThreatProtection +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MicrosoftTI + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateMicrosoftThreatIntelligence, UpdateViaIdentityMicrosoftThreatIntelligence +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -NoWait Run the command asynchronously @@ -620,6 +760,51 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Office365 + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateOffice365, UpdateViaIdentityOffice365 +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeATP + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateOfficeATP, UpdateViaIdentityOfficeATP +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeIRM + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateOfficeIRM, UpdateViaIdentityOfficeIRM +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Password 
@@ -789,6 +974,36 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -ThreatIntelligence + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateThreatIntelligence, UpdateViaIdentityThreatIntelligence +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ThreatIntelligenceTaxii + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateThreatIntelligenceTaxii, UpdateViaIdentityThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -UiConfigConnectivityCriterion To construct, see NOTES section for UICONFIGCONNECTIVITYCRITERION properties and create a hash table. diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md index 562b297749b5..54fb5c274523 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md 
@@ -15,26 +15,26 @@ Updates setting. ### UpdateExpandedAnomaliesEyesOnEntityAnalytics (Default) ``` Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName - [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] - [-WhatIf] [] + -AnomaliesOrEyesOn [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateExpandedUeba ``` -Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName -UEBA [-SubscriptionId ] [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics ``` -Update-AzSentinelSetting -InputObject [-Disabled] [-Enabled] +Update-AzSentinelSetting -InputObject -AnomaliesOrEyesOn [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpandedUeba ``` -Update-AzSentinelSetting -InputObject [-DataSource ] +Update-AzSentinelSetting -InputObject -UEBA [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -53,6 +53,21 @@ EyesOn, EntityAnalytics and Ueba ## PARAMETERS +### -AnomaliesOrEyesOn + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -AsJob Run the command as a job 
@@ -205,6 +220,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -UEBA + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -WorkspaceName [Alias('DataConnectionName')] The name of the workspace. From 23e78e50234e2084f7f62bc65df88c26c04b8cb5 Mon Sep 17 00:00:00 2001 
From: SecurityJedi Date: Fri, 29 Jul 2022 14:37:07 -0400 Subject: [PATCH 05/24] Fixes --- .../custom/New-AzSentinelDataConnector.ps1 | 7 - .../custom/New-AzSentinelEntityQuery.ps1 | 7 - .../custom/Update-AzSentinelAlertRule.ps1 | 34 +- .../custom/Update-AzSentinelDataConnector.ps1 | 22 +- .../custom/Update-AzSentinelSetting.ps1 | 16 +- src/SecurityInsights/custom/readme.md | 41 ++ .../docs/New-AzSentinelDataConnector.md | 85 ++-- .../docs/New-AzSentinelEntityQuery.md | 24 +- .../docs/Remove-AzSentinelIncidentRelation.md | 2 +- .../docs/Update-AzSentinelAlertRule.md | 57 ++- .../docs/Update-AzSentinelDataConnector.md | 99 ++-- .../docs/Update-AzSentinelSetting.md | 40 +- src/SecurityInsights/docs/readme.md | 11 + .../examples/New-AzSentinelDataConnector.md | 2 +- .../examples/New-AzSentinelEntityQuery.md | 2 +- .../Remove-AzSentinelIncidentRelation.md | 2 +- .../Update-AzSentinelDataConnector.md | 2 +- src/SecurityInsights/readme.md | 27 ++ src/SecurityInsights/resources/readme.md | 11 + .../Get-AzSentinelAlertRule.Recording.json | 88 ++-- ...t-AzSentinelAlertRuleAction.Recording.json | 80 ++-- ...AzSentinelAlertRuleTemplate.Recording.json | 88 ++-- ...et-AzSentinelAutomationRule.Recording.json | 88 ++-- .../Get-AzSentinelBookmark.Recording.json | 88 ++-- ...-AzSentinelBookmarkRelation.Recording.json | 80 ++-- ...Get-AzSentinelDataConnector.Recording.json | 88 ++-- .../Get-AzSentinelEnrichment.Recording.json | 48 +- .../test/Get-AzSentinelEntity.Recording.json | 132 +++--- ...et-AzSentinelEntityActivity.Recording.json | 44 +- ...Get-AzSentinelEntityInsight.Recording.json | 40 +- ...SentinelEntityQueryTemplate.Recording.json | 70 +-- ...et-AzSentinelEntityTimeline.Recording.json | 38 +- .../Get-AzSentinelIncident.Recording.json | 90 ++-- ...Get-AzSentinelIncidentAlert.Recording.json | 46 +- ...-AzSentinelIncidentBookmark.Recording.json | 24 +- ...t-AzSentinelIncidentComment.Recording.json | 44 +- ...et-AzSentinelIncidentEntity.Recording.json | 44 +- 
...-AzSentinelIncidentRelation.Recording.json | 80 ++-- .../Get-AzSentinelMetadata.Recording.json | 96 ++-- ...t-AzSentinelOnboardingState.Recording.json | 80 ++-- .../test/Get-AzSentinelSetting.Recording.json | 44 +- ...ThreatIntelligenceIndicator.Recording.json | 48 +- ...IntelligenceIndicatorMetric.Recording.json | 24 +- ...nelDataConnectorCheckRequirement.Tests.ps1 | 25 - ...aConnectorsCheckRequirement.Recording.json | 434 ------------------ ...elDataConnectorsCheckRequirement.Tests.ps1 | 77 ---- ...tIntelligenceIndicatorQuery.Recording.json | 18 +- .../New-AzSentinelAlertRule.Recording.json | 20 +- .../test/New-AzSentinelAlertRule.Tests.ps1 | 2 +- ...w-AzSentinelAlertRuleAction.Recording.json | 36 +- .../New-AzSentinelAlertRuleAction.Tests.ps1 | 4 +- ...ew-AzSentinelAutomationRule.Recording.json | 18 +- .../New-AzSentinelAutomationRule.Tests.ps1 | 2 +- .../New-AzSentinelBookmark.Recording.json | 18 +- .../test/New-AzSentinelBookmark.Tests.ps1 | 2 +- ...-AzSentinelBookmarkRelation.Recording.json | 48 +- .../New-AzSentinelBookmarkRelation.Tests.ps1 | 6 +- ...New-AzSentinelDataConnector.Recording.json | 18 +- .../New-AzSentinelDataConnector.Tests.ps1 | 3 +- .../New-AzSentinelEntityQuery.Recording.json | 18 +- .../test/New-AzSentinelEntityQuery.Tests.ps1 | 2 +- .../New-AzSentinelIncident.Recording.json | 14 +- .../test/New-AzSentinelIncident.Tests.ps1 | 2 +- ...w-AzSentinelIncidentComment.Recording.json | 32 +- .../New-AzSentinelIncidentComment.Tests.ps1 | 4 +- ...-AzSentinelIncidentRelation.Recording.json | 50 +- .../New-AzSentinelIncidentRelation.Tests.ps1 | 6 +- .../New-AzSentinelIncidentTeam.Recording.json | 32 +- .../test/New-AzSentinelIncidentTeam.Tests.ps1 | 2 +- .../Remove-AzSentinelAlertRule.Recording.json | 58 +-- ...e-AzSentinelAlertRuleAction.Recording.json | 58 +-- ...ve-AzSentinelAutomationRule.Recording.json | 60 +-- .../Remove-AzSentinelBookmark.Recording.json | 60 +-- ...-AzSentinelBookmarkRelation.Recording.json | 58 +-- 
...ove-AzSentinelDataConnector.Recording.json | 80 ++-- .../Remove-AzSentinelDataConnector.Tests.ps1 | 7 +- ...emove-AzSentinelEntityQuery.Recording.json | 62 +-- .../Remove-AzSentinelIncident.Recording.json | 62 +-- ...e-AzSentinelIncidentComment.Recording.json | 60 +-- ...-AzSentinelIncidentRelation.Recording.json | 58 +-- ...e-AzSentinelOnboardingState.Recording.json | 20 +- .../Update-AzSentinelAlertRule.Recording.json | 20 +- .../test/Update-AzSentinelAlertRule.Tests.ps1 | 4 +- ...e-AzSentinelAlertRuleAction.Recording.json | 58 +-- ...te-AzSentinelAutomationRule.Recording.json | 88 ++-- .../Update-AzSentinelBookmark.Recording.json | 84 ++-- ...-AzSentinelBookmarkRelation.Recording.json | 92 ++-- ...pdate-AzSentinelBookmarkRelation.Tests.ps1 | 4 +- ...ate-AzSentinelDataConnector.Recording.json | 58 +-- .../Update-AzSentinelDataConnector.Tests.ps1 | 6 +- ...pdate-AzSentinelEntityQuery.Recording.json | 60 +-- .../Update-AzSentinelIncident.Recording.json | 76 +-- ...e-AzSentinelIncidentComment.Recording.json | 60 +-- ...-AzSentinelIncidentRelation.Recording.json | 98 ++-- ...pdate-AzSentinelIncidentRelation.Tests.ps1 | 4 +- .../Update-AzSentinelSetting.Recording.json | 66 +-- src/SecurityInsights/test/constants.json | 2 +- .../alertRule/template.parameters.json | 6 +- .../alertRuleAction/template.parameters.json | 12 +- .../authorization/template.parameters.json | 2 +- .../automationRule/template.parameters.json | 8 +- .../bookmark/template.parameters.json | 10 +- .../bookmarkRelation/template.parameters.json | 16 +- .../customData/alertRules.parameters.json | 8 +- .../dataConnector/template.parameters.json | 6 +- .../entityQuery/template.parameters.json | 4 +- .../incident/template.parameters.json | 4 +- .../incidentComment/template.parameters.json | 8 +- .../incidentRelation/template.parameters.json | 16 +- .../metadata/template.parameters.json | 2 +- .../template.parameters.json | 8 +- .../workspace/template.parameters.json | 6 +- 
src/SecurityInsights/test/env.json | 354 +++++++------- src/SecurityInsights/test/readme.md | 17 + 114 files changed, 2207 insertions(+), 2679 deletions(-) create mode 100644 src/SecurityInsights/custom/readme.md create mode 100644 src/SecurityInsights/docs/readme.md create mode 100644 src/SecurityInsights/readme.md create mode 100644 src/SecurityInsights/resources/readme.md delete mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 delete mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json delete mode 100644 src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1 create mode 100644 src/SecurityInsights/test/readme.md diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 index e0a98a534b9b..c09896d8e728 100644 --- a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 @@ -45,13 +45,6 @@ function New-AzSentinelDataConnector { [System.String] # The name of the workspace. ${WorkspaceName}, - - [Parameter()] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] - [System.String] - # The Id of the Data Connector. - ${DataConnectorId}, [Parameter(Mandatory)] [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 index 288fea99923f..80541157d667 100644 --- a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 
@@ -47,13 +47,6 @@ function New-AzSentinelEntityQuery { # The name of the workspace. ${WorkspaceName}, - [Parameter()] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] - [System.String] - # The Id of the Entity Query. - ${EntityQueryId}, - [Parameter(Mandatory)] [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] diff --git a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 index ebc152a1bd31..7f7f7334efef 100644 --- a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 +++ b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 @@ -123,6 +123,18 @@ function Update-AzSentinelAlertRule { [Switch] ${Enabled}, + [Parameter(ParameterSetName = 'UpdateFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateNRT')] + [Parameter(ParameterSetName = 'UpdateScheduled')] + [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')] + [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')] + [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')] + [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Switch] + ${Disabled}, + [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')] [Parameter(ParameterSetName = 'UpdateNRT')] [Parameter(ParameterSetName = 'UpdateScheduled')] 
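Review bot: The new `${Disabled}` switch in the Update-AzSentinelAlertRule hunk has no description comment, while every neighbouring parameter carries one (`# The name of the workspace.`, `# The Id of the Data Connector.`), and the generated `### -Disabled` section in the Update-AzSentinelAlertRule.md hunk later in this commit is consequently empty. Add `# Disables the alert rule. Cannot be combined with -Enabled.` directly above `${Disabled},` so the exported help is populated on the next build. Since `Disabled` is added to exactly the same parameter sets as `Enabled`, the binder will not reject a call that passes both; the body that handles that case is outside this hunk.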
@@ -447,8 +459,9 @@ function Update-AzSentinelAlertRule { $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } } #MSIC @@ -462,8 +475,9 @@ function Update-AzSentinelAlertRule { $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } If($PSBoundParameters['Description']){ @@ -502,8 +516,9 @@ function Update-AzSentinelAlertRule { $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } } @@ -515,11 +530,12 @@ function Update-AzSentinelAlertRule { } If($PSBoundParameters['Enabled']){ - $AlertRule.Enabled = $PSBoundParameters['Enabled'] + $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } If($PSBoundParameters['Description']){ @@ -643,11 +659,12 @@ function Update-AzSentinelAlertRule { } If($PSBoundParameters['Enabled']){ - $AlertRule.Enabled = $PSBoundParameters['Enabled'] + $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } If($PSBoundParameters['Description']){ @@ -798,8 +815,9 @@ function Update-AzSentinelAlertRule { $AlertRule.Enabled = $true $null = $PSBoundParameters.Remove('Enabled') } - else { + if($PSBoundParameters['Disabled']) { $AlertRule.Enabled = $false + $null = $PSBoundParameters.Remove('Disabled') } } 
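Review bot: When a caller passes both -Enabled and -Disabled, the new `if($PSBoundParameters['Disabled'])` block runs after the Enabled block and silently leaves the rule disabled, so a detection rule can be switched off by a conflicting call with no error; the same sequence appears in the -462, -475, -516, -530, -659 and -815 hunks of this file. Add one guard before the first kind branch, e.g. `if ($PSBoundParameters['Enabled'] -and $PSBoundParameters['Disabled']) { throw 'Specify either -Enabled or -Disabled, not both.' }`, rather than repeating a check in each branch. Note also that `$PSBoundParameters['Disabled']` is false for `-Disabled:$false`, so in that case the key is left in `$PSBoundParameters` and presumably forwarded to the underlying cmdlet; checking `$PSBoundParameters.ContainsKey('Disabled')` and reading the switch value would cover it. The enclosing function starts and ends outside these hunks.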
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 index b516f2eaef5e..78c2a4783fac 100644 --- a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 @@ -106,7 +106,7 @@ function Update-AzSentinelDataConnector { [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] [System.String] # The Id of the Data Connector. - ${DataConnectorId}, + ${Id}, [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory, ValueFromPipeline)] [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory, ValueFromPipeline)] @@ -585,7 +585,7 @@ function Update-AzSentinelDataConnector { else { $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName']) $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName']) - $GetPSBoundParameters.Add('DataConnectorId', $PSBoundParameters['DataConnectorId']) + $GetPSBoundParameters.Add('Id', $PSBoundParameters['Id']) } $DataConnector = Az.SecurityInsights\Get-AzSentinelDataConnector @GetPSBoundParameters @@ -599,6 +599,8 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + + $null = $PSBoundParameters.Remove('AzureADorAATP') } if ($DataConnector.Kind -eq 'AzureAdvancedThreatProtection') { If ($PSBoundParameters['TenantId']) { @@ -609,6 +611,7 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + $null = $PSBoundParameters.Remove('AzureADorAATP') } if ($DataConnector.Kind -eq 'Dynamics365') { If ($PSBoundParameters['TenantId']) { 
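Review bot: Renaming the path parameter from `${DataConnectorId}` to `${Id}` in the -106 hunk breaks every existing caller of Update-AzSentinelDataConnector without offering a transition. Adding `[Alias('DataConnectorId')]` above `${Id},` keeps the old spelling working and costs nothing, and the -585 hunk already forwards the value under the new name to Get-AzSentinelDataConnector so no further change is needed there. Whether the rest of the body still references the old name cannot be seen from this hunk.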
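Review bot: Each new `$null = $PSBoundParameters.Remove('<kind switch>')` line sits inside the branch for the matching `$DataConnector.Kind`, so when the switch a caller passed does not match the kind of the connector returned by Get-AzSentinelDataConnector, no branch removes it and the switch is presumably forwarded in `$PSBoundParameters` to the underlying cmdlet, which would fail with a binding error rather than a clear message; this applies to the -599 hunk here and to every following hunk of this file through -851. Two simpler options: remove all kind switches once, immediately after the Get call, with one `foreach` over the switch names, or validate up front that the bound switch corresponds to `$DataConnector.Kind` and `throw` a message naming both. The removal of a key that was never bound is harmless, so an unconditional loop is safe. The function body and the Get call's surrounding code are outside these hunks.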
@@ -620,6 +623,7 @@ function Update-AzSentinelDataConnector { $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity'] $null = $PSBoundParameters.Remove('CommonDataServiceActivity') } + $null = $PSBoundParameters.Remove('Dynamics365') } if ($DataConnector.Kind -eq 'MicrosoftCloudAppSecurity') { If ($PSBoundParameters['TenantId']) { @@ -636,6 +640,7 @@ function Update-AzSentinelDataConnector { $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLog'] $null = $PSBoundParameters.Remove('DiscoveryLog') } + $null = $PSBoundParameters.Remove('CloudAppSecurity') } if ($DataConnector.Kind -eq 'MicrosoftDefenderAdvancedThreatProtection') { If ($PSBoundParameters['TenantId']) { @@ -647,6 +652,7 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + $null = $PSBoundParameters.Remove('DefenderATP') } if ($DataConnector.Kind -eq 'MicrosoftThreatIntelligence') { If ($PSBoundParameters['TenantId']) { @@ -695,6 +701,7 @@ function Update-AzSentinelDataConnector { } $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod') } + $null = $PSBoundParameters.Remove('MicrosoftTI') } if ($DataConnector.Kind -eq 'MicrosoftThreatProtection') { If ($PSBoundParameters['TenantId']) { @@ -706,6 +713,7 @@ function Update-AzSentinelDataConnector { $DataConnector.IncidentState = $PSBoundParameters['Incident'] $null = $PSBoundParameters.Remove('Incident') } + $null = $PSBoundParameters.Remove('MicrosoftThreatProtection') } if ($DataConnector.Kind -eq 'Office365') { If ($PSBoundParameters['TenantId']) { @@ -727,6 +735,7 @@ function Update-AzSentinelDataConnector { $DataConnector.TeamState = $PSBoundParameters['Teams'] $null = $PSBoundParameters.Remove('Teams') } + $null = $PSBoundParameters.Remove('Office365') } if ($DataConnector.Kind -eq 'OfficeATP') { If ($PSBoundParameters['TenantId']) { 
@@ -738,6 +747,7 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + $null = $PSBoundParameters.Remove('OfficeATP') } if ($DataConnector.Kind -eq 'OfficeIRM') { If ($PSBoundParameters['TenantId']) { @@ -749,6 +759,7 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + $null = $PSBoundParameters.Remove('OfficeIRM') } if ($DataConnector.Kind -eq 'ThreatIntelligence') { If ($PSBoundParameters['TenantId']) { @@ -760,6 +771,7 @@ function Update-AzSentinelDataConnector { $DataConnector.IndicatorState = $PSBoundParameters['Indicator'] $null = $PSBoundParameters.Remove('Indicator') } + $null = $PSBoundParameters.Remove('ThreatIntelligence') } if ($DataConnector.Kind -eq 'ThreatIntelligenceTaxii') { If ($PSBoundParameters['TenantId']) { @@ -809,6 +821,7 @@ function Update-AzSentinelDataConnector { } $null = $PSBoundParameters.Remove('PollingFrequency') } + $null = $PSBoundParameters.Remove('ThreatIntelligenceTaxii') } if ($DataConnector.Kind -eq 'AzureSecurityCenter') { If ($PSBoundParameters['ASCSubscriptionId']) { @@ -820,6 +833,7 @@ function Update-AzSentinelDataConnector { $DataConnector.AlertState = $PSBoundParameters['Alerts'] $null = $PSBoundParameters.Remove('Alerts') } + $null = $PSBoundParameters.Remove('AzureSecurityCenter') } if ($DataConnector.Kind -eq 'AmazonWebServicesCloudTrail') { If ($PSBoundParameters['AWSRoleArn']) { @@ -830,7 +844,8 @@ function Update-AzSentinelDataConnector { If ($PSBoundParameters['Logs']) { $DataConnector.LogState = $PSBoundParameters['Logs'] $null = $PSBoundParameters.Remove('Logs') - } + } + $null = $PSBoundParameters.Remove('AWSCloudTrail') } if ($DataConnector.Kind -eq 'AmazonWebServicesS3') { If ($PSBoundParameters['AWSRoleArn']) { 
@@ -851,6 +866,7 @@ function Update-AzSentinelDataConnector { $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable'] $null = $PSBoundParameters.Remove('DetinationTable') } + $null = $PSBoundParameters.Remove('AWSS3') } if ($DataConnector.Kind -eq 'GenericUI') { If ($PSBoundParameters['UiConfigTitle']) { diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 index dcb5992e67d2..432afa05a3a5 100644 --- a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 +++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 @@ -66,21 +66,9 @@ function Update-AzSentinelSetting { # To construct, see NOTES section for INPUTOBJECT properties and create a hash table. ${InputObject}, - [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] - [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] - [System.Management.Automation.SwitchParameter] - ${AnomaliesOrEyesOn}, - - [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] - [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory)] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')] - [System.Management.Automation.SwitchParameter] - ${UEBA}, - #Anomalies - #.EyesOn - #.EntityAnalytics + #.EyesOn + #.EntityAnalytics [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] diff --git a/src/SecurityInsights/custom/readme.md b/src/SecurityInsights/custom/readme.md new file mode 100644 index 000000000000..43bd883b0e75 --- /dev/null +++ b/src/SecurityInsights/custom/readme.md 
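Review bot: Removing the mandatory `${AnomaliesOrEyesOn}` and `${UEBA}` switches from Update-AzSentinelSetting leaves the `UpdateExpandedAnomaliesEyesOnEntityAnalytics` and `UpdateExpandedUeba` parameter sets (and their ViaIdentity variants) distinguishable only by whatever remains in each set, and the visible context shows those remaining parameters are non-mandatory. If a caller supplies only the shared path parameters, PowerShell cannot resolve the set unless the `[CmdletBinding(DefaultParameterSetName = ...)]` attribute names one; that attribute is outside this hunk, so please confirm it is set. This is also a breaking change for callers that passed either switch, which should be recorded in the changelog. The `#.EyesOn` / `#.EntityAnalytics` edits in the same hunk are whitespace only.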
@@ -0,0 +1,41 @@ +# Custom +This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified. + +## Info +- Modifiable: yes +- Generated: partial +- Committed: yes +- Packaged: yes + +## Details +For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*. + +For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder. + +For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundemental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build. 
+ +## Purpose +This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder. + +## Usage +The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters: +- Break +- DefaultProfile +- HttpPipelineAppend +- HttpPipelinePrepend +- Proxy +- ProxyCredential +- ProxyUseDefaultCredentials + +These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method. + +### Attributes +For processing the cmdlets, we've created some additional attributes: +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute` + - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propegated to reference documentation via [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute` + - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time. 
These cmdlets will *not be exposed* by `Az.SecurityInsights`. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute` + - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [readme.md](../internal/readme.md) in the `../internal` folder. +- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute` + - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules. \ No newline at end of file diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md index 54dadc25e388..3bd1c32ad02f 100644 --- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md 
@@ -15,38 +15,37 @@ Creates or updates the data connector. ### AADAATP (Default) ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesCloudTrail ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -Kind [-DataConnectorId ] [-SubscriptionId ] [-Logs ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-SubscriptionId ] [-Logs ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesS3 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn -DetinationTable -Kind -Logs -SQSURL - [-DataConnectorId ] [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] - [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### AzureSecurityCenter ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -ASCSubscriptionId - -Kind [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-SubscriptionId ] [-Alerts ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Dynamics365 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-CommonDataServiceActivity ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### GenericUI 
@@ -57,8 +56,7 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -UiConfigDescriptionMarkdown -UiConfigGraphQueriesTableName -UiConfigGraphQuery -UiConfigInstructionStep -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle - [-DataConnectorId ] [-SubscriptionId ] [-AvailabilityStatus ] - [-PermissionCustom ] + [-SubscriptionId ] [-AvailabilityStatus ] [-PermissionCustom ] [-PermissionResourceProvider ] [-UiConfigCustomImage ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -66,70 +64,68 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### MicrosoftCloudAppSecurity ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftDefenderAdvancedThreatProtection ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftThreatIntelligence ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-BingSafetyPhishingURL ] - [-BingSafetyPhishingUrlLookbackPeriod ] [-MicrosoftEmergingThreatFeed ] - [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-BingSafetyPhishingURL ] [-BingSafetyPhishingUrlLookbackPeriod ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### MicrosoftThreatProtection ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Incident ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Office365 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Exchange ] [-SharePoint ] - [-Teams ] [-TenantId ] [-DefaultProfile ] [-AsJob] 
[-NoWait] [-Confirm] [-WhatIf] - [] + [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### OfficeATP ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### OfficeIRM ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligence ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-DataConnectorId ] [-SubscriptionId ] [-Indicator ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligenceTaxii ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -APIRootURL -CollectionId -FriendlyName -Kind -PollingFrequency - -WorkspaceId [-DataConnectorId ] [-SubscriptionId ] [-Password ] - [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + -WorkspaceId [-SubscriptionId ] [-Password ] [-TaxiiLookbackPeriod ] + [-TenantId ] [-UserName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ## DESCRIPTION 
@@ -139,7 +135,7 @@ Creates or updates the data connector. ### Example 1: {{ Add title here }} ```powershell -New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All +New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All ``` This command enables the Threat Intelligence data connector @@ -311,21 +307,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DataConnectorId -The Id of the Data Connector. - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -DefaultProfile The credentials, account, tenant, and subscription used for communication with Azure. diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md index d1d5cf8cede3..1ad6891cb05d 100644 --- a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -15,10 +15,9 @@ Creates or updates the entity query. ``` New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content -Description -InputEntityType -Kind -QueryDefinitionQuery - -Title [-EntityQueryId ] [-SubscriptionId ] - [-EntitiesFilter ] [-RequiredInputFieldsSet ] - [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + -Title [-SubscriptionId ] [-EntitiesFilter ] + [-RequiredInputFieldsSet ] [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -29,7 +28,7 @@ Creates or updates the entity query. ### Example 1: Create Entity Query ```powershell $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId" - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name) + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name) ``` ```output @@ -130,21 +129,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -EntityQueryId -The Id of the Entity Query. - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -InputEntityType diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index afa37201e050..0800fb81b5ca 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md 
@@ -32,7 +32,7 @@ Delete the incident relation. ### Example 1: {{ Add title here }} ```powershell -Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1 +Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 ``` This command removes the incident relation diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md index 6953b0fe7c54..0a40bc09c36b 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md 
@@ -17,11 +17,11 @@ Updates the alert rule. Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -Scheduled [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] - [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] - [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] - [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] - [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] - [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] + [-CreateIncident] [-Description ] [-Disabled] [-DisplayName ] [-Enabled] + [-EntityMapping ] [-EventGroupingSettingAggregationKind ] + [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] + [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] + [-QueryFrequency ] [-QueryPeriod ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-TriggerOperator ] [-TriggerThreshold ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] 
@@ -30,16 +30,16 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa ### UpdateFusionMLTI ``` Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -FusionMLorTI - [-SubscriptionId ] [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-AlertRuleTemplateName ] [-Disabled] [-Enabled] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftSecurityIncidentCreation ``` Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -MicrosoftSecurityIncidentCreation [-SubscriptionId ] [-AlertRuleTemplateName ] - [-Description ] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] - [-ProductFilter ] [-SeveritiesFilter ] + [-Description ] [-Disabled] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] + [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -48,25 +48,25 @@ Update-AzSentinelAlertRule -ResourceGroupName -RuleId -Workspa Update-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName -NRT [-SubscriptionId ] [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] - [-CreateIncident] [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] - [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] - [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] - [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] - [-Tactic ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + [-CreateIncident] [-Description ] [-Disabled] [-DisplayName ] [-Enabled] + [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] + [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] + [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] + [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityFusionMLTI ``` Update-AzSentinelAlertRule -InputObject -FusionMLorTI - [-AlertRuleTemplateName ] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] - [-WhatIf] [] + [-AlertRuleTemplateName ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] + [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityMicrosoftSecurityIncidentCreation ``` Update-AzSentinelAlertRule -InputObject -MicrosoftSecurityIncidentCreation - [-AlertRuleTemplateName ] [-Description ] [-DisplayNamesExcludeFilter ] + [-AlertRuleTemplateName ] [-Description ] [-Disabled] [-DisplayNamesExcludeFilter ] [-DisplayNamesFilter ] [-Enabled] [-ProductFilter ] [-SeveritiesFilter ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] 
@@ -76,8 +76,8 @@ Update-AzSentinelAlertRule -InputObject -MicrosoftSe ``` Update-AzSentinelAlertRule -InputObject -NRT [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] - [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-DisplayName ] - [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] + [-AlertTacticsColumnName ] [-CreateIncident] [-Description ] [-Disabled] + [-DisplayName ] [-Enabled] [-EntityMapping ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-ReOpenClosedIncident] [-Severity ] [-SuppressionDuration ] [-SuppressionEnabled] [-Tactic ] @@ -89,7 +89,7 @@ Update-AzSentinelAlertRule -InputObject -NRT [-Alert Update-AzSentinelAlertRule -InputObject -Scheduled [-AlertDescriptionFormat ] [-AlertDisplayNameFormat ] [-AlertRuleTemplateName ] [-AlertSeverityColumnName ] [-AlertTacticsColumnName ] [-CreateIncident] - [-Description ] [-DisplayName ] [-Enabled] [-EntityMapping ] + [-Description ] [-Disabled] [-DisplayName ] [-Enabled] [-EntityMapping ] [-EventGroupingSettingAggregationKind ] [-GroupByAlertDetail ] [-GroupByCustomDetail ] [-GroupByEntity ] [-GroupingConfigurationEnabled] [-LookbackDuration ] [-MatchingMethod ] [-Query ] [-QueryFrequency ] @@ -248,6 +248,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Disabled + + +```yaml +Type: System.Management.Automation.SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -DisplayName diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index fc4c3847ca8f..95d475820116 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md 
@@ -14,37 +14,37 @@ Updates the data connector. ### UpdateAADAATP (Default) ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -AzureADorAATP [-SubscriptionId ] [-Alerts ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AzureADorAATP + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAmazonWebServicesCloudTrail ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -AWSCloudTrail [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AWSCloudTrail + [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAmazonWebServicesS3 ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -AWSS3 [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AWSS3 + [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] [-SQSURL ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAzureSecurityCenter ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AzureSecurityCenter [-SubscriptionId ] [-Alerts ] [-ASCSubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateDynamics365 ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -Dynamics365 [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -Dynamics365 + [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] 
[-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -63,66 +63,65 @@ Update-AzSentinelDataConnector [-AvailabilityIsPreview ] [-Availability ### UpdateMicrosoftCloudAppSecurity ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -CloudAppSecurity [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftDefenderAdvancedThreatProtection ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -DefenderATP [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -DefenderATP + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateMicrosoftThreatIntelligence ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -MicrosoftTI [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] - [-BingSafetyPhishinURL ] [-MicrosoftEmergingThreatFeed ] - [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -MicrosoftTI + [-SubscriptionId ] [-BingSafetyPhishingUrlLookbackPeriod ] [-BingSafetyPhishinURL ] + [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] + [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### UpdateMicrosoftThreatProtection ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -MicrosoftThreatProtection [-SubscriptionId ] [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateOffice365 ``` -Update-AzSentinelDataConnector 
-DataConnectorId -ResourceGroupName -WorkspaceName - -Office365 [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -Office365 + [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateOfficeATP ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -OfficeATP [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -OfficeATP + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateOfficeIRM ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName - -OfficeIRM [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] - [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -OfficeIRM + [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] + [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateThreatIntelligence ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -ThreatIntelligence [-SubscriptionId ] [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateThreatIntelligenceTaxii ``` -Update-AzSentinelDataConnector -DataConnectorId -ResourceGroupName -WorkspaceName +Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -APIRootURL -ThreatIntelligenceTaxii [-SubscriptionId ] [-CollectionId ] [-FriendlyName ] [-Password ] [-PollingFrequency ] [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-WorkspaceId ] 
@@ -250,7 +249,7 @@ Updates the data connector. ### Example 1: Update a Sentinel data connector ```powershell -Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" +Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" ``` This command updates a Sentinel data connector @@ -501,22 +500,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DataConnectorId -[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] - The Id of the Data Connector. - -```yaml -Type: System.String -Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -DefaultProfile The credentials, account, tenant, and subscription used for communication with Azure. 
@@ -622,6 +605,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)] + The Id of the Data Connector. + +```yaml +Type: System.String +Parameter Sets: UpdateAADAATP, UpdateAmazonWebServicesCloudTrail, UpdateAmazonWebServicesS3, UpdateAzureSecurityCenter, UpdateDynamics365, UpdateMicrosoftCloudAppSecurity, UpdateMicrosoftDefenderAdvancedThreatProtection, UpdateMicrosoftThreatIntelligence, UpdateMicrosoftThreatProtection, UpdateOffice365, UpdateOfficeATP, UpdateOfficeIRM, UpdateThreatIntelligence, UpdateThreatIntelligenceTaxii +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Incident diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md index 54fb5c274523..562b297749b5 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md 
@@ -15,26 +15,26 @@ Updates setting. ### UpdateExpandedAnomaliesEyesOnEntityAnalytics (Default) ``` Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName - -AnomaliesOrEyesOn [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ### UpdateExpandedUeba ``` -Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName -UEBA +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName [-SubscriptionId ] [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics ``` -Update-AzSentinelSetting -InputObject -AnomaliesOrEyesOn [-Disabled] [-Enabled] +Update-AzSentinelSetting -InputObject [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpandedUeba ``` -Update-AzSentinelSetting -InputObject -UEBA [-DataSource ] +Update-AzSentinelSetting -InputObject [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -53,21 +53,6 @@ EyesOn, EntityAnalytics and Ueba ## PARAMETERS -### -AnomaliesOrEyesOn - - -```yaml -Type: System.Management.Automation.SwitchParameter -Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -AsJob Run the command as a job 
@@ -220,21 +205,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -UEBA - - -```yaml -Type: System.Management.Automation.SwitchParameter -Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -WorkspaceName [Alias('DataConnectionName')] The name of the workspace. diff --git a/src/SecurityInsights/docs/readme.md b/src/SecurityInsights/docs/readme.md new file mode 100644 index 000000000000..f18a8fa38198 --- /dev/null +++ b/src/SecurityInsights/docs/readme.md @@ -0,0 +1,11 @@ +# Docs +This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overriden on regeneration*. To update documentation examples, please use the `../examples` folder. + +## Info +- Modifiable: no +- Generated: all +- Committed: yes +- Packaged: yes + +## Details +The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder. \ No newline at end of file diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md index d3d4fa13dc02..f78559330f97 100644 --- a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md 
@@ -1,6 +1,6 @@ ### Example 1: {{ Add title here }} ```powershell -New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All +New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All ``` ```output ``` diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md index 6dc5ad631afa..af393f13958c 100644 --- a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md @@ -1,7 +1,7 @@ ### Example 1: Create Entity Query ```powershell $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId" - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" [-EntityQueryId ] -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name) + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name) ``` ```output Title : The user has created an account diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md index 5332454bc7cb..3e198edb7915 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md 
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md @@ -1,6 +1,6 @@ ### Example 1: {{ Add title here }} ```powershell -Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelationName 7a4c27ea-d61a-496b-b5c3-246770c857c1 +Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 ``` ```output ``` diff --git a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md index 6e522cbb12fd..abfca4b426dd 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md @@ -1,6 +1,6 @@ ### Example 1: Update a Sentinel data connector ```powershell -Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -DataConnectorId 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" +Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" ``` ```output ``` diff --git a/src/SecurityInsights/readme.md b/src/SecurityInsights/readme.md new file mode 100644 index 000000000000..3dce0ebe8383 --- /dev/null +++ b/src/SecurityInsights/readme.md 
@@ -0,0 +1,27 @@ + +# Az.SecurityInsights +This directory contains the PowerShell module for the SecurityInsights service. + +--- +## Status +[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/) + +## Info +- Modifiable: yes +- Generated: all +- Committed: yes +- Packaged: yes + +--- +## Detail +This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension. + +## Module Requirements +- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.2.3 or greater + +## Authentication +AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent. + +## Development +For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md). + diff --git a/src/SecurityInsights/resources/readme.md b/src/SecurityInsights/resources/readme.md new file mode 100644 index 000000000000..736492341e3d --- /dev/null +++ b/src/SecurityInsights/resources/readme.md 
@@ -0,0 +1,11 @@ +# Resources +This directory can contain any additional resources for module that are not required at runtime. This directory **does not** get packaged with the module. If you have assets for custom implementation, place them into the `../custom` folder. + +## Info +- Modifiable: yes +- Generated: no +- Committed: yes +- Packaged: no + +## Purpose +Use this folder to put anything you want to keep around as part of the repository for the module, but is not something that is required for the module. For example, development files, packaged builds, or additional information. This is only intended to be used in repositories where the module's output directory is cleaned, but tangential resources for the module want to remain intact. \ No newline at end of file diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json index 34f71061a2f9..fae028081c25 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "159" ], - "x-ms-client-request-id": [ "c050c818-9f97-4df8-bc11-94c349ef9d53" ], + "x-ms-unique-id": [ "160" ], + "x-ms-client-request-id": [ "ed523158-f5ad-4aeb-bbaf-88375bdc7e8b" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], - "x-ms-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], - "x-ms-correlation-request-id": [ "51617cd1-21bb-4178-81ff-968264f8fe83" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:51617cd1-21bb-4178-81ff-968264f8fe83" ], + "x-ms-request-id": [ "3a6917c7-b248-4bf2-a907-147d74e6b496" ], + "x-ms-correlation-request-id": [ "3a6917c7-b248-4bf2-a907-147d74e6b496" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183054Z:3a6917c7-b248-4bf2-a907-147d74e6b496" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:53 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "131519" ], + "Content-Length": [ "54779" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"9100268d-0000-0100-0000-61b54cad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:17.5992035Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"etag\":\"\\\"9100888d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.6683082Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"etag\":\"\\\"91008e8d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. 
\\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less than the chosen 
value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7261046Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"etag\":\"\\\"9100908d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7217187Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"etag\":\"\\\"9100938d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.7605576Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"etag\":\"\\\"9100958d-0000-0100-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9281318Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"etag\":\"\\\"9100968d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"displayName\":\"(Preview) 
Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. It indicates anomalous high volume of successful logins in the last day.\",\"anomalyVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9489601Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"etag\":\"\\\"9100978d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:20.9145159Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"etag\":\"\\\"9100a08d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly will be generated.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0864049Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"etag\":\"\\\"9100a18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0949212Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"etag\":\"\\\"9100a28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"anomalyVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.0380076Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"etag\":\"\\\"9100a48d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.1472644Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"etag\":\"\\\"9100a68d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto VPN.\",\"anomalyVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent 
regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.2701652Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"etag\":\"\\\"9100af8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data 
within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3780064Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"etag\":\"\\\"9100b18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude 
field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3413051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"etag\":\"\\\"9100b78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.3502544Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"etag\":\"\\\"9100b88d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"displayName\":\"(Preview) Attempted user account bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. 
It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.4401824Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"etag\":\"\\\"9100c28d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to 
execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different platforms.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1059\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Execution\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5726126Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"etag\":\"\\\"9100c38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck 
encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.5819245Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"etag\":\"\\\"9100c78d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"edc946ae-cba8-419f-8e90-309966895956\",\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last day.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for 
URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen 
value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6281053Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"etag\":\"\\\"9100ca8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"anomalyVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.6801578Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"etag\":\"\\\"9100cf8d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. 
Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7739836Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"etag\":\"\\\"9100d18d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the IP address is compromised.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.7773051Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"etag\":\"\\\"9100d38d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8501491Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"etag\":\"\\\"9100d58d-0000-0100-0000-61b54cb10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"anomalyVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CredentialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.8726705Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"etag\":\"\\\"9100d88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen 
value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9421482Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"etag\":\"\\\"9100d98d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. \\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:21.9788898Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"etag\":\"\\\"9100e38d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"anomalyVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0605927Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"etag\":\"\\\"9100e48d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"anomalyVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.0796649Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"etag\":\"\\\"9100e68d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. 
The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"anomalyVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\",\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1203371Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"etag\":\"\\\"9100e88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Persistence\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.1708984Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"etag\":\"\\\"9100ef8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account 
logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1133\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2702628Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"etag\":\"\\\"9100f18d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe 
algorithm applies to the DNS records that resolve to IPv4 and IPv6 addresses.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.3165847Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"etag\":\"\\\"9100f28d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by 
the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.2947893Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"etag\":\"\\\"9100f88d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4044454Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"etag\":\"\\\"9100fa8d-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"anomalyVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.4553897Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"etag\":\"\\\"9100018e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"displayName\":\"(Preview) 
Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. \\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Collection\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.549869Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"etag\":\"\\\"91000a8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the 
reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"anomalyVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"CommandAndControl\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6349232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"etag\":\"\\\"91000f8e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. 
Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"anomalyVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. 
This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Discovery\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.6459974Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"etag\":\"\\\"9100158e-0000-0100-0000-61b54cb20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"anomalyVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"Exfiltration\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.7701239Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"etag\":\"\\\"91001c8e-0000-0100-0000-61b54cb30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Anomaly\",\"properties\":{\"alertRuleTemplateName\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"anomalyVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"severity\":\"Informational\",\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"ruleStatus\":\"Production\",\"isDefaultRule\":true,\"anomalyRuleVersion\":0,\"tactics\":[\"InitialAccess\"],\"enabled\":true,\"lastModifiedUtc\":\"2021-12-12T01:13:22.9059365Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"name\":\"02874339-f9a1-4ced-bdaf-44b3d8eb57a6\",\"etag\":\"\\\"910061fe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user 
{{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, 
RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:23:36.39834Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\",\"name\":\"10a698ca-8310-4b90-a86e-2f43fe285e56\",\"etag\":\"\\\"91006cfe-0000-0100-0000-61b54f190000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.1386167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/af03fc0e-d33f-447a-8397-d60726aa92c5\",\"name\":\"af03fc0e-d33f-447a-8397-d60726aa92c5\",\"etag\":\"\\\"9100d4fe-0000-0100-0000-61b54f1b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2021-12-12T01:23:36.2680673Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 
aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"name\":\"fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"etag\":\"\\\"92006710-0000-0100-0000-61b54f790000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRulesuagz6\",\"enabled\":true,\"description\":\"RemoveAlertRulesuagz6 
fdbab4a1-bd45-4dc1-a93b-e4aa20d16262\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:11.212957Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 
952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 
98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:13.0837645Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"name\":\"6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"etag\":\"\\\"9200dd20-0000-0100-0000-61b54fd40000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuledgk4wi\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuledgk4wi 
6dde1054-1a0b-4c5a-a9a8-3587c76613a2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:26:44.114196Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"name\":\"453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"etag\":\"\\\"9200a026-0000-0100-0000-61b54ff30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName1539nb\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName1539nb 
453b8e9c-424a-4b50-8c6d-58de856d5abf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:15.28338Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6\",\"name\":\"3e459759-acb2-48cd-b091-f325a2618fb6\",\"etag\":\"\\\"9200562c-0000-0100-0000-61b550120000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamerey7av\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamerey7av 
3e459759-acb2-48cd-b091-f325a2618fb6\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:27:46.3915852Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"name\":\"a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"etag\":\"\\\"9200fc31-0000-0100-0000-61b550320000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNamea13fz8\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNamea13fz8 
a2dda58f-98fd-44db-ac37-397a9ccd9e25\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:18.3040106Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead\",\"name\":\"09b5716f-9b0b-4663-8302-e17b94a12ead\",\"etag\":\"\\\"9200e237-0000-0100-0000-61b550520000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleName1lirvu\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleName1lirvu 
09b5716f-9b0b-4663-8302-e17b94a12ead\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:28:49.5419602Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7\",\"name\":\"a555c523-e318-4501-bfe8-b9c6da354af7\",\"etag\":\"\\\"92008e3d-0000-0100-0000-61b550710000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameymswnj\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameymswnj 
a555c523-e318-4501-bfe8-b9c6da354af7\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:29:20.6202232Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"name\":\"34c477db-1e8e-4b5e-9fc7-ef127fbfa354\",\"etag\":\"\\\"93003d2e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.8940733Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dd7306f3-4a9a-4270-a174-816dd3747be0\",\"name\":\"dd7306f3-4a9a-4270-a174-816dd3747be0\",\"etag\":\"\\\"9300442e-0000-0100-0000-61b555900000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = 
externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:12.9239147Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"name\":\"dfe9fbbf-c55e-4637-9ab6-9f9905d305ff\",\"etag\":\"\\\"9300492e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0054042Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/b888a369-216c-4de2-a4c8-972018977325\",\"name\":\"b888a369-216c-4de2-a4c8-972018977325\",\"etag\":\"\\\"93004a2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0215473Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/17bb920a-238b-4d2c-b208-83addc14efbe\",\"name\":\"17bb920a-238b-4d2c-b208-83addc14efbe\",\"etag\":\"\\\"93004b2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n 
Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.021751Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"name\":\"3074775a-74e8-43cd-a60a-28ff236f1e2e\",\"etag\":\"\\\"93004c2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0175408Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a074a675-209d-48d5-bae8-b6c958152873\",\"name\":\"a074a675-209d-48d5-bae8-b6c958152873\",\"etag\":\"\\\"93004d2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0388622Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"name\":\"c3aa2c95-89ae-4417-b50f-e926a02a58a8\",\"etag\":\"\\\"93004e2e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0351918Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/946778f9-52a0-414d-9453-fc3645ceca6f\",\"name\":\"946778f9-52a0-414d-9453-fc3645ceca6f\",\"etag\":\"\\\"9300502e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n 
RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0496088Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"name\":\"07c2c80e-4c67-43fc-bce5-c8a34057f8a2\",\"etag\":\"\\\"9300512e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with 
(format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.0345167Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"name\":\"a8219a17-8d55-42af-b4de-f9f06ddb6b66\",\"etag\":\"\\\"9300522e-0000-0100-0000-61b555910000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| 
project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:51:13.017663Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"2e007c30-0000-0100-0000-62e41cb30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to 
https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2022-07-29T17:45:23.4626713Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/75c9560c-ce08-4332-aa4a-0e675fc0b17c\",\"name\":\"75c9560c-ce08-4332-aa4a-0e675fc0b17c\",\"etag\":\"\\\"2e006c32-0000-0100-0000-62e41fa10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where 
Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user 
mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:57:51.4044412Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3\",\"name\":\"6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3\",\"etag\":\"\\\"2e006d32-0000-0100-0000-62e41fa10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse 
Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2022-07-29T17:57:51.4443855Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"name\":\"5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"etag\":\"\\\"2e006e32-0000-0100-0000-62e41fa20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where 
ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2022-07-29T17:57:51.4503725Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j 
a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"name\":\"c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"etag\":\"\\\"2e00de32-0000-0100-0000-62e420050000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRulex6lvwk\",\"enabled\":true,\"description\":\"RemoveAlertRulex6lvwk 
c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:32.8048022Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"name\":\"c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"etag\":\"\\\"2e00e832-0000-0100-0000-62e420250000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRuleg7sd5h\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRuleg7sd5h 
c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:04.2817896Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"name\":\"a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"etag\":\"\\\"2e000233-0000-0100-0000-62e420440000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulet0r6jh\",\"enabled\":true,\"description\":\"UpdateAlertRulet0r6jh 
a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:35.8688539Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/819c1dad-0658-4633-b80c-74cae574c0f7\",\"name\":\"819c1dad-0658-4633-b80c-74cae574c0f7\",\"etag\":\"\\\"2e000f33-0000-0100-0000-62e420630000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRules7my5u\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRules7my5u 
819c1dad-0658-4633-b80c-74cae574c0f7\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:01:07.2111029Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"name\":\"28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"etag\":\"\\\"2e001533-0000-0100-0000-62e420820000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleNamelboi79\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleNamelboi79 
28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:01:38.2323641Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a\",\"name\":\"5259fc88-ad43-4c0f-8712-e276f794f08a\",\"etag\":\"\\\"2e006233-0000-0100-0000-62e420a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamegnwkmx\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamegnwkmx 
5259fc88-ad43-4c0f-8712-e276f794f08a\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:02:09.910605Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"name\":\"61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"etag\":\"\\\"2e009e33-0000-0100-0000-62e420c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNamebokia1\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNamebokia1 
61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:02:41.434286Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac\",\"name\":\"c3f83b09-6bfc-4365-813e-56f9b186baac\",\"etag\":\"\\\"2e00b433-0000-0100-0000-62e420e20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleName9zg8ih\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleName9zg8ih 
c3f83b09-6bfc-4365-813e-56f9b186baac\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:03:12.6101396Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"name\":\"1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"etag\":\"\\\"2e00f133-0000-0100-0000-62e421000000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNametyup2k\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNametyup2k 
1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:03:43.8469602Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/f853954a-a622-4649-b264-9a61959b4dc2\",\"name\":\"f853954a-a622-4649-b264-9a61959b4dc2\",\"etag\":\"\\\"2e002d3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0103126Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/4b9ab125-6c3f-49df-b2b8-eebddf99efc9\",\"name\":\"4b9ab125-6c3f-49df-b2b8-eebddf99efc9\",\"etag\":\"\\\"2e002e3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"trigge
rThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0284881Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/94982952-13e2-49ca-8d0f-bb27e3191be7\",\"name\":\"94982952-13e2-49ca-8d0f-bb27e3191be7\",\"etag\":\"\\\"2e002f3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.027247Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/db311007-ed30-4aed-99bf-35424b5ac892\",\"name\":\"db311007-ed30-4aed-99bf-35424b5ac892\",\"etag\":\"\\\"2e00303f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThresho
ld\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0393593Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/e86cabea-c73d-4add-b229-32b2e1a70d14\",\"name\":\"e86cabea-c73d-4add-b229-32b2e1a70d14\",\"etag\":\"\\\"2e00313f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0327634Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/f85f5690-5b1a-466f-a277-88c3888dab5a\",\"name\":\"f85f5690-5b1a-466f-a277-88c3888dab5a\",\"etag\":\"\\\"2e00323f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\
":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.020468Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/18ed181f-e619-451e-bd0a-3e1bd6cc861e\",\"name\":\"18ed181f-e619-451e-bd0a-3e1bd6cc861e\",\"etag\":\"\\\"2e00333f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0201082Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/50552cfd-3606-4a5e-86b4-40b6529c0417\",\"name\":\"50552cfd-3606-4a5e-86b4-40b6529c0417\",\"etag\":\"\\\"2e00343f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"s
everity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0573302Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/3a63c6a2-7808-499d-bd4c-586968008fab\",\"name\":\"3a63c6a2-7808-499d-bd4c-586968008fab\",\"etag\":\"\\\"2e00353f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0160976Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/eb55a210-7f4a-4d1a-ad3c-de23c317f861\",\"name\":\"eb55a210-7f4a-4d1a-ad3c-de23c317f861\",\"etag\":\"\\\"2e00363f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":
0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0422492Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/63860588-b4ea-401b-917d-1a29e4d94f7d\",\"name\":\"63860588-b4ea-401b-917d-1a29e4d94f7d\",\"etag\":\"\\\"2e00373f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0521164Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "160" ], - "x-ms-client-request-id": [ "ad064d7e-64b9-48c0-825d-cf1d4327108a" ], + "x-ms-unique-id": [ "161" ], + "x-ms-client-request-id": [ "b918c4ea-1d34-4df3-8d46-38f0b5a10980" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], - "x-ms-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], - "x-ms-correlation-request-id": [ "54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015317Z:54f6230f-8093-4fa1-91cd-f9dd1b65d2a1" ], + "x-ms-request-id": [ "243a9296-2bd5-42cc-9606-b3e409477c5d" ], + "x-ms-correlation-request-id": [ "243a9296-2bd5-42cc-9606-b3e409477c5d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183054Z:243a9296-2bd5-42cc-9606-b3e409477c5d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:54 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1164" ], + "Content-Length": [ "1163" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "161" ], - "x-ms-client-request-id": [ "81026a09-75bd-4bfa-a6a8-6df0d416ebee" ], + "x-ms-unique-id": [ "162" ], + "x-ms-client-request-id": [ "0336978f-33f7-41c4-8d10-51813f53ecf3" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], - "x-ms-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], - "x-ms-correlation-request-id": [ "2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:2816f5b9-b6a9-4fb8-984f-3633293f3c35" ], + "x-ms-request-id": [ "ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], + "x-ms-correlation-request-id": [ "ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183055Z:ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1164" ], + "Content-Length": [ "1163" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "162" ], - "x-ms-client-request-id": [ "d982dd2f-d791-462c-adb1-8d0efc44d1c0" ], + "x-ms-unique-id": [ "163" ], + "x-ms-client-request-id": [ "03b3eabc-e48c-4348-9e95-93405cfbaf4c" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], - "x-ms-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], - "x-ms-correlation-request-id": [ "7a6d78ae-d285-414c-b301-d44f032f07c9" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015318Z:7a6d78ae-d285-414c-b301-d44f032f07c9" ], + "x-ms-request-id": [ "db665301-df9b-4443-86be-83cbb893a625" ], + "x-ms-correlation-request-id": [ "db665301-df9b-4443-86be-83cbb893a625" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183055Z:db665301-df9b-4443-86be-83cbb893a625" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1164" ], + "Content-Length": [ "1163" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"name\":\"aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"etag\":\"\\\"92003e0a-0000-0100-0000-61b54f580000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulez4ros0\",\"enabled\":true,\"description\":\"GetAlertRulez4ros0 aa4274ad-8144-44e6-8dc2-669dc0b5ea0d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:24:39.7729775Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json index 92fe31f567cf..6695d1502b58 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "163" ], - "x-ms-client-request-id": [ "f916e3cf-4111-4055-a8e2-bdad5cc49a84" ], + "x-ms-unique-id": [ "164" ], + "x-ms-client-request-id": [ "c0742a2a-be53-428b-98ad-f18e0e632440" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ 
"[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], - "x-ms-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], - "x-ms-correlation-request-id": [ "95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:95d74ead-bcfe-4c63-92a2-d8a15a6d51c3" ], + "x-ms-request-id": [ "d360651f-48c4-4fb3-93b0-9bb178c856ea" ], + "x-ms-correlation-request-id": [ "d360651f-48c4-4fb3-93b0-9bb178c856ea" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183057Z:d360651f-48c4-4fb3-93b0-9bb178c856ea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "727" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_453b8e9c-424a-4b50-8c6d-58de856d5abf_1ce91c05-b6a4-4476-9e83-4df36d224e97/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_28d676f4-c9d3-465b-a7bf-b359b492f49d_fbc77ebc-03d2-4653-a435-f072687e1b97/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "164" ], - "x-ms-client-request-id": [ "8e4fe198-4eff-4579-af07-a882932d6da7" ], + "x-ms-unique-id": [ "165" ], + "x-ms-client-request-id": [ "8fa9cfef-bc43-4f51-a2ce-d2252dec975e" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], - "x-ms-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], - "x-ms-correlation-request-id": [ "a9da4e26-15f4-4849-ad47-901cc441d680" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015339Z:a9da4e26-15f4-4849-ad47-901cc441d680" ], + "x-ms-request-id": [ "dfb30144-8f40-4229-9219-7d31877fec92" ], + "x-ms-correlation-request-id": [ "dfb30144-8f40-4229-9219-7d31877fec92" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183058Z:dfb30144-8f40-4229-9219-7d31877fec92" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "165" ], - "x-ms-client-request-id": [ "601a3c6b-e4b8-4b3b-861d-46725b40243f" ], + "x-ms-unique-id": [ "166" ], + "x-ms-client-request-id": [ "8db94fbd-9c5f-447f-94f7-ea99127a5332" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], - "x-ms-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], - "x-ms-correlation-request-id": [ "3cef07d3-4665-4f94-82aa-102d543b3681" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:3cef07d3-4665-4f94-82aa-102d543b3681" ], + "x-ms-request-id": [ "c059db10-ca12-4241-b1af-688bd1bd8fa4" ], + "x-ms-correlation-request-id": [ "c059db10-ca12-4241-b1af-688bd1bd8fa4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183058Z:c059db10-ca12-4241-b1af-688bd1bd8fa4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:58 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "166" ], - "x-ms-client-request-id": [ "781a0ed8-5f29-4a45-a193-08596b71230a" ], + "x-ms-unique-id": [ "167" ], + "x-ms-client-request-id": [ "1582a96b-eacf-4154-9481-65ec0e9f2e84" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], - "x-ms-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], - "x-ms-correlation-request-id": [ "b8aeefe7-936a-4f07-9331-983e4c4a906b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015340Z:b8aeefe7-936a-4f07-9331-983e4c4a906b" ], + "x-ms-request-id": [ "5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], + "x-ms-correlation-request-id": [ "5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183059Z:5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:53:40 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:30:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/453b8e9c-424a-4b50-8c6d-58de856d5abf/actions/1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"name\":\"1ce91c05-b6a4-4476-9e83-4df36d224e97\",\"etag\":\"\\\"26009453-0000-0300-0000-61b54ff50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json index 104f76ac1356..2139a200ad90 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "167" ], - "x-ms-client-request-id": [ "57316fa6-441c-4908-9e85-2ec6a3a32d84" ], + "x-ms-unique-id": [ "168" ], + "x-ms-client-request-id": [ "17411f3f-de7a-4ff4-be17-0d9be09c15e3" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
 "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ],
- "x-ms-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ],
- "x-ms-correlation-request-id": [ "f493e6a5-6947-4531-9414-66f7ea1c7408" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T015403Z:f493e6a5-6947-4531-9414-66f7ea1c7408" ],
+ "x-ms-request-id": [ "d484073f-f9f4-420e-ac21-638aa4bd8515" ],
+ "x-ms-correlation-request-id": [ "d484073f-f9f4-420e-ac21-638aa4bd8515" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183101Z:d484073f-f9f4-420e-ac21-638aa4bd8515" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 01:54:02 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:31:01 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "1139662" ],
+ "Content-Length": [ "1418736" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, 
FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, 
sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", 
\\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, 
actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user 
name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, 
ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, 
\u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and 
EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "168" ], - "x-ms-client-request-id": [ "24437480-02f4-48bb-8768-777fee15218a" ], + "x-ms-unique-id": [ "169" ], + "x-ms-client-request-id": [ "5b92aa6d-da0f-4b1d-9b90-36cad7f5979f" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ 
"Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11990" ], - "x-ms-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], - "x-ms-correlation-request-id": [ "29320738-9dd0-4d68-9991-91f8e8512634" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015408Z:29320738-9dd0-4d68-9991-91f8e8512634" ], + "x-ms-request-id": [ "f00eebfd-9c8d-4b60-96d5-c24811810852" ], + "x-ms-correlation-request-id": [ "f00eebfd-9c8d-4b60-96d5-c24811810852" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183106Z:f00eebfd-9c8d-4b60-96d5-c24811810852" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:07 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:06 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1139662" ], + "Content-Length": [ "1418736" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, 
FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, 
sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", 
\\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, 
actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user 
name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, 
ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, 
\u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and 
EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "169" ], - "x-ms-client-request-id": [ "3915ef58-6993-40fa-8056-4fe7e285a636" ], + "x-ms-unique-id": [ "170" ], + "x-ms-client-request-id": [ "f5e86cbc-d63a-4b6e-97dd-d0b6a31e1f05" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], 
"FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11989" ], - "x-ms-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], - "x-ms-correlation-request-id": [ "5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015413Z:5a2c0f6c-bbe5-45d1-9301-0d033fbbccbc" ], + "x-ms-request-id": [ "18e918a8-1c4d-4650-b7f5-c4b301a42804" ], + "x-ms-correlation-request-id": [ "18e918a8-1c4d-4650-b7f5-c4b301a42804" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183111Z:18e918a8-1c4d-4650-b7f5-c4b301a42804" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:12 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:10 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1139662" ], + "Content-Length": [ "1418736" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, 
FileHashType = \\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, 
sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n| join (\\n DnsEvents | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\n | mvexpand SingleIP\\n | extend SingleIP = tostring(SingleIP)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"name\":\"321f9dbd-64b7-4541-81dc-08cf7732ccb0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", 
\\\"High\\\", \\\"Critical\\\"]);\\nlet upn_has_prefix = \\\":\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"asc\\\"\\n| extend saccount = extract(\\\"saccount=(.+?);\\\", 1, AdditionalExtensions)\\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[0]) ,\\\"network\\\" ) \\n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\\\":\\\")[1]) , saccount )\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by saccount\\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = 
TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Account\",\"description\":\"Create an incident when an Account is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde\",\"name\":\"884be6e7-e568-418e-9c12-89229865ffde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedLogins = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where count_ \u003e FailureThreshold\\n| project client_ipAddress_s, 
actor_alternateId_s;\\nOkta_CL\\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\\n| where eventType_s =~ \\\"user.session.start\\\" and outcome_reason_s =~ \\\"VERIFICATION_ERROR\\\"\\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists(\u0027published_t\u0027, now())\\n| sort by column_ifexists(\u0027published_t\u0027, now()) desc\\n| extend timestamp = column_ifexists(\u0027published_t\u0027, now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed Logins from Unknown or Invalid User\",\"description\":\"This query searches for numerous login attempts to the management console with an unknown or invalid user 
name\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1\",\"name\":\"213252f1-497c-4124-91da-6cb43902d5b1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1046\",\"T1135\",\"T1071\",\"T1095\",\"T1571\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"15\",\"value\":\"7\",\"name\":\"Number of distinct signatures in a day\",\"description\":\"Triggers anomalies when daily signatures triggered is more than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual external firewall alarm detected\",\"description\":\"This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \\nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \\ntriggering threat signatures. 
After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \\nnumber of signatures triggered in a single day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project InitiatedBy, ActivityDateTime, 
ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, 
\u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"ZoomLogs \\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and 
EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1\",\"name\":\"ba239935-42c2-472d-80ba-689186099ea1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Guessing\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Guessing\",\"description\":\"Searches for bruteforce Password Guessing 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"name\":\"bb32dc8a-4f6b-4274-a28f-50f3400070b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Sign In\",\"description\":\"Adversaries may steal the credentials of a specific user or service account using Credential\\nAccess techniques or capture credentials earlier in their reconnaissance process through\\nsocial engineering for means of gaining 
Persistence.\",\"lastUpdatedDateUTC\":\"2021-08-25T00:00:00Z\",\"createdDateUTC\":\"2021-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed 
by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), 
FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_IP_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(NetworkIP)\\n| summarize make_list(NetworkIP);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcIpAddr)\\n| where SrcIpAddr in~ (TI_IP_List)\\n| extend Message = \\\"Email sender IP in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = 
countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in 
(VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ae9128e8-2740-4b62-8bde-54e62b183fca\",\"name\":\"ae9128e8-2740-4b62-8bde-54e62b183fca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1030\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from 
CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Daily data transfer threshold in MB\",\"description\":\"Suppress anomalies when daily data transfered (in MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual network communication on commonly used ports\",\"description\":\"This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days.\\nThis includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several\\nnetwork traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and \\nnumber of distinct destination IP addresses per port. 
An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ioc_lookBack = 30d;\\nlet timeframe = 1h;\\nlet TI_email_List =\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(EmailSenderAddress)\\n| summarize make_list(EmailSenderAddress);\\nProofpointPOD \\n| where TimeGenerated \u003e ago(timeframe)\\n| where isnotempty(SrcUserUpn)\\n| where SrcUserUpn in~ (TI_email_List)\\n| extend Message = \\\"Email sender in TI list\\\"\\n| project Message, SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI 
list.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor 
file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, 
Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\n SecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| 
where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Low\",\"query\":\"let tokens = 
dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log 
this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == 
$right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN) and the Caller IP\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unsual logins\\n | where EventSource == \\\"Azure AD\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h | extend UEBAWindowEnd = UEBAEventTime - 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2021-11-04T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true (SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. 
\\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = 
tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting 
out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has \\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a 
user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User 
Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to 
manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", 
\\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = 
extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of external user accounts that are added to a Team 
and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email recieved with binary file as 
attachment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"name\":\"d29b1d66-d4d9-4be2-b607-63278fc4fe6b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Financial Information\",\"description\":\"Display incidents in which medium sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b783df9c-4088-452e-a791-0c4fca47a109\",\"name\":\"b783df9c-4088-452e-a791-0c4fca47a109\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".lan, .home\",\"dataType\":\"string\",\"name\":\"Top level domain\",\"description\":\"Give comma separated TLDs to exclude from source data within double quotes, example: \\\".lan, .home\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain generation algorithm (DGA) on DNS domains\",\"description\":\"This machine learning model indicates potential DGA domains in the second-level-domain (SLD) from the last day in the DNS logs.\\nThe algorithm applies to the DNS records that resolve to IPv4 and IPv6 
addresses.\",\"lastUpdatedDateUTC\":\"2021-05-21T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. 
Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, 
UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c286288-3756-4824-b599-d3c499836c11\",\"name\":\"2c286288-3756-4824-b599-d3c499836c11\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Business 
Information\",\"description\":\"Display incidents in which medium sensitivity business information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. 
\\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"LateralMovement\",\"Collection\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| 
where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity 
Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"name\":\"0c804654-63b9-4241-89f8-1cddd7e9cacd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS write API calls from a user account \",\"description\":\"This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-10-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can 
launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, 
BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. 
The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n 
| where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, 
HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any 
(\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"name\":\"d0bd9611-2fc1-42cb-af4e-793b6f28ba92\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.7\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen 
value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive upload via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of upload per user account via Palo Alto VPN solution.\\nThe model is trained on the previous 14 days of the VPN logs.\\nIt indicates anomalous high volume of upload in the last day.\",\"lastUpdatedDateUTC\":\"2021-11-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(DomainName)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a9956d3a-07a9-44a6-a279-081a85020cae\",\"name\":\"a9956d3a-07a9-44a6-a279-081a85020cae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nlet rejectedAccess = SymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\\n| where Total \u003e threshold\\n| project ClientIP;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| join kind=inner rejectedAccess on ClientIP\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"ClientDeniedAccess\",\"description\":\"Creates an incident in the event a Client has an excessive amounts of denied access 
requests.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where 
DestinationIpType == \\\"public\\\"\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\"\\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = 
sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIpType == \\\"public\\\" | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, 
DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), 
disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity 
== $right.RemoteIP\\n| where WireData_TimeGenerated \u003e= TimeGenerated and WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, WireData_TimeGenerated,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. 
\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential 
harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"name\":\"427e4c9e-8cf4-4094-a684-a2d060dbca38\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\"\\n| where not(ipv4_is_match(\\\"10.0.0.0\\\",Src_IP,8) or ipv4_is_match(\\\"172.16.0.0\\\",Src_IP,12) or ipv4_is_match(\\\"192.168.0.0\\\",Src_IP,16))\\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\\n| where dcount_Dst_Port \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Port Scan Detected\",\"description\":\"This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and 
create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, 
Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !hassuffix \\\"$\\\"\\n| project 
EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was disabled \\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), 
tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This 
query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, 
AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // 
captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, 
targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. 
Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = 
DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(VMConnection\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\\n| where SourceIp in (ips) or DestinationIp in (ips)\\n| extend IPMatch = case( SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, 
IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nDeviceNetworkEvents\\n| where (RemoteIPType =~ \\\"Public\\\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\nDnsEvents\\n| where SubType =~ \\\"LookupQuery\\\"\\n| where Name has_any (domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\\n),\\n(\\nimDns(domain_has_any=domains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = 
Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.4.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source 
== \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0647a60-16f9-4175-b344-5cdd2934413f\",\"name\":\"a0647a60-16f9-4175-b344-5cdd2934413f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = 
userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Business Information\",\"description\":\"Display incidents in which low sensitivity business information] was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as 
an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend 
StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003e= TimeGenerated and SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SigninLogs_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]);\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = 
IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, 
\u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any (servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where 
InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, 
DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy logs.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\\n// Join with Release Pipeline 
Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n // renaming time column so it is clear the 
log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003e= TimeGenerated and W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nW3CIISLog_TimeGenerated, TI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = 
TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\\nlet GroupCreated = SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\\nimDns(starttime=ago(dt_lookBack), 
response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"EventId\":\"EventId\",\"IndicatorId\":\"IndicatorId\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"SubType\":\"SubType\",\"SourceIPAddress\":\"SrcIpAddr\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"name\":\"a3863d8b-8be1-4f52-8ba2-d6cec98b606b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.7\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {imDns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner 
(nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASimDNS)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"version\":\"1.0.0\",\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \\n| extend DestinationIPAddress = IPAddresses, DNSName = 
Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns\\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"name\":\"2d3e33c6-d8e6-4b51-92d6-dbe8bd9efb05\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1078\",\"T1566\",\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"values\":[\"Fraction of failed signins\",\"Number of failed signins\",\"Failed 
signins to successful signins ratio\",\"Number of signins with incorrect passwords\",\"Incorrect passwords to correct passwords ratio\",\"Fraction of incorrect password signins\",\"Distinct number of app ids\",\"Distinct number of client apps\",\"Distinct number of ip addresses\",\"Distinct number of opperating systems\",\"Distinct number of browsers\",\"Distinct number of cities\",\"Distinct number of states\",\"Distinct number of countries\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.5\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure AD sign-in sessions\",\"description\":\"The machine learning model groups the Azure AD sign-in logs on a per-user basis.\\nThe model is trained on the previous 6 days of user sign-in behavior.\\nIt indicates anomalous user sign-in sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user sign-in sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be 
anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts that were created or deleted by a defined list of non-approved user 
principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2021-10-29T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"name\":\"b40a7a5b-5d39-46fe-a79e-2acdb38e1ce7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each group user account\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per group user account within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, 
FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"name\":\"d4f9d54b-6dec-4655-8631-0fa8d4954fea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1568\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.99\",\"name\":\"Score\",\"description\":\"Generate an anomaly when 
score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Domain Reputation Palo Alto anomaly\",\"description\":\"This anomaly evaluates the reputation for all domains seen specifically for Palo Alto firewall (PAN-OS product).\\nA high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-07-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"name\":\"154fde9f-ae00-4422-a8da-ef00b11da3fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 0\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Exposures\",\"description\":\"Searches for triggered Indicators of 
Exposures\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| 
where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, 
AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat 
Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4915c713-ab38-432e-800b-8e2d46933de6\",\"name\":\"4915c713-ab38-432e-800b-8e2d46933de6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027; \\nlet avgthreshold = 0;\\nlet probabilityLimit = 0.01;\\nlet ssh_logins = Syslog\\n| where Facility contains \\\"auth\\\" and ProcessName =~ \\\"sshd\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage) \\n| where isnotempty(SourceIP)\\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\");\\nssh_logins \\n| summarize privatecount=countif(ipType==\\\"private\\\"), publiccount=countif(ipType==\\\"public\\\") by HostName, HostIP, bin(EventTime, 1d)\\n| summarize \\npublicIPLoginHistory = make_list(pack(\u0027IPCount\u0027, publiccount, \u0027logon_time\u0027, EventTime)),\\nprivateIPLoginHistory = make_list(pack(\u0027IPCount\u0027, privatecount, 
\u0027logon_time\u0027, EventTime)) by HostName, HostIP\\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\\n(\\n order by todatetime(publicIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicAverage=avg(toint(publicIPLoginHistory[\u0027IPCount\u0027])), publicStd=stdev(toint(publicIPLoginHistory[\u0027IPCount\u0027])), maxPublicLoginCount=max(toint(publicIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\\n(\\n order by todatetime(privateIPLoginHistory[\u0027logon_time\u0027]) asc\\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateAverage=avg(toint(privateIPLoginHistory[\u0027IPCount\u0027])), privateStd=stdev(toint(privateIPLoginHistory[\u0027IPCount\u0027]))\\n)\\n// Some logins from private IPs\\n| where privateAverage \u003e avgthreshold\\n// There is a non-zero number of logins from public IPs\\n| where publicAverage \u003e avgthreshold\\n// Approximate probability of seeing login from a public IP is \u003c 1%\\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\\n| where probabilityPublic \u003c probabilityLimit\\n// Today has the highest number of logins from public IPs that we\u0027ve seen in the last week\\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\\n| where publicLoginCountToday \u003e= maxPublicLoginCount\\n| extend HostCustomEntity = HostName\\n// Optionally retrieve the original raw data for those logins that we\u0027ve identified as potentially suspect\\n// | join kind=rightsemi (\\n// ssh_logins\\n// | where ipType == \\\"public\\\"\\n// ) on HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New internet-exposed SSH 
endpoints\",\"description\":\"Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", 
\\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\nimDns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (Normalized DNS)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common 
currency mining pools.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"name\":\"1f6d7abe-2cb7-4a4c-aeca-91fe6bfad0b2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1189\",\"T1071\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Palo Alto Networks\",\"Fortinet\",\"Zscaler\",\"Check Point\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor of network connection logs from CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when the number of source IPs in a day accessing the URL is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily web requests threshold\",\"description\":\"Suppress anomalies when the number of daily web requests is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"25\",\"value\":\"4\",\"name\":\"Number of distinct URLs for the destination IP\",\"description\":\"Suppress anomalies when number of distinct URLs are less 
than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\"],\"displayName\":\"(Preview) Unusual web traffic detected with IP in URL path\",\"description\":\"This algorithm identifies unusual web requests which have a direct IP address as the host. This can be an attempt to bypass URL reputation services etc for \\nmalicious purposes. The anomaly filters all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. \\nAfter excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, \\nnumbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-05-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog 
(Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"name\":\"d7309cb9-b16b-4c7a-9e4b-3e9009bd373d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous Azure operations\",\"description\":\"This detection algorithm generates anomaly of a caller who performed sequence of an operation(s) which is uncommon in their workspace.\\nWe collect and featurize last 21 days of operation happened in the 
workspace grouped by the caller as a training data for ML algorithm.\\nThe trained model is used to score the operation performed by the caller on the test date and we tag those caller as anomaly whose error score is greater than given thershold.\\nFrom Security perspective, this anomaly will capture the caller along with operation performed on the test date which are not common in their workspace.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process 
Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom 
meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated 
\u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvent\",\"description\":\"Identifies a match in DnsEvent table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8266f81-2715-41a6-9062-42486cbc9c73\",\"name\":\"b8266f81-2715-41a6-9062-42486cbc9c73\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"named\\\" and 
Log_Type =~ \\\"client\\\"\\n| where isnotempty(ResponseCode)\\n| where ResponseCode =~ \\\"NXDOMAIN\\\"\\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"named\\\" and Log_Type =~ \\\"client\\\"\\n | where isnotempty(ResponseCode)\\n | where ResponseCode =~ \\\"NXDOMAIN\\\"\\n ) on Client_IP\\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"name\":\"25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"DCShadow\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Alsid DCShadow\",\"description\":\"Searches for DCShadow 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealthAgent Registry Key\\nlet aadConnectHealthRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\ADHealthAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = 
column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName startswith aadConnectHealthRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\\nDomainTIs\\n | join (\\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = 
Url\",\"customDetails\":{\"IndicatorId\":\"IndicatorId\",\"SourceIPAddress\":\"SrcIpAddr\",\"ThreatType\":\"ThreatType\",\"ConfidenceScore\":\"ConfidenceScore\",\"DnsQuery\":\"DnsQuery\",\"Description\":\"Description\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"QueryType\":\"QueryType\",\"DNSRequestTime\":\"DNS_TimeGenerated\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (Normalized DNS)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelDns).\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union ( \\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account 
!endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled 
Task.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\nlet PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (ago(starttime)..ago(endtime))\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where 
TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/622844c2-fc11-4efc-91e6-c05b06ab3008\",\"name\":\"622844c2-fc11-4efc-91e6-c05b06ab3008\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1001\",\"T1008\",\"T1071\",\"T1090\",\"T1095\",\"T1102\",\"T1104\",\"T1132\",\"T1205\",\"T1568\",\"T1571\",\"T1572\",\"T1573\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"25\",\"name\":\"Degree of source IPs\",\"description\":\"Suppress anomalies when degree of source IPs is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"30\",\"name\":\"Daily event count threshold\",\"description\":\"Suppress anomalies when daily event count is less than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"10\",\"maximum\":\"1000\",\"value\":\"60\",\"name\":\"Time delta threshold in 
seconds\",\"description\":\"Suppress anomalies when time delta in seconds between network connections is less than the chosen value\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"},{\"minimum\":\"50\",\"maximum\":\"100\",\"value\":\"75\",\"name\":\"Percent beaconing threshold\",\"description\":\"Generate an anomaly when percent beaconing is greater than the chosen value\",\"sequenceNumber\":4,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"(Preview) Detect machine generated network beaconing behavior\",\"description\":\"This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns.\\nAny network connection towards the untrusted public networks at repetitive time delta is an indication of malware callbacks or data exfiltration attempts. \\nThe anomaly will calculate time delta between consecutive network connection between same source and destination ip as well as count (Connections in time-delta sequence) of \\ntime-delta sequence between same source and destination. 
Percentage of beaconing is calculated between connections in time-delta sequence against total connections in a day.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32686052-5bed-48ef-9ffa-39fc7699f085\",\"name\":\"32686052-5bed-48ef-9ffa-39fc7699f085\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS API calls from Non-AWS source IP address from a user account id per workspace on a daily basis\",\"description\":\"This algorithm detects an unusually high volume of AWS API calls from Source IPs not in AWS Source IP ranges from one user account per workspace within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. 
This activity may indicate that the user account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"name\":\"2d8a60aa-c15e-442e-9ce3-ee924889d2a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \\\"Threat_Event\\\"\\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"CredentialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Threats detected by Eset\",\"description\":\"Escalates threats detected by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"name\":\"a5fe9489-cf8b-47ae-a87e-8f3a13e4203e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-NATIVE-ADM-GROUP-MEMBERS\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-PROTECTED-USERS-GROUP-UNUSED\\\", \\\"C-ADMINCOUNT-ACCOUNT-PROPS\\\", \\\"C-ADM-ACC-USAGE\\\", \\\"C-LAPS-UNSECURE-CONFIG\\\", \\\"C-DISABLED-ACCOUNTS-PRIV-GROUPS\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid privileged accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to privileged accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Azure Defender alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert (ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003e= TimeGenerated and Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious UM Service Error\",\"description\":\"This query looks for errors that 
may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", \\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", 
\\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account 
= SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n( imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"name\":\"3acf5617-7c41-4085-9a79-cc3a425ba83a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"OS Credential Dumping: LSASS Memory\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid LSASS Memory\",\"description\":\"Searches for OS Credentials dumping 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = 
tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003e= TimeGenerated and AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureNetworkAnalytics_CL_TimeGenerated,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, 
NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n );\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor 
=~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array 
EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"name\":\"fb9e0b51-8867-48d7-86f4-6e76f2176bf8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-ACCOUNTS-DANG-SID-HISTORY\\\", \\\"C-PRE-WIN2000-ACCESS-MEMBERS\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-SLEEPING-ACCOUNTS\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-PASSWORD-NOT-REQUIRED\\\", \\\"C-USER-PASSWORD\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid user accounts issues\",\"description\":\"Searches for triggered Indicators of Exposures related to user accounts 
issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29094df8-e0c7-4475-a74c-bda74a07affb\",\"name\":\"29094df8-e0c7-4475-a74c-bda74a07affb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account by logon types\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account by different logon types. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\\n| project TimeGenerated, UserPrincipalName, HourlyCount;\\nlet 
TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( \\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = 
UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), 
SidofAccountUsedToCreateUser = SubjectUserSid\\n| join (\\nSecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n)\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"name\":\"4f45f43b-3a4b-491b-9cbe-d649603384aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Legal Information\",\"description\":\"Display incidents in which highly sensitive legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"name\":\"200f05a2-db6e-4ff7-be83-bbc30b44755f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.3.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to user account\",\"description\":\"This algorithm detects an unusually high volume of successful logins per user account. The model is trained on the previous 21 days of security event ID 4624 on an account. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetectionV2_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct 
it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | project LatestIndicatorTime, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet 
recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non 
MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let PrivateIPregex = @\u0027^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\u0027;\\nlet aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where SourceIPType == \\\"public\\\"\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or 
isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], 
DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. 
Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = 
dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = \\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| 
extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: \\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", 
split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, 
baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail 
items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. 
\\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, 
\u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, \u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, 
FileHash, DNSName\\n),\\n(DnsEvents\\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend Type = \\\"DnsEvents\\\", IPAddress = ClientIP\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(imDns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = 
DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where Entities has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04
b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\\n)\\non $left.FileHashValue == $right.FileHash\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSecurityEvent_TimeGenerated, Process, FileHash, Computer, Account, Event\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC 
from TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\\n// are aggregated.\\nlet authfail = Syslog\\n| where Facility =~ \\\"authpriv\\\" // looks at authpriv messages\\n| where SyslogMessage contains \\\"authentication failure\\\" and SyslogMessage contains \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" ExternalIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \\n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\\nlet userfail = Syslog \\n| where Facility =~ \\\"authpriv\\\" \\n| where SyslogMessage contains \\\"user unknown\\\"\\n| project TimeGenerated, Computer, HostIP, ProcessID;\\n// Join the two log messages above\\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\\n// Extract the EventTime of the first logon attempt\\nlet firstfail = userauthfail\\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\\n// Extract the EventTime of the last logon attempt\\nlet lastfail = userauthfail\\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\\n// Count the number of failed logon attempts by External IP and internal machine\\nlet totalfails = userauthfail\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\\n// Combine total attempts with timing data from above\\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\\n| order by DestinationHost asc nulls last;\\nfinalfails \\n| where TotalLogonAttempts \u003e= threshold\\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = 
aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be compromised.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon 
events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"name\":\"fc1b7e7a-bc24-42c3-ad67-5c76c8fcb2d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".txt,.jpg,.mp4\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data within double quotes, example: \\\".txt,.jpg,.mp4\\\"\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"5\",\"maximum\":\"100\",\"value\":\"10\",\"name\":\"Minimum number of downgrades\",\"description\":\"Generate an anomaly when number of downgrade label is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Unusual mass downgrade AIP label\",\"description\":\"This algorithm detects unusual high volume of downgrade label activity in Azure Information Protection (AIP) logs.\\nIt considers \\\"AIP\\\" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of 
downgrade activity.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\nimDns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (imDns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = 
TimeGenerated, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (Normalized DNS)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins =\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons =\\nSecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"name\":\"543c9254-eb6f-4fdd-858d-783e0e3d5cb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1530\",\"T1213\",\"T1005\",\"T1039\",\"T1114\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\".msg,.jpg,.txt\",\"dataType\":\"string\",\"name\":\"File extension\",\"description\":\"Give comma separated file extension to exclude from source data, for example: .txt,.jpg,.mp4\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.9\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the error percentile is greater than chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Suspicious number of protected documents accessed\",\"description\":\"This algorithm is to detect high volume of access to protected documents in Azure Information Protection (AIP) logs. 
\\nIt considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given his/her historical behavior.\",\"lastUpdatedDateUTC\":\"2021-06-04T00:00:00Z\",\"createdDateUTC\":\"2021-02-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureInformationProtection\",\"dataTypes\":[\"InformationProtectionLogs_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where 
TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName =~ \u0027Add member to role (permanent)\u0027\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privleged Role Assigned Outside PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"SecurityEvent\\n| where EventID == 4738\\n// 2089 value indicates the Don\u0027t Expire Password value has been set\\n| where UserAccountControl has \\\"%%2089\\\" \\n| extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. 
\\n| extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \\n| extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"name\":\"2ca4e7fc-c61a-49e5-9736-5da8035c47e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 8;\\nCarbonBlackNotifications_CL\\n| where threatHunterInfo_score_d \u003e= threshold\\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\\n| project-away count_\\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Critical Threat Detected\",\"description\":\"This creates an incident in the event a critical threat was identified on a Carbon Black managed 
endpoint.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackNotifications_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = \\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| 
extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName in (IPList) \\n| project 
TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: 
\\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e 
msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with lage size where sent to the same recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = 
column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = 
makeset(Computer), ProcessSet = makeset(ProcessName) \\nby Account, IpAddress, AccountType, Activity, LogonTypeName\\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\\n) on Account, IpAddress\\n| extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. 
\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30dea201-74da-4141-8d21-8a18f0861d60\",\"name\":\"30dea201-74da-4141-8d21-8a18f0861d60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.02\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of AWS cloud trail logs events of group user account by EventTypeName\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log events per group user account by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction) within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on a group user account basis. 
This activity may indicate that the account is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-06-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix 
= tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived 
attachments.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nCommonSecurityLog_TimeGenerated, SourceIP, 
SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00282588-11e7-436d-90e8-011256c3c691\",\"name\":\"00282588-11e7-436d-90e8-011256c3c691\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027medium\u0027 or modelSeverity_s == \u0027low\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Medium \u0026 Low)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Medium \u0026 Low Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"name\":\"ef8654b1-b2cf-4f6c-ae5c-eca635a764e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity HR Information\",\"description\":\"Display incidents in which low sensitive HR information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mode = \u0027Blocked\u0027; \\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet minTime = ago(1d);\\nlet maxSessionWindow = 1h;\\nlet sessionBin = maxSessionWindow/2.0;\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027\\n| where action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\\n| extend duration = maxTime - minTime\\n| extend TimeKey = bin(SessionStarted, sessionBin)\\n| join kind = inner(\\nAzureDiagnostics\\n| where TimeGenerated \u003e minTime\\n| where Category == \u0027ApplicationGatewayAccessLog\u0027\\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, 
sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\\n| extend originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\")\\n| extend serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \\nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| where SessionBlockedCount \u003e SuccessfulAccessLogCount\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. 
The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/edc946ae-cba8-419f-8e90-309966895956\",\"name\":\"edc946ae-cba8-419f-8e90-309966895956\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Include regularly repeating anomalies for URI stems\",\"Exclude regularly repeating anomalies for URI stems\"],\"supportedValuesKql\":null,\"value\":\"Exclude regularly repeating anomalies for URI stems\",\"name\":\"Handle regularly repeating anomalies for URI stems\",\"description\":\"Choose to exclude URI stems that have been regularly occuring in the Anomalies table in Log Analytics.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":\".asp, .aspx, .armx, .asax, .ashz, .asmx, .axd, .cshtml, .php, .phps, .php3, .php4, .php5, .php7, .jsp, .jspx, .cfm, .cfml, .phtml\",\"exclude\":null,\"dataType\":\"string\",\"name\":\"Prioritize script suffixes of the URI stems\",\"description\":\"Give comma separated script suffixes of the URI stems that should be included in the prioritize field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"\",\"dataType\":\"string\",\"name\":\"Exclude noisy URI 
stems\",\"description\":\"Give comma separated URI stems that are frequently observing noisy sessions, and should be excluded from the Anomalies table in Log Analytics.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.2\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous web request activity\",\"description\":\"This algorithm groups the W3CIIS logs into per site name and per URI stem hourly sessions.\\nThe machine learning model identifies the sessions with anomalous requests that triggered response code 5xx in the last day.\\n5xx codes are an indication that some application instability or error condition has been triggered by the request.\\nThey can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability.\\n\\nThe algorithm uses 6 days of data for training.\\nIt identifies unusual high volume of web requests that generated respond code 5xx in the last 
day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"name\":\"4d500e6d-c984-43a3-9f39-7edec8dcc04d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n//The number of URI\u0027s seen to be suspicious, higher = less likely to be suspicious\\nlet uriThreshold = 1;\\nCommonSecurityLog\\n// Only look at connections that were allowed through the web proxy\\n| where DeviceVendor =~ \\\"Zscaler\\\" and DeviceAction =~ \\\"Allowed\\\"\\n// Only look where some data was exchanged.\\n| where SentBytes \u003e 0 and ReceivedBytes \u003e 0\\n// Extract the Domain\\n| extend Domain = iff(countof(DestinationHostName,\u0027.\u0027) \u003e= 2, strcat(split(DestinationHostName,\u0027.\u0027)[-2], \u0027.\u0027,split(DestinationHostName,\u0027.\u0027)[-1]), DestinationHostName)\\n| extend GetData=iff(RequestURL == \\\"?\\\", 1, 0)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\\n// Determine the number of URIs that have been visited for the domain\\n| extend destinationURI = arraylength(list_RequestURL)\\n| where destinationURI \u003c= uriThreshold\\n| 
where tostring(list_RequestURL) has_any(scriptExtensions)\\n//Remove matches with referer\\n| where max_RequestContext == \\\"\\\"\\n//Keep requests where data was trasferred either in a GET with parameters or a POST\\n| where set_RequestMethod in~ (\\\"POST\\\") or max_GetData == 1\\n//Defeat email click tracking, may increase FN\u0027s while decreasing FP\u0027s\\n| where list_RequestURL !has \\\"click\\\" and set_RequestMethod !has \\\"GET\\\"\\n| mvexpand list_RequestURL, list_DestinationIP\\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\\n//Extend custom entitites for incidents\\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Request for single resource on domain\",\"description\":\"This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL\u0027s delivered in emails. 
Developed for Zscaler but applicable to any outbound web logging.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(imDns\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPCustomEntity = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD 
CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend 
InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"name\":\"75ff4f7d-0564-4a55-8b25-a75be951cde3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet hr = 
\u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity HR Information\",\"description\":\"Display incidents in which medium sensitivity HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// 
Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"name\":\"e7277475-4e31-41c7-9997-0b8b3d7f00cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"valu
e\":\"0.01\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of failed login attempts to AWS Console by each source IP address\",\"description\":\"This algorithm detects an unusually high volume of AWS cloud trail log console failed login events per source IP address within the last day. The model is trained on the previous 21 days of AWS cloud trail log events on source IP address basis. This activity may indicate that the IP address is compromised.\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-08-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), 
Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n| union isfuzzy=true (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, 
EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, \u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = 
DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where 
Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2021-11-16T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\nSecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or 
TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\\nlet AC_Remove = \\nSecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"name\":\"472b7cf4-bf1a-4061-b9ab-9fe4894e3c17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-CLEARTEXT-PASSWORD\\\", \\\"C-PASSWORD-DONT-EXPIRE\\\", \\\"C-USER-REVER-PWDS\\\", \\\"C-PASSWORD-POLICY\\\", \\\"C-USER-PASSWORD\\\", \\\"C-KRBTGT-PASSWORD\\\", \\\"C-AAD-SSO-PASSWORD\\\", \\\"C-REVER-PWD-GPO\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password issues\",\"description\":\"Searches for triggered Indicators of Exposures related to password issues\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"name\":\"25bf2f45-1cf0-47d2-b394-a7b331d707b3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1133\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"No\",\"name\":\"Check for matching device\",\"description\":\"Suppress anomalies which are originated from the same device.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious geography change in Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a geographically new region that is not the same as the last region the day before, an anomaly 
will be generated.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ebb7386-6c99-4331-aab1-a185a603eb47\",\"name\":\"7ebb7386-6c99-4331-aab1-a185a603eb47\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Financial Information\",\"description\":\"Display incidents in which highly sensitive financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName 
= tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = 
strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", 
tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. 
An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = 
toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, 
DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: 
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"name\":\"a34d0338-eda0-42b5-8b93-32aae0d7a501\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID contains \\\"campaign\\\"\\n| where DeviceAction == \\\"START\\\"\\n| extend reason = extract(\\\"reason=(.+?)$\\\", 1, AdditionalExtensions)\\n| project-rename vectra_URL = DeviceCustomString4\\n| project Activity,SourceHostName, reason, vectra_URL\\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Vectra AI Detect - New Campaign Detected\",\"description\":\"Identifies when a new Campaign has been detected. 
This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-05-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), 
ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, 
OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"name\":\"7a58b253-0ef2-4248-b4e5-c350f15a8346\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 100;\\nSymantecProxySG \\n| where sc_filter_result =~ \\\"DENIED\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Excessive Denied Proxy Traffic\",\"description\":\"This alert creates an incident when a client generates an 
excessive amounts of denied proxy traffic.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = 
UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"name\":\"fb0f4a93-d8ad-4b54-9931-85bdb7550f90\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SymantecProxySG\\n| mv-expand cs_categories\\n| where cs_categories has_any (\\\"Suspicious\\\",\\\"phishing\\\", \\\"hacking\\\")\\n| summarize StartTime = 
min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"User Accessed Suspicious URL Categories\",\"description\":\"Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecProxySG\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", 
\\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually 
high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\\\$Volume){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv
4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\nlet ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nlet decodedPS = ProcessCreationEvents\\n| where CommandLine contains \\\" -encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, \u0027 \u0027)[0]), CommandLine\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\\n(decodedPS\\n| union \\n(ProcessCreationEvents\\n| where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\")\\n| where CommandLine !contains \\\"-encodedcommand\\\")\\n| extend StartTimeUtc = TimeGenerated\\n)\\n| where CommandLine matches regex regexEmpire\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line 
data.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), 
sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c5644575-4982-4a07-8884-b11ec2866dc3\",\"name\":\"c5644575-4982-4a07-8884-b11ec2866dc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"srcdomain1\\\\account1, srcdomain1\\\\account1\",\"dataType\":\"string\",\"name\":\"Source user allowlist\",\"description\":\"Enter comma separated source usernames to be suppressed while triggering anomalies. 
This should be within double quotes and is case sensitive, example: \\\"srcdomain1\\\\\\\\account1, srcdomain2\\\\\\\\account2\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"prioritize\":null,\"exclude\":\"account1, account2\",\"dataType\":\"string\",\"name\":\"Destination user allowlist\",\"description\":\"Enter comma separated destination usernames to be suppressed while triggering anomalies. This should be within double quotes and is case sensitive, example: \\\"account1, account2\\\"\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":null,\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous local account creation\",\"description\":\"This algorithm is to detect anomalous local account creation on windows systems. Adversaries may create local accounts to maintain access to victim systems.\\nThis algorithm analyzes historical local account creation activity (14 days) by users and compare with current day to find similar activity from the users who were not \\npreviously seen in historical activity. 
You can further customize the allowlist to filter known users from triggering this anomaly.\",\"lastUpdatedDateUTC\":\"2021-09-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue 
has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, 
make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-26T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward 
after the last login activity [default: 60min]\\nlet projectedEndTime = 60min; \\n//Get Teams successful signins globally\\nlet aadFunc = (tableName:string){\\nlet signinData =\\n table(tableName)\\n | where AppDisplayName has \\\"Teams\\\"\\n | where ConditionalAccessStatus =~ \\\"success\\\"\\n | extend country = tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(country) and isnotempty(IPAddress);\\n// Collect successful signins to teams\\nlet loginEvents = \\n signinData\\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n//Calcualte delta between logins\\nlet loginDelta =\\n loginEvents\\n | summarize max(count_), min(count_) by UserPrincipalName\\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\\n | where delta \u003e= deltaThreshold;\\n//Count number of countries used to sign in\\nlet countryCount =\\n loginEvents\\n | summarize Countries = dcount(country) by UserPrincipalName;\\n//Join delta and sign in counts to successful logins\\nloginDelta\\n| join kind=rightouter (\\n loginEvents\\n) on UserPrincipalName\\n| join kind=rightouter (\\n countryCount\\n) on UserPrincipalName\\n//Check where the record meets the minimum required countries\\n| where Countries \u003e= minimumCountries\\n| join kind=leftouter (\\n signinData\\n | summarize count() by country\\n | join (\\n //Now get the total number of logins from any country and join it to the previous count in a single table\\n signinData\\n | summarize count() by country\\n | summarize sum(count_), make_list(country)\\n | mv-expand list_country\\n | extend country = tostring(list_country)\\n ) on country\\n | summarize by country, count_, sum_count_\\n //Now calculate each countries prevalence within login events\\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\\n | project-away sum_count_\\n | order by prevalence\\n) on country\\n//The % that suspicious country is prevalent in 
data, this can be configured, less than 10% is uncommon\\n| where prevalence \u003c countryPrevalenceThreshold\\n| where min_count_ == count_\\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\\n| extend EventTimes = list_TimeGenerated\\n| extend SuspiciousIP = IPAddress\\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\\n//Teams join to collect operations the user account has performed within the given time range\\n| join kind=inner( \\n OfficeActivity\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\\n) on $left.UserPrincipalName == $right.UserId\\n| mv-expand StartTime = EventTimes\\n| extend StartTime = make_datetime(StartTime)\\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\\n//Limit to operations carried out by the user account in the timeframe the IP was active\\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n//Filter on suspicious actions\\n| extend activitySummary = pack(tostring(StartTime), pack(\\\"Operation\\\",tostring(Operation), \\\"OperationTime\\\", OperationTime))\\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was 
active.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = 
Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in 
(top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"name\":\"c775a46b-21b1-46d7-afa6-37e3e577a27b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\nSymantecVIP\\n| where isnotempty(RADIUSAuth)\\n| where RADIUSAuth =~ \\\"Reject\\\"\\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\\n| where Total \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = 
User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Failed Authentication from Invalid Inputs\",\"description\":\"Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SymantecVIP\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nimDns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR 
proxies (Normalized DNS)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"name\":\"c1d4a005-e220-4d06-9e53-7326a22b8fe4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet goverence = \u0027Goverence Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == goverence\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Governance Information\",\"description\":\"Display incidents in which medium sensitivity governance information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in 
(IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL \\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = 
EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Chia crypto IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", 
\\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, 
SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = FileHash, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = EventDetail.[4].[\\\"#text\\\"] , CommandLine = EventDetail.[10].[\\\"#text\\\"], Account = UserName, FileHash = EventDetail.[17].[\\\"#text\\\"] , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash\\n),\\n( SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = 
SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a602940-4153-4045-a741-3bf15591ae29\",\"name\":\"8a602940-4153-4045-a741-3bf15591ae29\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted computer bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts to each computer. The model is trained on the previous 21 days of security event ID 4625 on a computer. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, FileHashCustomEntity = 
TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up 
only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003e= TimeGenerated and CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, CommonSecurityLog_TimeGenerated, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to 
PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. 
ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. 
Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project 
IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp 
in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), 
\\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscr
iptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = 
iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39e48890-2c02-487e-aa9e-3ba494061798\",\"name\":\"39e48890-2c02-487e-aa9e-3ba494061798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to 
only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\n//default threshold is 7 (meaning a threat score of 70)\\nlet severity_threshold = 7.0;\\n//Map by default to High Severity in Sentinel\\nlet Severity = \\\"High\\\";\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\"\\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| where todecimal(LogSeverity) \u003e= severity_threshold\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity, 
Activity\\n| sort by TimeGenerated\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Detections with High Severity\",\"description\":\"Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \\nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
\\nThe severity_threshold variable can be adjusted as desired.\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend TargetUserName = tolower(TargetUserName)\\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\\n | extend SecurityEvent_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003e= TimeGenerated and SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project 
LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"name\":\"8e0403b1-07f8-4865-b2e9-74d1e83200a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = 14d;\\nlet time_generated_bucket = 1h;\\nlet min_urgency = 9;\\nlet maxTimeGeneratedBucket = toscalar(\\n CyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe)\\n | summarize max(bin(TimeGenerated, time_generated_bucket))\\n );\\nCyberpionActionItems_CL\\n | where TimeGenerated \u003e ago(timeframe) and is_open_b == true\\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\\n | where urgency_d \u003e= min_urgency\\n | extend timestamp = opening_datetime_t\\n | extend DNSCustomEntity = host_s\",\"entityMappings\":[{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Urgency Cyberpion Action Items\",\"description\":\"This query creates an alert for active 
Cyberpion Action Items with high urgency (9-10).\\n Urgency can be altered using the \\\"min_urgency\\\" variable in the query.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CyberpionSecurityLogs\",\"dataTypes\":[\"CyberpionActionItems_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"Microsoft.Compute/virtualMachines/runCommand/action\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Succeeded\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = 
tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by 
PowershellFileName, InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevelance, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, 
HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operations executing a unique powershell script\",\"description\":\"Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2021-10-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"name\":\"2926ce29-08d2-4654-b2e8-7d8df70095d9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == governance\\n| where 
TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Governance Information\",\"description\":\"Display incidents in which highly sensitive governance information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", 
\\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| where Process !in (aadConnectHealthProcs)\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n| summarize count() by ProcessName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here 
https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"name\":\"ffe3625d-a933-4f63-b192-7e6ebf3be5fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account. The model is trained on the previous 21 days of security event ID 4625 on an account. 
It indicates anomalous high volume of failed login attempts in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-12-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when there Signin burst from multiple locations in GitHub (AAD 
SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = 
split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, 
Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let 
SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and 
DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f86885f-f31f-4e66-a39d-352771ee789e\",\"name\":\"9f86885f-f31f-4e66-a39d-352771ee789e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CarbonBlackEvents_CL\\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\\n| where targetApp_effectiveReputation_s =~ \\\"KNOWN_MALWARE\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = 
deviceDetails_deviceIpAddress_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"Known Malware Detected\",\"description\":\"This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"VMwareCarbonBlack\",\"dataTypes\":[\"CarbonBlackEvents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027,\u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"name\":\"9c712bb2-08dc-44d3-b66b-af154dfc1c4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.2.8\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.07\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer\",\"description\":\"This algorithm detects an unusually high volume of successful logins per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins in the last day\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2020-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is 
currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains 
\\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = 
VMProcess\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security 
groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA 
prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", \\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", 
\\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend IPAddress = ClientIP\\n),\\n(imDns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where 
((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 - ASIM\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44e80f00-b4f5-486b-a57d-4073746276df\",\"name\":\"44e80f00-b4f5-486b-a57d-4073746276df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet business = \u0027Business Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == business\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive Business Information\",\"description\":\"Display incidents in which highly sensitive business information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog data.\\n References:\\n - 
https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary 
hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. \\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process 
Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on 
Url\\n| where Audit_TimeGenerated \u003e= TimeGenerated and Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nAudit_TimeGenerated, OperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| 
where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\nSecurityEvent \\n| where TimeGenerated \u003e ago(2*timeframe) \\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n| join kind= inner (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe) \\n // A user account was deleted \\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), 
TargetSid\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Succeeded\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"name\":\"16d55bbb-8c54-4c1d-8537-521824e76bb6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.2\",\"techniques\":[\"T1114\",\"T1213\",\"T1098\",\"T1136\",\"T1137\",\"T1505\",\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"values\":[\"Distinct number of operations\",\"Distinct number of ClientInfoString\",\"Distinct number of mailboxes\",\"Number of operations\",\"Distinct number of IP addresses\",\"Distinct number of /24 subnets\",\"Distinct number of /16 subnets\",\"Number of MessageBind operations\",\"Number of FolderBind operations\",\"Number of UpdateInboxRules operations\",\"Number of MailItemsAccessed operations\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Top reason for high anomaly score\",\"description\":\"Include only anomalies where the top reason is one of these 
values.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.6\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous user activities in Office Exchange\",\"description\":\"This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one\\nhour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users.\\nIt indicates anomalous user Office Exchange sessions in the last day.\\nThis algorithm checks for sufficient volume of data before training the model.\\n\\nAn autoencoder model is used.\\nIts aim is to compress the user Office Exchange sessions into a bottleneck encoding.\\nIt then attempts to reconstruct the input sessions as best it can from the bottleneck encoding.\\nThe sessions with high reconstruction errors are assumed to be anomalous.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2021-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ \\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), 
AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch 
== \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or 
CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) 
or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = 
CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U software.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = 
srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"name\":\"57e56fc9-417a-4f41-a579-5475aea7b8ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 1000;\\nInfobloxNIOS\\n| where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| join kind=inner (InfobloxNIOS\\n | where ProcessName =~ \\\"dhcpd\\\" and Log_Type =~ \\\"DHCPREQUEST\\\"\\n ) on ServerIP\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
ServerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Potential DHCP Starvation Attack\",\"description\":\"This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"name\":\"e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nlet FailedEvents = Okta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\\n| where dcount_actor_alternateId_s \u003e FailureThreshold\\n| project client_ipAddress_s, TimeGenerated;\\nOkta_CL\\n| where eventType_s =~ \\\"user.session.start\\\"and outcome_reason_s in (\\\"VERIFICATION_ERROR\\\",\\\"INVALID_CREDENTIALS\\\")\\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\\n| sort by TimeGenerated desc\\n| extend timestamp = TimeGenerated, 
IPCustomEntity = client_ipAddress_s\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack\",\"description\":\"This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"name\":\"93c4b361-ea7d-40f4-9ca6-e501cdef9c53\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.1.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"values\":[\"\\\\%%2305-The specified user account has expired\",\"\\\\%%2309-The specified account\u0027s password has expired\",\"\\\\%%2310-Account currently disabled\",\"\\\\%%2311-Account logon time restriction violation\",\"\\\\%%2312-User not allowed to logon 
at this computer\",\"\\\\%%2313-Unknown user name or bad password\",\"\\\\%%2307-Account locked out\",\"\\\\%%2304-An Error occurred during Logon\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Failure Reasons\",\"description\":\"Include only selected failure reasons in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.3\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account bruteforce per failure reason\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per failure reason. The model is trained on the previous 21 days of security event ID 4625 on an account and a failure reason. 
It indicates anomalous high volume of failed login attempts with certain failure reason in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| 
extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3c658bd-8da9-4372-82e4-aaffa922f428\",\"name\":\"d3c658bd-8da9-4372-82e4-aaffa922f428\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| 
where MessageType == 2 and Codename == \\\"DCSync\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid DCSync\",\"description\":\"Searches for DCSync attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New 
Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent =\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 
ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *;\\nlet Kerbevent23h = Kerbevent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = 
ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. 
This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| 
mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| extend p = parse_json(Parameters)\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", tostring(OfficeObjectId),\\n Operation =~ \\\"New-TransportRule\\\", tostring(p[1].Value),\\n \\\"Unknown\\\"\\n ) \\n| mvexpand p\\n| where (p.Name =~ \\\"BlindCopyTo\\\" or p.Name =~ \\\"RedirectMessageTo\\\") and isnotempty(p.Value)\\n| extend RedirectTo = p.Value\\n| extend ClientIPOnly = case( \\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"-\\\")[0]), \\n ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\n ClientIP\\n ) \\n| extend Port = case(\\n ClientIP has \\\".\\\" and ClientIP has \\\":\\\", 
(split(ClientIP,\\\":\\\")[1]),\\n ClientIP has \\\".\\\" and ClientIP has \\\"-\\\", (split(ClientIP,\\\"-\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\":\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\n ClientIP has \\\"[\\\" and ClientIP has \\\"-\\\", tostring(split(ClientIP,\\\"]-\\\")[1]),\\n ClientIP\\n )\\n| extend ClientIP = ClientIPOnly\\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where 
TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated , Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault 
logsfrom any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = 
cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | 
extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, AzureActivity_TimeGenerated,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue,\\nOperationNameValue, ActivityStatusValue, ResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"name\":\"d2e40c79-fe8c-428e-8cb9-0e2282d4558c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet governance = \u0027Governance Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == governance\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Governance Information\",\"description\":\"Display incidents in which low sensitivity governance information] was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other 
accounts.\\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"name\":\"9e20eb4e-cc0d-4349-a99d-cad756859dfb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Password Spraying\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Password Spraying\",\"description\":\"Searches for Password spraying 
attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n 
\u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack tools\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find 
the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211108.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == TenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f209187f-1d17-4431-94af-c141bf5f23db\",\"name\":\"f209187f-1d17-4431-94af-c141bf5f23db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1136\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.4\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Persistence\"],\"displayName\":\"(Preview) Anomalous Account Creation\",\"description\":\"Adversaries may create an account to maintain access to victim systems. 
With a sufficient level of access,\\ncreating such accounts may be used to establish secondary credentialed access\\nthat do not require persistent remote access tools to be deployed on the system.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34663177-8abf-4db1-b0a4-5683ab273f44\",\"name\":\"34663177-8abf-4db1-b0a4-5683ab273f44\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nPulseConnectSecure\\n| where Messages contains \\\"Login failed\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Potential Brute Force Attempts\",\"description\":\"This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS 
lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| 
where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.2\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| 
where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where 
OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\\nConsent to applications with these permissions should be rare, 
especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, 
PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = 
arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? 
Action:\u0027 Action\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027,1,DestinationHost)\\n | where not(ipv4_is_private(DestinationAddress))\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.DestinationAddress\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, SourceAddress\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = 
tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or 
ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, 
GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(DnsEvents \\n| extend DNSName = Name\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = ClientIP\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with 
\\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (DomainNames) \\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. 
\\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 
1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated,\\nAlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"name\":\"8374ec0f-d857-4c17-b1e7-93d11800f8fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Legal Information\",\"description\":\"Display incidents in which low sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06107abb-1b68-4fdc-841b-8a1ff9301467\",\"name\":\"06107abb-1b68-4fdc-841b-8a1ff9301467\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1030\",\"T1041\",\"T1011\",\"T1567\",\"T1029\",\"T1537\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.87\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive Downloads via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects unusually high volume of download per user account via Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. 
It indicates anomalous high volume of downloads in the last day.\",\"lastUpdatedDateUTC\":\"2021-06-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n| join (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n //Extract domain patterns from message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\", 1, 
tolower(Entities))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column extract hostname and IP address\\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\\n | extend HostName = iif(EntityType == \u0027host\u0027, EntityHostName, \u0027\u0027)\\n | extend IP_addr = iif(EntityType == \u0027ip\u0027, EntityAddress, \u0027\u0027)\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003e= TimeGenerated and Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Alert_TimeGenerated, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map 
Domain entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog \\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where AdditionalExtensions !has \\\"reason=aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where AdditionalExtensions !has \\\"reason=tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port 
scanning\",\"description\":\"Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \\n| join kind=inner (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime) \\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection 
count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily \\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"name\":\"9c27cee8-0a33-4abe-8683-212c0a98fc28\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.1\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Suspicious volume of logins to computer with elevated token\",\"description\":\"This algorithm detects an unusually high volume of successful logins with elevated token per computer. The model is trained on the previous 21 days of security event ID 4624 on a computer. 
It indicates anomalous high volume of successful logins with administrator privileges in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"name\":\"84ad2f8a-b64c-49bc-b669-bdb4fd3071e9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"eset_CL\\n| where event_type_s == \u0027FilteredWebsites_Event\u0027\\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\",\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Web sites blocked by Eset\",\"description\":\"Create alert on web sites blocked by 
Eset.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"EsetSMC\",\"dataTypes\":[\"eset_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, 
false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName, Id\\n| where TimeGenerated \u003e TimeGenerated1\\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| 
extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"name\":\"8546330c-e1fb-422a-9388-5c09e9a8f4ca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1133\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.8\",\"name\":\"Score\",\"description\":\"Generate an anomaly when a region rarity score is less than the threshold.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"100\",\"value\":\"100\",\"name\":\"Minimum users per region\",\"description\":\"whitelist an anomaly if the number of users from a rare region is greater than this limit.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\",\"LateralMovement\"],\"displayName\":\"(Preview) Login from an unusual region via Palo Alto GlobalProtect account logins\",\"description\":\"When a Palo Alto GlobalProtect account logs in from a source region that has rarely been logged in\\nfrom during the last 14 
days, an anomaly is triggered. This anomaly may indicate that the account\\nhas been compromised.\",\"lastUpdatedDateUTC\":\"2021-06-07T00:00:00Z\",\"createdDateUTC\":\"2021-06-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and 
$left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend 
HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"name\":\"2bb167bf-3951-435b-a932-8b03bfde0a2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.3\",\"techniques\":[\"T1046\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"accept\",\"allow\",\"start\"],\"values\":[\"accept\",\"allow\",\"start\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Device action\",\"description\":\"Include only these specific device 
actions\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"53,67,80,8080,123,137,138,443,445,3389\",\"dataType\":\"string\",\"name\":\"Exclude ports\",\"description\":\"Provide a comma separated list to exclude specific ports from source data. This should be within double quotes, example: \\\"53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination IP count\",\"description\":\"The minimum distinct destination IP count per hour required for inclusion. Default is 600. This is an OR condition with destination port count.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"minimum\":\"1\",\"maximum\":\"60000000\",\"value\":\"600\",\"name\":\"Destination port count\",\"description\":\"The minimum distinct destination port count per hour required for inclusion. Default is 600. This is an OR condition with destination IP count.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"IP ratio\",\"description\":\"The distinct source IP (always 1) to distinct destination IP count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). This is an OR condition with port ratio.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0.00\",\"maximum\":\"1.00\",\"value\":\"1.00\",\"name\":\"Port ratio\",\"description\":\"The distinct source port to distinct destination port count with a default minimum ratio of 1.00 or lower (converted to Base 10 to the -4 power of original value). 
This is an OR condition with IP Ratio.\",\"sequenceNumber\":3,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) Anomalous scanning activity\",\"description\":\"The Scanning Activity anomaly is looking to determine if there is potential port scanning anomaly in an environment coming from a single source IP to one or more destination IPs. \\nThe algorithm takes into account whether the IP is public, meaning external, or private, meaning internal, and the event is marked accordingly. Only private to public or public \\nto private is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially \\nexploited and used for ingress or lateral movement.\\nA high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate \\nanomalous scanning. 
Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.\\nConfiguration details -\\nJob run default is daily, with hourly bins\\nThe algorithm uses the following defaults to limit the results based on hourly bins, each is configurable\\n-\u003e Included device actions - accept, allow, start\\n-\u003e Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389\\n-\u003e Distinct destination port count \u003e= 600\\n-\u003e Distinct source port count \u003e= 600\\n-\u003e Distinct source port count divided by distinct destination port, ratio converted to percent \u003e= 99.99\\n-\u003e Source IP (always 1) divided by destination IP, ratio converted to percent \u003e= 99.99\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = 
(tableName:string){\\nIdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| mv-expand AssignedRoles\\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\\n| where Roles contains \\\"Admin\\\"\\n| distinct Roles, AccountUPN\\n| join kind=inner (\\n // Failed Signins attempts with reasoning related to MFA.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n) on $left.AccountUPN == $right.UserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \\n| project TimeGenerated, Roles, UserPrincipalName\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join kind=inner ( 
\\nunion isfuzzy=true aadSignin, aadNonInt\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. 
Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2021-11-01T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = 
iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003e= TimeGenerated and AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AWSCloudTrail_TimeGenerated,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"name\":\"c097bfdb-8b4b-4a98-b74d-1871ffd50a03\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.6\",\"techniques\":[\"T1110\"],\"customizableObservations\":{\"multiSelectObservations\":[{\"supportedValues\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"values\":[\"2-Interactive\",\"3-Network\",\"4-Batch\",\"5-Service\",\"7-Unlock\",\"8-NetworkCleartext\",\"9-NewCredentials\",\"10-RemoteInteractive\",\"11-CachedInteractive\"],\"supportedValuesKql\":null,\"valuesKql\":null,\"name\":\"Logon Types\",\"description\":\"Include only selected logon types in anomaly results.\",\"sequenceNumber\":0,\"rerun\":\"NotRequired\"}],\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0.03\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"NotRequired\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"(Preview) Attempted user account 
bruteforce per logon type\",\"description\":\"This algorithm detects an unusually high volume of failed login attempts per user account per logon type. The model is trained on the previous 21 days of security event ID 4625 on an account and a logon type. It indicates anomalous high volume of failed login attempts with certain logon type in the last day.\",\"lastUpdatedDateUTC\":\"2021-10-06T00:00:00Z\",\"createdDateUTC\":\"2021-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"name\":\"2954d424-f786-4677-9ffc-c24c44c6e7d5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nOkta_CL\\n| where column_ifexists(\u0027published_t\u0027, now()) \u003e= timeframe\\n| where eventType_s =~ \\\"user.session.start\\\"\\n| where outcome_result_s =~ \\\"SUCCESS\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Login from Different Countries within 3 hours\",\"description\":\"This query searches for successful user 
logins to the Okta Console from different countries within 3 hours\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OktaSSO\",\"dataTypes\":[\"Okta_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has \\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = 
tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let timeframe = 60m;\\nlet lookback = 10m;\\nlet account_created =\\nAuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | 
extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\nAADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\nAuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\nAuditLogs\\n | where OperationName contains \\\"Update application - Certificates and secrets management\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\nAuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n |summarize make_list(AssignedRoles) by AppID;\\naccount_created \\n | join kind= inner (account_activity) on AppID, AppID \\n | join kind= inner (account_deleted) on AppID, AppID \\n | join kind= inner (account_credentials) on AppID, AppID \\n | join kind= inner (roles_assigned) on AppID, AppID\\n | 
where deletionTime - creationTime \u003c lookback\\n | where tolong(deletionTime - creationTime) \u003e= 0\\n | where creationTime \u003e ago(timeframe)\\n | extend AliveTime = deletionTime - creationTime\\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = 
todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.2\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"name\":\"60eb6cf0-3fa1-44c1-b1fe-220fbee23d63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\" ) \\nlet configured_level = dynamic([\\\"Low\\\", \\\"Medium\\\", \\\"High\\\", \\\"Critical\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| where DeviceEventClassID == \\\"hsc\\\"\\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| project-rename score_decreases = DeviceCustomString3\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 
50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| where level in (configured_level) \\n//keep only the event with the highest threat score per Host\\n| summarize arg_max(threat_score, *) by SourceHostName\\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspected Compromised Host\",\"description\":\"Create an incident when a Host is suspected to be compromised. \\nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \\nLevel of severity are: Low, Medium, High, Critical). 
Recommended configuration is to trigger an alert for at least High and Critical.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03401f05-5c45-4f2d-9295-092764090e02\",\"name\":\"03401f05-5c45-4f2d-9295-092764090e02\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"2.0.0\",\"techniques\":[\"T1078\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Yes\",\"No\"],\"supportedValuesKql\":null,\"value\":\"Yes\",\"name\":\"Use region adjacency\",\"description\":\"Suppress anomalies originated from two adjacent regions.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"2\",\"name\":\"Minimum daily regions for anomaly\",\"description\":\"Generate an anomaly when a user logs in from this many or more regions in a day\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"DefenseEvasion\"],\"displayName\":\"(Preview) Multi-region logins in a single day via Palo Alto GlobalProtect\",\"description\":\"This algorithm detects a user account which had logins from multiple non-adjacent regions in a single day via Palo Alto 
VPN.\",\"lastUpdatedDateUTC\":\"2021-07-13T00:00:00Z\",\"createdDateUTC\":\"2021-04-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\\n(DnsEvents \\n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\\n(imDns (domain_has_any=DomainNames)\\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPAddress = RemoteIp, Host = Computer),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| 
where Category == \\\"AzureFirewallDnsProxy\\\"\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| extend DNSName = Request_Name\\n| extend IPAddress = ClientIP),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost)\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Cloud App Security\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert 
(MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"name\":\"77171efa-4502-4ab7-9d23-d12305ff5a5e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let lowRisk = 1;\\nlet financial = \u0027Financial Information\u0027;\\nCognniIncidents_CL \\n| where Severity == lowRisk\\n| where informationType_s == financial\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Low Sensitivity Financial Information\",\"description\":\"Display incidents in which low sensitivity financial information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, 
HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.2.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2021-11-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", 
@\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"MD5\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization 
parsers](https://aka.ms/AzSentinelProcessEvent)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. 
\\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity 
= iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003e= TimeGenerated and VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, VMConnection_TimeGenerated,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and 
DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = 
TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure 
Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"name\":\"3caa67ef-8ed3-4ab5-baf2-3850d3667f3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nafad_parser\\n| where MessageType == 2\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Indicators of Attack\",\"description\":\"Searches for triggered Indicators of Attack\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain 
authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, 
TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between (1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpos\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"version\":\"1.0.0\",\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSGuardDuty\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Azure Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert 
(ASC for IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"name\":\"6cb75f65-231f-46c4-a0b3-50ff21ee6ed3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\") \\nlet configured_tactics = dynamic([\\\"COMMAND \u0026 CONTROL\\\", \\\"BOTNET ACTIVITY\\\", \\\"EXFILTRATION\\\", \\\"LATERAL MOVEMENT\\\", \\\"RECONNAISSANCE\\\"]);\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Vectra Networks\\\"\\n| where DeviceProduct == \\\"X Series\\\"\\n| 
where DeviceEventClassID != \\\"campaigns\\\" and DeviceEventClassID != \\\"hsc\\\" and DeviceEventClassID != \\\"audit\\\" and DeviceEventClassID != \\\"health\\\" and DeviceEventClassID != \\\"asc\\\" \\n| extend Category = extract(\\\"cat=(.+?);\\\", 1, AdditionalExtensions) \\n| project-rename threat_score = FlexNumber1\\n| project-rename certainty_score = FlexNumber2\\n| project-rename triaged = DeviceCustomString5\\n| project-rename vectra_URL = DeviceCustomString4\\n| project-rename detection_name = DeviceEventClassID\\n| extend Tactic = case( Category == \\\"COMMAND \u0026 CONTROL\\\", \\\"CommandAndControl\\\",\\n Category == \\\"BOTNET ACTIVITY\\\" , \\\"Impact\\\",\\n Category == \\\"EXFILTRATION\\\", \\\"Exfiltration\\\",\\n Category == \\\"LATERAL MOVEMENT\\\", \\\"LateralMovement\\\",\\n Category == \\\"RECONNAISSANCE\\\", \\\"Discovery\\\",\\n \\\"UNKNOWN\\\")\\n| extend level = case( threat_score \u003c 50 and certainty_score \u003c 50, \\\"Low\\\",\\n threat_score \u003c 50 and certainty_score \u003e= 50 , \\\"Medium\\\", \\n threat_score \u003e= 50 and certainty_score \u003c= 50, \\\"High\\\", \\n threat_score \u003e= 50 and certainty_score \u003e= 50, \\\"Critical\\\",\\n \\\"UNKNOWN\\\")\\n| extend Severity = case( level == \\\"Low\\\", \\\"Low\\\",\\n level == \\\"Medium\\\", \\\"Medium\\\",\\n level == \\\"High\\\", \\\"Medium\\\",\\n level == \\\"Critical\\\", \\\"High\\\",\\n \\\"UNKNOWN\\\")\\n| extend account = extract(\\\"account=(.+?);\\\", 1, AdditionalExtensions)\\n| extend upn = iff(account matches regex \\\":\\\", tostring(split(account,\\\":\\\")[1]) ,tostring(split(account,\\\":\\\")[0])) \\n| extend source_entity = case( isnotempty(upn), upn,\\n isnotempty(SourceHostName), SourceHostName,\\n \\\"UNKNWON\\\") \\n| where Category in (configured_tactics) \\n| summarize arg_max(threat_score, *) by source_entity , Activity\\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, 
certainty_score, triaged, vectra_URL\\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\",\"Discovery\",\"LateralMovement\",\"Collection\",\"CommandAndControl\",\"Exfiltration\",\"Impact\"],\"displayName\":\"Vectra AI Detect - Suspicious Behaviors\",\"description\":\"Create an incident for each new malicious behavior detected by Vectra Detect. \\nBy default, it looks through all tactics. 
This can be modified to create incident only for a subset of tactics.\",\"lastUpdatedDateUTC\":\"2021-11-21T00:00:00Z\",\"createdDateUTC\":\"2021-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AIVectraDetect\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| 
where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. \\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", 
\\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", \\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, Host = Computer \\n| where DestinationIPAddress has_any (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(imDns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(VMConnection \\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \\n| where SourceIp in (IPList) or DestinationIp in (IPList) \\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer \\n), \\n(Event \\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" \\n| where EventID == 3 \\n| extend EvData = parse_xml(EventData) \\n| extend EventDetail = EvData.DataItem.EventData.Data \\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"] \\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\") \\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2021-11-25T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}
,{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nlet PrivateIPregex = @\\\"^127\\\\.|^10\\\\.|^172\\\\.1[6-9]\\\\.|^172\\\\.2[0-9]\\\\.|^172\\\\.3[0-1]\\\\.|^192\\\\.168\\\\.\\\"; // exclude destinations that fall into this category\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\\\"private\\\" ,\\\"public\\\" )\\n| where DestinationIPType == \\\"public\\\"\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), 
sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we 
ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. 
Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create 
a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. 
]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 30d;\\nlet knownrecipients = ProofpointPOD\\n| where 
TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen 
recipient.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct 
TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, \\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = 
UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet 
releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject 
malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| 
mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = 
InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert (OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, 
UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d645a88-2724-41a7-adea-db74c439cf79\",\"name\":\"3d645a88-2724-41a7-adea-db74c439cf79\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\nSophosXGFirewall\\n| where Log_Type =~ \\\"Firewall\\\" and Status =~ \\\"Deny\\\"\\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\\n| where count_ \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
Src_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Excessive Amount of Denied Connections from a Single Source\",\"description\":\"This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SophosXGFirewall\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, 
Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE 
version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e 
ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, 
UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details 
endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend 
TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = 
tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format 
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95514e77-1b23-4f05-817c-ae363c53aad3\",\"name\":\"95514e77-1b23-4f05-817c-ae363c53aad3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.4\",\"techniques\":[\"T1030\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"10000\",\"value\":\"10\",\"name\":\"Hourly event count threshold\",\"description\":\"Suppress anomalies when hourly event count is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Unusual network volume anomaly\",\"description\":\"This algorithm is to detect unusually high volume of connections in 
network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match 
availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003e= TimeGenerated and AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AzureActivity_TimeGenerated,\\nTI_ipEntity, CallerIpAddress, Caller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= 
ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 
50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"name\":\"0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let threshold = 100;\\nTrendMicro_XDR_CL \\n| where modelSeverity_s == \u0027high\u0027 or modelSeverity_s == \u0027critical\u0027\\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"displayName\":\"Create Incident for XDR Alerts (Critical \u0026 High)\",\"description\":\"This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. 
(Critical \u0026 High Serverity Alerts)\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicroXDR\",\"dataTypes\":[\"TrendMicro_XDR_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Add user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| join 
kind=inner (AuditLogs\\n| where OperationName =~ \\\"Delete user\\\"\\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\\n| extend timedelta = TimeGenerated1 - TimeGenerated\\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\\n| where timedelta \u003c timespan(24h) and timedelta \u003e timespan(0h)\\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", 
\\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"OSName\":\"OSName\",\"OSType\":\"OSType\",\"HostIp\":\"ComputerIP\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI 
Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2021-11-18T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"name\":\"9649e203-3cb7-47ff-89a9-42f2a5eefe31\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let SeverityTable=datatable(Severity:string,Level:int) [\\n\\\"low\\\", 1,\\n\\\"medium\\\", 2,\\n\\\"high\\\", 3,\\n\\\"critical\\\", 4\\n];\\nlet codeNameList = datatable(Codename:string)[\\\"C-PRIV-ACCOUNTS-SPN\\\", \\\"C-SDPROP-CONSISTENCY\\\", \\\"C-DANG-PRIMGROUPID\\\", \\\"C-GPO-HARDENING\\\", \\\"C-DC-ACCESS-CONSISTENCY\\\", \\\"C-DANGEROUS-TRUST-RELATIONSHIP\\\", \\\"C-UNCONST-DELEG\\\", \\\"C-ABNORMAL-ENTRIES-IN-SCHEMA\\\"];\\nafad_parser\\n| where MessageType == 0 and Codename in~ (codeNameList)\\n| lookup kind=leftouter SeverityTable on Severity\\n| order by 
Level\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Active Directory attacks pathways\",\"description\":\"Searches for triggered Indicators of Exposures related to Active Directory attacks pathways\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = 
tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional 
Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", \\\"13.ns1.dns-info.gq\\\", 
\\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", \\\"62.ns1.dns-info.gq\\\", 
\\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", \\\"goallbandungtravel.com\\\", 
\\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", \\\"outlookservce.site\\\", \\n 
\\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | 
where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (DnsEvents \\n | extend DNSName = Name \\n | where isnotempty(DNSName) \\n | where DNSName has_any (DomainNames) \\n | extend IPAddress = ClientIP \\n ), \\n (imDns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (DomainNames) \\n | extend DNSName = Request_Name\\n | extend IPAddress = ClientIP \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.3.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsi
ghts/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project 
AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let 
SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = 
materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-05-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where Operation =~ \\\"Set-Mailbox\\\"\\n| where Parameters has \\\"ForwardingSmtpAddress\\\"\\n| extend parsed = parse_json(Parameters)\\n| mv-expand parsed\\n| where parsed.Name == \\\"ForwardingSmtpAddress\\\"\\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\\n| where isnotempty(fwdingDestination)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[0]), \\nClientIP has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP has \u0027]:\u0027, 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[0]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_,\\\"]\\\")[0]))),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\" and ClientIP has \u0027:\u0027, tostring(split(ClientIP,\\\":\\\")[1]), \\nClientIP has \\\".\\\" and ClientIP has \u0027-\u0027, tostring(split(ClientIP,\\\"-\\\")[1]), \\nClientIP has \u0027]-\u0027, tostring(split(ClientIP,\\\"]-\\\")[1]), \\nClientIP has \u0027]:\u0027, tostring(split(ClientIP,\\\"]:\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027:\u0027, tostring(split(ClientIP_,\\\":\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \\\".\\\" and ClientIP_ has \u0027-\u0027, tostring(split(ClientIP_,\\\"-\\\")[1]), \\nisempty(ClientIP) and ClientIP_ has \u0027]-\u0027, tostring(split(ClientIP_,\\\"]-\\\")[1]),\\nisempty(ClientIP) and ClientIP_ has \u0027]:\u0027, tostring(split(ClientIP_,\\\"]:\\\")[1]),\\nisnotempty(ClientIP), ClientIP,\\nisnotempty(ClientIP_), ClientIP_,\\n\\\"IP Not Available\\\"\\n)\\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \\nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId\\n| extend UserId = tostring(UserId), Ports 
= tostring(Ports)\\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = 
extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n| join 
(\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \\n) on Url\\n| where OfficeActivity_TimeGenerated \u003e= TimeGenerated and OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, OfficeActivity_TimeGenerated, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. 
\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1fa1528e-f746-4794-8a41-14827f4cb798\",\"name\":\"1fa1528e-f746-4794-8a41-14827f4cb798\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let threshold = 100;\\nPulseConnectSecure\\n| where Messages startswith \\\"Login failed\\\"\\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\\n| where dcount_User \u003e threshold\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"PulseConnectSecure - Large Number of Distinct Failed User Logins\",\"description\":\"This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN 
server\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n (union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = 
DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = split(Image, \u0027\\\\\\\\\u0027, -1)[-1], FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any 
(file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"SHA256\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewal
l\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nimAuthentication\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\\n , FailureCount = countif(EventResult==\u0027Failure\u0027)\\n , SuccessCount = countif(EventResult==\u0027Success\u0027) \\n // might be improved by counting FailReason:Outdated as Success.\\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user highlighting multiple authentication failures \\nand by a successful authentication within a given time window. 
\\n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"name\":\"8a12afde-ed27-46ac-a5ef-392e3d4f071f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1190\",\"T1505\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"1\",\"2\",\"3\"],\"supportedValuesKql\":null,\"value\":\"3\",\"name\":\"Number of reasons for anomalous activity\",\"description\":\"Provide explanations for the specified number of reasons why a W3CIIS session is anomalous.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Distinct number of methods\",\"Distinct number of uri queries\",\"Distinct number of uri stems\",\"Distinct number of statuses\",\"Distinct number of user agents\",\"Total number of operations\",\"Total number of http verbs\",\"Total number of http statuses\",\"None\"],\"supportedValuesKql\":null,\"value\":\"None\",\"name\":\"Display anomalies for a specific top reason\",\"description\":\"Display anomalies only where the top reason is specified in the checklist.\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"supportedValues\":[\"Public IPs\",\"Private IPs\",\"All 
IPs\"],\"supportedValuesKql\":null,\"value\":\"All IPs\",\"name\":\"Display anomalies for public, private, or all IPs\",\"description\":\"Choose to display anomalies for public, private, or all IPs.\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":null,\"dataType\":\"string\",\"name\":\"Exclude client IPs from the anomalies generated\",\"description\":\"Enter comma separated client IPs (prefixed client IP entities supported) that the anomalies should not display results for, in the exclude field.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"0.0\",\"maximum\":\"1.0\",\"value\":\"0.7\",\"name\":\"Score\",\"description\":\"Generate an anomaly when the anomaly score is greater than or equal to the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"(Preview) Anomalous W3CIIS logs activity\",\"description\":\"This anomaly indicates anomalous W3CIIS sessions within the last day, due to reasons such as a high number of distinct uri queries, specific http verbs or http statuses, user agents, or an unusually high number of logs in a session.\\nThe machine learning algorithm identifies unusual W3CIIS log events within an hourly session, grouped by site name and client IP.\\nThe model is trained on the previous 7 days of W3CIIS activity, using an autoencoder. 
The algorithm checks for sufficient volume of W3CIIS activity before training the model.\\nThe autoencoder compressess these site name/client IP sessions using a bottleneck encoding, and reconstructs the input sessions using a decoder.\\nSessions with high reconstruction errors are marked as anomalous.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, AppService_TimeGenerated, TI_ipEntity, CsUsername, WebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"version\":\"1.1.1\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-13T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"name\":\"21ab3f52-6d79-47e3-97f8-ad65f2cb29fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"afad_parser\\n| where MessageType == 2 and Codename == \\\"Golden Ticket\\\"\",\"entityMappings\":[],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Alsid Golden Ticket\",\"description\":\"Searches for Golden Ticket attacks\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AlsidForAD\",\"dataTypes\":[\"AlsidForADLog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let threshold = 
20;\\nSecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus 
=~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. 
To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for 
users addeing agents to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.1\",\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName;\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2018-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af7fd11a-f305-44e1-8f46-f31580a15eab\",\"name\":\"af7fd11a-f305-44e1-8f46-f31580a15eab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.0\",\"techniques\":[\"T1074\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":[{\"prioritize\":null,\"exclude\":\"app@sharepoint,user@example.com\",\"dataType\":\"string\",\"name\":\"User allowlist\",\"description\":\"Enter comma separated userids to be suppressed while triggering anomalies. 
This should be within double quotes and is case insensitive, example: \\\"user@exmaple.com, app@sharepoint\\\"\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"thresholdObservations\":[{\"minimum\":\"10\",\"maximum\":\"100\",\"value\":\"25\",\"name\":\"Number of distinct files dowloaded per day\",\"description\":\"Suppress anomalies when daily number of distinct files downloaded per day is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"2\",\"maximum\":\"10\",\"value\":\"3\",\"name\":\"Number of standard deviations\",\"description\":\"Triggers anomalies when number of standard deviations is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Collection\"],\"displayName\":\"(Preview) Potential data staging\",\"description\":\"The algorithm compares the downloads of distinct files on a per user basis from the previous week with the downloads for the current day for each user and \\nan anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. 
\\nCurrently the algorithm only analyze commonly seen files during exfiltration of type documents, images, videos and archives with the extensions\\n[\\\"doc\\\",\\\"docx\\\",\\\"xls\\\",\\\"xlsx\\\",\\\"xlsm\\\",\\\"ppt\\\",\\\"pptx\\\",\\\"one\\\",\\\"pdf\\\",\\\"zip\\\",\\\"rar\\\",\\\"bmp\\\",\\\"jpg\\\",\\\"mp3\\\",\\\"mp4\\\",\\\"mov\\\"].\",\"lastUpdatedDateUTC\":\"2021-08-24T00:00:00Z\",\"createdDateUTC\":\"2021-08-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Exchange)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, 
Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"name\":\"23850aa1-37d3-4b4b-9f39-4ebf5feb59fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.5\",\"techniques\":[\"T1011\",\"T1029\",\"T1030\",\"T1041\",\"T1011\",\"T1537\",\"T1567\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":[{\"supportedValues\":[\"Akamai\",\"Aruba Networks\",\"Check Point\",\"Dell\",\"Forcepoint\",\"Fortinet\",\"McAfee\",\"Palo Alto Networks\",\"SonicWall\",\"Trend Micro\",\"Vectra Networks\",\"Zscaler\"],\"supportedValuesKql\":null,\"value\":\"Palo Alto Networks\",\"name\":\"Device vendor\",\"description\":\"Select device vendor reporting network connection logs to CommonSecurityLog\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"}],\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"1\",\"maximum\":\"10000\",\"value\":\"1\",\"name\":\"Hourly data transfer threshold in MB\",\"description\":\"Suppress anomalies when hourly data transfered (in 
MB) per hour is less than the chosen value\",\"sequenceNumber\":1,\"rerun\":\"RerunAlways\"},{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\".98\",\"name\":\"Score\",\"description\":\"Generate an anomaly when score is greater than the chosen value\",\"sequenceNumber\":2,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Exfiltration\"],\"displayName\":\"(Preview) Excessive data transfer anomaly\",\"description\":\"This algorithm is to detect unusually high data transfer seen in network logs. \\nIt uses time series to decompose the data into seasonal, trend and residual components to \\ncalculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.\",\"lastUpdatedDateUTC\":\"2021-07-10T00:00:00Z\",\"createdDateUTC\":\"2021-04-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", 
\\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), 
tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.1.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC 
time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/db750607-d48f-4aef-b238-085f4a9882f1\",\"name\":\"db750607-d48f-4aef-b238-085f4a9882f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let mediumRisk = 2;\\nlet legal = \u0027Legal Information\u0027;\\nCognniIncidents_CL \\n| where Severity == mediumRisk\\n| where informationType_s == legal\\n| where TimeGenerated \u003e= ago(5h)\\n| extend AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Medium Sensitivity Legal Information\",\"description\":\"Display incidents in which medium sensitivity legal information was placed at risk by user 
sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8595d264-2f64-442d-b293-4e16dffc9882\",\"name\":\"8595d264-2f64-442d-b293-4e16dffc9882\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Anomaly\",\"properties\":{\"severity\":\"Informational\",\"anomalyDefinitionVersion\":\"1.0.1\",\"techniques\":[\"T1059\"],\"customizableObservations\":{\"multiSelectObservations\":null,\"singleSelectObservations\":null,\"prioritizeExcludeObservations\":null,\"thresholdObservations\":[{\"minimum\":\"0\",\"maximum\":\"1\",\"value\":\"0\",\"name\":\"Anomaly score threshold\",\"description\":\"Generate an anomaly when the anomaly score is greater than the chosen value.\",\"sequenceNumber\":0,\"rerun\":\"RerunAlways\"}],\"singleValueObservations\":null},\"frequency\":\"P1D\",\"tactics\":[\"Execution\"],\"displayName\":\"(Preview) Anomalous Code Execution\",\"description\":\"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.\\nThese interfaces and languages provide ways of interacting with computer systems\\nand are a common feature across many different 
platforms.\",\"lastUpdatedDateUTC\":\"2021-07-26T00:00:00Z\",\"createdDateUTC\":\"2021-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n( fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n | union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n| join (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.FileHashValue == $right.FileHash\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by FileHashValue\\n| project LatestIndicatorTime, FileHashValue, FileHashType, Description, ThreatType, \\nCommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, 
DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2021-10-30T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68846cf-ec99-497d-9ce1-80a9441564fb\",\"name\":\"f68846cf-ec99-497d-9ce1-80a9441564fb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"High\",\"query\":\"let highRisk = 3;\\nlet hr = \u0027HR Information\u0027;\\nCognniIncidents_CL \\n| where Severity == highRisk\\n| where informationType_s == hr\\n| where TimeGenerated \u003e= ago(5h)\\n| extend 
AccountCustomEntity = userId_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Collection\"],\"displayName\":\"Cognni Incidents for Highly Sensitive HR Information\",\"description\":\"Display incidents in which highly sensitive HR information was placed at risk by user sharing.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-05-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CognniSentinelDataConnector\",\"dataTypes\":[\"CognniIncidents_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"version\":\"2.0.0\",\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and 
isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"version\":\"1.0.0\",\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "170" ], - "x-ms-client-request-id": [ "b8c53d8e-cc22-4686-86be-c4722bd12ca0" ], + "x-ms-unique-id": [ 
"171" ], + "x-ms-client-request-id": [ "7292037b-c81e-4636-b914-ae3bfa13f78f" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11988" ], - "x-ms-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], - "x-ms-correlation-request-id": [ "a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015418Z:a75b22f0-4c1e-4f1c-ad86-7ff9baf9725f" ], + "x-ms-request-id": [ "3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], + "x-ms-correlation-request-id": [ "3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183115Z:3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:15 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2430" ], + "Content-Length": [ "2408" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. 
On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Palo Alto Networks\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json index 30cbc5d44324..43ff3e74f9dd 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "171" ], - "x-ms-client-request-id": [ "89eee22f-9145-4286-b477-5e07ac0c3d51" ], + "x-ms-unique-id": [ "172" ], + "x-ms-client-request-id": [ "a82481c7-3284-48c3-81c3-78e40efd704b" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], - "x-ms-correlation-request-id": [ "d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015439Z:d26d4155-c9e7-49c2-a5d4-6e57259a343f" ], + "x-ms-request-id": [ "af94b9af-c24c-4bed-87a3-008616e11d79" ], + "x-ms-correlation-request-id": [ "af94b9af-c24c-4bed-87a3-008616e11d79" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:af94b9af-c24c-4bed-87a3-008616e11d79" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "6768" ], + "Content-Length": [ "6468" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"name\":\"a3adc54b-e32d-4c80-8af2-988f5d59f102\",\"etag\":\"\\\"79001a91-0000-0100-0000-61b5512a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRule0cjsva\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:26Z\",\"createdTimeUtc\":\"2021-12-12T01:32:26Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/61701d90-8353-4d61-b435-f9905a31142d\",\"name\":\"61701d90-8353-4d61-b435-f9905a31142d\",\"etag\":\"\\\"79002696-0000-0100-0000-61b551880000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulezi05h4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:34:00Z\",\"createdTimeUtc\":\"2021-12-12T01:34:00Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/632f22f0-6b77-433b-bc93-6e56ae21a844\",\"name\":\"632f22f0-6b77-433b-bc93-6e56ae21a844\",\"etag\":\"\\\"030052b1-0000-0100-0000-62e422020000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRuletdnlpa\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:02Z\",\"createdTimeUtc\":\"2022-07-29T18:08:02Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"name\":\"c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"etag\":\"\\\"030056b1-0000-0100-0000-62e422200000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRuledlcn6a\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:32Z\",\"createdTimeUtc\":\"2022-07-29T18:08:32Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"030058b1-0000-0100-0000-62e422460000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:10Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/21451d32-deaf-4698-9f46-8fc02bc5e632\",\"name\":\"21451d32-deaf-4698-9f46-8fc02bc5e632\",\"etag\":\"\\\"03005fb1-0000-0100-0000-62e422690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRules3o6wd\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:45Z\",\"createdTimeUtc\":\"2022-07-29T18:09:45Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "172" ], - "x-ms-client-request-id": [ "0e920e48-4286-4f8b-8c5b-6fce44d2b068" ], + "x-ms-unique-id": [ "173" ], + "x-ms-client-request-id": [ "1c8e25e2-b597-49cc-bb3f-bb666affca08" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
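Review bot: The re-recorded `Content` bodies in this hunk (the `+ "Content":` value spanning the List response) commit a real operator mailbox in `lastModifiedBy.email` / `userPrincipalName` together with live tenant, subscription and object IDs, while the recorder only redacts `Authorization` as `[Filtered]`. These recordings are shipped in the public repository, so the identity fields should be scrubbed the same way the auth header is — either by a sanitizer rule in the playback framework that rewrites `email`, `userPrincipalName` and `tenantId` to fixed placeholders, or by recording under a dedicated service identity rather than a personal account. The following `Get` hunk in this file starts at `@@ -65,35 +65,35 @@` but its new `Content` line is cut off at the end of this view, so I have not checked whether it carries the same fields.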
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], - "x-ms-correlation-request-id": [ "e7262c18-b846-43b8-8dae-834cb4c09b11" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:e7262c18-b846-43b8-8dae-834cb4c09b11" ], + "x-ms-request-id": [ "7b68d952-0c12-4bce-a4ab-d724e878add6" ], + "x-ms-correlation-request-id": [ "7b68d952-0c12-4bce-a4ab-d724e878add6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:7b68d952-0c12-4bce-a4ab-d724e878add6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1346" ], + "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "173" ], - "x-ms-client-request-id": [ "2ffef0f0-16f6-4651-b9fb-dab342d27d78" ], + "x-ms-unique-id": [ "174" ], + "x-ms-client-request-id": [ "2c9eb621-d3fc-4173-982c-216113c027cc" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
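Review bot: The re-recorded response bodies on the `+` side of this hunk commit the recording user's real identity data into a public test fixture — `"email":"nicholas@zeronetworks.com"`, the matching `userPrincipalName`, the AAD `objectId` and `tenantId`, and the live subscription id — while only the `Authorization` header is reduced to `[Filtered]`. These recordings are generated, but they are checked in, so the sanitizer that strips the bearer token should also rewrite `createdBy`/`lastModifiedBy` and `actionConfiguration.tenantId` to placeholder values (for example a fixed dummy GUID and `user@contoso.com`) before commit, or a post-recording scrub step should do it. If the playback matcher compares `Content-Length`, the substituted values must keep the byte length unchanged or the header must be regenerated; I cannot tell from this hunk which the framework does. The same fields recur in the neighbouring hunks of this file and in the bookmark recordings that follow, so the scrub belongs in the recording pipeline rather than in a one-off edit.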
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], - "x-ms-correlation-request-id": [ "afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:afd4f5f1-3f95-4119-8816-76e3cacf6c7b" ], + "x-ms-request-id": [ "e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], + "x-ms-correlation-request-id": [ "e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1346" ], + "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/34534660-0566-46ea-98f2-4f5ff70d51e4?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "174" ], - "x-ms-client-request-id": [ "83ac92cd-0958-49e1-8e9f-389a5e155aab" ], + "x-ms-unique-id": [ "175" ], + "x-ms-client-request-id": [ "f1438bec-49a4-47d6-a042-84ebe9e0e494" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], - "x-ms-correlation-request-id": [ "4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015440Z:4ddec940-73a6-424f-a5cd-df17f2ad68c7" ], + "x-ms-request-id": [ "271f5497-9234-4d3d-850a-bff63b2d00a3" ], + "x-ms-correlation-request-id": [ "271f5497-9234-4d3d-850a-bff63b2d00a3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183118Z:271f5497-9234-4d3d-850a-bff63b2d00a3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:54:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1346" ], + "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/34534660-0566-46ea-98f2-4f5ff70d51e4\",\"name\":\"34534660-0566-46ea-98f2-4f5ff70d51e4\",\"etag\":\"\\\"7900c58f-0000-0100-0000-61b5510c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulezbilmf\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:31:56Z\",\"createdTimeUtc\":\"2021-12-12T01:31:56Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json index f7ed885ded11..9a23bb6f8fab 100644 --- a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "175" ], - "x-ms-client-request-id": [ "913eb8f4-b416-43b1-b3fc-75e5faabe775" ], + "x-ms-unique-id": [ "176" ], + "x-ms-client-request-id": [ "fa019330-1d79-4c09-9803-f02f8e9c2a23" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11987" ], - "x-ms-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ], - "x-ms-correlation-request-id": [ "435df7cf-2c49-4ca6-826f-3431e381252f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:435df7cf-2c49-4ca6-826f-3431e381252f" ], + "x-ms-request-id": [ "68fd7679-c950-4056-a487-cffbdeb6962a" ], + "x-ms-correlation-request-id": [ "68fd7679-c950-4056-a487-cffbdeb6962a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:68fd7679-c950-4056-a487-cffbdeb6962a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:18 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "44318" ], + "Content-Length": [ "43830" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/9ff7b322-3212-4574-bfad-4408206875f8\",\"name\":\"9ff7b322-3212-4574-bfad-4408206875f8\",\"etag\":\"\\\"6b02bf99-0000-0100-0000-61b551c50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmarkorux9k\",\"created\":\"2021-12-12T01:35:01.4256876+00:00\",\"updated\":\"2021-12-12T01:35:01.4256876+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"name\":\"e19c0b42-e8cf-4fae-8690-7d632b11beaf\",\"etag\":\"\\\"6b02e6a2-0000-0100-0000-61b552250000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmark63g7uz\",\"created\":\"2021-12-12T01:36:37.0345164+00:00\",\"updated\":\"2021-12-12T01:36:37.0345164+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"name\":\"b35d430d-02ac-4025-a10e-32cd2ffbe46b\",\"etag\":\"\\\"6b02e1a5-0000-0100-0000-61b552440000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkq42uhy\",\"created\":\"2021-12-12T01:37:08.7269486+00:00\",\"updated\":\"2021-12-12T01:37:08.7269486+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b\",\"name\":\"5df694bf-7774-49cf-a84b-282fd43a926b\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNamezks1qr\",\"created\":\"2021-12-12T01:37:40.5117261+00:00\",\"updated\":\"2021-12-12T01:37:40.5117261+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"relationName\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888\",\"name\":\"20d8a730-18a5-4a76-9420-a32e46ce5888\",\"etag\":\"\\\"6b020aad-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamepvhuk4\",\"created\":\"2021-12-12T01:38:11.2924904+00:00\",\"updated\":\"2021-12-12T01:38:11.2924904+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"relationName\":\"adad6e56-9f94-4fba-ba3b-96f4616cdf68\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"name\":\"675541b3-2ae4-4199-b3b3-59f4b6c1f5b4\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNamexlrb8u\",\"created\":\"2021-12-12T01:38:41.8962323+00:00\",\"updated\":\"2021-12-12T01:38:41.8962323+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"relationName\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"name\":\"6548e330-d18d-4690-b6fa-b5ba7f5eac27\",\"etag\":\"\\\"6b0226b3-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamecawzes\",\"created\":\"2021-12-12T01:39:13.5533963+00:00\",\"updated\":\"2021-12-12T01:39:13.5533963+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"relationName\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"name\":\"463b2e8b-17c1-48d6-94a3-7443b0ba2cbf\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkName5modef\",\"created\":\"2021-12-12T01:39:43.9875375+00:00\",\"updated\":\"2021-12-12T01:39:43.9875375+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"relationName\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"etag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"title\":\"GetincidentRelationIncidentNamerea364\",\"relationName\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"name\":\"ee0bcd82-8a83-41c3-8f97-9502c91951ec\",\"etag\":\"\\\"6b02abc7-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkName72z1my\",\"created\":\"2021-12-12T01:49:07.7080162+00:00\",\"updated\":\"2021-12-12T01:49:07.7080162+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"relationName\":\"969e8896-2438-40e6-9455-f5fd9b30d396\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"name\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"etag\":\"\\\"6b025fc8-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNamebtlx8k\",\"created\":\"2021-12-12T01:49:38.6183798+00:00\",\"updated\":\"2021-12-12T01:49:38.6183798+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"relationName\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/201247f4-bb20-4a3b-8e89-3609968c888f\",\"name\":\"201247f4-bb20-4a3b-8e89-3609968c888f\",\"etag\":\"\\\"6b02fac8-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkNamewqmnkf\",\"created\":\"2021-12-12T01:50:09.9581751+00:00\",\"updated\":\"2021-12-12T01:50:09.9581751+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"relationName\":\"defc1116-f142-4647-a377-6869110f6e77\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"name\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"etag\":\"\\\"6b028ec9-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkNamehd50fa\",\"created\":\"2021-12-12T01:50:40.6751074+00:00\",\"updated\":\"2021-12-12T01:50:40.6751074+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"relationName\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"severity\":\"Informational\"}}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128\",\"name\":\"a8dfd8ae-256a-44fb-a72c-0fb43307c128\",\"etag\":\"\\\"01007093-0000-0100-0000-62e422a30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmarkbu2rns\",\"created\":\"2022-07-29T18:10:43.713377+00:00\",\"updated\":\"2022-07-29T18:10:43.713377+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5\",\"name\":\"1064e218-7849-4caf-993c-93373d0c6ce5\",\"etag\":\"\\\"01007193-0000-0100-0000-62e422c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkdr69tz\",\"created\":\"2022-07-29T18:11:15.4410362+00:00\",\"updated\":\"2022-07-29T18:11:15.4410362+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"01007393-0000-0100-0000-62e422e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkdytufp\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:11:48.096609+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/f73c7f57-f526-4119-9dc6-07c693c5309b\",\"name\":\"f73c7f57-f526-4119-9dc6-07c693c5309b\",\"etag\":\"\\\"01007493-0000-0100-0000-62e423030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkpulz5j\",\"created\":\"2022-07-29T18:12:19.6896524+00:00\",\"updated\":\"2022-07-29T18:12:19.6896524+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c\",\"name\":\"2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c\",\"etag\":\"\\\"01007793-0000-0100-0000-62e423240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarko9kf32\",\"created\":\"2022-07-29T18:12:52.2378424+00:00\",\"updated\":\"2022-07-29T18:12:52.2378424+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a\",\"name\":\"72c19fb6-dca6-4381-9175-229d52e8908a\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNameqen0ym\",\"created\":\"2022-07-29T18:13:22.0780891+00:00\",\"updated\":\"2022-07-29T18:13:22.0780891+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"relationName\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4\",\"name\":\"3e29d94a-e491-42d0-97d4-7a7f3e4725b4\",\"etag\":\"\\\"01008393-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamej8c2iu\",\"created\":\"2022-07-29T18:13:52.4505914+00:00\",\"updated\":\"2022-07-29T18:13:52.4505914+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"relationName\":\"edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c\",\"name\":\"a34d217c-2b9d-4b72-b7d9-5a3850f0f17c\",\"etag\":\"\\\"01008593-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNameu6v1fs\",\"created\":\"2022-07-29T18:14:24.4254193+00:00\",\"updated\":\"2022-07-29T18:14:24.4254193+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"relationName\":\"3416cbe9-ea30-4e98-aead-419270c45bf8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91\",\"name\":\"9b38dab1-2c2e-4c71-809d-95301194aa91\",\"etag\":\"\\\"01008793-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNameuxbzmh\",\"created\":\"2022-07-29T18:14:55.6456911+00:00\",\"updated\":\"2022-07-29T18:14:55.6456911+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"relationName\":\"382966e8-f4b2-444c-b4e8-514194ff8544\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec\",\"name\":\"04b58a5a-2a5e-47e2-9c22-3cd6229599ec\",\"etag\":\"\\\"01008993-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkNamelv8k2z\",\"created\":\"2022-07-29T18:15:27.205325+00:00\",\"updated\":\"2022-07-29T18:15:27.205325+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"relationName\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"name\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"etag\":\"\\\"0100b593-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkName0eyhda\",\"created\":\"2022-07-29T18:27:31.0896601+00:00\",\"updated\":\"2022-07-29T18:27:31.0896601+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"title\":\"GetincidentRelationIncidentNamentimyo\",\"relationName\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/5c0c39f4-96c8-4054-8b78-69edbf33a92f\",\"name\":\"5c0c39f4-96c8-4054-8b78-69edbf33a92f\",\"etag\":\"\\\"0100b893-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkNamem6df2w\",\"created\":\"2022-07-29T18:28:02.3972388+00:00\",\"updated\":\"2022-07-29T18:28:02.3972388+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"relationName\":\"33ce22e5-46d5-4249-9e1a-06495ad77a1a\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"name\":\"e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"etag\":\"\\\"0100c493-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkName32qtdl\",\"created\":\"2022-07-29T18:28:34.4037226+00:00\",\"updated\":\"2022-07-29T18:28:34.4037226+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"relationName\":\"fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/f2f5a5bb-f894-4441-b6c7-b7c9d95193d1\",\"name\":\"f2f5a5bb-f894-4441-b6c7-b7c9d95193d1\",\"etag\":\"\\\"0100c793-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkName0rvjph\",\"created\":\"2022-07-29T18:29:05.846489+00:00\",\"updated\":\"2022-07-29T18:29:05.846489+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"relationName\":\"986b271a-b0de-4c02-bb6a-f7df9e484025\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"name\":\"90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"etag\":\"\\\"0100c993-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkName0wac48\",\"created\":\"2022-07-29T18:29:37.1166016+00:00\",\"updated\":\"2022-07-29T18:29:37.1166016+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"relationName\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"severity\":\"Informational\"}}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "176" ], - "x-ms-client-request-id": [ "1573c77a-d964-4b7c-87fb-64bbad1506b7" ], + "x-ms-unique-id": [ "177" ], + "x-ms-client-request-id": [ "a044777f-5113-46ca-b173-a41f0fae1949" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11986" ], - "x-ms-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], - "x-ms-correlation-request-id": [ "a6f0c3d0-7492-4d18-8d26-2dde17901092" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:a6f0c3d0-7492-4d18-8d26-2dde17901092" ], + "x-ms-request-id": [ "fed89bac-d640-4012-b30a-b8c0065bcbad" ], + "x-ms-correlation-request-id": [ "fed89bac-d640-4012-b30a-b8c0065bcbad" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:fed89bac-d640-4012-b30a-b8c0065bcbad" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5318" ], + "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "177" ], - "x-ms-client-request-id": [ "47087007-a3e4-469e-bb34-f20498017770" ], + "x-ms-unique-id": [ "178" ], + "x-ms-client-request-id": [ "7f17c942-dda4-41fd-a508-b8da604eb080" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11985" ], - "x-ms-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], - "x-ms-correlation-request-id": [ "2b897cfc-05a9-49e1-a794-53629eac9f2e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:2b897cfc-05a9-49e1-a794-53629eac9f2e" ], + "x-ms-request-id": [ "8840281d-4aac-447e-b560-b44205e245a7" ], + "x-ms-correlation-request-id": [ "8840281d-4aac-447e-b560-b44205e245a7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:8840281d-4aac-447e-b560-b44205e245a7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5318" ], + "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "178" ], - "x-ms-client-request-id": [ "f3557608-69db-46dc-8c5b-6943a35806c3" ], + "x-ms-unique-id": [ "179" ], + "x-ms-client-request-id": [ "fa1debc2-995e-473d-9a24-8d943eff80cf" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11984" ], - "x-ms-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], - "x-ms-correlation-request-id": [ "6f86cf92-90a8-42fd-9138-36bc918877b7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015502Z:6f86cf92-90a8-42fd-9138-36bc918877b7" ], + "x-ms-request-id": [ "b6a5069a-dac9-438a-8829-d574d1de3a82" ], + "x-ms-correlation-request-id": [ "b6a5069a-dac9-438a-8829-d574d1de3a82" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:b6a5069a-dac9-438a-8829-d574d1de3a82" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5318" ], + "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"name\":\"6eca09df-59e8-44f1-b96e-d316b4d3ad08\",\"etag\":\"\\\"6b027c97-0000-0100-0000-61b551a60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmark3k6sjz\",\"created\":\"2021-12-12T01:34:30.6913373+00:00\",\"updated\":\"2021-12-12T01:34:30.6913373+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json index a12690eee6e3..117ffd3cc6fa 100644 --- a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "179" ], - "x-ms-client-request-id": [ "ec3b8cab-30fa-4cc8-ab80-a8e87156cf78" ], + "x-ms-unique-id": [ "180" ], + "x-ms-client-request-id": [ "5bbdb4ac-027a-4224-af6a-0504b06b47d2" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], 
"Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11983" ], - "x-ms-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], - "x-ms-correlation-request-id": [ "94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:94232814-f7a6-47aa-9c6e-7e3a5ef63aa7" ], + "x-ms-request-id": [ "164cd14c-55a1-41a8-870b-a741ab0535ea" ], + "x-ms-correlation-request-id": [ "164cd14c-55a1-41a8-870b-a741ab0535ea" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183120Z:164cd14c-55a1-41a8-870b-a741ab0535ea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "180" ], - "x-ms-client-request-id": [ "797ffe9f-42a7-4f8e-85b6-b6139680dbc7" ], + "x-ms-unique-id": [ "181" ], + "x-ms-client-request-id": [ "30bead21-c0ce-4d9d-848f-1713ae4d6823" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11982" ], - "x-ms-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], - "x-ms-correlation-request-id": [ "1643ccf9-e232-4827-b91d-0a71ba3574bf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:1643ccf9-e232-4827-b91d-0a71ba3574bf" ], + "x-ms-request-id": [ "5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], + "x-ms-correlation-request-id": [ "5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "181" ], - "x-ms-client-request-id": [ "44689ac9-3345-4e7e-afda-2ffe63d7fb90" ], + "x-ms-unique-id": [ "182" ], + "x-ms-client-request-id": [ "05d5e748-190e-4048-ad11-44853e2f455d" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11981" ], - "x-ms-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], - "x-ms-correlation-request-id": [ "bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:bdbb996e-6c8c-49a3-b263-7b584bf9230e" ], + "x-ms-request-id": [ "26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], + "x-ms-correlation-request-id": [ "26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "182" ], - "x-ms-client-request-id": [ "578d2294-6c45-4278-b066-4cc314dc7c98" ], + "x-ms-unique-id": [ "183" ], + "x-ms-client-request-id": [ "0f30c4d5-7a40-4f24-b044-8f6a0baf278e" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11980" ], - "x-ms-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], - "x-ms-correlation-request-id": [ "557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015523Z:557a6e40-c70c-43a5-9cbc-a10d9f72ffb0" ], + "x-ms-request-id": [ "d8056e50-a564-4c3f-a370-acf5e04170c5" ], + "x-ms-correlation-request-id": [ "d8056e50-a564-4c3f-a370-acf5e04170c5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:d8056e50-a564-4c3f-a370-acf5e04170c5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/5df694bf-7774-49cf-a84b-282fd43a926b/relations/4a09f636-6002-4389-80a1-b6a357af8225\",\"name\":\"4a09f636-6002-4389-80a1-b6a357af8225\",\"etag\":\"\\\"6b0265a9-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceName\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json index 595c82678ef5..7eaf3c67688d 100644 --- a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "183" ], - "x-ms-client-request-id": [ "9ca37a10-31ec-41f6-adf8-4f12db2f49a6" ], + "x-ms-unique-id": [ "184" ], + "x-ms-client-request-id": [ "bb46760f-7041-4532-ab46-b832679b1954" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], - "x-ms-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], - "x-ms-correlation-request-id": [ "a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:a33da1cc-5dec-42c3-a1e2-2cf4ba3a86bc" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "016cb2a0-f878-4631-bc3e-b73fa09907a4" ], + "x-ms-correlation-request-id": [ "016cb2a0-f878-4631-bc3e-b73fa09907a4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:016cb2a0-f878-4631-bc3e-b73fa09907a4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1122" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"b233bb7e-98ea-415f-895d-e389655250ac\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"e6fe5716-cd55-4449-8cfc-8949597baddd\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "184" ], - "x-ms-client-request-id": [ "3f28bef1-d283-4989-83dc-560e93ad206f" ], + "x-ms-unique-id": [ "185" ], + "x-ms-client-request-id": [ "07599939-75b5-43df-9307-d400605393d6" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], - "x-ms-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], - "x-ms-correlation-request-id": [ "45ac5272-df88-40f2-92d4-b69198bf3f5c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015546Z:45ac5272-df88-40f2-92d4-b69198bf3f5c" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "768c429e-c74a-4ae2-9b24-deb0eedd196f" ], + "x-ms-correlation-request-id": [ "768c429e-c74a-4ae2-9b24-deb0eedd196f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:768c429e-c74a-4ae2-9b24-deb0eedd196f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", "Content": 
null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "185" ], - "x-ms-client-request-id": [ "f0b9c309-c273-44b3-81df-88c1e8add32c" ], + "x-ms-unique-id": [ "186" ], + "x-ms-client-request-id": [ "3eaedcab-eab5-4cb0-8921-42731fc4a901" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,36 +105,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], - "x-ms-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], - "x-ms-correlation-request-id": [ "d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:d79df0b1-5b5a-406e-9f37-3e9ef2ec3186" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "1a04a512-d681-47a6-813e-d479fb807684" ], + "x-ms-correlation-request-id": [ "1a04a512-d681-47a6-813e-d479fb807684" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:1a04a512-d681-47a6-813e-d479fb807684" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview+2": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", "Content": 
null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "186" ], - "x-ms-client-request-id": [ "9cf28c4c-0667-4cd3-92b8-1a38a856b836" ], + "x-ms-unique-id": [ "187" ], + "x-ms-client-request-id": [ "0d7c4957-fbd4-47a1-8d64-6e82988463ee" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -146,20 +146,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], - "x-ms-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], - "x-ms-correlation-request-id": [ "22ba730e-db64-430e-bf46-e675d9070622" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015547Z:22ba730e-db64-430e-bf46-e675d9070622" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], + "x-ms-correlation-request-id": [ "02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183123Z:02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:55:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"name\":\"88da8507-46cb-4c34-9cf3-189e58b34c9e\",\"etag\":\"66942b87-5147-46a2-8696-f8fde8f4193b\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json index d8b483fa1586..74c0cde9dad3 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "187" ], - "x-ms-client-request-id": [ "12efe3e7-d714-40b6-84d0-5750915d645f" ], + "x-ms-unique-id": [ "188" ], + "x-ms-client-request-id": [ "cdb526a4-224f-405e-9446-a30f480cbb5d" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], - "x-ms-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], - "x-ms-correlation-request-id": [ "4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015608Z:4c2036d5-9b43-43df-aeaf-3bd0dde1750c" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], + "x-ms-request-id": [ "dd4c8ada-84ec-45db-948e-673d38c35129" ], + "x-ms-correlation-request-id": [ "dd4c8ada-84ec-45db-948e-673d38c35129" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183123Z:dd4c8ada-84ec-45db-948e-673d38c35129" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:23 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "375" ], + "Content-Length": [ "363" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"asn\":\"15169\",\"carrier\":\"google llc\",\"city\":\"mountain view\",\"cityCf\":80,\"continent\":\"north america\",\"country\":\"united states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"37.38802\",\"longitude\":\"-122.07431\",\"organization\":\"google\",\"organizationType\":\"Internet Service Provider\",\"region\":\"southwest\",\"state\":\"california\",\"stateCf\":95,\"stateCode\":\"ca\"}", + "Content": "{\"asn\":\"15169\",\"carrier\":\"google llc\",\"city\":\"glenmont\",\"cityCf\":80,\"continent\":\"north america\",\"country\":\"united states\",\"countryCf\":99,\"ipAddr\":\"8.8.8.8\",\"ipRoutingType\":\"fixed\",\"latitude\":\"40.537\",\"longitude\":\"-82.12859\",\"organization\":\"google\",\"organizationType\":\"Internet Service Provider\",\"region\":\"great lakes\",\"state\":\"ohio\",\"stateCf\":95,\"stateCode\":\"oh\"}", "isContentBase64": false } 
}, - "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "188" ], - "x-ms-client-request-id": [ "faec6059-9760-4bf5-b8f8-830c947b9b44" ], + "x-ms-unique-id": [ "189" ], + "x-ms-client-request-id": [ "f2467200-22e1-4c1e-bb81-7f533b898379" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get1" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], - "x-ms-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], - "x-ms-correlation-request-id": [ "8814fca2-cec6-4158-bf67-abd08c2602bf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015609Z:8814fca2-cec6-4158-bf67-abd08c2602bf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], + "x-ms-request-id": [ "a813e2c5-2550-4866-a948-92b0d717d8f3" ], + "x-ms-correlation-request-id": [ "a813e2c5-2550-4866-a948-92b0d717d8f3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183124Z:a813e2c5-2550-4866-a948-92b0d717d8f3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:08 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:23 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1408" ], + "Content-Length": [ "1403" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00\",\"updated\":\"2019-09-09T00:00:00\",\"expires\":\"2028-09-14T00:00:00\",\"parsed_whois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuse_contact_phone\":\"12083895770\",\"abuse_contact_email\":\"abusecomplaints@markmonitor.com\",\"iana_id\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whois_server\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at 
https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"name_servers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", + "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00Z\",\"updated\":\"2019-09-09T00:00:00Z\",\"expires\":\"2028-09-14T00:00:00Z\",\"parsedWhois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuseContactPhone\":\"12086851750\",\"abuseContactEmail\":\"abusecomplaints@markmonitor.com\",\"ianaId\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whoisServer\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google 
LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"nameServers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json index 2617a84eb81d..885c98a24435 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "189" ], - "x-ms-client-request-id": [ "af05e47d-2a7c-454b-b7c7-bf35c1b686c5" ], + "x-ms-unique-id": [ "190" ], + "x-ms-client-request-id": [ "484b44a2-7a87-4eeb-be91-e117c8c05e65" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], - "x-ms-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], - "x-ms-correlation-request-id": [ "b437ade9-ae56-4259-9c59-fe545172ae4d" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015630Z:b437ade9-ae56-4259-9c59-fe545172ae4d" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], + "x-ms-request-id": [ "d8862eed-373d-4d86-8e82-c0228549c30e" ], + "x-ms-correlation-request-id": [ "d8862eed-373d-4d86-8e82-c0228549c30e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183125Z:d8862eed-373d-4d86-8e82-c0228549c30e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:25 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "190" ], - "x-ms-client-request-id": [ "40fc19d6-790d-4129-b422-33cbfb745571" ], + "x-ms-unique-id": [ "191" ], + "x-ms-client-request-id": [ "5b12f79a-13e7-4e55-bf13-c57c555a3029" ], "CommandName": [ 
"Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], - "x-ms-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], - "x-ms-correlation-request-id": [ "2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015631Z:2443a7c7-ab0b-48f0-b3f6-ffa3e4675bd3" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], + "x-ms-request-id": [ "409cbd21-a823-4ff3-afc1-c5d676b27496" ], + "x-ms-correlation-request-id": [ "409cbd21-a823-4ff3-afc1-c5d676b27496" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183125Z:409cbd21-a823-4ff3-afc1-c5d676b27496" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:30 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:25 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "191" ], - "x-ms-client-request-id": [ 
"d2959a56-b498-437a-b324-ad0289b52252" ], + "x-ms-unique-id": [ "192" ], + "x-ms-client-request-id": [ "48423662-7c77-4fec-9bea-e567a8df0432" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,36 +105,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], - "x-ms-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], - "x-ms-correlation-request-id": [ "cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015631Z:cf68626a-a59c-4d3d-9f8e-c8c8f7317a01" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], + "x-ms-request-id": [ "17e0f0f0-34b8-4666-b216-40deb881e509" ], + "x-ms-correlation-request-id": [ "17e0f0f0-34b8-4666-b216-40deb881e509" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183126Z:17e0f0f0-34b8-4666-b216-40deb881e509" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "192" ], - "x-ms-client-request-id": [ "fb1bb058-e36c-4d32-9db8-ff5f656d1037" ], + "x-ms-unique-id": [ "193" ], + "x-ms-client-request-id": [ "f876cb3e-bce4-490b-b25f-bf6d90c82030" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -146,36 +146,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], - "x-ms-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], - "x-ms-correlation-request-id": [ "67cff94a-8ea6-4ce5-8777-6314a012ceee" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:67cff94a-8ea6-4ce5-8777-6314a012ceee" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], + "x-ms-request-id": [ "645e5bd4-0485-47fc-a961-cfaa70723375" ], + "x-ms-correlation-request-id": [ "645e5bd4-0485-47fc-a961-cfaa70723375" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183126Z:645e5bd4-0485-47fc-a961-cfaa70723375" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:31 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "193" ], - "x-ms-client-request-id": [ 
"6e1955bd-faad-4f20-a643-5956f9ac47ff" ], + "x-ms-unique-id": [ "194" ], + "x-ms-client-request-id": [ "5a0d9eab-13c4-4113-a579-bd0ea3b6b08d" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -187,36 +187,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ], - "x-ms-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], - "x-ms-correlation-request-id": [ "687044df-ca03-4391-879a-195164267c13" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015632Z:687044df-ca03-4391-879a-195164267c13" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], + "x-ms-request-id": [ "bfca1590-fe6d-43c6-adec-58eead231d44" ], + "x-ms-correlation-request-id": [ "bfca1590-fe6d-43c6-adec-58eead231d44" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183127Z:bfca1590-fe6d-43c6-adec-58eead231d44" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "194" ], - "x-ms-client-request-id": [ "4df17961-e010-4663-a97c-305403a5b564" ], + "x-ms-unique-id": [ "195" ], + "x-ms-client-request-id": [ "706d4b7a-d46e-4ef2-8c28-ce6fec044bc7" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -228,20 +228,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ], - "x-ms-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], - "x-ms-correlation-request-id": [ "0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015633Z:0cd7c978-84df-4556-a772-4b5bb9bfb3d0" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], + "x-ms-request-id": [ "a32df2cc-93ab-4063-9521-4d262c7fb624" ], + "x-ms-correlation-request-id": [ "a32df2cc-93ab-4063-9521-4d262c7fb624" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183127Z:a32df2cc-93ab-4063-9521-4d262c7fb624" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:32 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json index 1dd40543e6d3..915887806150 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "195" ], - "x-ms-client-request-id": [ "3a8d1b1a-15d4-4a1d-9bc7-cbae66fc4666" ], + "x-ms-unique-id": [ "196" ], + "x-ms-client-request-id": [ "c14ef63e-2349-4660-91ad-28d0921af51e" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11967" ], - "x-ms-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], - "x-ms-correlation-request-id": [ "519fca47-ffd0-415a-9ce6-e2788d98c593" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015654Z:519fca47-ffd0-415a-9ce6-e2788d98c593" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], + "x-ms-request-id": [ "a27023a0-6f7b-4ab4-b614-78ec88518182" ], + "x-ms-correlation-request-id": [ "a27023a0-6f7b-4ab4-b614-78ec88518182" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183128Z:a27023a0-6f7b-4ab4-b614-78ec88518182" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:54 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:27 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", "Content": null, 
"isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "196" ], - "x-ms-client-request-id": [ "9ace68b3-6c28-4e38-8315-983d38166b5d" ], + "x-ms-unique-id": [ "197" ], + "x-ms-client-request-id": [ "16990f62-534d-4d5b-8f31-faa95508f1f4" ], "CommandName": [ "Get-AzSentinelEntityActivity" ], "FullCommandName": [ "Get-AzSentinelEntityActivity_Queries" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], - "x-ms-request-id": [ "81bb2c7b-c1b0-413c-b117-402a71f99be2" ], - "x-ms-correlation-request-id": [ "81bb2c7b-c1b0-413c-b117-402a71f99be2" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015658Z:81bb2c7b-c1b0-413c-b117-402a71f99be2" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], + "x-ms-request-id": [ "e71c3158-f301-44c2-a8df-7ffeeb832c06" ], + "x-ms-correlation-request-id": [ "e71c3158-f301-44c2-a8df-7ffeeb832c06" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183131Z:e71c3158-f301-44c2-a8df-7ffeeb832c06" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:56:57 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "20801" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}",
 "isContentBase64": false
 }
 }
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
index 1b91850f78ac..c37c7f3c4d70 100644
--- a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json
@@ -1,17 +1,17 @@
 {
- "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "197" ],
- "x-ms-client-request-id": [ "c99f59a5-31cc-4138-b561-8fe621ad89c5" ],
+ "x-ms-unique-id": [ "198" ],
+ "x-ms-client-request-id": [ "224e476f-5445-42cb-a2bb-2d38e2428610" ],
 "CommandName": [ "Get-AzSentinelentity" ],
 "FullCommandName": [ "Get-AzSentinelEntity_List" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
 "Authorization": [ "[Filtered]" ]
 },
 "ContentHeaders": {
@@ -23,28 +23,28 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ],
- "x-ms-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ],
- "x-ms-correlation-request-id": [ "4af5eb56-43e2-4815-86bb-80a1da31432f" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T015719Z:4af5eb56-43e2-4815-86bb-80a1da31432f" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ],
+ "x-ms-request-id": [ "f532cced-8e20-4dac-a823-cd27456e421d" ],
+ "x-ms-correlation-request-id": [ "f532cced-8e20-4dac-a823-cd27456e421d" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183131Z:f532cced-8e20-4dac-a823-cd27456e421d" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 01:57:19 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:31:31 GMT" ]
 },
 "ContentHeaders": {
 "Content-Length": [ "461" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}",
+ "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}",
 "isContentBase64": false
 }
 },
- "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": {
+ "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": {
 "Request": {
 "Method": "POST",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview",
- "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}",
+ "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview",
+ "Content": "{\n \"startTime\": \"2022-07-28T06:00:00.0000000+00:00\",\n \"endTime\": \"2022-07-29T06:00:00.0000000+00:00\"\n}",
 "isContentBase64": false,
 "Headers": {
 },
@@ -59,20 +59,20 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ],
- "x-ms-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ],
- "x-ms-correlation-request-id": [ "0f5df074-c8e7-464b-8a83-3d63d3cdce91" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T015723Z:0f5df074-c8e7-464b-8a83-3d63d3cdce91" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ],
+ "x-ms-request-id": [ "a983f815-234e-4a13-a0b9-b6be3f9e738c" ],
+ "x-ms-correlation-request-id": [ "a983f815-234e-4a13-a0b9-b6be3f9e738c" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183138Z:a983f815-234e-4a13-a0b9-b6be3f9e738c" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 01:57:23 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:31:37 GMT" ]
 },
 "ContentHeaders": {
 "Content-Length": [ "1719" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional 
Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2021-12-11T01:00:00+00:00\",\"endTime\":\"2021-12-12T01:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}",
+ "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist 
Insight\",\"type\":\"string\"},{\"name\":\"Additional Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}",
 "isContentBase64": false
 }
 }
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
index 81d8de3dcd35..d0ba6c0baafa 100644
--- a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
+++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json
@@ -1,17 +1,17 @@
 {
- "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "203" ],
- "x-ms-client-request-id": [ "e0396517-e4b0-43b4-acfc-bd6083c1ae8f" ],
+ "x-ms-unique-id": [ "201" ],
+ "x-ms-client-request-id": [ "7d1ed0f0-2147-4db1-8419-7ad1d7cd487e" ],
 "CommandName": [ "Get-AzSentinelentityQueryTemplate" ],
 "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
 "Authorization": [ "[Filtered]" ]
 },
 "ContentHeaders": {
@@ -23,36 +23,36 @@
"Cache-Control": [ "no-cache" ],
"Pragma": [ "no-cache" ],
"Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ],
- "x-ms-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ],
- "x-ms-correlation-request-id": [ "a6207471-5adf-4afe-991e-fbad1946447e" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T015809Z:a6207471-5adf-4afe-991e-fbad1946447e" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ],
+ "x-ms-request-id": [ "a9d33b1e-0d89-40ac-98fa-8ece51022f58" ],
+ "x-ms-correlation-request-id": [ "a9d33b1e-0d89-40ac-98fa-8ece51022f58" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183143Z:a9d33b1e-0d89-40ac-98fa-8ece51022f58" ],
"Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
"X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 01:58:09 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:31:42 GMT" ]
},
"ContentHeaders": {
- "Content-Length": [ "187304" ],
+ "Content-Length": [ "191910" ],
"Content-Type": [ "application/json; charset=utf-8" ],
"Expires": [ "-1" ]
},
- "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, 
Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = 
tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password 
(self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with 
userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "204" ], - "x-ms-client-request-id": [ "c806251a-84a5-4cda-96a3-9481c0232d15" ], + "x-ms-unique-id": [ "202" ], + "x-ms-client-request-id": [ "cb88b9be-dc63-421d-9e4b-2c9018c7be91" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], - 
"User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], - "x-ms-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ], - "x-ms-correlation-request-id": [ "1a72f600-be84-4ce9-a11e-eca776b3444e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015812Z:1a72f600-be84-4ce9-a11e-eca776b3444e" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], + "x-ms-request-id": [ "269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], + "x-ms-correlation-request-id": [ "269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183146Z:269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:58:11 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:45 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "187304" ], + "Content-Length": [ "191910" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, 
Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = 
tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password 
(self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AADUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationName}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity \\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationName contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationName == \\\"List Storage Account Keys\\\" and ActivityStatus == \\\"Succeeded\\\")\\n or OperationName == \\\"Create or Update Virtual Machine\\\" \\n or OperationName == \\\"Create Deployment\\\"\\n or OperationName == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project Target_AzureResource_ResourceId, 
Source_IP_Address, shortResourceId, OperationName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain 
= case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, 
tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, 
WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in 
(4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| 
project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run 
Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ 
v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| 
extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, 
event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * \u0027The\u0027 
LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = 
(tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| parse RenderedDescription with * 
\u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, 
\u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has 
\u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer 
has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with 
userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "205" ], - "x-ms-client-request-id": [ "383f2cec-54da-4e58-9428-626dea7ce23d" ], + "x-ms-unique-id": [ "203" ], + "x-ms-client-request-id": [ "dec0b5ca-8c7b-4a04-a8c5-1cda44704fbe" ], "CommandName": [ 
"Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,20 +105,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], - "x-ms-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], - "x-ms-correlation-request-id": [ "6f0db073-ea27-45ff-91d2-e1a23af5579c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015815Z:6f0db073-ea27-45ff-91d2-e1a23af5579c" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], + "x-ms-request-id": [ "1c120dc5-4267-4b5a-8bc1-92198cacac56" ], + "x-ms-correlation-request-id": [ "1c120dc5-4267-4b5a-8bc1-92198cacac56" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183149Z:1c120dc5-4267-4b5a-8bc1-92198cacac56" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:58:14 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "3224" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AADUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = 
strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AADUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = 
Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AADUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AADUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, 
\u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json index 4aa4103e97ae..09caa8858e7f 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "206" ], - "x-ms-client-request-id": [ "81504883-85f8-4e9f-a467-387ece9a56a4" ], + "x-ms-unique-id": [ "204" ], + "x-ms-client-request-id": [ "e2058862-1df8-46b3-8f8a-08ab726199fa" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,28 +23,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], - "x-ms-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], - "x-ms-correlation-request-id": [ "c8613f2f-a444-468e-94f2-595cdf668ec6" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015857Z:c8613f2f-a444-468e-94f2-595cdf668ec6" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], + "x-ms-request-id": [ "5b800789-ae4f-443a-adf8-0c4f5eef055b" ], + "x-ms-correlation-request-id": [ "5b800789-ae4f-443a-adf8-0c4f5eef055b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183150Z:5b800789-ae4f-443a-adf8-0c4f5eef055b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:58:57 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:50 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", - "Content": "{\n \"startTime\": \"2021-12-11T01:00:00.0000000+00:00\",\n \"endTime\": \"2021-12-12T01:00:00.0000000+00:00\"\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2022-07-28T06:00:00.0000000+00:00\",\n \"endTime\": \"2022-07-29T06:00:00.0000000+00:00\"\n}", "isContentBase64": false, "Headers": { }, @@ -59,13 +59,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], - "x-ms-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], - "x-ms-correlation-request-id": [ "c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015900Z:c2a1f10e-b74e-4cba-b516-5e1d00b59a40" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], + "x-ms-request-id": [ "161e1150-5a91-4d95-b7af-378dda71d4c7" ], + "x-ms-correlation-request-id": [ "161e1150-5a91-4d95-b7af-378dda71d4c7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183153Z:161e1150-5a91-4d95-b7af-378dda71d4c7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:58:59 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:52 GMT" ] }, "ContentHeaders": { "Content-Length": [ "152" ], diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json index 71b9ebd0487e..03ea77af4bcf 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "208" ], - "x-ms-client-request-id": [ "1618b3e6-b413-4db4-917b-bff18620916a" ], + "x-ms-unique-id": [ "206" ], + "x-ms-client-request-id": [ "ab1aa0d8-640b-4798-9f42-f68c10ca51a7" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], - "x-ms-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], - "x-ms-correlation-request-id": [ "c541cfb6-9955-445d-adf0-05353e2da147" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:c541cfb6-9955-445d-adf0-05353e2da147" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], + "x-ms-request-id": [ "6fd5801e-1258-48b9-b3ee-367efcc124b8" ], + "x-ms-correlation-request-id": [ "6fd5801e-1258-48b9-b3ee-367efcc124b8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183154Z:6fd5801e-1258-48b9-b3ee-367efcc124b8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:53 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26515" ], + "Content-Length": [ "26513" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "209" ], - "x-ms-client-request-id": [ "09469cc9-e322-451c-bbc4-7fbc230b7978" ], + "x-ms-unique-id": [ "207" ], + "x-ms-client-request-id": [ "5ebda592-7e87-402e-9cf2-d9f6696ae5f5" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ], - "x-ms-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], - "x-ms-correlation-request-id": [ "f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f1c6c0c6-31c2-43f4-ac4b-d5cceae8f2a9" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], + "x-ms-request-id": [ "27b11933-2550-428e-b345-0862f8b0aa08" ], + "x-ms-correlation-request-id": [ "27b11933-2550-428e-b345-0862f8b0aa08" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183154Z:27b11933-2550-428e-b345-0862f8b0aa08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:20 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "210" ], - "x-ms-client-request-id": [ "ef690bf8-1fe4-4e13-8a0d-d3020df2bab3" ], + "x-ms-unique-id": [ "208" ], + "x-ms-client-request-id": [ "626b9165-7c71-4211-a86b-c46f1e140f58" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,36 +105,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], - "x-ms-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], - "x-ms-correlation-request-id": [ "f671c02e-8936-42ff-ba04-9731718fc2f6" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:f671c02e-8936-42ff-ba04-9731718fc2f6" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], + "x-ms-request-id": [ "65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], + "x-ms-correlation-request-id": [ "65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183155Z:65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "211" ], - "x-ms-client-request-id": [ "cf47aa68-5549-4bbb-bed9-a700a6887532" ], + "x-ms-unique-id": [ "209" ], + "x-ms-client-request-id": [ "2f0fb3e8-9f61-463d-a5ec-d9f2c5ada7f0" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -146,20 +146,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], - "x-ms-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], - "x-ms-correlation-request-id": [ "48feafa1-bdb4-4686-897f-b966354d8091" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015921Z:48feafa1-bdb4-4686-897f-b966354d8091" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], + "x-ms-request-id": [ "90586b8e-5ba7-4b8c-b063-b561123a89ab" ], + "x-ms-correlation-request-id": [ "90586b8e-5ba7-4b8c-b063-b561123a89ab" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183155Z:90586b8e-5ba7-4b8c-b063-b561123a89ab" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:21 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json index d6ebd51b53ba..dee386401470 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "212" ], - "x-ms-client-request-id": [ "d30beebf-7b72-4cd3-abad-11f13e973a35" ], + "x-ms-unique-id": [ "210" ], + "x-ms-client-request-id": [ "ad992083-3cc0-4443-8ab7-6eaf72295d20" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], - "x-ms-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], - "x-ms-correlation-request-id": [ "ef078886-f7ce-4b2f-b68b-af941c842a3d" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:ef078886-f7ce-4b2f-b68b-af941c842a3d" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], + "x-ms-request-id": [ "6d92668b-dfc4-460c-ae57-227c6f4a9844" ], + "x-ms-correlation-request-id": [ "6d92668b-dfc4-460c-ae57-227c6f4a9844" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183156Z:6d92668b-dfc4-460c-ae57-227c6f4a9844" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26515" ], + "Content-Length": [ "26513" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/alerts?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/alerts?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/alerts?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "213" ], - "x-ms-client-request-id": [ "6e6c449f-5e47-4b23-90c3-ee86ae7891a3" ], + "x-ms-unique-id": [ "211" ], + "x-ms-client-request-id": [ "3235ac5e-2f7f-4c39-9d87-78779c1b3b0f" ], "CommandName": [ "Get-AzSentinelIncidentAlert" ], "FullCommandName": [ "Get-AzSentinelIncidentAlert_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], - "x-ms-correlation-request-id": [ "c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015941Z:c2f7c390-aa19-48e5-9c54-a6d413f0974c" ], + "x-ms-request-id": [ "e2182d8f-8274-489e-b028-a190182e174e" ], + "x-ms-correlation-request-id": [ "e2182d8f-8274-489e-b028-a190182e174e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183156Z:e2182d8f-8274-489e-b028-a190182e174e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:59:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "10322" ], + "Content-Length": [ "11105" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"name\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"58fb97d0-4b98-ebac-3e8d-e1d3af7038f6\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:23:43.455803Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:18:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:23:43.4558068Z\",\"providerAlertId\":\"62114603-97d6-4e81-aa88-9c046bdb6ffb\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:23:43.597Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"name\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"65ed6a1f-9a9b-ce95-a6a7-ffc8a5aac53d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:28:40.8799388Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:23:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:53:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:28:40.8799421Z\",\"providerAlertId\":\"8abf1a2b-486b-441e-9358-50d973e0e3c2\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:28:41.081Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/936b5422-dc31-6382-a81f-1daebd2c950d\",\"name\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"936b5422-dc31-6382-a81f-1daebd2c950d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:33:40.9195282Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:28:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T00:58:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:33:40.9195312Z\",\"providerAlertId\":\"3979b3b4-491f-4d88-bf9e-9d4c87d19ed3\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:33:41.089Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/89785dc9-8d86-e3b6-5467-cebafeab044d\",\"name\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"89785dc9-8d86-e3b6-5467-cebafeab044d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:38:41.118344Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:33:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:03:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:38:41.1183474Z\",\"providerAlertId\":\"201f798f-b46b-4c26-9c21-e24082f5cf85\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:38:41.28Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/637c5319-a9f1-b241-662f-f9b19323150a\",\"name\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"637c5319-a9f1-b241-662f-f9b19323150a\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:43:46.6351857Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:38:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:08:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:43:46.6351897Z\",\"providerAlertId\":\"c8375355-483a-4815-b9ad-ef06115266f0\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:43:46.778Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"name\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"0ceeae80-6e19-e31b-c6dc-ab7c22834f90\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"04acdb04-b6a1-4292-a956-621f955f6a5f_10a698ca-8310-4b90-a86e-2f43fe285e56\",\"processingEndTime\":\"2021-12-12T01:48:43.7008681Z\",\"status\":\"New\",\"endTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"startTimeUtc\":\"2021-12-12T01:13:37.8638145Z\",\"timeGenerated\":\"2021-12-12T01:48:43.7008712Z\",\"providerAlertId\":\"1af2d93d-fdc2-4c5b-9232-d5f601f6ac2a\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"04acdb04-b6a1-4292-a956-621f955f6a5f\",\"subscriptionId\":\"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\",\"resourceGroup\":\"aspstest91v7fr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2021-12-12T01:48:43.904Z\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"name\":\"c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:02:59.2250498Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T17:57:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:02:59.2915043Z\",\"providerAlertId\":\"b9bd472b-d65f-48c4-abcf-0e2fca5fa2ba\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:02:59.352Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"name\":\"9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:07:59.7428619Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:02:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:32:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:07:59.8512573Z\",\"providerAlertId\":\"f815afc1-a677-4b8d-be70-088946d29a6f\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:07:59.885Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"name\":\"7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:13:01.6548178Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:07:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:37:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:13:01.7730875Z\",\"providerAlertId\":\"38bfbcc6-4481-48f8-840e-3bf86e9077d1\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:13:01.808Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"name\":\"a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:17:59.4082677Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:12:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:42:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:17:59.5014214Z\",\"providerAlertId\":\"28477268-d598-4447-950d-0de29137faa0\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:17:59.531Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"name\":\"66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:22:59.3022284Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:17:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:47:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:22:59.3995318Z\",\"providerAlertId\":\"f3922aba-2438-461b-9966-ffb2cbbe0638\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:22:59.447Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/8b522632-83f2-bd35-bf66-7adf568ad274\",\"name\":\"8b522632-83f2-bd35-bf66-7adf568ad274\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"8b522632-83f2-bd35-bf66-7adf568ad274\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:27:59.7225921Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:52:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:27:59.8098849Z\",\"providerAlertId\":\"9f02c11e-148c-4209-bfd3-ba79c38dba88\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:27:59.813Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json index c98f9b7315c2..96df19f04187 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "214" ], - "x-ms-client-request-id": [ "49eeb730-e1fd-4563-865c-2e2e149f81ca" ], + "x-ms-unique-id": [ "212" ], + "x-ms-client-request-id": [ "1b11c0a7-6bff-4779-88ac-bbf8518ab12e" ], "CommandName": [ "Get-AzSentinelIncidentBookmark" ], "FullCommandName": [ "Get-AzSentinelIncidentBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], 
"Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -22,21 +22,21 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], "Server": [ "Kestrel" ], - "x-ms-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ], - "x-ms-correlation-request-id": [ "20823661-e1ef-489f-86f5-d4a18d3fc683" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020003Z:20823661-e1ef-489f-86f5-d4a18d3fc683" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], + "x-ms-correlation-request-id": [ "544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183157Z:544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:00:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:56 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1148" ], + "Content-Length": [ "1118" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"name\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameib8ohc\",\"created\":\"2021-12-12T01:48:35.4604989+00:00\",\"updated\":\"2021-12-12T01:48:35.4604989+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"6b0223c7-0000-0100-0000-61b554f40000\\\"\",\"EntityId\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\"},\"friendlyName\":\"GetincidentRelationBookmarkNameib8ohc\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/e809aa96-66b0-4c25-83cc-f6a969445995\",\"name\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkName0eyhda\",\"created\":\"2022-07-29T18:27:31.0896601+00:00\",\"updated\":\"2022-07-29T18:27:31.0896601+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"0100b593-0000-0100-0000-62e426930000\\\"\",\"EntityId\":\"e809aa96-66b0-4c25-83cc-f6a969445995\"},\"friendlyName\":\"GetincidentRelationBookmarkName0eyhda\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json index 7e19c23f469b..5e8e87678414 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json 
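Review bot: The new recorded response body in this hunk still carries what looks like a real user's e-mail address and AAD object id in the `createdBy`/`updatedBy` fields (`nicholas@zeronetworks.com`, objectId `9419133c-...`), while the request side already shows that headers are scrubbed (`"Authorization": [ "[Filtered]" ]`). Response bodies are not covered by that filtering, so personal identifiers end up committed to a public repository with every re-recording; the same pattern appears in the first recording hunk of this chunk. The recorder or a post-processing step should replace these values before the file is committed, e.g. `\"email\":\"[Filtered]\"` and `\"objectId\":\"00000000-0000-0000-0000-000000000000\"`, and the replay tests should not depend on them. Since the recordings are regenerated by tooling, the fix belongs in the sanitization step rather than in this file.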
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "215" ], - "x-ms-client-request-id": [ "e78c0393-ce99-4aa0-853a-84fe18c3b571" ], + "x-ms-unique-id": [ "213" ], + "x-ms-client-request-id": [ "56a7dfbc-5edb-417e-9a50-8388b58007bd" ], "CommandName": [ "Get-AzSentinelincidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ 
"[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ], - "x-ms-correlation-request-id": [ "4f874d63-7966-47c9-bdd2-bafaa659e669" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:4f874d63-7966-47c9-bdd2-bafaa659e669" ], + "x-ms-request-id": [ "5792f431-610a-4792-8313-2bc1bbd64310" ], + "x-ms-correlation-request-id": [ "5792f431-610a-4792-8313-2bc1bbd64310" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183158Z:5792f431-610a-4792-8313-2bc1bbd64310" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:57 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "801" ], + "Content-Length": [ "771" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d/Comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"name\":\"15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"etag\":\"\\\"12003b0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment7wxaop\",\"createdTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "216" ], - "x-ms-client-request-id": [ "6302306a-1456-4455-8ef3-3fc6284ddd0c" ], + "x-ms-unique-id": [ "214" ], + "x-ms-client-request-id": [ "fc59bcb9-f76b-4d0e-aa76-f8d6ca4087e9" ], "CommandName": [ "Get-AzSentinelincidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], - "x-ms-correlation-request-id": [ "634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020024Z:634b8ea9-8a00-42d6-a7e5-d64e371a11e3" ], + "x-ms-request-id": [ "57d621ed-ecfa-45b3-bf48-30502437a34a" ], + "x-ms-correlation-request-id": [ "57d621ed-ecfa-45b3-bf48-30502437a34a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183158Z:57d621ed-ecfa-45b3-bf48-30502437a34a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:00:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:57 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "789" ], + "Content-Length": [ "759" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c/Comments/1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"name\":\"1b475d8b-b763-4d91-9dc9-c2125a6531e9\",\"etag\":\"\\\"3c00dd5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment48q5k9\",\"createdTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3142181Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d/Comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"name\":\"15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"etag\":\"\\\"12003b0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment7wxaop\",\"createdTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json index caabcbc362a4..22840934f8d9 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "217" ], - "x-ms-client-request-id": [ "b70ee8b3-92d6-4fca-a293-3eafc9df299b" ], + "x-ms-unique-id": [ "215" ], + "x-ms-client-request-id": [ "a3901740-0108-4cbf-a78d-1b4bcd6f131c" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ], - "x-ms-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ], - "x-ms-correlation-request-id": [ "e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020046Z:e9a3d79b-fa50-48eb-83ed-84ec56b1da76" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], + "x-ms-request-id": [ "b82f052a-4f67-43de-ac19-75aff2105807" ], + "x-ms-correlation-request-id": [ "b82f052a-4f67-43de-ac19-75aff2105807" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183159Z:b82f052a-4f67-43de-ac19-75aff2105807" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:00:45 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:58 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "26515" ], + "Content-Length": [ "26513" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"name\":\"43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNameewut32\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:41.6370473Z\",\"createdTimeUtc\":\"2021-12-12T01:50:41.1927933Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"name\":\"473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"etag\":\"\\\"3c009162-0000-0100-0000-61b555530000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNametdo819\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:50:11.0669406Z\",\"createdTimeUtc\":\"2021-12-12T01:50:10.6585571Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"name\":\"7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentName150wxv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:39.5308437Z\",\"createdTimeUtc\":\"2021-12-12T01:49:39.1352139Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"name\":\"0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"etag\":\"\\\"3c003f61-0000-0100-0000-61b555140000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNameuk6d50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:49:08.8163447Z\",\"createdTimeUtc\":\"2021-12-12T01:49:08.4291239Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0c5dc585-a174-461c-a546-75dc9d7bedc8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"name\":\"e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamerea364\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:36.3299209Z\",\"createdTimeUtc\":\"2021-12-12T01:48:35.946428Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"name\":\"aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"etag\":\"\\\"3c00f15f-0000-0100-0000-61b554d40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentoq4cge\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:48:04.5197134Z\",\"createdTimeUtc\":\"2021-12-12T01:48:03.7828Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/aa0c1725-78eb-4c1e-87b8-9dd801ebf670\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"name\":\"4d88d68e-1a03-4287-b8d2-919981228c5c\",\"etag\":\"\\\"3c00675f-0000-0100-0000-61b554b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentjmgwit\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:32.914693Z\",\"createdTimeUtc\":\"2021-12-12T01:47:32.2205967Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"name\":\"754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"etag\":\"\\\"3c00ae5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentComment8ftdy3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.132971Z\",\"createdTimeUtc\":\"2021-12-12T01:47:01.6162756Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"name\":\"39c0047a-27bf-41d3-940d-bfb849d18460\",\"etag\":\"\\\"3c00525e-0000-0100-0000-61b554760000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommentmhcwg3\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:30.3340484Z\",\"createdTimeUtc\":\"2021-12-12T01:46:29.8715201Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/39c0047a-27bf-41d3-940d-bfb849d18460\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"name\":\"03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"etag\":\"\\\"3c00de5d-0000-0100-0000-61b554580000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment48q5k9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:46:00.3354391Z\",\"createdTimeUtc\":\"2021-12-12T01:45:59.6977853Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/03f0e7ca-255a-49dc-a98d-19f65584d06c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"name\":\"cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"etag\":\"\\\"3c00435b-0000-0100-0000-61b553d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"createdTimeUtc\":\"2021-12-12T01:43:53.2153466Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"name\":\"853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"etag\":\"\\\"3c007d5a-0000-0100-0000-61b553ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"createdTimeUtc\":\"2021-12-12T01:43:22.8314686Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/853e143c-97fd-48f1-86df-c8a68dbb87f1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"name\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"etag\":\"\\\"3c00ec54-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentName84x0ne\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:44.4784666Z\",\"createdTimeUtc\":\"2021-12-12T01:39:44.1016486Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"name\":\"e788124d-3280-4da8-b9f7-3f464296947e\",\"etag\":\"\\\"3c00b853-0000-0100-0000-61b552c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamehqlcfb\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:39:14.3220984Z\",\"createdTimeUtc\":\"2021-12-12T01:39:13.3611655Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e788124d-3280-4da8-b9f7-3f464296947e\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"name\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"etag\":\"\\\"3c00a552-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentNameyci6fv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:42.3519492Z\",\"createdTimeUtc\":\"2021-12-12T01:38:41.8102576Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"name\":\"4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"etag\":\"\\\"3c008b51-0000-0100-0000-61b552840000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamehynb4o\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:38:12.1498788Z\",\"createdTimeUtc\":\"2021-12-12T01:38:11.2263698Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"name\":\"69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"etag\":\"\\\"3c007450-0000-0100-0000-61b552650000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentNames3ckzp\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:37:41.3961428Z\",\"createdTimeUtc\":\"2021-12-12T01:37:40.4966895Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/69e3141d-30e8-49d1-9152-33f3b44cf6b0\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"name\":\"b2d155b7-a5b2-78f2-6872-d80f33937101\",\"etag\":\"\\\"3c00ce60-0000-0100-0000-61b554fc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2021-12-12T00:48:37.8638145Z\",\"lastActivityTimeUtc\":\"2021-12-12T01:43:37.8638145Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:48:44.1406751Z\",\"createdTimeUtc\":\"2021-12-12T01:23:43.793478Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/10a698ca-8310-4b90-a86e-2f43fe285e56\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/b2d155b7-a5b2-78f2-6872-d80f33937101\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/entities?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/b2d155b7-a5b2-78f2-6872-d80f33937101/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "218" ], - "x-ms-client-request-id": [ "ba327d30-bb62-4d6d-8a53-18c62d38ac74" ], + "x-ms-unique-id": [ "216" ], + "x-ms-client-request-id": [ "9a4d97de-63cc-4f21-bef3-898a539b0e6e" ], "CommandName": [ "Get-AzSentinelIncidentEntity" ], "FullCommandName": [ "Get-AzSentinelIncidentEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], - "x-ms-correlation-request-id": [ "6d58458d-1041-4431-892a-9a90e46d7fe4" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020047Z:6d58458d-1041-4431-892a-9a90e46d7fe4" ], + "x-ms-request-id": [ "a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], + "x-ms-correlation-request-id": [ "a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183200Z:a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:00:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:31:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "471" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"entities\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", + "Content": 
"{\"entities\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json index 4427cd11cf34..2c2e4ffbd04f 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "219" ], - "x-ms-client-request-id": [ "543939f3-469d-45b7-94e2-442b3b121f93" ], + "x-ms-unique-id": [ "217" ], + "x-ms-client-request-id": [ "2cbe0942-9ba8-476d-852b-df36af4e2621" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], 
"Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], - "x-ms-correlation-request-id": [ "220ce4f4-4ecf-43ea-8e24-96a33224d870" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:220ce4f4-4ecf-43ea-8e24-96a33224d870" ], + "x-ms-request-id": [ "23ff53a2-15c4-4746-8abd-64854ae974a4" ], + "x-ms-correlation-request-id": [ "23ff53a2-15c4-4746-8abd-64854ae974a4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:23ff53a2-15c4-4746-8abd-64854ae974a4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "220" ], - "x-ms-client-request-id": [ "d1b7e789-6b33-473d-865e-c57bbba761b7" ], + "x-ms-unique-id": [ "218" ], + "x-ms-client-request-id": [ "4f008b1c-faff-4b49-90b2-01db7519eea4" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], - "x-ms-correlation-request-id": [ "6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020108Z:6cbbc917-4ae1-45e6-b407-5cc8119abf2f" ], + "x-ms-request-id": [ "16d368ca-2fef-46b4-b85a-c1288786951c" ], + "x-ms-correlation-request-id": [ "16d368ca-2fef-46b4-b85a-c1288786951c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:16d368ca-2fef-46b4-b85a-c1288786951c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:01:08 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "221" ], - "x-ms-client-request-id": [ "2dc9a5c1-f9ed-4c1d-9f26-d97477d427e7" ], + "x-ms-unique-id": [ "219" ], + "x-ms-client-request-id": [ "6cebddaa-f855-4a2e-8f7a-b4dea44f6343" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], - "x-ms-correlation-request-id": [ "dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:dd5162c6-d074-4f49-8fb6-d3aa805a70b0" ], + "x-ms-request-id": [ "5778a143-2fb7-48b9-b812-36a505cad98b" ], + "x-ms-correlation-request-id": [ "5778a143-2fb7-48b9-b812-36a505cad98b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:5778a143-2fb7-48b9-b812-36a505cad98b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "222" ], - "x-ms-client-request-id": [ "5130bf8f-1387-4aa0-9792-07f416857f49" ], + "x-ms-unique-id": [ "220" ], + "x-ms-client-request-id": [ "17c638f5-e5b1-4590-8413-e629440a6045" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], - "x-ms-correlation-request-id": [ "ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020109Z:ffb84286-5c2f-4f62-9b0a-ed13404e11f1" ], + "x-ms-request-id": [ "7477d45b-6161-4853-a463-8dc1590fc0e5" ], + "x-ms-correlation-request-id": [ "7477d45b-6161-4853-a463-8dc1590fc0e5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:7477d45b-6161-4853-a463-8dc1590fc0e5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:01:09 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0/relations/0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"name\":\"0ef2e445-e524-42ad-8810-fdd6cbe3e5f7\",\"etag\":\"\\\"3c008760-0000-0100-0000-61b554f40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceName\":\"21e8e280-fe09-4a83-a662-4b0711e9c127\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json index 29cf397dd2d9..47e032457f69 100644 --- a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "223" ], - "x-ms-client-request-id": [ "7dd14f19-3c79-40e6-a9e1-2efdc697dc80" ], + "x-ms-unique-id": [ "221" ], + "x-ms-client-request-id": [ "35c2d85d-23de-4255-858a-3b977b17397c" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ],
- "x-ms-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ],
- "x-ms-correlation-request-id": [ "f6e0872f-3306-4826-a2e1-384ec749455e" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:f6e0872f-3306-4826-a2e1-384ec749455e" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ],
+ "x-ms-request-id": [ "ca5256e0-f15a-40d4-94b8-fecee8db0f16" ],
+ "x-ms-correlation-request-id": [ "ca5256e0-f15a-40d4-94b8-fecee8db0f16" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183202Z:ca5256e0-f15a-40d4-94b8-fecee8db0f16" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 02:01:30 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "2675" ],
+ "Content-Length": [ "2645" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "224" ],
- "x-ms-client-request-id": [ "12cf9fc0-accc-40b9-917d-fc64e2a26fe8" ],
+ "x-ms-unique-id": [ "222" ],
+ "x-ms-client-request-id": [ "dceec427-b930-4121-a106-c605c8bcb034" ],
 "CommandName": [ "Get-AzSentinelMetadata" ],
 "FullCommandName": [ "Get-AzSentinelMetadata_Get" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
 "Authorization": [ "[Filtered]" ]
 },
 "ContentHeaders": {
@@ -64,36 +64,36 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ],
- "x-ms-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ],
- "x-ms-correlation-request-id": [ "a8a30997-baec-41f5-bd47-d2b2535f0e21" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:a8a30997-baec-41f5-bd47-d2b2535f0e21" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ],
+ "x-ms-request-id": [ "b37c65b8-973f-4360-9627-207c7c061fdf" ],
+ "x-ms-correlation-request-id": [ "b37c65b8-973f-4360-9627-207c7c061fdf" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:b37c65b8-973f-4360-9627-207c7c061fdf" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "2663" ],
+ "Content-Length": [ "2633" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "225" ],
- "x-ms-client-request-id": [ "36630d0d-af71-425a-8b20-fa0e83c2c13d" ],
+ "x-ms-unique-id": [ "223" ],
+ "x-ms-client-request-id": [ "8055dd57-1179-476a-8c52-c3cabd7deb47" ],
 "CommandName": [ "Get-AzSentinelMetadata" ],
 "FullCommandName": [ "Get-AzSentinelMetadata_Get" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
 "Authorization": [ "[Filtered]" ]
 },
"ContentHeaders": { 
@@ -105,36 +105,36 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ],
- "x-ms-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ],
- "x-ms-correlation-request-id": [ "24ade85f-3414-43e9-8634-292b32ca4f5d" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:24ade85f-3414-43e9-8634-292b32ca4f5d" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ],
+ "x-ms-request-id": [ "216f1c37-56e0-46cd-b27f-ceaf61f4a994" ],
+ "x-ms-correlation-request-id": [ "216f1c37-56e0-46cd-b27f-ceaf61f4a994" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:216f1c37-56e0-46cd-b27f-ceaf61f4a994" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "2663" ],
+ "Content-Length": [ "2633" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": {
+ "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "226" ],
- "x-ms-client-request-id": [ "498626d9-5833-4d56-8ac9-8d31747f7b08" ],
+ "x-ms-unique-id": [ "224" ],
+ "x-ms-client-request-id": [ "7277403c-8857-4234-8582-347455015b1e" ],
 "CommandName": [ "Get-AzSentinelMetadata" ],
 "FullCommandName": [ "Get-AzSentinelMetadata_GetViaIdentity" ],
 "ParameterSetName": [ "__AllParameterSets" ],
- "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ],
+ "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ],
 "Authorization": [ "[Filtered]" ]
 },
"ContentHeaders": { 
@@ -146,20 +146,20 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ],
- "x-ms-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ],
- "x-ms-correlation-request-id": [ "48113ccf-2d4e-4d65-8083-daa784e033b2" ],
- "x-ms-routing-request-id": [ "WESTUS2:20211212T020131Z:48113ccf-2d4e-4d65-8083-daa784e033b2" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ],
+ "x-ms-request-id": [ "325fb1cb-2cdb-4e6b-92f8-e66580243723" ],
+ "x-ms-correlation-request-id": [ "325fb1cb-2cdb-4e6b-92f8-e66580243723" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:325fb1cb-2cdb-4e6b-92f8-e66580243723" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Sun, 12 Dec 2021 02:01:31 GMT" ]
+ "Date": [ "Fri, 29 Jul 2022 18:32:03 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "2663" ],
+ "Content-Length": [ "2633" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourcegroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2021-12-12T01:51:12.9027539Z\",\"createdBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2021-12-12T01:51:12.9027539Z\",\"lastModifiedBy\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } } 
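Review bot: The recorded bodies in this file keep real principal identities that the recorder did not scrub: the `systemData.createdBy`/`lastModifiedBy` fields in every `Content` line carry a user e-mail address, and the request keys, URIs and bodies carry the live subscription GUID and workspace names, while only the `Authorization` header is replaced with `[Filtered]`. These fixtures are committed and replayed, so the exposure is permanent in repository history; if the test harness supports it, consider extending its sanitization (or post-processing the recording) so that e-mail addresses and the subscription id are replaced with fixed placeholders before the JSON is checked in. The same pattern is visible in the Get-AzSentinelOnboardingState recording that follows, and presumably in the other recordings this commit adds.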
diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
index ba421bec4e80..fe8ac921fb52 100644
--- a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
+++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json
@@ -1,17 +1,17 @@ { - "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "227" ], - "x-ms-client-request-id": [ "f8b5c201-6908-4a89-9cdb-38b731b3ed50" ], + "x-ms-unique-id": [ "225" ], + "x-ms-client-request-id": [ "1e40b73a-7084-4c64-b548-27396a5fb135" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,35 +24,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "11" ], - "x-ms-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], - "x-ms-correlation-request-id": [ "21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020214Z:21be829e-a8b0-4e8e-a5b1-b4827b31c49d" ], + "x-ms-request-id": [ "caa50af3-8252-4723-8589-345b81169659" ], + "x-ms-correlation-request-id": [ "caa50af3-8252-4723-8589-345b81169659" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183205Z:caa50af3-8252-4723-8589-345b81169659" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "331" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}]}", + "Content": "{\"value\":[{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "228" ], - "x-ms-client-request-id": [ "c3004244-1407-42db-99d3-d644bf0b6cbd" ], + "x-ms-unique-id": [ "226" ], + "x-ms-client-request-id": [ "28c05e08-7327-4140-9161-4b08bc42cd0c" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -65,35 +65,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "10" ], - "x-ms-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], - "x-ms-correlation-request-id": [ "c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:c8ee9bf7-8a35-4ccf-873e-77e03768c3b8" ], + "x-ms-request-id": [ "60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], + "x-ms-correlation-request-id": [ "60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "229" ], - "x-ms-client-request-id": [ "b3c157ba-e1de-428d-b56a-fa42997984bf" ], + "x-ms-unique-id": [ "227" ], + "x-ms-client-request-id": [ "5ab4483f-c530-4f49-9a4d-ac4a5a4c39db" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,35 +106,35 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "9" ], - "x-ms-request-id": [ "8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], - "x-ms-correlation-request-id": [ "8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:8fa2b1bd-5d0d-4330-9813-ff3ec7166aec" ], + "x-ms-request-id": [ "29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], + "x-ms-correlation-request-id": [ "29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:14 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "230" ], - "x-ms-client-request-id": [ "8cb0dc3e-413d-45fc-9e44-61e1c76c245a" ], + "x-ms-unique-id": [ "228" ], + "x-ms-client-request-id": [ "dcdad4b7-b7c2-4e03-b029-3d1bf171d24c" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "8" ], - "x-ms-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], - "x-ms-correlation-request-id": [ "81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020215Z:81d8195e-0d70-46df-8eaa-3ed5dad15a0f" ], + "x-ms-request-id": [ "e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], + "x-ms-correlation-request-id": [ "e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:15 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{},\"properties\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json index 6e0f0902468e..043083a54547 100644 --- a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json 
+++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json @@ -1,17 +1,17 @@ { - "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "231" ], - "x-ms-client-request-id": [ "19eb3922-a3ee-46a7-8ef5-4ece366d0ea2" ], + "x-ms-unique-id": [ "229" ], + "x-ms-client-request-id": [ "16dd286b-bd92-4cd0-9c9d-0d8c41978d92" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], - "x-ms-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], - "x-ms-correlation-request-id": [ "79611318-1db6-4131-869d-d09447af501c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:79611318-1db6-4131-869d-d09447af501c" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], + "x-ms-request-id": [ "5c7d4497-db3c-4582-94e6-906901577cdf" ], + "x-ms-correlation-request-id": [ "5c7d4497-db3c-4582-94e6-906901577cdf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183207Z:5c7d4497-db3c-4582-94e6-906901577cdf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1178" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"1000165a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } }, - "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "232" ], - "x-ms-client-request-id": [ "9691a5fd-cc67-4d7e-b1f7-caaeeae13eb0" ], + "x-ms-unique-id": [ "230" ], + "x-ms-client-request-id": [ "aaa14d5a-8cc2-4b18-a1e6-61f56f205173" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], - "x-ms-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], - "x-ms-correlation-request-id": [ "55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020236Z:55e0d8b4-2be2-46ab-b149-3d9babe269a0" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], + "x-ms-request-id": [ "97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], + "x-ms-correlation-request-id": [ "97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183208Z:97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:02:36 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:07 GMT" ] }, "ContentHeaders": { "Content-Length": [ "392" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"8501b258-0000-0300-0000-61b54cb00000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"1000165a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json index 264f33201f42..be054afc992e 100644 --- a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "233" ], - "x-ms-client-request-id": [ "b28d579b-2e72-4762-ac11-e87bf2eef599" ], + "x-ms-unique-id": [ "231" ], + "x-ms-client-request-id": [ "700dc6ff-6327-4f53-93b3-8df3fccae5a3" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], - "x-ms-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], - "x-ms-correlation-request-id": [ "570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:570b860d-d1f5-4f34-bf8c-c0a96c141f0e" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ], + "x-ms-request-id": [ "938a5d75-8876-4665-ab9e-a2f84bd5076b" ], + "x-ms-correlation-request-id": [ "938a5d75-8876-4665-ab9e-a2f84bd5076b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183210Z:938a5d75-8876-4665-ab9e-a2f84bd5076b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:09 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "4753" ], + "Content-Length": [ "5013" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"1200f4ed-0000-0100-0000-62e4275b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:51.1335761Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:51.1359187Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorftrdne\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"6f007aa7-0000-0500-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:50.5129497Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:50.5154541Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator2fbu57\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"1200efed-0000-0100-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:49.8829555Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.8876488Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicator8hwpzl\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1200eced-0000-0100-0000-62e427590000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:48.7921022Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.1618991Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorlzk6wg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/711bdb9e-2ecc-abba-d962-171ce4710199?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "234" ], - "x-ms-client-request-id": [ 
"1ac48501-1464-4138-ab5f-1d5687f396d5" ], + "x-ms-unique-id": [ "232" ], + "x-ms-client-request-id": [ "31dce92b-2325-4e46-91f7-a2312818031a" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], - "x-ms-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], - "x-ms-correlation-request-id": [ "694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020340Z:694a71b8-847c-47b2-8b2b-b4806b31c7e7" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], + "x-ms-request-id": [ "1d8c9f1e-e510-4d79-a10f-a3518771823a" ], + "x-ms-correlation-request-id": [ "1d8c9f1e-e510-4d79-a10f-a3518771823a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183210Z:1d8c9f1e-e510-4d79-a10f-a3518771823a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:03:39 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:09 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "943" ], + "Content-Length": [ "995" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json index 36cdc113d0c9..343076b4846c 100644 --- a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "235" ], - "x-ms-client-request-id": [ "13903039-a3c7-45c0-87bf-f121e21932a0" ], + "x-ms-unique-id": [ "233" ], + "x-ms-client-request-id": [ "73164ebf-7ab5-4aa2-b857-973428e1e433" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicatorMetric" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicatorMetric_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, 
"ContentHeaders": { @@ -23,20 +23,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], - "x-ms-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], - "x-ms-correlation-request-id": [ "ab5f8907-6953-427d-8fbe-fb1671d65579" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020401Z:ab5f8907-6953-427d-8fbe-fb1671d65579" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], + "x-ms-request-id": [ "02893eb6-c78c-4dc4-9786-77e8b20243e5" ], + "x-ms-correlation-request-id": [ "02893eb6-c78c-4dc4-9786-77e8b20243e5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183211Z:02893eb6-c78c-4dc4-9786-77e8b20243e5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:01 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:10 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "275" ], + "Content-Length": [ "279" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2021-12-12T02:04:01.6827262Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Azure Sentinel\",\"metricValue\":5}]}}]}", + "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2022-07-29T18:32:11.3523407Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Microsoft Sentinel\",\"metricValue\":5}]}}]}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
deleted file mode 100644
index 33cc9de276a4..000000000000
--- a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorCheckRequirement.Tests.ps1
+++ /dev/null
@@ -1,25 +0,0 @@
-if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorCheckRequirement'))
-{
- $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
- if (-Not (Test-Path -Path $loadEnvPath)) {
- $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
- }
- . ($loadEnvPath)
- $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorCheckRequirement.Recording.json'
- $currentPath = $PSScriptRoot
- while(-not $mockingPath) {
- $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
- $currentPath = Split-Path -Path $currentPath -Parent
- }
- . ($mockingPath | Select-Object -First 1).FullName
-}
-
-Describe 'Invoke-AzSentinelDataConnectorCheckRequirement' {
- It 'AADTenant' -skip {
- { throw [System.NotImplementedException] } | Should -Not -Throw
- }
-
- It 'AzureSecurityCenter' -skip {
- { throw [System.NotImplementedException] } | Should -Not -Throw
- }
-}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
deleted file mode 100644
index ac4d88f5b1c8..000000000000
--- a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json
+++ /dev/null
@@ -1,434 +0,0 @@ -{ - "Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureSecurityCenter+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"AzureSecurityCenter\",\n \"properties\": {\n \"subscriptionId\": \"1c61ccbf-70b3-45a3-a1fb-848ce46d70a6\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "119" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], - "x-ms-correlation-request-id": [ "067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:067a90a9-90af-4389-8e0d-dfaa9ca97fdf" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureActiveDirectory+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"AzureActiveDirectory\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "114" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], - "x-ms-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], - "x-ms-correlation-request-id": [ "31d44d8e-f917-453c-94f7-8084bf96b0b9" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020424Z:31d44d8e-f917-453c-94f7-8084bf96b0b9" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:24 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_AzureAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"AzureAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "123" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], - "x-ms-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], - "x-ms-correlation-request-id": [ "a0ffb256-0622-4b9d-851d-104c022195d7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:a0ffb256-0622-4b9d-851d-104c022195d7" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_Dynamics365+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Dynamics365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "105" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], - "x-ms-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], - "x-ms-correlation-request-id": [ "00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020425Z:00f29027-4aed-4d77-b5b2-937ca09c1b7f" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftCloudAppSecurity+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "119" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], - "x-ms-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], - "x-ms-correlation-request-id": [ "d259aace-10bd-4183-a041-cce090f09496" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d259aace-10bd-4183-a041-cce090f09496" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:25 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftDefenderAdvancedThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftDefenderAdvancedThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "135" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], - "x-ms-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], - "x-ms-correlation-request-id": [ "d0278114-9296-43b6-a2bc-8342394a3f83" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:d0278114-9296-43b6-a2bc-8342394a3f83" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "121" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], - "x-ms-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], - "x-ms-correlation-request-id": [ "635f1a34-5786-42ff-81a9-678b7a1637d0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020426Z:635f1a34-5786-42ff-81a9-678b7a1637d0" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:26 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_MicrosoftThreatProtection+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftThreatProtection\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "119" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], - "x-ms-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], - "x-ms-correlation-request-id": [ "29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020427Z:29e7c947-2e90-46d1-8f58-f9154c2e25ff" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeATP+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"OfficeATP\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "103" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], - "x-ms-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], - "x-ms-correlation-request-id": [ "46f168bf-2db7-4ec3-b817-7e6ff0011250" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:46f168bf-2db7-4ec3-b817-7e6ff0011250" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:27 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_OfficeIRM+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"OfficeIRM\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "103" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], - "x-ms-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], - "x-ms-correlation-request-id": [ "f98dc21c-eb87-4827-834b-ec49e690671b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:f98dc21c-eb87-4827-834b-ec49e690671b" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligence+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"ThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "112" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], - "x-ms-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], - "x-ms-correlation-request-id": [ "dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020428Z:dfcf88c3-d99b-413f-be34-4d8e19da0dc8" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - }, - 
"Invoke-AzSentinelDataConnectorsCheckRequirement+[NoContext]+Custom_ThreatIntelligenceTaxii+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview+1": { - "Request": { - "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"ThreatIntelligenceTaxii\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n}", - "isContentBase64": false, - "Headers": { - }, - "ContentHeaders": { - "Content-Type": [ "application/json" ], - "Content-Length": [ "117" ] - } - }, - "Response": { - "StatusCode": 200, - "Headers": { - "Cache-Control": [ "no-cache" ], - "Pragma": [ "no-cache" ], - "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], - "x-ms-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], - "x-ms-correlation-request-id": [ "1f027955-e01b-400d-8018-f815fc1e5710" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020429Z:1f027955-e01b-400d-8018-f815fc1e5710" ], - "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], - "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:28 GMT" ] - }, - "ContentHeaders": { - "Content-Length": [ "53" ], - "Content-Type": [ "application/json; charset=utf-8" ], - "Expires": [ "-1" ] - }, - "Content": "{\"authorizationState\":\"Valid\",\"licenseState\":\"Valid\"}", - "isContentBase64": false - } - } -} \ No newline at end of file 
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1 b/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
deleted file mode 100644
index b44ad970e8b9..000000000000
--- a/src/SecurityInsights/test/Invoke-AzSentinelDataConnectorsCheckRequirement.Tests.ps1
+++ /dev/null
@@ -1,77 +0,0 @@
-if(($null -eq $TestName) -or ($TestName -contains 'Invoke-AzSentinelDataConnectorsCheckRequirement'))
-{
- $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
- if (-Not (Test-Path -Path $loadEnvPath)) {
- $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
- }
- . ($loadEnvPath)
- $TestRecordingFile = Join-Path $PSScriptRoot 'Invoke-AzSentinelDataConnectorsCheckRequirement.Recording.json'
- $currentPath = $PSScriptRoot
- while(-not $mockingPath) {
- $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
- $currentPath = Split-Path -Path $currentPath -Parent
- }
- . ($mockingPath | Select-Object -First 1).FullName
-}
-
-Describe 'Invoke-AzSentinelDataConnectorsCheckRequirement' {
- It 'Custom_AzureSecurityCenter' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureSecurityCenter -ASCSubscriptionId $env.SubscriptionId
- $result | Should -Not -Be $null
- }
-
- It 'Custom_AzureActiveDirectory' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureActiveDirectory -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_AzureAdvancedThreatProtection' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind AzureAdvancedThreatProtection -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_Dynamics365' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind Dynamics365 -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_MicrosoftCloudAppSecurity' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftCloudAppSecurity -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_MicrosoftDefenderAdvancedThreatProtection' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftDefenderAdvancedThreatProtection -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_MicrosoftThreatIntelligence' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatIntelligence -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_MicrosoftThreatProtection' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind MicrosoftThreatProtection -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_OfficeATP' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeATP -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_OfficeIRM' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind OfficeIRM -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_ThreatIntelligence' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligence -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-
- It 'Custom_ThreatIntelligenceTaxii' {
- $result = Invoke-AzSentinelDataConnectorsCheckRequirement -ResourceGroupName $env.ResourceGroupName -WorkspaceName $env.workspaceName -Kind ThreatIntelligenceTaxii -TenantId $env.Tenant
- $result | Should -Not -Be $null
- }
-}
diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json index bc429ea06f43..18a5bb2dbdb4 100644 --- a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json +++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json @@ -1,8 +1,8 @@ { - "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { + "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", "Content": "{\n \"pageSize\": 10,\n \"includeDisabled\": true\n}", "isContentBase64": false, "Headers": { 
@@ -18,20 +18,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11939" ], - "x-ms-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], - "x-ms-correlation-request-id": [ "6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020450Z:6ffbdd72-7b6b-47e7-bbf5-5f789fdd5f19" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], + "x-ms-request-id": [ "8843fc5d-9a2a-46b5-93bc-121567004e12" ], + "x-ms-correlation-request-id": [ "8843fc5d-9a2a-46b5-93bc-121567004e12" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183212Z:8843fc5d-9a2a-46b5-93bc-121567004e12" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:04:50 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:11 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "4753" ], + "Content-Length": [ "5013" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/e43bf713-da7f-8329-80bb-e1556c70abdd\",\"name\":\"e43bf713-da7f-8329-80bb-e1556c70abdd\",\"etag\":\"\\\"00004c9d-0000-0200-0000-61b555c10000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:49.8349782Z\",\"externalId\":\"indicator--1a8e6023-38be-4bf1-92a9-d0f8bff496f3\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:49.8423586Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorol6dht\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"name\":\"857acee8-b9d5-9c49-56c4-93496d0bf3bf\",\"etag\":\"\\\"00004a9d-0000-0200-0000-61b555b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.9401782Z\",\"externalId\":\"indicator--2310bb8d-83b8-4d07-b46a-082da3184294\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.9404217Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator9tg8p7\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"name\":\"b37ddba1-7a4f-1feb-9959-e1161d3bf335\",\"etag\":\"\\\"0000459d-0000-0200-0000-61b555b40000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:48.0131394Z\",\"externalId\":\"indicator--01627cbb-77f2-4832-9dbe-9c3cf232ddef\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:48.0976111Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatornqcsd9\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"name\":\"ccfb7869-be18-0f44-ff2c-a9b36e598fd1\",\"etag\":\"\\\"0000429d-0000-0200-0000-61b555b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:46.6007607Z\",\"externalId\":\"indicator--f7049b64-f651-4bd5-8324-3d13dc40ebc7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:46.8679787Z\",\"revoked\":false,\"source\":\"Azure 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorows6tu\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/threatIntelligence/711bdb9e-2ecc-abba-d962-171ce4710199\",\"name\":\"711bdb9e-2ecc-abba-d962-171ce4710199\",\"etag\":\"\\\"00004b9d-0000-0200-0000-61b555c00000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2021-12-12T01:51:42.7595857Z\",\"externalId\":\"indicator--6990ddd5-505d-42ac-9880-ab23363f30c7\",\"lastUpdatedTimeUtc\":\"2021-12-12T01:51:45.3738433Z\",\"revoked\":false,\"source\":\"Azure Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator2c47h8\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2021-12-12T01:00:00Z\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"1200f4ed-0000-0100-0000-62e4275b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:51.1335761Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:51.1359187Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorftrdne\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"6f007aa7-0000-0500-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:50.5129497Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:50.5154541Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator2fbu57\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"1200efed-0000-0100-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:49.8829555Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.8876488Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicator8hwpzl\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1200eced-0000-0100-0000-62e427590000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:48.7921022Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.1618991Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorlzk6wg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json index 721e709eb8ad..d956dc56f43b 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json 
@@ -1,15 +1,15 @@ { - "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "621" ] + "Content-Length": [ "622" ] } }, "Response": { 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], - "x-ms-correlation-request-id": [ "83a95078-452b-4182-bc87-232dfeea8d3f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020513Z:83a95078-452b-4182-bc87-232dfeea8d3f" ], + "x-ms-request-id": [ "6bbc7bc0-800d-4e23-9dc9-23def5929916" ], + "x-ms-correlation-request-id": [ "6bbc7bc0-800d-4e23-9dc9-23def5929916" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183213Z:6bbc7bc0-800d-4e23-9dc9-23def5929916" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:05:12 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:12 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1047" ], + "Content-Length": [ "1048" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/5147f709-f401-4e34-865c-e348fcfdf633\",\"name\":\"5147f709-f401-4e34-865c-e348fcfdf633\",\"etag\":\"\\\"930033c9-0000-0100-0000-61b558d80000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:12.5081355Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8\",\"name\":\"5a84cae5-b8d3-49c5-9418-9f3d635d30b8\",\"etag\":\"\\\"2e00873f-0000-0100-0000-62e427ad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:32:13.2109287Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 index e2ad07c21c56..99ef9a01265d 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRule')) Describe 'New-AzSentinelAlertRule' { It 'CreateExpanded' { $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Kind Scheduled -Disabled -Query 'SecurityEvent | take 1' -DisplayName "NewAlertRulePSTest" -Severity Informational ` + -Kind Scheduled -Query 'SecurityEvent | take 1' -DisplayName "NewAlertRulePSTest" -Severity Informational ` -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1 $alertRule.DisplayName | Should -Be "NewAlertRulePSTest" } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json index 63d58aca0652..68d82516d255 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json 
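Review bot: The test still asserts only `DisplayName`, so the enablement state this change affects is never checked; the re-recorded request in New-AzSentinelAlertRule.Recording.json now sends `"enabled": false` without `-Disabled`, whereas the previous recording sent `"enabled": true` with `-Disabled`, which suggests the switch and the default were previously inverted and this test would not have caught it in either direction. Add an assertion that pins the intended state, e.g. `$alertRule.Enabled | Should -Be $false` (or `$true` if an enabled rule is what the test means to create), so a regression in how `-Disabled` maps onto the rule's `enabled` property surfaces in CI rather than as a detection rule that is silently active or inactive in a workspace. The same unchecked property appears in the New-AzSentinelAlertRuleAction recording, whose test is outside this chunk. The enclosing Describe block closes outside the hunk.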
@@ -1,15 +1,15 @@ { - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "621" ] + "Content-Length": [ "622" ] } }, "Response": { 
@@ -19,27 +19,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], - "x-ms-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], - "x-ms-correlation-request-id": [ "d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020534Z:d6a72ee0-a7dc-4bab-b03d-651e9c5731b5" ], + "x-ms-request-id": [ "44c8fefb-1964-4049-8644-a0a70e34d50a" ], + "x-ms-correlation-request-id": [ "44c8fefb-1964-4049-8644-a0a70e34d50a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183214Z:44c8fefb-1964-4049-8644-a0a70e34d50a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:05:33 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:13 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1047" ], + "Content-Length": [ "1048" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69\",\"name\":\"973adaf2-4d97-4f62-af62-b19edbf22e69\",\"etag\":\"\\\"9300f3cc-0000-0100-0000-61b558ee0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":true,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:05:33.9989938Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a\",\"name\":\"2a06ef26-4b40-4fe2-b06c-35967b0b841a\",\"etag\":\"\\\"2e00883f-0000-0100-0000-62e427ae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:32:14.0922704Z\"}}", "isContentBase64": false } }, - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": \"https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": 
\"https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -55,19 +55,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], - "x-ms-correlation-request-id": [ "8027ce88-1f97-4221-8074-99b3ee7d128b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020535Z:8027ce88-1f97-4221-8074-99b3ee7d128b" ], + "x-ms-request-id": [ "bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], + "x-ms-correlation-request-id": [ "bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183215Z:bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:05:34 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:14 GMT" ] }, "ContentHeaders": { "Content-Length": [ "610" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/973adaf2-4d97-4f62-af62-b19edbf22e69/actions/e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"name\":\"e9a08151-4f8b-43ae-9199-2c0df1ce9038\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905\",\"name\":\"d5d437c2-9aaf-4704-95a8-a7b5f3f1b905\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 index d44be2f4904b..24966ff8faee 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 
@@ -17,9 +17,9 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRuleAction
 Describe 'New-AzSentinelAlertRuleAction' {
 It 'CreateExpanded' {
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Kind Scheduled -Disabled -Query "SecurityEvent | take 1" -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -Kind Scheduled -Query "SecurityEvent | take 1" -DisplayName "NewAlertRulePSTest" -Severity Informational `
 -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
- $alertRuleAction = New-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) -ResourceGroupName $env.ResourceGroupName `
+ $alertRuleAction = New-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName `
 -RuleId ($alertRule.Name) -WorkspaceName $env.workspaceName -LogicAppResourceId $env.Playbook1LogicAppResourceId `
 -TriggerUri $env.Playbook1TriggerUrl
 $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId
diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
index b52dd85f383d..e2dc88a88c64 100644
--- a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json
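Review bot: `-TriggerUri $env.Playbook1TriggerUrl` is recorded verbatim into New-AzSentinelAlertRuleAction.Recording.json, where the Logic App trigger URL in the PUT body carries its `sig=` shared-access signature; that signature is a bearer credential for the playbook trigger endpoint, so the recording sanitizer should mask the `sig` value (or the env should supply a placeholder URL) before the file is committed, and the key in the live environment should be rotated. The removed `-Id ((New-Guid).Guid)` here, and the same removal in the New-AzSentinelAutomationRule.Tests.ps1 and New-AzSentinelBookmark.Tests.ps1 hunks, is not covered by any assertion; `$alertRuleAction.Name | Should -Not -BeNullOrEmpty` would pin the generated-id path. Other re-recorded responses in this commit also embed a personal e-mail address and object id in `createdBy`/`lastModifiedBy`, which the same sanitizer could redact. The It block closes outside the hunk.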
@@ -1,9 +1,9 @@ { - "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview+1": { + "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c095abfc-e7b8-4556-907d-caa5e924e955?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRulePSTest\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c095abfc-e7b8-4556-907d-caa5e924e955?api-version=2021-09-01-preview", + "Content": "{\n 
\"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRulePSTest\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], - "x-ms-correlation-request-id": [ "b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020558Z:b7e7f700-5069-48ec-9bd6-e1b1cfacb9c2" ], + "x-ms-request-id": [ "bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], + "x-ms-correlation-request-id": [ "bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183217Z:bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:05:57 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1346" ], + "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"name\":\"9612d8a8-8eef-4188-b4d3-11b66bfc0800\",\"etag\":\"\\\"79004be5-0000-0100-0000-61b559060000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulePSTest\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:05:58Z\",\"createdTimeUtc\":\"2021-12-12T02:05:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c095abfc-e7b8-4556-907d-caa5e924e955\",\"name\":\"c095abfc-e7b8-4556-907d-caa5e924e955\",\"etag\":\"\\\"03009cb1-0000-0100-0000-62e427b10000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulePSTest\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:17Z\",\"createdTimeUtc\":\"2022-07-29T18:32:17Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 index b5be0e04d2a6..e827b7d0fd75 100644 --- a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 
@@ -21,7 +21,7 @@ Describe 'New-AzSentinelAutomationRule' {
 $automationRuleAction.ActionType = "RunPlaybook"
 $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook2LogicAppResourceId
 $automationRuleAction.ActionConfigurationTenantId = $env.Tenant
- $automationRule = New-AzSentinelAutomationRule -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName `
+ $automationRule = New-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName `
 -WorkspaceName $env.workspaceName -Action $automationRuleAction -DisplayName "NewAutomationRulePSTest" -Order 2 `
 -TriggeringLogicIsEnabled
 $automationRule.DisplayName | Should -Be "NewAutomationRulePSTest"
diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
index 3e6bf985d937..e49f7723f16c 100644
--- a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json
@@ -1,9 +1,9 @@ { - "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkPSTest\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2021-12-12T02:06:29.0674151Z\",\n \"queryStartTime\": \"2021-12-11T02:06:29.0660871Z\",\n \"queryEndTime\": \"2021-12-12T02:06:29.0666390Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkPSTest\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2022-07-29T18:32:17.8931904Z\",\n \"queryStartTime\": \"2022-07-28T18:32:17.8929330Z\",\n \"queryEndTime\": \"2022-07-29T18:32:17.8930837Z\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], - "x-ms-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], - "x-ms-correlation-request-id": [ "607f3836-8646-408b-aa27-0348a676b88e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020620Z:607f3836-8646-408b-aa27-0348a676b88e" ], + "x-ms-request-id": [ "bdec5dac-d068-440d-bc7e-3c5ab751527b" ], + "x-ms-correlation-request-id": [ "bdec5dac-d068-440d-bc7e-3c5ab751527b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183218Z:bdec5dac-d068-440d-bc7e-3c5ab751527b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:06:20 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1074" ], + "Content-Length": [ "1044" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"name\":\"aa863e57-e1ec-45cf-a4d9-1db1a64a354d\",\"etag\":\"\\\"6b02b4e0-0000-0100-0000-61b5591c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkPSTest\",\"created\":\"2021-12-12T02:06:20.7338899+00:00\",\"updated\":\"2021-12-12T02:06:20+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:29.0674151+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 
1\",\"queryStartTime\":\"2021-12-11T02:06:29.0660871+00:00\",\"queryEndTime\":\"2021-12-12T02:06:29.066639+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d\",\"name\":\"c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d\",\"etag\":\"\\\"0100d593-0000-0100-0000-62e427b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkPSTest\",\"created\":\"2022-07-29T18:32:18.0693425+00:00\",\"updated\":\"2022-07-29T18:32:18+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:17.8931904+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2022-07-28T18:32:17.892933+00:00\",\"queryEndTime\":\"2022-07-29T18:32:17.8930837+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 index 0f6230c9300e..7d130f6bb69d 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 
@@ -16,7 +16,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmark')) Describe 'New-AzSentinelBookmark' { It 'CreateExpanded' { - $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName ` + $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkPSTest" -Query "SecurityEvent | take 1" ` -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $bookmark.DisplayName | Should -Be "NewBookmarkPSTest" diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json index c193128326b0..186dfb09fc52 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json 
@@ -1,9 +1,9 @@ { - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:06:50.3515249Z\",\n \"queryStartTime\": \"2021-12-11T02:06:50.3509781Z\",\n \"queryEndTime\": \"2021-12-12T02:06:50.3513391Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:32:18.7020279Z\",\n \"queryStartTime\": \"2022-07-28T18:32:18.7017934Z\",\n \"queryEndTime\": \"2022-07-29T18:32:18.7019239Z\"\n }\n}", 
"isContentBase64": false, "Headers": { }, 
@@ -19,26 +19,26 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], - "x-ms-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], - "x-ms-correlation-request-id": [ "54f92a27-3ce0-451c-a6a7-57c490614229" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020641Z:54f92a27-3ce0-451c-a6a7-57c490614229" ], + "x-ms-request-id": [ "a873c55d-260a-47f9-b260-bf7d852b6f03" ], + "x-ms-correlation-request-id": [ "a873c55d-260a-47f9-b260-bf7d852b6f03" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183218Z:a873c55d-260a-47f9-b260-bf7d852b6f03" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:06:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1085" ], + "Content-Length": [ "1055" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"name\":\"c14cba0a-4aa1-4d5f-9080-c510f9057e39\",\"etag\":\"\\\"6b0269e1-0000-0100-0000-61b559310000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkRelationPSTest\",\"created\":\"2021-12-12T02:06:41.8714854+00:00\",\"updated\":\"2021-12-12T02:06:41+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2021-12-12T02:06:50.3515249+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2021-12-11T02:06:50.3509781+00:00\",\"queryEndTime\":\"2021-12-12T02:06:50.3513391+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2\",\"name\":\"24122f4f-0774-4453-bd32-f036e3c86ad2\",\"etag\":\"\\\"0100d693-0000-0100-0000-62e427b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkRelationPSTest\",\"created\":\"2022-07-29T18:32:18.8385163+00:00\",\"updated\":\"2022-07-29T18:32:18+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:18.7020279+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-07-28T18:32:18.7017934+00:00\",\"queryEndTime\":\"2022-07-29T18:32:18.7019239+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewBookmarkRelationPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -55,27 +55,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], - "x-ms-correlation-request-id": [ "4f33c507-2951-4059-a27f-37ed38709947" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020642Z:4f33c507-2951-4059-a27f-37ed38709947" ], + "x-ms-request-id": [ "16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], + "x-ms-correlation-request-id": [ "16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183219Z:16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:18 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1219" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"name\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"etag\":\"\\\"3c009578-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"createdTimeUtc\":\"2021-12-12T02:06:42.155687Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70
b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"name\":\"23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"etag\":\"\\\"1200b30b-0000-0100-0000-62e427b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:19.183455Z\",\"createdTimeUtc\":\"2022-07-29T18:32:19.183455Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", "isContentBase64": false } }, - 
"New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview+3": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": 
\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -91,19 +91,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], - "x-ms-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], - "x-ms-correlation-request-id": [ "e4184674-c345-4f93-a706-44473e0ef70e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020642Z:e4184674-c345-4f93-a706-44473e0ef70e" ], + "x-ms-request-id": [ "09dbf693-010b-48cc-a1d1-989eaa712346" ], + "x-ms-correlation-request-id": [ "09dbf693-010b-48cc-a1d1-989eaa712346" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183219Z:09dbf693-010b-48cc-a1d1-989eaa712346" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:06:42 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:18 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c14cba0a-4aa1-4d5f-9080-c510f9057e39/relations/c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"name\":\"c68fd237-f983-4d0a-8c76-6933a86e15d7\",\"etag\":\"\\\"6b0273e1-0000-0100-0000-61b559320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceName\":\"878b8f0f-3f11-47bd-849f-24a935b0efd5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb\",\"name\":\"5e7e189d-d2b3-421e-9552-a224176962bb\",\"etag\":\"\\\"0100d793-0000-0100-0000-62e427b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"relatedResourceName\":\"23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 index a25434a3f3c8..b9cb1b5bed27 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 
@@ -16,12 +16,12 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmarkRelatio Describe 'New-AzSentinelBookmarkRelation' { It 'CreateExpanded' { - $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName ` + $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkRelationPSTest" -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewBookmarkRelationPSTest" - $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name -RelationName ((New-Guid).Guid) ` + -Severity Informational -Status New -Title "NewBookmarkRelationPSTest" + $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name ` -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RelatedResourceId $incident.Id $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id } diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json index 26e0adb53f53..6ace0d7c98cc 100644 --- a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json 
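Review bot: The bookmark query on the context line `-Query "SecurityEvent\n| take 1"` is sent with a literal backslash-n, because PowerShell double-quoted strings do not interpret `\n`; the accompanying recording in this commit stores the query as `SecurityEvent\n| take 1` with the backslash intact, so the bookmark's KQL is not the two-line query the author appears to intend. Use the PowerShell escape instead, `` -Query "SecurityEvent`n| take 1" ``, or flatten it to `-Query "SecurityEvent | take 1"`; either change alters the request body, so the recording would need to be regenerated. The `Describe` block's closing brace lies outside the hunk.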
@@ -1,9 +1,9 @@ { - "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview+1": { + "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n 
\"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -18,20 +18,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], - "x-ms-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], - "x-ms-correlation-request-id": [ "64586126-56b6-4bdf-9b06-bc6b048fd665" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020704Z:64586126-56b6-4bdf-9b06-bc6b048fd665" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "d37a4f4f-63dd-41a1-b877-3731ea712f62" ], + "x-ms-correlation-request-id": [ "d37a4f4f-63dd-41a1-b877-3731ea712f62" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183220Z:d37a4f4f-63dd-41a1-b877-3731ea712f62" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:07:04 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "675" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"name\":\"a9a5afd4-43fd-4973-9a02-c30a6b06c40d\",\"etag\":\"340c63e1-c0f5-4771-89ed-8d5652f9c15d\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef\",\"name\":\"3b07915c-32d6-4bcc-a6f3-525cc869a8ef\",\"etag\":\"943180a1-92f2-4907-a28f-a66966a4505c\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 index f9c0e921740a..4a3db9a436ea 100644 --- a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 @@ -17,8 +17,9 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelDataConnector') Describe 'New-AzSentinelDataConnector' { It 'CreateExpanded' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All ` + -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All ` -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All $dataConnector | Should -Not -Be $null } } + \ No newline at end of file diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json index 7a2b32327b20..44917c205df0 100644 
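Review bot: The last added line of the New-AzSentinelDataConnector.Tests.ps1 hunk is an empty line that now ends the file without a terminating newline (`\ No newline at end of file`), a whitespace-only change that will resurface in every future diff of the file; drop the stray blank line and keep the file newline-terminated. Separately, `$dataConnector | Should -Not -Be $null` only proves the cmdlet returned an object: assert what was requested, e.g. `$dataConnector.Kind | Should -Be 'MicrosoftThreatIntelligence'` (property name inferred from the `kind` field in the recorded response; confirm against the cmdlet's output type). The same thin-assertion pattern appears in New-AzSentinelIncident.Tests.ps1 further down, where only Title is checked although Severity and Status are also set.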
--- a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json 
@@ -1,8 +1,8 @@ { - "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview+1": { + "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816?api-version=2021-09-01-preview", "Content": "{\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = 
tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\n },\n \"title\": \"The user consented to OAuth application\",\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\n \"inputEntityType\": \"Account\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -18,20 +18,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], - "x-ms-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], - "x-ms-correlation-request-id": [ "8b652823-01cc-42b7-88c7-36b658aaa3bb" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020726Z:8b652823-01cc-42b7-88c7-36b658aaa3bb" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], + "x-ms-request-id": [ "44b3ffba-7387-47dc-959f-e5e1eff70287" ], + "x-ms-correlation-request-id": [ "44b3ffba-7387-47dc-959f-e5e1eff70287" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183222Z:44b3ffba-7387-47dc-959f-e5e1eff70287" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:07:26 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:21 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2034" ], + "Content-Length": [ "2032" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"name\":\"56959909-d6b6-4cf1-95b3-6c86f0a7dc5e\",\"etag\":\"\\\"5101f127-0000-0100-0000-61b5595e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and 
Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:07:26.3377287Z\",\"inputEntityType\":\"Account\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816\",\"name\":\"97a72f13-f00c-4a70-9d9e-c06259cb1816\",\"etag\":\"\\\"890061d5-0000-0100-0000-62e427b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, 
Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:32:22.163164Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:32:22.163164Z\",\"inputEntityType\":\"Account\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 index 563857267e84..93e231090527 100644 --- a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 
@@ -28,7 +28,7 @@ Describe 'New-AzSentinelEntityQuery' { UserConsentToApplication(''{{Account_Name}}'', ''{{Account_UPNSuffix}}'', ''{{Account_AadUserId}}'') | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated' $entityQuery = New-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title "The user consented to OAuth application" ` + -Kind Activity -Title "The user consented to OAuth application" ` -InputEntityType "Account" -Content "The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)" ` -Description "This activity lists user's consents to an OAuth applications." ` -QueryDefinitionQuery $query diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json index 75dc6cbdf0e4..b6498e367b67 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json 
@@ -1,8 +1,8 @@ { - "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], - "x-ms-correlation-request-id": [ "2c3ed61a-6a11-4eb0-97c9-554725d92685" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020747Z:2c3ed61a-6a11-4eb0-97c9-554725d92685" ], + "x-ms-request-id": [ "65a14e82-fb19-46ef-8ef7-1c75229af55f" ], + "x-ms-correlation-request-id": [ "65a14e82-fb19-46ef-8ef7-1c75229af55f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183223Z:65a14e82-fb19-46ef-8ef7-1c75229af55f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:07:47 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1213" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"name\":\"0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"etag\":\"\\\"3c006b7a-0000-0100-0000-61b559730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"createdTimeUtc\":\"2021-12-12T02:07:47.5655543Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a
3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0e4bfdc2-dfdf-46a5-88e8-f8184be9d9aa\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"name\":\"d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"etag\":\"\\\"1200b50b-0000-0100-0000-62e427b70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:23.0283919Z\",\"createdTimeUtc\":\"2022-07-29T18:32:23.0283919Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 index 5599eb9c01ae..ad82bfe68a6c 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncident'))
Describe 'New-AzSentinelIncident' {
It 'CreateExpanded' {
$incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentPSTest"
+ -Severity Informational -Status New -Title "NewIncidentPSTest"
$incident.Title | Should -Be "NewIncidentPSTest"
}
}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
index 65af3b90c983..37df8028ad63 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
@@ -1,8 +1,8 @@ { - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,26 +19,26 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], - "x-ms-correlation-request-id": [ "b9a2fecf-a534-4b99-b1f6-db6642e90197" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020809Z:b9a2fecf-a534-4b99-b1f6-db6642e90197" ], + "x-ms-request-id": [ "a4084f2f-eb3d-4623-8c04-a769eac16f62" ], + "x-ms-correlation-request-id": [ "a4084f2f-eb3d-4623-8c04-a769eac16f62" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183224Z:a4084f2f-eb3d-4623-8c04-a769eac16f62" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:08 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:23 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1220" ], + "Content-Length": [ "1218" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"name\":\"ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"etag\":\"\\\"3c00ec7a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentCommentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"createdTimeUtc\":\"2021-12-12T02:08:09.5235385Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"name\":\"9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"etag\":\"\\\"1200b60b-0000-0100-0000-62e427b80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentCommentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:24.073146Z\",\"createdTimeUtc\":\"2022-07-29T18:32:24.073146Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/comments/eef705df-6d30-4c10-8727-98bae3da3b93?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/comments/af24ae68-4352-4fb3-837b-8bce51dae455?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/comments/eef705df-6d30-4c10-8727-98bae3da3b93?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"message\": \"NewIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -55,19 +55,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], - "x-ms-correlation-request-id": [ "2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020810Z:2dc93090-c394-4f85-bf6e-2bb4d0f38179" ], + "x-ms-request-id": [ "dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], + "x-ms-correlation-request-id": [ "dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183224Z:dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:09 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:23 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "789" ], + "Content-Length": [ "759" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/ded5d1ef-0f12-402a-adab-bbd723756ea1/Comments/af24ae68-4352-4fb3-837b-8bce51dae455\",\"name\":\"af24ae68-4352-4fb3-837b-8bce51dae455\",\"etag\":\"\\\"3c00f17a-0000-0100-0000-61b559890000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:08:09.9001761Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/Comments/eef705df-6d30-4c10-8727-98bae3da3b93\",\"name\":\"eef705df-6d30-4c10-8727-98bae3da3b93\",\"etag\":\"\\\"1200b70b-0000-0100-0000-62e427b80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:32:24.6441099Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:32:24.6441099Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}",
"isContentBase64": false
}
}
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1
index 4e940249a4c1..2c2a85cdcd09 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1
@@ -17,9 +17,9 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentComment
Describe 'New-AzSentinelIncidentComment' {
It 'CreateExpanded' {
$incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentCommentPSTest"
+ -Severity Informational -Status New -Title "NewIncidentCommentPSTest"
$incidentComment = New-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Id ((New-Guid).Guid) -IncidentId $incident.Name -Message "NewIncidentCommentPSTest"
+ -IncidentId $incident.Name -Message "NewIncidentCommentPSTest"
$incidentComment.Message | Should -Be "NewIncidentCommentPSTest"
}
}
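Review bot: The new-side recorded response body commits a real user identity to the repository — `author.objectId` `9419133c-…`, `email`/`userPrincipalName` `nicholas@zeronetworks.com` and a display name — and the removed line shows the same person's previous test-tenant account, so this is live identity data from a third-party corporate tenant rather than synthetic fixture data. The test asserts only `$incidentComment.Message`, and the recording key appears to match on method plus request URI, so the `author` object can be scrubbed before commit without affecting playback, e.g. `\"author\":{\"objectId\":\"00000000-0000-0000-0000-000000000000\",\"email\":\"user@example.com\",\"name\":\"Test User\",\"userPrincipalName\":\"user@example.com\"}`. The same identity recurs in the bookmark recording's `createdBy`/`updatedBy` fields further down, so a sanitizer step in the recording pipeline is preferable to hand-editing. The subscription id and workspace names are also real values; whether those are acceptable is a project policy call, but the identity fields should not be merged as-is.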
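Review bot: `$incident.Name` is passed to `-IncidentId` on the new `+ -IncidentId $incident.Name -Message …` line with no check that the preceding `New-AzSentinelIncident` call returned an object; now that the identifier is generated inside the cmdlet rather than by the test, a failed create surfaces as a parameter-binding or malformed-request error on the comment call instead of a clear assertion at the point of failure. Insert `$incident.Name | Should -Not -BeNullOrEmpty` between the two calls, and add `$incidentComment.Name | Should -Not -BeNullOrEmpty` since the comment id is now also cmdlet-generated and otherwise unverified. As in the sibling test, no teardown of the created incident is visible in the hunk, which matters for live runs against the shared workspace.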
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
index 9c7cd908c266..b35468d72dba 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
@@ -1,9 +1,9 @@ { - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:08:40.3864588Z\",\n \"queryStartTime\": \"2021-12-11T02:08:40.3860073Z\",\n \"queryEndTime\": \"2021-12-12T02:08:40.3862850Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:32:25.9295103Z\",\n \"queryStartTime\": \"2022-07-28T18:32:25.9292171Z\",\n \"queryEndTime\": \"2022-07-29T18:32:25.9293781Z\"\n }\n}", 
"isContentBase64": false, "Headers": { }, 
@@ -18,27 +18,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], - "x-ms-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], - "x-ms-correlation-request-id": [ "bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020831Z:bc0d5cf8-db13-427e-8272-e2ad13b7830a" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], + "x-ms-request-id": [ "37deffd3-9f01-486b-9c07-a77b3a13211b" ], + "x-ms-correlation-request-id": [ "37deffd3-9f01-486b-9c07-a77b3a13211b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183226Z:37deffd3-9f01-486b-9c07-a77b3a13211b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:26 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1084" ], + "Content-Length": [ "1055" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"name\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"etag\":\"\\\"6b02fee4-0000-0100-0000-61b5599f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewIncidentRelationPSTest\",\"created\":\"2021-12-12T02:08:31.8504366+00:00\",\"updated\":\"2021-12-12T02:08:31+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:08:40.3864588+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-11T02:08:40.3860073+00:00\",\"queryEndTime\":\"2021-12-12T02:08:40.386285+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"name\":\"b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"etag\":\"\\\"0100d893-0000-0100-0000-62e427ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewIncidentRelationPSTest\",\"created\":\"2022-07-29T18:32:26.1500016+00:00\",\"updated\":\"2022-07-29T18:32:26+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:25.9295103+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-07-28T18:32:25.9292171+00:00\",\"queryEndTime\":\"2022-07-29T18:32:25.9293781+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentRelationPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -55,27 +55,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], - "x-ms-correlation-request-id": [ "8b21f6cc-e664-484d-97a9-45898efa2ef7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020832Z:8b21f6cc-e664-484d-97a9-45898efa2ef7" ], + "x-ms-request-id": [ "1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], + "x-ms-correlation-request-id": [ "1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183227Z:1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:27 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1221" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"name\":\"d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"etag\":\"\\\"3c00807b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"createdTimeUtc\":\"2021-12-12T02:08:32.0999195Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-
70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"name\":\"6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"etag\":\"\\\"1200b90b-0000-0100-0000-62e427bb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:27.0748517Z\",\"createdTimeUtc\":\"2022-07-29T18:32:27.0748517Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", "isContentBase64": false } }, - 
"New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview+3": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": 
\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -91,19 +91,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], - "x-ms-correlation-request-id": [ "1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020832Z:1a8c3539-e9c8-4ae7-93c3-cd2f29626ab2" ], + "x-ms-request-id": [ "ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], + "x-ms-correlation-request-id": [ "ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183228Z:ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:31 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:28 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/d87bcc72-7d44-45a7-bf59-dcf7fc67b8d1/relations/b7b6b9c0-028a-46c8-968c-802c214340b3\",\"name\":\"b7b6b9c0-028a-46c8-968c-802c214340b3\",\"etag\":\"\\\"3c00847b-0000-0100-0000-61b559a00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceName\":\"a6a9698e-7a5e-4406-a2a3-d5ca77107d6c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b\",\"name\":\"0d41c976-cb1d-4723-bb04-7aabb2fc688b\",\"etag\":\"\\\"1200ba0b-0000-0100-0000-62e427bc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"relatedResourceName\":\"b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 index 54d60f23df2d..8c9d1a17559f 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 
@@ -17,12 +17,12 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentRelatio Describe 'New-AzSentinelIncidentRelation' { It 'CreateExpanded' { $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id ((New-Guid).Guid) -DisplayName "NewIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` + -DisplayName "NewIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NewIncidentRelationPSTest" + -Severity Informational -Status New -Title "NewIncidentRelationPSTest" $incidentRelation = New-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -IncidentId $incident.Name -RelationName ((New-Guid).Guid) -RelatedResourceId $bookmark.Id + -IncidentId $incident.Name -RelatedResourceId $bookmark.Id $incidentRelation.RelatedResourceId | Should -Be $bookmark.Id } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json index 9f260a1d3ef8..037fc6ca7346 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json 
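Review bot: The bookmark query on the new `+ -DisplayName … -Query "SecurityEvent\n| take 1"` line is a double-quoted PowerShell string, where `\n` is not an escape sequence, so the service receives a literal backslash-n (the recording's request body shows `SecurityEvent\\n| take 1`) and the stored KQL is not a runnable query; the test passes only because bookmark creation does not execute it. Use a PowerShell newline or a single line, e.g. ``-Query "SecurityEvent`n| take 1"`` or `-Query "SecurityEvent | take 1"`, so the fixture reflects what a user would actually store. The final assertion compares `RelatedResourceId` with `$bookmark.Id`, but nothing verifies `$incident.Name` was populated before it is passed as `-IncidentId`; a `$incident.Name | Should -Not -BeNullOrEmpty` guard after the incident is created would make a create failure report at the right place.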
@@ -1,8 +1,8 @@ { - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NITPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,26 +19,26 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], - "x-ms-correlation-request-id": [ "b747fabb-3578-4c20-879e-e8f9d3967805" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020854Z:b747fabb-3578-4c20-879e-e8f9d3967805" ], + "x-ms-request-id": [ "0e8ba032-fc94-4c22-8627-fa9c231acba0" ], + "x-ms-correlation-request-id": [ "0e8ba032-fc94-4c22-8627-fa9c231acba0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183230Z:0e8ba032-fc94-4c22-8627-fa9c231acba0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:53 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1205" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"name\":\"8be31373-5184-4105-a012-dd4a94188a6e\",\"etag\":\"\\\"3c00e17b-0000-0100-0000-61b559b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NITPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"createdTimeUtc\":\"2021-12-12T02:08:54.1822429Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-8
48ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/8be31373-5184-4105-a012-dd4a94188a6e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"name\":\"c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"etag\":\"\\\"1200bc0b-0000-0100-0000-62e427be0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NITPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:30.2459595Z\",\"createdTimeUtc\":\"2022-07-29T18:32:30.2459595Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e/createTeam?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/8be31373-5184-4105-a012-dd4a94188a6e/createTeam?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e/createTeam?api-version=2021-09-01-preview", "Content": "{\n \"teamName\": \"NITPSTest\"\n}", "isContentBase64": false, "Headers": { 
@@ -54,20 +54,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], - "x-ms-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], - "x-ms-correlation-request-id": [ "9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T020857Z:9debb5c1-62f8-4b27-bf6e-dd87c24a9805" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], + "x-ms-request-id": [ "6f903f0c-41f4-482b-9454-dbceb731e2ac" ], + "x-ms-correlation-request-id": [ "6f903f0c-41f4-482b-9454-dbceb731e2ac" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183234Z:6f903f0c-41f4-482b-9454-dbceb731e2ac" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:08:57 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "351" ], + "Content-Length": [ "353" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"teamId\":\"f35942d5-9ccd-4683-b9f3-9e606644bdef\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19:Rd-gdsF3H1aQfej8OHndmWn6d1YcVARleCI3HazjTdI1%40thread.tacv2/conversations?groupId=f35942d5-9ccd-4683-b9f3-9e606644bdef\u0026tenantId=5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\"teamCreationTimeUtc\":\"2021-12-12T02:08:57.4447948+00:00\",\"name\":\"NITPSTest\"}", + "Content": "{\"teamId\":\"e8abde8e-20bf-4d28-a0cf-a25b8ef731e5\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19%3awAxTFtJrxhqz0Tl15zSTytL-_r6BsNe_mDZssyUE85Q1%40thread.tacv2/conversations?groupId=e8abde8e-20bf-4d28-a0cf-a25b8ef731e5\u0026tenantId=d6eebbdd-d77c-465e-b008-4339027b4006\",\"teamCreationTimeUtc\":\"2022-07-29T18:32:34.8930575+00:00\",\"name\":\"NITPSTest\"}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1
index f080e9ad5564..8464f81abfbd 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentTeam'))
 Describe 'New-AzSentinelIncidentTeam' {
 It 'CreateExpanded' {
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "NITPSTest"
+ -Severity Informational -Status New -Title "NITPSTest"
 $team = New-AzSentinelIncidentTeam -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
 -TeamName "NITPSTest" -IncidentId $incident.Name
 $team.Name | Should -Be "NITPSTest"
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
index 6acf6c6fd5fe..d83ce8cd2e4a 100644
--- a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/fdbab4a1-bd45-4dc1-a93b-e4aa20d16262?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "269" ], - "x-ms-client-request-id": [ "f9d2be0b-03a7-4e01-a67d-5f2d62438d10" ], + "x-ms-unique-id": [ "253" ], + "x-ms-client-request-id": [ "5551094d-fd43-455d-9df5-88df2e321c1f" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, 
"ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], - "x-ms-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], - "x-ms-correlation-request-id": [ "8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:8c4f2dd6-858d-4b62-9ecb-25353516f6d5" ], + "x-ms-request-id": [ "645c97a6-773f-4c19-9241-89d0c21aefbe" ], + "x-ms-correlation-request-id": [ "645c97a6-773f-4c19-9241-89d0c21aefbe" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183237Z:645c97a6-773f-4c19-9241-89d0c21aefbe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:37 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "270" ], - "x-ms-client-request-id": [ "5c460652-1a17-4fc5-bb9e-0ea05c7214ef" ], + "x-ms-unique-id": [ "254" ], + "x-ms-client-request-id": [ "bde45a7f-c081-431d-8a8d-a67793d159d9" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": 
[ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], - "x-ms-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], - "x-ms-correlation-request-id": [ "54e41a3d-a03e-4268-9632-9f8ef9460555" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:54e41a3d-a03e-4268-9632-9f8ef9460555" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], + "x-ms-request-id": [ "0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], + "x-ms-correlation-request-id": [ "0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183238Z:0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:37 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1180" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"name\":\"952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"etag\":\"\\\"9200b415-0000-0100-0000-61b54f960000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule62imtb\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule62imtb 952fd6df-a3b8-4d0c-825a-53dcc519a480\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T01:25:42.5246541Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"name\":\"c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"etag\":\"\\\"2e00e832-0000-0100-0000-62e420250000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRuleg7sd5h\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRuleg7sd5h c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:04.2817896Z\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview+2": { + 
"Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/952fd6df-a3b8-4d0c-825a-53dcc519a480?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "271" ], - "x-ms-client-request-id": [ "09bfc100-0d59-4301-827a-446ddfe1d034" ], + "x-ms-unique-id": [ "255" ], + "x-ms-client-request-id": [ "897599c6-3e8c-4ee0-b903-a432291a884d" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14998" ], - "x-ms-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], - "x-ms-correlation-request-id": [ "544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021024Z:544a85ae-3aa7-4d13-8736-d1fbcf11bc8f" ], + "x-ms-request-id": [ "b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], + "x-ms-correlation-request-id": [ "b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183238Z:b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:23 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json index d12cf459335c..1ce9408269e7 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a/actions/f6e536dc-b77c-422c-b349-a58813fc9f17?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/3e459759-acb2-48cd-b091-f325a2618fb6/actions/d359018e-774c-4345-aad4-eaf449a72b0c?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a/actions/f6e536dc-b77c-422c-b349-a58813fc9f17?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "272" ], - "x-ms-client-request-id": [ "dbc99097-45e4-4ce8-ad2c-ab0995cfdbaa" ], + "x-ms-unique-id": [ "256" ], + "x-ms-client-request-id": [ "62da2c80-c345-415b-8088-d4b7aa782a43" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_Delete" ], "ParameterSetName": [ "__AllParameterSets" 
], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14997" ], - "x-ms-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], - "x-ms-correlation-request-id": [ "acc2a458-3098-41cf-a945-7b2de7a674cb" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021046Z:acc2a458-3098-41cf-a945-7b2de7a674cb" ], + "x-ms-request-id": [ "b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], + "x-ms-correlation-request-id": [ "b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183239Z:b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:45 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:39 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], 
@@ -39,19 +39,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "273" ], - "x-ms-client-request-id": [ "a1ffcfe9-2e9f-4977-a742-bd67e6bfae66" ], + "x-ms-unique-id": [ "257" ], + "x-ms-client-request-id": [ "dc233be7-aedc-45a5-b4f2-552658e5a2b1" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -63,36 +63,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], - "x-ms-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], - "x-ms-correlation-request-id": [ "f928eb20-886a-4e9f-ac2b-418095866ce6" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021047Z:f928eb20-886a-4e9f-ac2b-418095866ce6" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], + "x-ms-request-id": [ "a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], + "x-ms-correlation-request-id": [ "a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183240Z:a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:40 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80\",\"name\":\"49c62647-0f89-442a-8fc1-76a2159daa80\",\"etag\":\"\\\"2600e554-0000-0300-0000-61b550330000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae\",\"name\":\"19e41336-dba7-4df1-94f6-075f34d10aae\",\"etag\":\"\\\"8a00a9c9-0000-0300-0000-62e420c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a2dda58f-98fd-44db-ac37-397a9ccd9e25/actions/49c62647-0f89-442a-8fc1-76a2159daa80?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "274" ], - "x-ms-client-request-id": [ "75cd3713-b8a9-4013-b834-41d7af4399db" ], + "x-ms-unique-id": [ "258" ], + "x-ms-client-request-id": [ "d38f5b83-fbec-48a0-bb84-fb4b59a4caa0" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -105,12 +105,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14996" ], - "x-ms-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], - "x-ms-correlation-request-id": [ "3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021048Z:3f232c75-0ea5-4687-a3bf-22d656c9e5ef" ], + "x-ms-request-id": [ "0f5b6140-502f-4ad6-b551-ec719d6c6157" ], + "x-ms-correlation-request-id": [ "0f5b6140-502f-4ad6-b551-ec719d6c6157" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183241Z:0f5b6140-502f-4ad6-b551-ec719d6c6157" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:10:47 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:40 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json index 9890b36e8728..ac09f482a3ec 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/632f22f0-6b77-433b-bc93-6e56ae21a844?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/a3adc54b-e32d-4c80-8af2-988f5d59f102?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/632f22f0-6b77-433b-bc93-6e56ae21a844?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "275" ], - "x-ms-client-request-id": [ "c4479378-6f8f-4564-9baa-c7941f8b8853" ], + "x-ms-unique-id": [ "259" ], + "x-ms-client-request-id": [ "407c9d0f-7f05-4c07-b119-aeac71ded485" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], 
"Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14995" ], - "x-ms-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], - "x-ms-correlation-request-id": [ "cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:cb3b9051-fc4c-4bc8-951c-e5ddbca0d15c" ], + "x-ms-request-id": [ "9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], + "x-ms-correlation-request-id": [ "9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183242Z:9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:41 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "276" ], - "x-ms-client-request-id": [ "941690b1-0c9a-4f3f-8270-3b496e8efb48" ], + "x-ms-unique-id": [ "260" ], + "x-ms-client-request-id": [ "9b1cd28c-de40-4d50-80a5-f22beac2a491" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", 
"Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], - "x-ms-correlation-request-id": [ "4fa25446-f052-49cf-995a-ebd22dbac529" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:4fa25446-f052-49cf-995a-ebd22dbac529" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], + "x-ms-request-id": [ "82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], + "x-ms-correlation-request-id": [ "82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183242Z:82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:42 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1354" ], + "Content-Length": [ "1294" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"name\":\"37a50acc-05b0-41ad-be1d-7a53c88ff383\",\"etag\":\"\\\"79000c93-0000-0100-0000-61b5514a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule1whyd4\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:32:58Z\",\"createdTimeUtc\":\"2021-12-12T01:32:58Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"name\":\"c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"etag\":\"\\\"030056b1-0000-0100-0000-62e422200000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRuledlcn6a\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:32Z\",\"createdTimeUtc\":\"2022-07-29T18:08:32Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview+2": { + 
"Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/37a50acc-05b0-41ad-be1d-7a53c88ff383?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "277" ], - "x-ms-client-request-id": [ "8e085c3b-bebc-448b-a8e7-d262c731b62f" ], + "x-ms-unique-id": [ "261" ], + "x-ms-client-request-id": [ "d282f043-429c-462f-8a7e-ba9d97883e53" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14994" ], - "x-ms-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], - "x-ms-correlation-request-id": [ "73787d6a-a355-42e0-9e1e-09b17db17146" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021110Z:73787d6a-a355-42e0-9e1e-09b17db17146" ], + "x-ms-request-id": [ "aaea563c-9b90-4d40-844a-119464b85fdd" ], + "x-ms-correlation-request-id": [ "aaea563c-9b90-4d40-844a-119464b85fdd" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183243Z:aaea563c-9b90-4d40-844a-119464b85fdd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:10 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json index a1f3b9763cdb..0ce5286a6ced 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/9ff7b322-3212-4574-bfad-4408206875f8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "278" ], - "x-ms-client-request-id": [ "e8476f9a-f07a-4121-98ae-0005160b8a62" ], + "x-ms-unique-id": [ "262" ], + "x-ms-client-request-id": [ "76b93b88-2909-4552-8c2f-4511a4bedb0b" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14993" ], - "x-ms-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], - "x-ms-correlation-request-id": [ "35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:35b19d0f-e78d-4290-8ed7-89ca3ac6d6a7" ], + "x-ms-request-id": [ "5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], + "x-ms-correlation-request-id": [ "5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183244Z:5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:43 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "279" ], - "x-ms-client-request-id": [ "6acd6fc2-853e-4f07-a2a8-a9f2ea22fc11" ], + "x-ms-unique-id": [ "263" ], + "x-ms-client-request-id": [ "b7f6514f-5e4e-4264-b807-b6dc0e9a2902" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ 
"[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11936" ], - "x-ms-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], - "x-ms-correlation-request-id": [ "cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021133Z:cf1450bd-cc4a-4753-9fc5-ab09e5a2e11a" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], + "x-ms-request-id": [ "23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], + "x-ms-correlation-request-id": [ "23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183244Z:23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:33 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:44 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5326" ], + "Content-Length": [ "5296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/4327ac2f-6115-4602-9616-83cf991298a5\",\"name\":\"4327ac2f-6115-4602-9616-83cf991298a5\",\"etag\":\"\\\"6b02319c-0000-0100-0000-61b551e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark061i4x\",\"created\":\"2021-12-12T01:35:34.2696125+00:00\",\"updated\":\"2021-12-12T01:35:34.2696125+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n 
\\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5\",\"name\":\"1064e218-7849-4caf-993c-93373d0c6ce5\",\"etag\":\"\\\"01007193-0000-0100-0000-62e422c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkdr69tz\",\"created\":\"2022-07-29T18:11:15.4410362+00:00\",\"updated\":\"2022-07-29T18:11:15.4410362+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/4327ac2f-6115-4602-9616-83cf991298a5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "280" ], - "x-ms-client-request-id": [ "3cf9b7de-7557-4b52-a511-75d856d1962a" ], + "x-ms-unique-id": [ "264" ], + "x-ms-client-request-id": [ "17c4aae1-389f-4fb9-808d-5ec4bac3f8c4" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14992" ], - "x-ms-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], - "x-ms-correlation-request-id": [ "e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021134Z:e9e5bc04-72d1-4bcc-8eee-34f724b78bde" ], + "x-ms-request-id": [ "6231fd02-a0e7-4bf0-80ac-1057ad618385" ], + "x-ms-correlation-request-id": [ "6231fd02-a0e7-4bf0-80ac-1057ad618385" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183245Z:6231fd02-a0e7-4bf0-80ac-1057ad618385" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:34 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:45 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json index d9c26fe06ae8..2d50babe2ac5 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4/relations/edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/20d8a730-18a5-4a76-9420-a32e46ce5888/relations/adad6e56-9f94-4fba-ba3b-96f4616cdf68?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4/relations/edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "281" ], - "x-ms-client-request-id": [ "a8e52b88-2b95-4183-bda7-9b192bbe6eea" ], + "x-ms-unique-id": [ "265" ], + "x-ms-client-request-id": [ "4bd63219-9027-4f82-84e4-60c1cc4ca1e3" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_Delete" ], "ParameterSetName": [ 
"__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14991" ], - "x-ms-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], - "x-ms-correlation-request-id": [ "e563fe49-40fd-4119-95b8-af7c4c887deb" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:e563fe49-40fd-4119-95b8-af7c4c887deb" ], + "x-ms-request-id": [ "e9c76e46-e657-44da-beb1-07967a20d11f" ], + "x-ms-correlation-request-id": [ "e9c76e46-e657-44da-beb1-07967a20d11f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183247Z:e9c76e46-e657-44da-beb1-07967a20d11f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "282" ], - "x-ms-client-request-id": [ "0e9b0a62-8442-402b-8a94-7512c9c6a6c8" ], + "x-ms-unique-id": [ "266" ], + "x-ms-client-request-id": [ "c07d07ac-0a95-48b8-ab6c-9ae1ce376148" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], - "x-ms-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], - "x-ms-correlation-request-id": [ "cc098520-2b65-4165-9046-f57ce899c1ca" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021156Z:cc098520-2b65-4165-9046-f57ce899c1ca" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], + "x-ms-request-id": [ "effd5894-5b8e-4687-9258-f23cdd008986" ], + "x-ms-correlation-request-id": [ "effd5894-5b8e-4687-9258-f23cdd008986" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183247Z:effd5894-5b8e-4687-9258-f23cdd008986" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"name\":\"e6624397-ccd0-42fd-98b4-9730d7baa0e2\",\"etag\":\"\\\"6b0254b0-0000-0100-0000-61b552a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceName\":\"7d56a89d-59f4-4b3a-aa71-34494c2f5f5c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8\",\"name\":\"3416cbe9-ea30-4e98-aead-419270c45bf8\",\"etag\":\"\\\"01008593-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"relatedResourceName\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/675541b3-2ae4-4199-b3b3-59f4b6c1f5b4/relations/e6624397-ccd0-42fd-98b4-9730d7baa0e2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "283" ], - "x-ms-client-request-id": [ "75dedba1-e385-4668-82f4-9d6186ef3845" ], + "x-ms-unique-id": [ "267" ], + "x-ms-client-request-id": [ "e0224a2b-a910-4060-a02f-a1374c9fc3d6" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14990" ], - "x-ms-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], - "x-ms-correlation-request-id": [ "a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021157Z:a0f51d36-ff18-4054-9f30-8877d6bd7f4a" ], + "x-ms-request-id": [ "ba4e9caa-6886-4f62-a5c9-912be8555175" ], + "x-ms-correlation-request-id": [ "ba4e9caa-6886-4f62-a5c9-912be8555175" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183248Z:ba4e9caa-6886-4f62-a5c9-912be8555175" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:11:56 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json index 77b652862e92..c5cdecc007a8 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json 
@@ -1,15 +1,15 @@ { - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": 
[ "198" ] + "Content-Length": [ "260" ] } }, "Response": { 
@@ -18,36 +18,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], - "x-ms-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], - "x-ms-correlation-request-id": [ "d764a3df-4f12-4563-903f-3d84addd6046" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:d764a3df-4f12-4563-903f-3d84addd6046" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], + "x-ms-correlation-request-id": [ "1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183250Z:1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:18 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:50 GMT" ] }, "ContentHeaders": { "Content-Length": [ "567" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"name\":\"6ba8eed7-c5fb-4756-8441-1a211e0a6eea\",\"etag\":\"8777901f-f253-4327-98a9-2841f902da12\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5\",\"name\":\"b828ce66-b908-49fc-86a0-f881249cd9c5\",\"etag\":\"69db6e74-3bf1-4d9b-b726-391481846c74\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/6ba8eed7-c5fb-4756-8441-1a211e0a6eea?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "285" ], - "x-ms-client-request-id": [ "49737722-1805-4d80-9e73-2bd45b6058b1" ], + "x-ms-unique-id": [ "269" ], + "x-ms-client-request-id": [ "11556ec0-a03a-4b99-8855-325a6e6b785c" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -59,13 +59,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], - "x-ms-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], - "x-ms-correlation-request-id": [ "9475ca24-66a5-4018-91c1-912457c89898" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021219Z:9475ca24-66a5-4018-91c1-912457c89898" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], + "x-ms-request-id": [ "2dfcd972-b58b-4016-9070-0eac96278560" ], + "x-ms-correlation-request-id": [ "2dfcd972-b58b-4016-9070-0eac96278560" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183251Z:2dfcd972-b58b-4016-9070-0eac96278560" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:19 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:51 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -76,17 +76,17 @@ "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { 
"Content-Type": [ "application/json" ], - "Content-Length": [ "198" ] + "Content-Length": [ "260" ] } }, "Response": { 
@@ -95,36 +95,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], - "x-ms-request-id": [ "dbe15727-44a0-4ae9-9260-6f28caa3834b" ], - "x-ms-correlation-request-id": [ "dbe15727-44a0-4ae9-9260-6f28caa3834b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021220Z:dbe15727-44a0-4ae9-9260-6f28caa3834b" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "59f2e6be-36a9-41fa-a56f-3be19d291a65" ], + "x-ms-correlation-request-id": [ "59f2e6be-36a9-41fa-a56f-3be19d291a65" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183254Z:59f2e6be-36a9-41fa-a56f-3be19d291a65" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "567" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"name\":\"d932006a-f4c7-43ed-8c91-2fe5485678fd\",\"etag\":\"73cea443-5e30-47db-b856-8635bd63e9f2\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"},\"discoveryLogs\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d\",\"name\":\"c83037e5-4501-44fb-b200-d63f1502c07d\",\"etag\":\"4a3a0aeb-4aa3-444a-9849-720261d65539\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/d932006a-f4c7-43ed-8c91-2fe5485678fd?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "287" ], - "x-ms-client-request-id": [ "3a2801d9-0d21-403e-985b-6c0f17a9ad13" ], + "x-ms-unique-id": [ "271" ], + "x-ms-client-request-id": [ "beb45709-0a6e-4bcf-a643-320028dd37ed" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -136,13 +136,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], - "x-ms-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], - "x-ms-correlation-request-id": [ "e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021221Z:e6d2a8fb-7e6e-4ad9-b0fe-77c71ae06281" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "930f199f-38f1-426e-b3f1-055a81348fa2" ], + "x-ms-correlation-request-id": [ "930f199f-38f1-426e-b3f1-055a81348fa2" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183255Z:930f199f-38f1-426e-b3f1-055a81348fa2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:20 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:55 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 index 89201404f566..16c1c6f08b2b 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 @@ -17,13 +17,14 @@ if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelDataConnecto Describe 'Remove-AzSentinelDataConnector' { It 'Delete' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" + -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" { Remove-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Not -Throw - } + } It 'DeleteViaIdentity' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -DataConnectorId ((New-Guid).Guid) -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" + -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" { Remove-AzSentinelDataConnector -InputObject $dataConnector } | Should -Not -Throw } } + \ No newline at end of file diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json index c830d07b7fb5..4347b4ee0a05 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json 
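Review bot: Both `It` blocks still verify only that `Remove-AzSentinelDataConnector` does not throw, so a removal that silently does nothing (wrong `-Id`, wrong workspace) would pass; after the remove, assert the connector is actually gone, e.g. `{ Get-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Throw` (this adds a GET to the recording and assumes the Get cmdlet surfaces the 404 as an error, so it needs a re-record). Since the test no longer passes `-DataConnectorId`, it relies on `New-AzSentinelDataConnector` supplying the name; add `$dataConnector.Name | Should -Not -BeNullOrEmpty` before the remove so a failed create is reported as such rather than as a remove with an empty `-Id`. The hunk also appends a whitespace-only line with no trailing newline at end of file; drop it. The enclosing `if ($null -eq $TestName ...)` guard begins before this hunk.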
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27d20f12-f14e-48ae-a17a-51e823a08d54?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27d20f12-f14e-48ae-a17a-51e823a08d54?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "288" ], - "x-ms-client-request-id": [ "f3353721-6954-4ce5-97d0-b78e750f1313" ], + "x-ms-unique-id": [ "272" ], + "x-ms-client-request-id": [ "50041e2d-9145-4ef6-b45c-b5ec682bf298" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" 
] }, "ContentHeaders": { @@ -23,13 +23,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], - "x-ms-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], - "x-ms-correlation-request-id": [ "3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:3d39b250-9f16-44c0-98a4-d1a3eb60e730" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], + "x-ms-request-id": [ "541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], + "x-ms-correlation-request-id": [ "541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183256Z:541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:56 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "289" ], - "x-ms-client-request-id": [ "2160734d-69fa-4379-a011-4f58077788cc" ], + "x-ms-unique-id": [ "273" ], + "x-ms-client-request-id": [ "ef69209a-251f-422e-b1cb-0a95ef7c7a5a" ], "CommandName": [ "Get-AzSentinelEntityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" 
], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11934" ], - "x-ms-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], - "x-ms-correlation-request-id": [ "8c0f7930-5d20-4760-b414-94e36e7675b9" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:8c0f7930-5d20-4760-b414-94e36e7675b9" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], + "x-ms-request-id": [ "dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], + "x-ms-correlation-request-id": [ "dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183257Z:dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:56 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"name\":\"f75cff94-cd35-4d3e-a20b-4c4eee51dd8e\",\"etag\":\"\\\"50013ae2-0000-0100-0000-61b5535d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety 
of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:41:49.6134342Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6\",\"name\":\"56d115fc-3330-4d1a-82ce-c92ec67f38d6\",\"etag\":\"\\\"89000fa8-0000-0100-0000-62e424840000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:18:44.2828335Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:18:44.2828335Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f75cff94-cd35-4d3e-a20b-4c4eee51dd8e?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "290" ], - "x-ms-client-request-id": [ "af1f747e-7f78-4d0e-993d-c8530a04e4e3" ], + "x-ms-unique-id": [ "274" ], + "x-ms-client-request-id": [ "560fd2db-7d9d-4eda-93c1-be74d321dc59" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -105,13 +105,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], - "x-ms-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], - "x-ms-correlation-request-id": [ "367c75ba-89ae-481a-b829-5f173538b0b5" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021242Z:367c75ba-89ae-481a-b829-5f173538b0b5" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], + "x-ms-request-id": [ "095a75de-d167-4650-9dd4-18bf32c9600a" ], + "x-ms-correlation-request-id": [ "095a75de-d167-4650-9dd4-18bf32c9600a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183257Z:095a75de-d167-4650-9dd4-18bf32c9600a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:12:42 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json index dd0e17816391..c567f75de903 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/cc0a7c84-b29b-4136-acbb-648a7237df0a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "291" ], - "x-ms-client-request-id": [ "574a9df9-4e96-4bf7-b983-de396ac7a8f7" ], + "x-ms-unique-id": [ "275" ], + "x-ms-client-request-id": [ "5faa3426-61b7-4f33-a3a3-ba779899c4b9" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,13 +23,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], - "x-ms-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], - "x-ms-correlation-request-id": [ "ba411cec-55f6-4380-8706-301eac432d72" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:ba411cec-55f6-4380-8706-301eac432d72" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], + "x-ms-request-id": [ "d0d0918d-3fc7-40cc-9953-ac687592240d" ], + "x-ms-correlation-request-id": [ "d0d0918d-3fc7-40cc-9953-ac687592240d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183258Z:d0d0918d-3fc7-40cc-9953-ac687592240d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "292" ], - "x-ms-client-request-id": [ "572569e4-b995-4a3c-9303-6c9c128da808" ], + "x-ms-unique-id": [ "276" ], + "x-ms-client-request-id": [ "fbf2dd90-0807-43df-aef6-a43ace2fc3da" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ 
"[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], - "x-ms-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], - "x-ms-correlation-request-id": [ "7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:7c8960fa-dabc-4c98-ac69-444a9d0313a4" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], + "x-ms-request-id": [ "04918f89-f715-4353-b7ac-52ec2bd0e388" ], + "x-ms-correlation-request-id": [ "04918f89-f715-4353-b7ac-52ec2bd0e388" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183258Z:04918f89-f715-4353-b7ac-52ec2bd0e388" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"name\":\"1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"etag\":\"\\\"3c00cd5b-0000-0100-0000-61b553f90000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"createdTimeUtc\":\"2021-12-12T01:44:25.0620632Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview+2": { + 
"Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/1f88da2c-e158-4900-8d6e-a467f72fdd34?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "293" ], - "x-ms-client-request-id": [ "09e42b86-ecb3-4fcb-8027-9fa8147f1be2" ], + "x-ms-unique-id": [ "277" ], + "x-ms-client-request-id": [ "c88cd316-bf39-4214-b491-28d37ac17d3c" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,13 +105,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14984" ], - "x-ms-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], - "x-ms-correlation-request-id": [ "6adbda51-5299-4e10-ade3-e69443b3e4cc" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021303Z:6adbda51-5299-4e10-ade3-e69443b3e4cc" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], + "x-ms-request-id": [ "b3079a31-5c8b-47a9-9650-17d3a6886105" ], + "x-ms-correlation-request-id": [ "b3079a31-5c8b-47a9-9650-17d3a6886105" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183259Z:b3079a31-5c8b-47a9-9650-17d3a6886105" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:02 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json index 009621cf4459..928babd58445 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/comments/f81c3566-1019-43de-8cee-9ba0d8f53028?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/comments/2305a5f7-84eb-482c-bc88-33d76495c69c?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/comments/f81c3566-1019-43de-8cee-9ba0d8f53028?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "294" ], - "x-ms-client-request-id": [ "15babaea-3ef5-46e9-a706-02b3d6c966c2" ], + "x-ms-unique-id": [ "278" ], + "x-ms-client-request-id": [ "442e5ad3-20e8-4e08-8970-25983a09f9ff" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_Delete" ], "ParameterSetName": [ "__AllParameterSets" 
], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], - "x-ms-correlation-request-id": [ "06dcefee-e140-4cf5-b425-b81c11b059b2" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:06dcefee-e140-4cf5-b425-b81c11b059b2" ], + "x-ms-request-id": [ "1bd370ad-5c4b-4dac-81dd-469df29536ef" ], + "x-ms-correlation-request-id": [ "1bd370ad-5c4b-4dac-81dd-469df29536ef" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183300Z:1bd370ad-5c4b-4dac-81dd-469df29536ef" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,19 +40,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "295" ], - "x-ms-client-request-id": [ "f3278cb2-da91-40b4-ac8e-5fa8cfa66a23" ], + "x-ms-unique-id": [ "279" ], + "x-ms-client-request-id": [ "8d114737-7f09-4827-af72-25f583cefcc8" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], - "x-ms-correlation-request-id": [ "4a175543-f6e7-4898-ac14-aed7e9905217" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021324Z:4a175543-f6e7-4898-ac14-aed7e9905217" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "a38c85fd-92e2-45e3-a970-41af88250005" ], + "x-ms-correlation-request-id": [ "a38c85fd-92e2-45e3-a970-41af88250005" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183300Z:a38c85fd-92e2-45e3-a970-41af88250005" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "797" ], + "Content-Length": [ "767" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/Comments/97010b56-8d45-49b6-9f11-02d55ed685b8\",\"name\":\"97010b56-8d45-49b6-9f11-02d55ed685b8\",\"etag\":\"\\\"3c00ac5e-0000-0100-0000-61b554960000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentComment8ftdy3\",\"createdTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:47:02.1178777Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/Comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a\",\"name\":\"1130726d-fadf-4bc2-a3c4-b4b78c20c22a\",\"etag\":\"\\\"12004c0b-0000-0100-0000-62e426320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentCommentximhku\",\"createdTimeUtc\":\"2022-07-29T18:25:54.9956015Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:25:54.9956015Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/754fd7ba-74d1-42cc-8aa0-25593496d4bd/comments/97010b56-8d45-49b6-9f11-02d55ed685b8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "296" ], - "x-ms-client-request-id": [ "60ee7844-7239-4bbc-bf2a-cc4ec66a49d0" ], + "x-ms-unique-id": [ "280" ], + "x-ms-client-request-id": [ "6f020725-93c8-4ddf-99bf-c66bff143acd" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
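Review bot: The re-recorded GET response body in this hunk still carries a real user identity in the `author` object (`objectId`, `email`, `name`, `userPrincipalName` now pointing at `nicholas@zeronetworks.com`), so the refresh only swapped one personal identifier for another instead of scrubbing it from a file that ships in a public repository. The recorder already redacts the request `Authorization` header to `"[Filtered]"` but, as this hunk shows, it does not touch response bodies, so anything the Sentinel API echoes back about the signed-in principal is committed verbatim. I would scrub the author block before committing, e.g. `"author":{"objectId":"00000000-0000-0000-0000-000000000000","email":"user@example.com","name":"Test User","userPrincipalName":"user@example.com"}`, and ideally add these fields to the recording post-processing so every future re-record is cleaned the same way. As far as I can tell from the recording keys, playback matches on method plus request URI, so rewriting the response body should not break the test; if the framework also validates `Content-Length` (767 here), keep that header consistent with the scrubbed body. The same subscription GUID and workspace names appear in the clear in every hunk of this patch, which seems to be the repository's accepted practice but is worth a conscious decision rather than an accident.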
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], - "x-ms-correlation-request-id": [ "c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021325Z:c10d476f-3190-4ce5-8b93-98a50d36ffbb" ], + "x-ms-request-id": [ "fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], + "x-ms-correlation-request-id": [ "fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183301Z:fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:24 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json index 723b1d498b24..d301795f9e13 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/relations/33ce22e5-46d5-4249-9e1a-06495ad77a1a?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/39c0047a-27bf-41d3-940d-bfb849d18460/relations/969e8896-2438-40e6-9455-f5fd9b30d396?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/relations/33ce22e5-46d5-4249-9e1a-06495ad77a1a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "297" ], - "x-ms-client-request-id": [ "1d8a4923-93be-4a4b-a886-dfe9bfa70be1" ], + "x-ms-unique-id": [ "281" ], + "x-ms-client-request-id": [ "42c386fb-1791-46a8-a827-bcdeb0400fff" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_Delete" ], "ParameterSetName": [ 
"__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], - "x-ms-correlation-request-id": [ "db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:db3b0bfd-7fb5-48fd-8488-f81d19191a3e" ], + "x-ms-request-id": [ "8b4bea26-42f9-453b-88aa-fc41daba4bad" ], + "x-ms-correlation-request-id": [ "8b4bea26-42f9-453b-88aa-fc41daba4bad" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183302Z:8b4bea26-42f9-453b-88aa-fc41daba4bad" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:01 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ] 
@@ -38,19 +38,19 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "298" ], - "x-ms-client-request-id": [ "cbfc9c68-1cf2-4e27-b06f-ef17307a6764" ], + "x-ms-unique-id": [ "282" ], + "x-ms-client-request-id": [ "6cbee9ca-7842-41d1-8df4-193146677f9c" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -62,36 +62,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], - "x-ms-correlation-request-id": [ "cb853e40-f2b4-410f-a94f-55aa7a478627" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:cb853e40-f2b4-410f-a94f-55aa7a478627" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], + "x-ms-request-id": [ "124cb56e-40b0-41ee-a251-e55a3c8b2549" ], + "x-ms-correlation-request-id": [ "124cb56e-40b0-41ee-a251-e55a3c8b2549" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183302Z:124cb56e-40b0-41ee-a251-e55a3c8b2549" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:46 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309\",\"name\":\"827874ba-8b75-40d5-ad61-57fbb9594309\",\"etag\":\"\\\"3c00b661-0000-0100-0000-61b555330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceName\":\"3dcbfb4e-d6fb-40df-a64a-29695148826d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"name\":\"fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"relatedResourceName\":\"e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/7bfb344d-ad2a-431d-9e39-78747ac51f54/relations/827874ba-8b75-40d5-ad61-57fbb9594309?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "299" ], - "x-ms-client-request-id": [ "07a06a05-0cf8-4c71-a63e-c0f4633a9835" ], + "x-ms-unique-id": [ "283" ], + "x-ms-client-request-id": [ "fcbf495c-628d-40d0-8789-62b66a087abe" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -104,12 +104,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], - "x-ms-correlation-request-id": [ "6fd54667-8971-4f70-ae03-f1e0b4da3242" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021347Z:6fd54667-8971-4f70-ae03-f1e0b4da3242" ], + "x-ms-request-id": [ "5639a299-84a1-4fed-b011-3d039cdfc18b" ], + "x-ms-correlation-request-id": [ "5639a299-84a1-4fed-b011-3d039cdfc18b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183303Z:5639a299-84a1-4fed-b011-3d039cdfc18b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:13:47 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json index 7bae50663116..75ca4a7fd025 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json 
@@ -1,17 +1,17 @@ { - "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptesty1avre/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptestdlvh1s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptesty1avre/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "304" ], - "x-ms-client-request-id": [ "a1499210-7039-49aa-8d0a-efbddac44cb5" ], + "x-ms-unique-id": [ "284" ], + "x-ms-client-request-id": [ "2ec47508-a16d-4923-8aef-8c9c14406f48" ], "CommandName": [ "Remove-AzSentinelOnboardingState" ], "FullCommandName": [ "Remove-AzSentinelOnboardingState_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,13 +23,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-deletes": [ "14981" ], - "x-ms-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], - "x-ms-correlation-request-id": [ "0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021455Z:0a1c6133-0e9e-4d99-b392-2a7de9d73fea" ], + "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], + "x-ms-request-id": [ "539bc935-743b-4c6a-bf20-13f0eeef63eb" ], + "x-ms-correlation-request-id": [ "539bc935-743b-4c6a-bf20-13f0eeef63eb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183310Z:539bc935-743b-4c6a-bf20-13f0eeef63eb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:14:54 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:09 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json index c001a4156df5..41830f6a79e4 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json 
@@ -1,15 +1,15 @@ { - "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"9200241b-0000-0100-0000-61b54fb50000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulevi15sc\",\n \"enabled\": true,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n 
}\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"2e000233-0000-0100-0000-62e420440000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulet0r6jh a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulet0r6jh\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "900" ] + "Content-Length": [ "901" ] } }, "Response": { 
@@ -18,20 +18,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1186" ], - "x-ms-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], - "x-ms-correlation-request-id": [ "6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021541Z:6ca0716c-8691-4fe1-ba57-92dd0e89a9a1" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], + "x-ms-request-id": [ "fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], + "x-ms-correlation-request-id": [ "fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183312Z:fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:15:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:11 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1171" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/98981b11-0c0a-40bb-adc9-63f3693592bf\",\"name\":\"98981b11-0c0a-40bb-adc9-63f3693592bf\",\"etag\":\"\\\"9400d13c-0000-0100-0000-61b55b4d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulevi15sc\",\"enabled\":true,\"description\":\"UpdateAlertRulevi15sc 98981b11-0c0a-40bb-adc9-63f3693592bf\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2021-12-12T02:15:39.3269202Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"name\":\"a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"etag\":\"\\\"2e00ac3f-0000-0100-0000-62e427e80000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulet0r6jh\",\"enabled\":false,\"description\":\"UpdateAlertRulet0r6jh a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:33:12.122441Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 index c3f044d17718..d9116207d6d7 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 
@@ -16,8 +16,8 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRule')) Describe 'Update-AzSentinelAlertRule' { It 'UpdateExpanded' { - $alertRule = Update-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateAlertRuleId -Disabled - $alertRule.Enabled | Should -Be $true + $alertRule = Update-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateAlertRuleId -Scheduled -Disabled + $alertRule.Enabled | Should -Be $false } It 'UpdateViaIdentityExpanded' -skip { diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json index d21e529faef4..d0aa1954ade7 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json 
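Review bot: The rewritten `UpdateExpanded` case adds `-Scheduled` but still asserts only `Enabled`, so the parameter set the switch selects is never verified and a change that routed the call through another rule kind would pass unnoticed. Adding `$alertRule.Kind | Should -Be 'Scheduled'` after the existing assertion pins that, assuming the returned object exposes the kind the way the recorded response does. The `Describe` block continues outside the hunk.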
@@ -1,9 +1,9 @@ { - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs\"\n }\n}", "isContentBase64": false, "Headers": { }, 
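Review bot: The new-side PUT body still embeds a live Logic App callback signature in `triggerUri` (`\u0026sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs`), while the `Authorization` header on the neighbouring requests is `[Filtered]`; the recorder scrubs headers but not request content, so a usable trigger credential for the `Confirm-AADRiskyUser-Alert` workflow ships with the module. Anyone holding that URL can invoke the workflow until the signature is rotated. The playback key for these recordings appears to be command+method+URI rather than body, so the value can presumably be redacted to `sig=[Filtered]` inside `Content` without breaking replay — confirm against the recorder's matching rules before editing. The committed signature should be treated as exposed and regenerated regardless of the redaction.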
@@ -18,36 +18,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], - "x-ms-correlation-request-id": [ "be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021604Z:be5a5298-67cd-4ecc-8868-2c86d113e1f4" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], + "x-ms-correlation-request-id": [ "d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183313Z:d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:13 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/09b5716f-9b0b-4663-8302-e17b94a12ead/actions/5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"name\":\"5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537\",\"name\":\"542659a3-3a74-4d87-8e04-a0e4fcbd5537\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"ab40a6a85a1740e6afde7c424b958360\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "309" ], - "x-ms-client-request-id": [ "4b5c6ed0-5e91-4f9c-b469-ced7536e5041" ], + "x-ms-unique-id": [ "288" ], + "x-ms-client-request-id": [ "e9f700e4-9822-49dc-88b3-45425bad8457" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -59,28 +59,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11931" ], - "x-ms-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], - "x-ms-correlation-request-id": [ "4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021604Z:4f5c1141-ed11-41ad-b56d-4587eda36fa6" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], + "x-ms-request-id": [ "63229b65-dab6-4455-832c-409ee3810c1f" ], + "x-ms-correlation-request-id": [ "63229b65-dab6-4455-832c-409ee3810c1f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183314Z:63229b65-dab6-4455-832c-409ee3810c1f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:04 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:13 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"etag\":\"\\\"26005c56-0000-0300-0000-61b550730000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"3647b421918e40f19a5e9346dc633c61\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"name\":\"b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"etag\":\"\\\"8a009dec-0000-0300-0000-62e421010000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n 
\"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs\"\n }\n}", "isContentBase64": false, "Headers": { }, 
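Review bot: The recorded PUT body on the new side of this hunk still contains the Logic App `triggerUri` with its `sig=` query parameter — a shared-access signature — while the `Authorization` header on the same request is replaced by `[Filtered]`, so the recording sanitizer is scrubbing headers but not request content. Until the Logic App's access key is regenerated, that signature (the one on the removed line as well as the one on the added line) should be treated as exposed, since it is what authorizes calls to the workflow trigger. The recording should carry a placeholder in place of the value, e.g. `\"triggerUri\": \"https://<logic-app-host>/workflows/<workflow-id>/triggers/...?api-version=2016-06-01&sp=...&sv=1.0&sig=[Filtered]\"`, matching the convention already used for the header. Whether the test-recording framework exposes a body-sanitization hook for masking `sig` in request and response content cannot be told from the diff; if it does, this file is the place to verify it runs before the recording is committed.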
@@ -95,20 +95,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], - "x-ms-correlation-request-id": [ "ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021606Z:ab262b0f-7a2a-4402-ac4a-bf7649c8f96b" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], + "x-ms-correlation-request-id": [ "0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183315Z:0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:06 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:14 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/alertRules/a555c523-e318-4501-bfe8-b9c6da354af7/actions/34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"name\":\"34ec4b87-3f90-443e-9034-c32e77c5fb6e\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"6e83051f6df6465c872c5540c8c167f5\",\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"name\":\"b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"ab40a6a85a1740e6afde7c424b958360\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json index 8622059da0bb..6cb11c5a4145 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json 
@@ -1,17 +1,17 @@ { - "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "311" ], - "x-ms-client-request-id": [ "0525ef71-01e7-4abf-b7f2-24f81d44d550" ], + "x-ms-unique-id": [ "290" ], + "x-ms-client-request-id": [ "49708c05-95bc-4abb-87c8-09bb7bda0d3f" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], 
"Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,28 +23,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], - "x-ms-correlation-request-id": [ "9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021628Z:9b313ce0-d2f0-49e5-a83b-56e83219b5ed" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], + "x-ms-request-id": [ "9d088bdc-cd26-4727-9619-1115c038028b" ], + "x-ms-correlation-request-id": [ "9d088bdc-cd26-4727-9619-1115c038028b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183316Z:9d088bdc-cd26-4727-9619-1115c038028b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:28 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:15 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1349" ], + "Content-Length": [ "1289" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"79008294-0000-0100-0000-61b551690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T01:33:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"030058b1-0000-0100-0000-62e422460000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:10Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulek1wb4p\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": 
\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -59,36 +59,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], - "x-ms-correlation-request-id": [ "fc1403e8-c556-4eab-904b-5943a77e4c09" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021629Z:fc1403e8-c556-4eab-904b-5943a77e4c09" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "c5352c66-12ec-4a9b-ad77-3d7928010e26" ], + "x-ms-correlation-request-id": [ "c5352c66-12ec-4a9b-ad77-3d7928010e26" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183316Z:c5352c66-12ec-4a9b-ad77-3d7928010e26" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1356" ], + "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009eb1-0000-0100-0000-62e427ec0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:16Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+1": { + 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "313" ], - "x-ms-client-request-id": [ "c77aae63-9c15-419d-a9bc-3f5e88d54b19" ], + "x-ms-unique-id": [ "292" ], + "x-ms-client-request-id": [ "2db919c6-63ec-4a4b-a01e-6c2520806224" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -100,28 +100,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], - "x-ms-correlation-request-id": [ "69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021630Z:69eb9712-d889-41c4-9a51-03c0eb2ca2ac" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], + "x-ms-request-id": [ "da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], + "x-ms-correlation-request-id": [ "da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183317Z:da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:29 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:16 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1356" ], + "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00f80c-0000-0100-0000-61b55b7d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:29Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009eb1-0000-0100-0000-62e427ec0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:16Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/automationRules/6b61f56c-c075-4127-9f2a-56a855dee096?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRule1ceigy\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulek1wb4p\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": 
\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -136,20 +136,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], - "x-ms-correlation-request-id": [ "4d4b42cb-ea8c-4746-8f18-114855163bbf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021631Z:4d4b42cb-ea8c-4746-8f18-114855163bbf" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "3d44ad19-314f-4eee-99a6-22d1b9edc167" ], + "x-ms-correlation-request-id": [ "3d44ad19-314f-4eee-99a6-22d1b9edc167" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183317Z:3d44ad19-314f-4eee-99a6-22d1b9edc167" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:30 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:17 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1356" ], + "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/AutomationRules/6b61f56c-c075-4127-9f2a-56a855dee096\",\"name\":\"6b61f56c-c075-4127-9f2a-56a855dee096\",\"etag\":\"\\\"7a00070d-0000-0100-0000-61b55b7e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRule1ceigy\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}],\"lastModifiedTimeUtc\":\"2021-12-12T02:16:30Z\",\"createdTimeUtc\":\"2021-12-12T01:33:29Z\",\"lastModifiedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"},\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009fb1-0000-0100-0000-62e427ed0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:17Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json index 8d34e003ad91..8722b1cde6e8 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json 
@@ -1,17 +1,17 @@ { - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "315" ], - "x-ms-client-request-id": [ "5fcb1435-2914-4d90-9863-6293574ccb0c" ], + "x-ms-unique-id": [ "294" ], + "x-ms-client-request-id": [ "9cdf260f-b962-4d87-b13e-ead28ce0110e" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -22,28 +22,28 @@ "Headers": { "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], "Server": [ "Kestrel" ], - "x-ms-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], - "x-ms-correlation-request-id": [ "3d8569f0-29eb-48cf-982b-bc78b18b9545" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021652Z:3d8569f0-29eb-48cf-982b-bc78b18b9545" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], + "x-ms-request-id": [ "43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], + "x-ms-correlation-request-id": [ "43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183318Z:43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:51 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:18 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5321" ], + "Content-Length": [ "5289" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b02ce9f-0000-0100-0000-61b552060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarktfriza\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T01:36:06.6776344+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T01:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n 
\\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2021-12-11T01:00:00+00:00\",\"queryEndTime\":\"2021-12-12T01:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"01007393-0000-0100-0000-62e422e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkdytufp\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:11:48.096609+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -59,36 +59,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], - "x-ms-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], - "x-ms-correlation-request-id": [ "5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:5ff39c1c-4597-4147-a0f4-ce71106ce1ea" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], + "x-ms-request-id": [ "124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], + "x-ms-correlation-request-id": [ "124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183319Z:124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:18 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "941" ], + "Content-Length": [ "910" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e393-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.1654707+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "317" ], - "x-ms-client-request-id": [ "bf852d4c-f0b1-4047-bb5f-f5a328ef936d" ], + "x-ms-unique-id": [ "296" ], + "x-ms-client-request-id": [ "16c9cdce-9ba1-460f-8eaa-29c8411917f6" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -100,27 +100,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11929" ], - "x-ms-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], - "x-ms-correlation-request-id": [ "00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:00463f13-8de4-43dd-80d0-f1af7f6a19cf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11936" ], + "x-ms-request-id": [ "44359b2e-ceed-4449-beae-316c1fd47f11" ], + "x-ms-correlation-request-id": [ "44359b2e-ceed-4449-beae-316c1fd47f11" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183319Z:44359b2e-ceed-4449-beae-316c1fd47f11" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "949" ], + "Content-Length": [ "918" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b0299f0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53.1698187+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.1695666+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e393-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19.1657829+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.1654707+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -136,20 +136,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], - "x-ms-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], - "x-ms-correlation-request-id": [ "cf766814-ac08-4045-9b3e-47195d1ec81b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021653Z:cf766814-ac08-4045-9b3e-47195d1ec81b" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], + "x-ms-request-id": [ "4e806084-e99b-4e92-9699-451f17bcb85d" ], + "x-ms-correlation-request-id": [ "4e806084-e99b-4e92-9699-451f17bcb85d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183320Z:4e806084-e99b-4e92-9699-451f17bcb85d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:16:52 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "941" ], + "Content-Length": [ "910" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"name\":\"c6b3fee2-4b8e-4966-aaa7-94bd47e67021\",\"etag\":\"\\\"6b029df0-0000-0100-0000-61b55b950000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2021-12-12T01:36:06.6776344+00:00\",\"updated\":\"2021-12-12T02:16:53+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:16:53.6063277+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e493-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.9639215+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json index a576258895f0..060d9c8769ac 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json 
@@ -1,8 +1,8 @@ { - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateBookmarkRelationPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -18,28 +18,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], - "x-ms-correlation-request-id": [ "da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021716Z:da61e2ed-0fb1-40e3-ae81-4eefa718f3e7" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], + "x-ms-request-id": [ "efa81e6f-c33c-4279-ad5c-0fede556476c" ], + "x-ms-correlation-request-id": [ "efa81e6f-c33c-4279-ad5c-0fede556476c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183320Z:efa81e6f-c33c-4279-ad5c-0fede556476c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:16 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:20 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1224" ], + "Content-Length": [ "1222" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"name\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"etag\":\"\\\"3c005a8d-0000-0100-0000-61b55bac0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"createdTimeUtc\":\"2021-12-12T02:17:16.8238616Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"name\":\"7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"etag\":\"\\\"1200e30b-0000-0100-0000-62e427f00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:20.871293Z\",\"createdTimeUtc\":\"2022-07-29T18:33:20.871293Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -54,27 +54,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1183" ], - "x-ms-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], - "x-ms-correlation-request-id": [ "9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:9dd4b482-6d59-4cf2-b15f-9cf2ae6b0136" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], + "x-ms-request-id": [ "c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], + "x-ms-correlation-request-id": [ "c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183321Z:c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/6548e330-d18d-4690-b6fa-b5ba7f5eac27/relations/3106728c-12de-4dad-b0c6-603a9285765e\",\"name\":\"3106728c-12de-4dad-b0c6-603a9285765e\",\"etag\":\"\\\"6b0226f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceName\":\"0eaa2e17-5832-4e33-a3db-a7712b8fc0e8\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544\",\"name\":\"382966e8-f4b2-444c-b4e8-514194ff8544\",\"etag\":\"\\\"0100e593-0000-0100-0000-62e427f10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"relatedResourceName\":\"7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9?api-version=2021-09-01-preview", + 
"RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateViaIdBookmarkRelationPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -90,36 +90,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], - "x-ms-correlation-request-id": [ "7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:7189d02f-9e4b-4ab3-904e-1e6138da2b0f" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], + "x-ms-request-id": [ "e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], + "x-ms-correlation-request-id": [ "e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183321Z:e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1229" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"name\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"etag\":\"\\\"3c00648d-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"createdTimeUtc\":\"2021-12-12T02:17:17.3702395Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"name\":\"5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"etag\":\"\\\"1200e50b-0000-0100-0000-62e427f10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:21.6047137Z\",\"createdTimeUtc\":\"2022-07-29T18:33:21.6047137Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "322" ], - "x-ms-client-request-id": [ "cdb860a8-60c2-4148-8365-c73bda64c033" ], + "x-ms-unique-id": [ "301" ], + "x-ms-client-request-id": [ "f72bd6aa-1366-4752-b2c3-dcefc8d4d314" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -131,28 +131,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], - "x-ms-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], - "x-ms-correlation-request-id": [ "e92b4ad7-5b17-4e13-a59b-539921307c3e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:e92b4ad7-5b17-4e13-a59b-539921307c3e" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], + "x-ms-request-id": [ "2af6e528-a4e7-4391-b21d-df1197d83c52" ], + "x-ms-correlation-request-id": [ "2af6e528-a4e7-4391-b21d-df1197d83c52" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183322Z:2af6e528-a4e7-4391-b21d-df1197d83c52" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b026ab6-0000-0100-0000-61b552e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceName\":\"6cbc4e33-d46b-4993-96e4-ecb0e44415cb\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"name\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"etag\":\"\\\"01008993-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"relatedResourceName\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview+3": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -167,20 +167,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1182" ], - "x-ms-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], - "x-ms-correlation-request-id": [ "1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021717Z:1fbc8f36-f6ca-434a-b0d3-386e1704074e" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], + "x-ms-request-id": [ "ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], + "x-ms-correlation-request-id": [ "ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183323Z:ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:17 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:22 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/463b2e8b-17c1-48d6-94a3-7443b0ba2cbf/relations/e2e68737-82b4-49f0-822f-f9196f65aac8\",\"name\":\"e2e68737-82b4-49f0-822f-f9196f65aac8\",\"etag\":\"\\\"6b0227f1-0000-0100-0000-61b55bad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceName\":\"450d9025-3a65-4e80-8dd9-90f973a9cbb9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"name\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"etag\":\"\\\"0100e693-0000-0100-0000-62e427f30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"relatedResourceName\":\"5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 index 7d65a5b39cf3..6a093883f443 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmarkRela Describe 'Update-AzSentinelBookmarkRelation' { It 'UpdateExpanded' { $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateBookmarkRelationPSTest" + -Severity Informational -Status New -Title "UpdateBookmarkRelationPSTest" $bookmarkRelation = Update-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -BookmarkId $env.UpdatebookmarkRelationBookmarkId -RelationName $env.UpdateBookmarkRelationId -RelatedResourceId $incident.Id $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id @@ -25,7 +25,7 @@ Describe 'Update-AzSentinelBookmarkRelation' { It 'UpdateViaIdentityExpanded' { $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Id ((New-Guid).Guid) -Severity Informational -Status New -Title "UpdateViaIdBookmarkRelationPSTest" + -Severity Informational -Status New -Title "UpdateViaIdBookmarkRelationPSTest" $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -BookmarkId $env.UpdateViaIdbookmarkRelationBookmarkId -RelationName $env.UpdateViaIdBookmarkRelationId $bookmarkRelationUpdate = Update-AzSentinelBookmarkRelation -InputObject $bookmarkRelation -RelatedResourceId $incident.Id diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json index b31fe151e8b5..ee323db3da3f 100644 --- a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json 
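Review bot: `$incident.Id` is passed straight into `Update-AzSentinelBookmarkRelation -RelatedResourceId` in both `It` blocks without checking that `New-AzSentinelIncident` actually returned an object, so a failed or throttled create surfaces as a confusing error from the update cmdlet (or a `$null` relation target) instead of at the line that failed; add `$incident.Id | Should -Not -BeNullOrEmpty` right after each `New-AzSentinelIncident` call. Dropping `-Id ((New-Guid).Guid)` moves GUID generation into the cmdlet, and the accompanying recordings still show a PUT to a fresh `incidents/<guid>` URI, so if the playback matcher keys on the request URI this test will need re-recording after every live run — worth confirming. The `It 'UpdateViaIdentityExpanded'` block continues past the end of the second hunk.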
@@ -1,9 +1,9 @@ { - "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"b233bb7e-98ea-415f-895d-e389655250ac\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"e6fe5716-cd55-4449-8cfc-8949597baddd\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n 
},\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -18,36 +18,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1181" ], - "x-ms-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], - "x-ms-correlation-request-id": [ "b5cc095f-8c79-4962-8620-d5dbc20bff51" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021740Z:b5cc095f-8c79-4962-8620-d5dbc20bff51" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], + "x-ms-correlation-request-id": [ "ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183325Z:ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:40 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:24 GMT" ] }, "ContentHeaders": { "Content-Length": [ "578" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+1": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "326" ], - "x-ms-client-request-id": [ "f4a28c41-9844-4978-a6d9-02f66c8debe3" ], + "x-ms-unique-id": [ "305" ], + "x-ms-client-request-id": [ "abadd129-2601-4db3-8d8f-a6b9a7af145a" ], "CommandName": [ "Get-AzSentinelDataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -59,28 +59,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11926" ], - "x-ms-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], - "x-ms-correlation-request-id": [ "bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021741Z:bb0def68-94d4-4c1d-aec5-0fde5342d46f" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], + "x-ms-request-id": [ "68627483-0b82-4213-8023-25e8e810dd9b" ], + "x-ms-correlation-request-id": [ "68627483-0b82-4213-8023-25e8e810dd9b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183325Z:68627483-0b82-4213-8023-25e8e810dd9b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:41 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:25 GMT" ] }, "ContentHeaders": { "Content-Length": [ "578" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview+2": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"1fb2ee18-a126-48b7-a304-0b6c1250783f\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n 
},\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -95,20 +95,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1180" ], - "x-ms-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], - "x-ms-correlation-request-id": [ "dca440dc-282f-4154-b26a-0a180c937e11" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021742Z:dca440dc-282f-4154-b26a-0a180c937e11" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], + "x-ms-request-id": [ "567b922e-55b4-43fa-bef3-a12751d04f70" ], + "x-ms-correlation-request-id": [ "567b922e-55b4-43fa-bef3-a12751d04f70" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183327Z:567b922e-55b4-43fa-bef3-a12751d04f70" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:17:42 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:27 GMT" ] }, "ContentHeaders": { "Content-Length": [ "577" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/dataConnectors/b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"name\":\"b4b8bb52-2917-4179-a28d-fb197dc52aa6\",\"etag\":\"e0ea214e-c798-468a-a3ed-ea1de3deea54\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"46522b22-41b7-49db-aa42-9e7b270b9f98\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 index 6e4534861b80..e2129fb32c8e 100644 --- a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 @@ -17,14 +17,14 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelDataConnecto Describe 'Update-AzSentinelDataConnector' { It 'UpdateExpanded' { $dataConnector = Update-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -DataConnectorId $env.updateDataConnectorId -SharePoint "Enabled" + -Id $env.updateDataConnectorId -Office365 -SharePoint "Enabled" $dataConnector.SharePointState | Should -Be "Enabled" } It 'UpdateViaIdentityExpanded' { $dataConnector = Get-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -DataConnectorId $env.updateDataConnectorId - $dataConnectorUpdate = Update-AzSentinelDataConnector -InputObject $dataConnector -Teams "Enabled" + -Id $env.updateDataConnectorId + $dataConnectorUpdate = Update-AzSentinelDataConnector -InputObject $dataConnector -Office365 -Teams "Enabled" $dataConnectorUpdate.TeamState | Should -Be "Enabled" } } 
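Review bot: The UpdateViaIdentityExpanded test asserts only `TeamState`, so a regression in which enabling Teams resets the Exchange or SharePoint data types would pass unnoticed; the recorded PUT body for this test earlier in the patch sends all three `dataTypes` plus `tenantId`, i.e. a full replace of the connector, which is exactly the behaviour worth pinning so that an update of one source cannot silently open an ingestion gap in the others. Adding `$dataConnectorUpdate.SharePointState | Should -Be "Enabled"` plus the corresponding Exchange assertion (presumably an `ExchangeState` property, following the naming of the other two) after the existing check would catch that, and the UpdateExpanded case above has the same one-property gap. Note also that `Should -Be` compares case-insensitively, which is why the `Enabled` sent in the request body matches the lowercase `enabled` the service returns in the recording; switch to `-BeExactly` only if the cmdlet is meant to normalise the casing it surfaces.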
diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
index 4ed152e938b6..312eb94d40c1 100644
--- a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
+++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json
@@ -1,9 +1,9 @@ { - "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview+1": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"50014de4-0000-0100-0000-61b5537d0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has 
\\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"890006ae-0000-0100-0000-62e425150000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, 
v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n 
}\n}", "isContentBase64": false, "Headers": { }, 
@@ -18,36 +18,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1179" ], - "x-ms-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], - "x-ms-correlation-request-id": [ "47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021804Z:47be5e27-77bb-4c44-9d29-dbfd2d09caca" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], + "x-ms-request-id": [ "0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], + "x-ms-correlation-request-id": [ "0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183330Z:0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:30 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2286" ], + "Content-Length": [ "2287" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"name\":\"64feba96-1f57-4f3d-8068-a1532ed4e2dc\",\"etag\":\"\\\"51016d4c-0000-0100-0000-61b55bdc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for 
Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:21.052492Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:04.8210404Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a\",\"name\":\"27b638f3-fbfb-4387-bb6a-353001b9794a\",\"etag\":\"\\\"890067d9-0000-0100-0000-62e427fa0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:09.2143131Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:30.5362686Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+1": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "331" ], - "x-ms-client-request-id": [ "56b3e04b-7397-4e92-bac4-1a888d915fa0" ], + "x-ms-unique-id": [ "310" ], + "x-ms-client-request-id": [ "0688d249-c2c3-4ca8-a289-8273d58aeb79" ], "CommandName": [ "Get-AzSentinelEntityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -59,28 +59,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11923" ], - "x-ms-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], - "x-ms-correlation-request-id": [ "94857087-f52f-4f97-854d-d04d9f315fde" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021805Z:94857087-f52f-4f97-854d-d04d9f315fde" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], + "x-ms-request-id": [ "af431aa5-2462-48a5-9f7d-a6ac7682504e" ], + "x-ms-correlation-request-id": [ "af431aa5-2462-48a5-9f7d-a6ac7682504e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183331Z:af431aa5-2462-48a5-9f7d-a6ac7682504e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:04 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety 
of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"name\":\"9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"etag\":\"\\\"8900f2ae-0000-0100-0000-62e425340000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview+2": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"500183e6-0000-0100-0000-61b5539e0000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", 
\"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"8900f2ae-0000-0100-0000-62e425340000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, 
TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -95,20 +95,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1178" ], - "x-ms-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], - "x-ms-correlation-request-id": [ "89238b4f-3f72-49a3-857d-9cd796715ab0" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021806Z:89238b4f-3f72-49a3-857d-9cd796715ab0" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1186" ], + "x-ms-request-id": [ "751805b8-b26d-46bd-b438-75f77734d700" ], + "x-ms-correlation-request-id": [ "751805b8-b26d-46bd-b438-75f77734d700" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183333Z:751805b8-b26d-46bd-b438-75f77734d700" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:05 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2287" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"name\":\"fb33bcbe-0bc0-433f-9910-e474dbfab616\",\"etag\":\"\\\"5101754c-0000-0100-0000-61b55bde0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of 
conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:42:54.0134159Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:05.9962445Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"name\":\"9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"etag\":\"\\\"890093d9-0000-0100-0000-62e427fd0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:33.3131081Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json index dba41cd72fca..3cf775559a1a 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json 
@@ -1,17 +1,17 @@ { - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "334" ], - "x-ms-client-request-id": [ "7bc4824c-999c-46ec-9943-3ccd1a9c07aa" ], + "x-ms-unique-id": [ "313" ], + "x-ms-client-request-id": [ "6ba00cb2-f6c3-4045-88ed-0df432245c93" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,27 +23,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11921" ], - "x-ms-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], - "x-ms-correlation-request-id": [ "bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:bd9d0795-7b5b-4fed-bc81-2ff41ef058bd" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11931" ], + "x-ms-request-id": [ "37e310e4-695c-4569-aca9-03e3000b8dcf" ], + "x-ms-correlation-request-id": [ "37e310e4-695c-4569-aca9-03e3000b8dcf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183334Z:37e310e4-695c-4569-aca9-03e3000b8dcf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:26 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:33 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1208" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00aa5c-0000-0100-0000-61b554180000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -59,36 +59,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], - "x-ms-correlation-request-id": [ "3547cbac-4ecd-4133-8334-6f717cc195a6" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:3547cbac-4ecd-4133-8334-6f717cc195a6" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "492" ], + "x-ms-request-id": [ "d90bc611-1d83-4b82-ad33-b78a872de298" ], + "x-ms-correlation-request-id": [ "d90bc611-1d83-4b82-ad33-b78a872de298" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183334Z:d90bc611-1d83-4b82-ad33-b78a872de298" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:34 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1211" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"name\":\"23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"etag\":\"\\\"3c00de92-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.4677391Z\",\"createdTimeUtc\":\"2021-12-12T01:44:56.0348538Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/23dc6b0b-2413-4b21-94b3-242f576b73c2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200e80b-0000-0100-0000-62e427fe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:34.7072753Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+1": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "336" ], - "x-ms-client-request-id": [ "b4f38023-2f12-4c7f-9a76-a99d449d5609" ], + "x-ms-unique-id": [ "315" ], + "x-ms-client-request-id": [ "a2b3a508-8cd5-4383-b7cc-d3314d50fc1a" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -100,27 +100,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11920" ], - "x-ms-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], - "x-ms-correlation-request-id": [ "722bd76b-a708-49d0-b44e-1c9674312111" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:722bd76b-a708-49d0-b44e-1c9674312111" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], + "x-ms-request-id": [ "2027722e-3c68-4802-a04f-59d219757d68" ], + "x-ms-correlation-request-id": [ "2027722e-3c68-4802-a04f-59d219757d68" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183335Z:2027722e-3c68-4802-a04f-59d219757d68" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:34 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1208" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c002c5d-0000-0100-0000-61b554370000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/85b206c3-bf60-48e0-b492-71a79bb8503a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -136,20 +136,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], - "x-ms-correlation-request-id": [ "216cf4f2-6a17-4c28-98bc-92cf583523f8" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021827Z:216cf4f2-6a17-4c28-98bc-92cf583523f8" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "491" ], + "x-ms-request-id": [ "e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], + "x-ms-correlation-request-id": [ "e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183335Z:e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:27 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:35 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1211" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"name\":\"85b206c3-bf60-48e0-b492-71a79bb8503a\",\"etag\":\"\\\"3c00e892-0000-0100-0000-61b55bf30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2021-12-12T02:18:27.9035618Z\",\"createdTimeUtc\":\"2021-12-12T01:45:27.6270446Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/85b206c3-bf60-48e0-b492-71a79bb8503a\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200e90b-0000-0100-0000-62e427ff0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:35.5908141Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json index 53fdd252db9b..2040eea7b838 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json 
@@ -1,8 +1,8 @@ { - "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -18,36 +18,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], - "x-ms-correlation-request-id": [ "1574a9cb-d657-455d-b357-360f32f17a87" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:1574a9cb-d657-455d-b357-360f32f17a87" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "5bb7fbc7-f221-4767-b919-7068c51aac09" ], + "x-ms-correlation-request-id": [ "5bb7fbc7-f221-4767-b919-7068c51aac09" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183336Z:5bb7fbc7-f221-4767-b919-7068c51aac09" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "792" ], + "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ea0b-0000-0100-0000-62e428000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:36.6408694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "339" ], - "x-ms-client-request-id": [ "430efa41-3b8e-46b8-9995-d6eb6ca455ca" ], + "x-ms-unique-id": [ "318" ], + "x-ms-client-request-id": [ "d7ba1f36-786a-45ef-9a57-3f61204a5b40" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
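Review bot: The re-recorded response bodies in this hunk still carry the recording principal's directory identity — `author.objectId`, `author.email` and `author.userPrincipalName` inside the `Content` payload — while only the `Authorization` request header is reduced to `[Filtered]`. The diff swaps one engineer's e-mail and object id for another's, which suggests the recorder's scrubbing covers request headers but not response bodies, so every re-recording commits fresh personal data to the repository. Consider extending the scrub step (or a post-record pass over the fixtures) to replace those fields, e.g. `\"email\":\"[Filtered]\"`, and to do the same for the `createdBy`/`updatedBy` blocks in the Update-AzSentinelIncidentRelation hunks at @@ -18,28 and @@ -90,36; if the bodies are rewritten, the recorded `Content-Length` values presumably need regenerating or ignoring by the playback matcher. These recordings are generated by the test harness, so the fix belongs in the recorder configuration rather than in the JSON by hand.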
@@ -59,27 +59,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], - "x-ms-correlation-request-id": [ "878d5449-a418-49d2-afde-2d04dc43ff7a" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:878d5449-a418-49d2-afde-2d04dc43ff7a" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], + "x-ms-request-id": [ "c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], + "x-ms-correlation-request-id": [ "c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183336Z:c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:49 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "792" ], + "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c009694-0000-0100-0000-61b55c090000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:49.9965827Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ea0b-0000-0100-0000-62e428000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:36.6408694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -95,20 +95,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], - "x-ms-correlation-request-id": [ "5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021850Z:5ab51cd2-2e10-4d39-8d0d-7d27eb6232bf" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "14dde734-0074-45ed-b10c-d31739690936" ], + "x-ms-correlation-request-id": [ "14dde734-0074-45ed-b10c-d31739690936" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183337Z:14dde734-0074-45ed-b10c-d31739690936" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:18:50 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "792" ], + "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/4d88d68e-1a03-4287-b8d2-919981228c5c/Comments/2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"name\":\"2e3b2f73-ae6b-4e88-be17-6fd85a9400ee\",\"etag\":\"\\\"3c00a694-0000-0100-0000-61b55c0a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2021-12-12T01:47:32.8969339Z\",\"lastModifiedTimeUtc\":\"2021-12-12T02:18:50.8684487Z\",\"author\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"ndicola@buildseccxpninja.onmicrosoft.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ec0b-0000-0100-0000-62e428010000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:37.2234532Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json index 44b169165908..640ad1deba43 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json 
@@ -1,9 +1,9 @@ { - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:21.3879941Z\",\n \"queryStartTime\": \"2021-12-12T02:19:21.3875305Z\",\n \"queryEndTime\": \"2021-12-11T02:19:21.3877395Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:33:38.0510972Z\",\n \"queryStartTime\": \"2022-07-29T18:33:38.0508576Z\",\n \"queryEndTime\": \"2022-07-28T18:33:38.0509851Z\"\n 
}\n}", "isContentBase64": false, "Headers": { }, 
@@ -18,28 +18,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1177" ], - "x-ms-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], - "x-ms-correlation-request-id": [ "d05bbaef-e156-4da8-80c7-121f113af754" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:d05bbaef-e156-4da8-80c7-121f113af754" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], + "x-ms-request-id": [ "c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], + "x-ms-correlation-request-id": [ "c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183338Z:c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:37 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1088" ], + "Content-Length": [ "1058" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"name\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"etag\":\"\\\"6b02f1f3-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:13.2559774+00:00\",\"updated\":\"2021-12-12T02:19:13+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:19:21.3879941+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-12T02:19:21.3875305+00:00\",\"queryEndTime\":\"2021-12-11T02:19:21.3877395+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\",\"name\":\"2b33e875-e817-46eb-8e55-c965e2be515d\",\"etag\":\"\\\"0100e793-0000-0100-0000-62e428020000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2022-07-29T18:33:38.2379258+00:00\",\"updated\":\"2022-07-29T18:33:38+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:38.0510972+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-07-29T18:33:38.0508576+00:00\",\"queryEndTime\":\"2022-07-28T18:33:38.0509851+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -54,28 +54,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], - "x-ms-correlation-request-id": [ "dbdd9fe0-d935-476e-b949-202e117f6649" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021913Z:dbdd9fe0-d935-476e-b949-202e117f6649" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], + "x-ms-request-id": [ "90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], + "x-ms-correlation-request-id": [ "90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183338Z:90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:12 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/473aa008-13fc-4a61-9ea2-c3fdc64a828c/relations/defc1116-f142-4647-a377-6869110f6e77\",\"name\":\"defc1116-f142-4647-a377-6869110f6e77\",\"etag\":\"\\\"3c00f395-0000-0100-0000-61b55c210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceName\":\"e01832fb-3e0a-41eb-a95c-1ce5829701d9\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025\",\"name\":\"986b271a-b0de-4c02-bb6a-f7df9e484025\",\"etag\":\"\\\"1200ee0b-0000-0100-0000-62e428020000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\",\"relatedResourceName\":\"2b33e875-e817-46eb-8e55-c965e2be515d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/bookmarks/c61a86c4-1839-4800-b41e-6a232283462e?api-version=2021-09-01-preview", - "Content": 
"{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2021-12-12T02:19:22.5675905Z\",\n \"queryStartTime\": \"2021-12-12T02:19:22.5673080Z\",\n \"queryEndTime\": \"2021-12-11T02:19:22.5674628Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:33:38.9917405Z\",\n \"queryStartTime\": \"2022-07-29T18:33:38.9913533Z\",\n \"queryEndTime\": \"2022-07-28T18:33:38.9915748Z\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -90,36 +90,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-writes": [ "1176" ], - "x-ms-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], - "x-ms-correlation-request-id": [ "3b119088-390b-44d6-b71a-f2aecac50942" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:3b119088-390b-44d6-b71a-f2aecac50942" ], + "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], + "x-ms-request-id": [ "f0330b95-6a69-4854-aa36-54eb2bf196ee" ], + "x-ms-correlation-request-id": [ "f0330b95-6a69-4854-aa36-54eb2bf196ee" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183339Z:f0330b95-6a69-4854-aa36-54eb2bf196ee" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1087" ], + "Content-Length": [ "1058" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"name\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"etag\":\"\\\"6b02f3f3-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2021-12-12T02:19:14.2335643+00:00\",\"updated\":\"2021-12-12T02:19:14+00:00\",\"createdBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"2b53ce42-3ff1-4523-a239-0f377d3e0fdb\",\"email\":\"ndicola@buildseccxpninja.onmicrosoft.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2021-12-12T02:19:22.5675905+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2021-12-12T02:19:22.567308+00:00\",\"queryEndTime\":\"2021-12-11T02:19:22.5674628+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\",\"name\":\"958cde12-71d3-4587-b971-d45a8aad36e2\",\"etag\":\"\\\"0100e993-0000-0100-0000-62e428030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2022-07-29T18:33:39.1230505+00:00\",\"updated\":\"2022-07-29T18:33:39+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:38.9917405+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-07-29T18:33:38.9913533+00:00\",\"queryEndTime\":\"2022-07-28T18:33:38.9915748+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "344" ], - "x-ms-client-request-id": [ "39c3accf-62d3-4018-b97d-504a21758816" ], + "x-ms-unique-id": [ "323" ], + "x-ms-client-request-id": [ "a25d4a92-9bbf-455a-96d3-66c455f4e6bc" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -131,28 +131,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], - "x-ms-correlation-request-id": [ "7f6f3763-8d78-4a6c-8759-a1f399002c26" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:7f6f3763-8d78-4a6c-8759-a1f399002c26" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], + "x-ms-request-id": [ "a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], + "x-ms-correlation-request-id": [ "a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183339Z:a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c006463-0000-0100-0000-61b555710000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceName\":\"f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a\",\"name\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"relatedResourceName\":\"90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview+3": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -167,20 +167,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], - "x-ms-correlation-request-id": [ "88f9d12c-b36e-4ab8-b132-6978829996c3" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021914Z:88f9d12c-b36e-4ab8-b132-6978829996c3" ], + "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], + "x-ms-request-id": [ "0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], + "x-ms-correlation-request-id": [ "0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183340Z:0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:13 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:39 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Incidents/43aedae6-3726-41c1-b0e8-9876df66aa2d/relations/b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"name\":\"b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4\",\"etag\":\"\\\"3c000296-0000-0100-0000-61b55c220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/Bookmarks/c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceName\":\"c61a86c4-1839-4800-b41e-6a232283462e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a\",\"name\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"etag\":\"\\\"1200ef0b-0000-0100-0000-62e428040000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\",\"relatedResourceName\":\"958cde12-71d3-4587-b971-d45a8aad36e2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 index 926389139c3b..c07f502822e3 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 @@ -16,7 +16,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentRela Describe 'Update-AzSentinelIncidentRelation' { It 'UpdateExpanded' { - $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName ` + $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incidentRelation = Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` 
@@ -25,7 +25,7 @@ Describe 'Update-AzSentinelIncidentRelation' { } It 'UpdateViaIdentityExpanded' { - $bookmark = New-AzSentinelBookmark -Id ((New-Guid).Guid) -ResourceGroupName $env.resourceGroupName ` + $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json index 5fa3de5c818e..b7a6cb1ed7c0 100644 --- a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json 
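Review bot: On the continuation line right after the new `New-AzSentinelBookmark` call, `-Query "SecurityEvent\n| take 1"` passes a literal backslash followed by `n`, because PowerShell double-quoted strings do not interpret C-style `\n` (the recording in this patch appears to store the query with that backslash intact), so the fixture bookmark carries a query that KQL would not parse even though the API accepted it. Use the PowerShell escape instead, ``-Query "SecurityEvent`n| take 1"``, or drop the line break altogether with `-Query "SecurityEvent | take 1"`. The `It` block continues past the hunk, so I cannot tell whether the bookmark created on each run is removed afterwards; now that the Id is cmdlet-generated rather than passed in, each live run leaves a new bookmark behind unless there is a cleanup step.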
@@ -1,17 +1,17 @@ { - "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "353" ], - "x-ms-client-request-id": [ "52b982d6-4a65-43ef-a2c7-830ed2d49deb" ], + "x-ms-unique-id": [ "327" ], + "x-ms-client-request-id": [ "1ece0edd-f135-4f0f-aa0f-dc3693e69543" ], "CommandName": [ "get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11917" ], - "x-ms-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], - "x-ms-correlation-request-id": [ "ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T021959Z:ea7d0a30-9bee-49cb-b23f-90a90868e10f" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], + "x-ms-request-id": [ "bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], + "x-ms-correlation-request-id": [ "bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183342Z:bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "785" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } }, - "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "354" ], - "x-ms-client-request-id": [ "1b1a5f23-3c84-4709-8959-99c92cdd5ff7" ], + "x-ms-unique-id": [ "328" ], + "x-ms-client-request-id": [ "e3f536b7-01e8-4f0c-8044-922d995ea1ac" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11916" ], - "x-ms-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], - "x-ms-correlation-request-id": [ "79fd4a7d-858f-48f3-a638-9872c5c9012b" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T022000Z:79fd4a7d-858f-48f3-a638-9872c5c9012b" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11927" ], + "x-ms-request-id": [ "01d5e178-8826-4968-bef3-81ee57d98191" ], + "x-ms-correlation-request-id": [ "01d5e178-8826-4968-bef3-81ee57d98191" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183343Z:01d5e178-8826-4968-bef3-81ee57d98191" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:19:59 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "383" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"85013658-0000-0300-0000-61b54cae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", "isContentBase64": false } }, - 
"Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "357" ], - "x-ms-client-request-id": [ "3f577564-30c0-4629-8bf1-1a2da7453d06" ], + "x-ms-unique-id": [ "331" ], + "x-ms-client-request-id": [ "2dbc230b-8823-4010-8f7d-5809fcf0e952" ], "CommandName": [ "get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,20 +105,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11914" ], - "x-ms-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], - "x-ms-correlation-request-id": [ "14a48316-711a-4459-834c-a24190ab3126" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T022001Z:14a48316-711a-4459-834c-a24190ab3126" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11925" ], + "x-ms-request-id": [ "adb5a825-d88c-4d43-bfd2-8dba814ac337" ], + "x-ms-correlation-request-id": [ "adb5a825-d88c-4d43-bfd2-8dba814ac337" ], + "x-ms-routing-request-id": [ "EASTUS2:20220729T183344Z:adb5a825-d88c-4d43-bfd2-8dba814ac337" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 02:20:00 GMT" ] + "Date": [ "Fri, 29 Jul 2022 18:33:43 GMT" ] }, "ContentHeaders": { "Content-Length": [ "401" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"85019b58-0000-0300-0000-61b54caf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/constants.json b/src/SecurityInsights/test/constants.json
index e204ea31dadb..8374b2790b40 100644
--- a/src/SecurityInsights/test/constants.json
+++ b/src/SecurityInsights/test/constants.json
@@ -1,4 +1,4 @@
 {
 "location" : "Central US",
- "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+ "ASIServicePrinicpal": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84"
 }
\ No newline at end of file
diff --git a/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
index e0ad7018fd73..856eb5635662 100644
--- a/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/alertRule/template.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "alertRuleName": {
- "value": "UpdateViaIdAlertRuledgk4wi"
+ "value": "UpdateViaIdAlertRules7my5u"
 },
 "alertRuleId": {
- "value": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2"
+ "value": "819c1dad-0658-4633-b80c-74cae574c0f7"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json
index ed36ae3cec2d..718a2db5cc3d 100644
--- a/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/alertRuleAction/template.parameters.json
@@ -3,22 +3,22 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "alertRuleActionRuleId": {
- "value": "a555c523-e318-4501-bfe8-b9c6da354af7"
+ "value": "1190f2a9-3661-474d-8c8a-cc808bce7b2e"
 },
 "alertRuleActionRuleName": {
- "value": "UpdateViaIdalertRuleActionRuleNameymswnj"
+ "value": "UpdateViaIdalertRuleActionRuleNametyup2k"
 },
 "alertRuleActionId": {
- "value": "34ec4b87-3f90-443e-9034-c32e77c5fb6e"
+ "value": "b3c6275b-ed98-4d51-a0f1-17c00cdbefd8"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 },
 "logicAppResourceId": {
- "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert"
+ "value": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert"
 },
 "triggerUrl": {
- "value": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ"
+ "value": "https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
index 80cc3c6d007c..3867f8dbe6d3 100644
--- a/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/authorization/template.parameters.json
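Review bot: The replacement `triggerUrl` value commits a Logic Apps trigger callback URL whose `sig=` query parameter is the shared-access signature that authorizes invoking the `Block-AADUser-Alert` workflow, so anyone who can read this repository can fire that workflow directly without any Azure RBAC, and the previous URL (`sig=8Sgw…`) remains in git history as well. Both signatures should be treated as exposed and the workflow's access keys regenerated, and the checked-in file should hold only a placeholder, e.g. `"triggerUrl": { "value": "" }`, with the real callback URL resolved by the test bootstrap at run time (for instance with `Get-AzLogicAppTriggerCallbackUrl`, if the bootstrap already depends on Az.LogicApp) and kept out of version control. I cannot see from this hunk whether the recorded (playback) tests ever send the URL; even if they do not, the credential is still live for the Logic App it points at.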
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "ASIServicePrinicpal": {
- "value": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e"
+ "value": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
index 0b2f0d689dac..6fd559450d44 100644
--- a/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/automationRule/template.parameters.json
@@ -3,16 +3,16 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "automationRuleName": {
- "value": "UpdateViaIdAutomationRulezi05h4"
+ "value": "UpdateViaIdAutomationRules3o6wd"
 },
 "automationRuleId": {
- "value": "61701d90-8353-4d61-b435-f9905a31142d"
+ "value": "21451d32-deaf-4698-9f46-8fc02bc5e632"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 },
 "logicAppResourceId": {
- "value": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident"
+ "value": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json
index 70c0ce3ee6dc..a463686773ae 100644
--- a/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/bookmark/template.parameters.json
@@ -3,19 +3,19 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "bookmarkName": {
- "value": "Expandbookmarkq42uhy"
+ "value": "Expandbookmarko9kf32"
 },
 "bookmarkId": {
- "value": "b35d430d-02ac-4025-a10e-32cd2ffbe46b"
+ "value": "2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 },
 "queryStartTime": {
- "Value": "2021-12-11T01:00:00.000Z"
+ "Value": "2022-07-28T06:00:00.000Z"
 },
 "queryEndTime": {
- "Value": "2021-12-12T01:00:00.000Z"
+ "Value": "2022-07-29T06:00:00.000Z"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json
index 6f579cd722fa..a91d77f42ddf 100644
--- a/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/bookmarkRelation/template.parameters.json
@@ -3,28 +3,28 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "bookmarkRelationId": {
- "value": "e2e68737-82b4-49f0-822f-f9196f65aac8"
+ "value": "c36ddb20-11ec-4179-a995-51e6fcfd1e58"
 },
 "bookmarkRelationBookmarkId": {
- "value": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf"
+ "value": "04b58a5a-2a5e-47e2-9c22-3cd6229599ec"
 },
 "bookmarkRelationBookmarkName": {
- "value": "UpdateViaIdbookmarkRelationBookmarkName5modef"
+ "value": "UpdateViaIdbookmarkRelationBookmarkNamelv8k2z"
 },
 "queryStartTime": {
- "value": "2021-12-11T01:00:00.000Z"
+ "value": "2022-07-28T06:00:00.000Z"
 },
 "queryEndTime": {
- "value": "2021-12-12T01:00:00.000Z"
+ "value": "2022-07-29T06:00:00.000Z"
 },
 "bookmarkRelationIncidentId": {
- "value": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb"
+ "value": "75bd63a7-0ac6-4f43-8a15-18ff73172bb5"
 },
 "bookmarkRelationIncidentName": {
- "value": "UpdateViaIdbookmarkRelationIncidentName84x0ne"
+ "value": "UpdateViaIdbookmarkRelationIncidentNamejdsg8m"
 },
 "workspaceName": {
- "Value": "asptest8xu4wd"
+ "Value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json
index 8cadfedfa18e..2da47836a376 100644
--- a/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/customData/alertRules.parameters.json
@@ -3,16 +3,16 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "solarigateRuleGuid": {
- "value": "af03fc0e-d33f-447a-8397-d60726aa92c5"
+ "value": "6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3"
 },
 "disabledRuleGuid": {
- "value": "10a698ca-8310-4b90-a86e-2f43fe285e56"
+ "value": "5c8dc0ac-8808-40f3-a6b4-1401369a9e1e"
 },
 "mlRuleGuid": {
- "value": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6"
+ "value": "75c9560c-ce08-4332-aa4a-0e675fc0b17c"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
index 221eaba78c18..d6b9ff853f74 100644
--- a/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/dataConnector/template.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "dataConnectorId": {
- "value": "88da8507-46cb-4c34-9cf3-189e58b34c9e"
+ "value": "8fee2c52-7010-4d95-a6ce-eb73f2921e20"
 },
 "updateDataConnectorId": {
- "value": "b4b8bb52-2917-4179-a28d-fb197dc52aa6"
+ "value": "0c45acce-4689-4024-8bfa-4ff3b300e29a"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json
index 70a2d4ab57d5..121f6a6414ce 100644
--- a/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/entityQuery/template.parameters.json
@@ -3,10 +3,10 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "entityQueryActivityId": {
- "value": "fb33bcbe-0bc0-433f-9910-e474dbfab616"
+ "value": "9934ce9e-b735-43ca-885c-729dc54cb4d1"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
index 4b5320dae2da..510a847a2421 100644
--- a/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/incident/template.parameters.json
@@ -3,10 +3,10 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "incidentId": {
- "value": "85b206c3-bf60-48e0-b492-71a79bb8503a"
+ "value": "25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
index 0dcdaac82e21..0e1e508401b3 100644
--- a/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/incidentComment/template.parameters.json
@@ -3,16 +3,16 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "incidentCommentIncidentId": {
- "value": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670"
+ "value": "7141874b-1f5d-4bf7-9e25-bb748ff70946"
 },
 "incidentCommentId": {
- "value": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be"
+ "value": "c6f306f8-0304-4f4d-8176-59df16a692fa"
 },
 "incidentCommentName": {
- "value": "UpdateViaIdincidentCommentoq4cge"
+ "value": "UpdateViaIdincidentCommentvuackw"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json
index cacae2c29971..30b8eb13ba5b 100644
--- a/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/incidentRelation/template.parameters.json
@@ -3,28 +3,28 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "incidentRelationBookmarkId": {
- "value": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a"
+ "value": "90ad9f1f-1d2d-4360-b617-cf345b5c4f58"
 },
 "incidentRelationBookmarkName": {
- "value": "UpdateViaIdincidentRelationBookmarkNamehd50fa"
+ "value": "UpdateViaIdincidentRelationBookmarkName0wac48"
 },
 "queryStartTime": {
- "value": "2021-12-11T01:00:00.000Z"
+ "value": "2022-07-28T06:00:00.000Z"
 },
 "queryEndTime": {
- "value": "2021-12-12T01:00:00.000Z"
+ "value": "2022-07-29T06:00:00.000Z"
 },
 "incidentRelationIncidentId": {
- "value": "43aedae6-3726-41c1-b0e8-9876df66aa2d"
+ "value": "854d68b0-7cef-4c43-a0f3-03df09f60906"
 },
 "incidentRelationIncidentName": {
- "value": "UpdateViaIdincidentRelationIncidentNameewut32"
+ "value": "UpdateViaIdincidentRelationIncidentName17euac"
 },
 "incidentRelationId": {
- "value": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4"
+ "value": "da90eff1-20a8-49a2-8392-57e18de4707a"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json
index 1e5d3a23f2a4..f59f9760eb74 100644
--- a/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/metadata/template.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "workspace": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
index 846e6a1c0a3d..4a0bd7273e4d 100644
--- a/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/threatIntelligenceIndicator/template.parameters.json
@@ -3,19 +3,19 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "threatIntelligenceIndicatorId": {
- "value": "05df7de8-16b9-4b58-a76a-6aafb8a9932a"
+ "value": "c2153ac2-59e4-4168-a057-e09858b1ae6b"
 },
 "threatIntelligenceIndicatorName": {
- "value": "UpdateViaIdthreatIntelligenceIndicatorol6dht"
+ "value": "UpdateViaIdthreatIntelligenceIndicatorftrdne"
 },
 "threatIntelligenceIndicatorDate": {
- "value": "Sun, 12 Dec 2021 01:00:00 GMT"
+ "value": "Fri, 29 Jul 2022 06:00:00 GMT"
 },
 "ip": {
 "value": "8.8.8.5"
 },
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 }
 }
 }
diff --git a/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
index 8a59f12eb8a6..a36199c4530d 100644
--- a/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
+++ b/src/SecurityInsights/test/deployment-templates/workspace/template.parameters.json
@@ -3,13 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "workspaceName": {
- "value": "asptest8xu4wd"
+ "value": "asptest1qlb2s"
 },
 "newOnboardingStateWS": {
- "value": "asptest0u4c9l"
+ "value": "asptest5jhi0p"
 },
 "removeOnboardingStateWS": {
- "value": "asptestdlvh1s"
+ "value": "asptesty1avre"
 }
 }
 }
diff --git a/src/SecurityInsights/test/env.json b/src/SecurityInsights/test/env.json
index 306ab0c29c22..e1a37f6f766e 100644
--- a/src/SecurityInsights/test/env.json
+++ b/src/SecurityInsights/test/env.json
@@ -1,184 +1,182 @@
 {
- "RemoveincidentRelationIncidentId": "0c5dc585-a174-461c-a546-75dc9d7bedc8",
- "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkName5modef",
- "mlRuleGuid": "02874339-f9a1-4ced-bdaf-44b3d8eb57a6",
- "GetincidentRelationId": "0ef2e445-e524-42ad-8810-fdd6cbe3e5f7",
- "RemoveBookmarkRelationIncidentId": "4908bd22-0eb2-40fc-83ce-b6c8ba7a26a1",
- "RemoveViaIdAlertRuleActionId": "49c62647-0f89-442a-8fc1-76a2159daa80",
- "RemoveBookmarkRelationName": "RemovebookmarkRelationfmks41",
- "UpdateViaIdBookmarkRelationId": "e2e68737-82b4-49f0-822f-f9196f65aac8",
- "RemoveViaIdBookmarkRelationId": "e6624397-ccd0-42fd-98b4-9730d7baa0e2",
- "Playbook2TriggerUrl": "https://prod-29.centralus.logic.azure.com:443/workflows/10ed265c78bd4fdebbf4cf7fdd6e38ba/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=WpCBTIF6vR0G4L8RL36ZRYDJMKOOuGTaIH8RSwMqpqM",
- "UpdateincidentCommentIncidentId": "4d88d68e-1a03-4287-b8d2-919981228c5c",
- "RemoveentityQueryActivityName": "RemoveentityQueryActivity6ci45u",
- "GetentityQueryActivityId": "1a4fe801-0031-4965-a4a1-5c68929b6d76",
- "GetalertRuleActionRuleId": "453b8e9c-424a-4b50-8c6d-58de856d5abf",
- "RemoveViaIdbookmarkRelationBookmarkId": "675541b3-2ae4-4199-b3b3-59f4b6c1f5b4",
- "RemoveViaIdincidentCommentId": "97010b56-8d45-49b6-9f11-02d55ed685b8",
- "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentoq4cge",
- "UpdateBookmarkRelationIncidentId": "e788124d-3280-4da8-b9f7-3f464296947e",
- "UpdateBookmarkName": "Updatebookmarktfriza",
- "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamehqlcfb",
- "RemoveViaIdincidentCommentIncidentId": "754fd7ba-74d1-42cc-8aa0-25593496d4bd",
- "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezi05h4",
- "GetBookmarkRelationId": "4a09f636-6002-4389-80a1-b6a357af8225",
- "UpdateincidentRelationIncidentId": "473aa008-13fc-4a61-9ea2-c3fdc64a828c",
- "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNameyci6fv",
- "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNames3ckzp",
- "RemoveincidentRelationId": "969e8896-2438-40e6-9455-f5fd9b30d396",
- "UpdateViaIdentityQueryActivityId": "fb33bcbe-0bc0-433f-9910-e474dbfab616",
- "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd",
- "RemoveViaIdincidentRelationId": "827874ba-8b75-40d5-ad61-57fbb9594309",
- "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRuledgk4wi",
- "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident",
- "UpdateViaIdAlertRuleId": "6dde1054-1a0b-4c5a-a9a8-3587c76613a2",
- "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust",
- "RemoveAutomationRuleId": "a3adc54b-e32d-4c80-8af2-988f5d59f102",
- "GetincidentRelationIncidentId": "e285f7ed-a5bf-4fbd-b04c-bc1fa8bbbec0",
- "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5",
- "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e",
- "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorows6tu",
- "RemoveincidentRelationBookmarkId": "ee0bcd82-8a83-41c3-8f97-9502c91951ec",
+ "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRules3o6wd",
+ "GetAutomationRuleId": "2f630cbc-756d-4cfc-a1e8-95ccdaf5253e",
+ "RemovethreatIntelligenceIndicatorId": "aba922f2-cd9e-75df-4232-a8d47c94bc03",
+ "RemoveBookmarkRelationIncidentId": "d30f1432-3e76-4b4b-bb30-f62eb4ee3611",
+ "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamern5xam",
+ "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRuledlcn6a",
+ "GetincidentCommentId": "15f33241-6289-4a35-a84a-ae4d9f5f0d31",
+ "GetBookmarkRelationName": "GetbookmarkRelationkygt9n",
+ "RemoveViaIdincidentRelationBookmarkId": "e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a",
+ "UpdateBookmarkName": "Updatebookmarkdytufp",
+ "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRules7my5u",
+ "UpdateincidentRelationBookmarkId": "f2f5a5bb-f894-4441-b6c7-b7c9d95193d1",
+ "RemoveViaIdincidentId": "4adb65b9-7def-47bb-9594-c1e1ca284952",
+ "RemovebookmarkRelationBookmarkId": "3e29d94a-e491-42d0-97d4-7a7f3e4725b4",
+ "bookmarkExpansionId": "5ce54bfd-c953-41af-9ce6-04fe8382569b",
+ "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator2fbu57",
+ "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorftrdne",
+ "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivitylr70cb",
+ "Tenant": "d6eebbdd-d77c-465e-b008-4339027b4006",
+ "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamey5sjd6",
+ "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkName0eyhda",
+ "GetincidentName": "Getincidental5x9z",
+ "UpdateViaIdAlertRuleActionId": "b3c6275b-ed98-4d51-a0f1-17c00cdbefd8",
+ "UpdateAlertRuleId": "a47d38eb-4d52-4b54-afaf-3f5ac2f847f9",
+ "UpdateViaIdthreatIntelligenceIndicatorId": "4b4270c1-7b75-b9ba-58c7-b8420b7e6291",
+ "RemoveincidentCommentName": "RemoveincidentComment35ly2k",
+ "workspaceName": "asptest1qlb2s",
+ "RemoveViaIdincidentRelationIncidentId": "095d8360-b30b-4f75-804d-8837b78db3ed",
+ "UpdateincidentCommentName": "UpdateincidentCommentzfpjdm",
+ "UpdateBookmarkRelationName": "UpdatebookmarkRelationfcns4a",
+ "RemoveincidentCommentIncidentId": "08556638-7485-4a5e-afda-02c5f77474d7",
+ "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentName01bqho",
+ "UpdatebookmarkRelationBookmarkId": "9b38dab1-2c2e-4c71-809d-95301194aa91",
+ "UpdateViaIdBookmarkId": "f73c7f57-f526-4119-9dc6-07c693c5309b",
+ "UpdateViaIdincidentId": "25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae",
+ "RemoveViaIdalertRuleActionRuleId": "61843a21-8ee0-4c56-bb89-a4a9b306b43d",
+ "ExpandBookmarkName": "Expandbookmarko9kf32",
+ "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelation7ncqz2",
+ "RemoveAlertRuleActionId": "f6e536dc-b77c-422c-b349-a58813fc9f17",
+ "GetbookmarkRelationBookmarkId": "72c19fb6-dca6-4381-9175-229d52e8908a",
+ "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorlzk6wg",
+ "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleName9zg8ih",
+ "GetincidentId": "1db90f1b-ef78-4f10-afb8-7dc242e09ba1",
+ "RemoveentityQueryActivityId": "27d20f12-f14e-48ae-a17a-51e823a08d54",
+ "GetincidentRelationBookmarkId": "e809aa96-66b0-4c25-83cc-f6a969445995",
+ "RemoveAutomationRuleId": "632f22f0-6b77-433b-bc93-6e56ae21a844",
+ "RemoveincidentRelationId": "33ce22e5-46d5-4249-9e1a-06495ad77a1a",
+ "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamelv8k2z",
+ "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNametyup2k",
+ "UpdateincidentId": "c98e79b2-3851-4fe2-be7b-d02281b03ea8",
+ "Playbook4LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident",
+ "RemoveincidentName": "Removeincidenti4dljg",
+ "Playbook3TriggerUrl": "https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs",
 "GetthreatIntelligenceIndicatorIP": "8.8.8.1",
- "GetAlertRuleActionId": "1ce91c05-b6a4-4476-9e83-4df36d224e97",
- "UpdateincidentCommentName": "UpdateincidentCommentjmgwit",
- "GetincidentRelationBookmarkId": "21e8e280-fe09-4a83-a662-4b0711e9c127",
- "GetBookmarkRelationIncidentId": "69e3141d-30e8-49d1-9152-33f3b44cf6b0",
- "RemoveBookmarkRelationId": "adad6e56-9f94-4fba-ba3b-96f4616cdf68",
- "RemoveViaIdentityQueryActivityId": "f75cff94-cd35-4d3e-a20b-4c4eee51dd8e",
- "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamerey7av",
- "RemoveViaIdBookmarkName": "RemoveViaIdbookmark061i4x",
- "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule1whyd4",
- "RemoveBookmarkName": "Removebookmarkorux9k",
- "UpdateincidentRelationId": "defc1116-f142-4647-a377-6869110f6e77",
- "RemoveViaIdthreatIntelligenceIndicatorId": "b37ddba1-7a4f-1feb-9959-e1161d3bf335",
- "ExpandBookmarkName": "Expandbookmarkq42uhy",
- "UpdateAlertRuleId": "98981b11-0c0a-40bb-adc9-63f3693592bf",
- "UpdateViaIdAutomationRuleId": "61701d90-8353-4d61-b435-f9905a31142d",
- "RemoveViaIdAlertRuleId": "952fd6df-a3b8-4d0c-825a-53dcc519a480",
- "RemoveincidentCommentIncidentId": "39c0047a-27bf-41d3-940d-bfb849d18460",
- "ExpandBookmarkId": "b35d430d-02ac-4025-a10e-32cd2ffbe46b",
- "GetAutomationRuleId": "34534660-0566-46ea-98f2-4f5ff70d51e4",
- "RemovebookmarkRelationBookmarkId": "20d8a730-18a5-4a76-9420-a32e46ce5888",
- "UpdateViaIdincidentId": "85b206c3-bf60-48e0-b492-71a79bb8503a",
- "UpdateViaIdincidentRelationIncidentId": "43aedae6-3726-41c1-b0e8-9876df66aa2d",
- "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule62imtb",
- "UpdateBookmarkId": "c6b3fee2-4b8e-4966-aaa7-94bd47e67021",
- "RemoveentityQueryActivityId": "6feafad3-e3a9-4c0f-b9a7-f74b31c2c4db",
- "UpdateViaIdBookmarkName": "UpdateViaIdbookmark63g7uz",
- "disabledRuleGuid": "10a698ca-8310-4b90-a86e-2f43fe285e56",
- "updateDataConnectorId": "b4b8bb52-2917-4179-a28d-fb197dc52aa6",
- "Playbook4TriggerUrl": "https://prod-03.centralus.logic.azure.com:443/workflows/b350a92d152342fb8f3b1a63b7a0df71/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=K2SOIlHPdarAt8bekyIFV4MNNTS2APO1E1EZrN2hmns",
- "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamehynb4o",
- "UpdateincidentRelationName": "UpdateincidentRelationNamesk65ol",
- "GetthreatIntelligenceIndicatorId": "711bdb9e-2ecc-abba-d962-171ce4710199",
- "RemoveincidentCommentName": "RemoveincidentCommentmhcwg3",
- "RemoveAutomationRule": "RemoveAutomationRule0cjsva",
- "UpdateAutomationRule": "UpdateAutomationRule1ceigy",
- "RemoveViaIdincidentCommentName": "RemoveViaIdincidentComment8ftdy3",
- "UpdateViaIdincidentCommentIncidentId": "aa0c1725-78eb-4c1e-87b8-9dd801ebf670",
- "GetAutomationRule": "GetAutomationRulezbilmf",
- "UpdateentityQueryActivityId": "64feba96-1f57-4f3d-8068-a1532ed4e2dc",
- "GetincidentRelationName": "GetincidentRelationNamek8m1ts",
- "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameymswnj",
- "UpdateBookmarkRelationId": "3106728c-12de-4dad-b0c6-603a9285765e",
- "UpdateViaIdthreatIntelligenceIndicatorId": "e43bf713-da7f-8329-80bb-e1556c70abdd",
- "UpdateViaIdalertRuleActionRuleId": "a555c523-e318-4501-bfe8-b9c6da354af7",
- "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNameq9l2gm",
- "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNamehd50fa",
 "location": "Central US",
- "GetentityQueryActivityName": "GetentityQueryActivity6pi5by",
- "RemoveViaIdincidentName": "RemoveViaIdincidentt6k39e",
- "workspaceName": "asptest8xu4wd",
- "RemoveViaIdincidentRelationIncidentId": "7bfb344d-ad2a-431d-9e39-78747ac51f54",
- "UpdatebookmarkRelationBookmarkId": "6548e330-d18d-4690-b6fa-b5ba7f5eac27",
+ "RemoveAlertRuleName": "RemoveAlertRulex6lvwk",
+ "UpdateViaIdbookmarkRelationBookmarkId": "04b58a5a-2a5e-47e2-9c22-3cd6229599ec",
+ "UpdateViaIdincidentRelationId": "da90eff1-20a8-49a2-8392-57e18de4707a",
+ "GetalertRuleActionRuleId": "28d676f4-c9d3-465b-a7bf-b359b492f49d",
+ "GetincidentRelationName": "GetincidentRelationName86qok5",
+ "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5",
+ "UpdateViaIdincidentRelationBookmarkId": "90ad9f1f-1d2d-4360-b617-cf345b5c4f58",
+ "UpdateincidentRelationId": "986b271a-b0de-4c02-bb6a-f7df9e484025",
+ "GetincidentCommentName": "GetincidentComment7wxaop",
+ "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator3o7nfw",
+ "GetAlertRuleName": "GetAlertRuler93k8j",
+ "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamekax1li",
+ "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkName32qtdl",
+ "workspaceResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s",
+ "GetBookmarkRelationIncidentId": "e31f4f52-858c-4a29-bacc-b0b91ca86f43",
+ "UpdateincidentRelationIncidentId": "bf284b9a-a101-4094-9387-503fd6afb8db",
+ "UpdateBookmarkRelationId": "382966e8-f4b2-444c-b4e8-514194ff8544",
+ "RemoveViaIdincidentCommentIncidentId": "39c25766-18b0-4620-9a63-3dfb2144ddd9",
+ "UpdateincidentName": "Updateincidentjspby6",
+ "UpdateViaIdBookmarkRelationIncidentId": "75bd63a7-0ac6-4f43-8a15-18ff73172bb5",
+ "UpdateViaIdincidentCommentId": "c6f306f8-0304-4f4d-8176-59df16a692fa",
+ "RemoveBookmarkRelationId": "edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb",
+ "GetAutomationRule": "GetAutomationRulemisk67",
+ "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentNameqm47li",
+ "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentximhku",
+ "RemoveAutomationRule": "RemoveAutomationRuletdnlpa",
+ "newOnboardingStateWS": "asptest5jhi0p",
+ "workspaceId": "24e84d4f-281e-4a2d-8963-f554a6812d57",
+ "RemoveincidentRelationBookmarkId": "5c0c39f4-96c8-4054-8b78-69edbf33a92f",
+ "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName0rvjph",
+ "UpdateBookmarkId": "8a947749-f012-465f-b5fd-cb60e5eae27d",
+ "GetalertRuleActionRuleName": "GetalertRuleActionRuleNamelboi79",
+ "GetthreatIntelligenceIndicatorId": "bd45b979-3f35-b698-a82a-23f3058f60bc",
+ "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkName0wac48",
+ "RemoveViaIdAutomationRuleId": "c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00",
+ "SubscriptionId": "51a36d38-3b14-471f-8dde-a5867f5e51eb",
+ "UpdatethreatIntelligenceIndicatorId": "a40d90cd-3425-dcc7-87c9-8c9298f3641d",
+ "UpdateAutomationRule": "UpdateAutomationRulek1wb4p",
+ "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamentimyo",
+ "RemoveViaIdBookmarkRelationId": "3416cbe9-ea30-4e98-aead-419270c45bf8",
+ "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentName5jgmqo",
+ "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust",
+ "ExpandBookmarkId": "2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c",
+ "RemoveBookmarkRelationName": "RemovebookmarkRelationx31quz",
+ "UpdateincidentRelationName": "UpdateincidentRelationNamer9x8f6",
+ "GetincidentRelationId": "38ffa7b2-a413-4ab4-979f-8ec4ca096552",
+ "RemoveincidentId": "6bc1d179-d8b5-45ee-82d8-dc7f59b9168a",
+ "RemovethreatIntelligenceIndicatorIP": "8.8.8.2",
+ "RemoveincidentRelationIncidentId": "da728eb4-6e7e-4be8-8397-cb2b45877bf9",
+ "UpdateViaIdalertRuleActionRuleId": "1190f2a9-3661-474d-8c8a-cc808bce7b2e",
+ "UpdateentityQueryActivityName": "UpdateentityQueryActivityuzypgr",
+ "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNamejdsg8m",
+ "RemoveViaIdincidentCommentId": "1130726d-fadf-4bc2-a3c4-b4b78c20c22a",
+ "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNameu6v1fs",
+ "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNamea5qvsi",
+ "UpdateAlertRuleName": "UpdateAlertRulet0r6jh",
+ "RemoveincidentRelationName": "RemoveincidentRelationNamewj4fdx",
+ "RemoveViaIdBookmarkRelationIncidentId": "68159ff1-4122-4fc3-9152-8bf489a4304d",
+ "RemoveViaIdBookmarkId": "1064e218-7849-4caf-993c-93373d0c6ce5",
+ "RemoveViaIdincidentRelationId": "fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790",
+ "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamegnwkmx",
+ "UpdateViaIdBookmarkRelationId": "c36ddb20-11ec-4179-a995-51e6fcfd1e58",
+ "RemoveViaIdincidentName": "RemoveViaIdincidentomsla7",
+ "RemoveBookmarkId": "a8dfd8ae-256a-44fb-a72c-0fb43307c128",
+ "disabledRuleGuid": "5c8dc0ac-8808-40f3-a6b4-1401369a9e1e",
+ "UpdateAlertRuleActionId": "542659a3-3a74-4d87-8e04-a0e4fcbd5537",
+ "RemoveentityQueryActivityName": "RemoveentityQueryActivity0xhu5l",
+ "GetAlertRuleId": "a7f0377a-a2ab-4a1c-9103-f59066cc6c61",
+ "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicator8hwpzl",
+ "UpdateincidentCommentId": "8b70f251-25ad-4599-b45c-72c283b93732",
+ "UpdateAutomationRuleId": "5d9b905b-1fc5-459f-b9fd-5836c565dc34",
+ "RemoveViaIdentityQueryActivityId": "56d115fc-3330-4d1a-82ce-c92ec67f38d6",
+ "updateDataConnectorId": "0c45acce-4689-4024-8bfa-4ff3b300e29a",
+ "RemoveBookmarkName": "Removebookmarkbu2rns",
 "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3",
- "UpdateViaIdBookmarkId": "e19c0b42-e8cf-4fae-8690-7d632b11beaf",
- "GetAlertRuleId": "aa4274ad-8144-44e6-8dc2-669dc0b5ea0d",
- "RemoveViaIdincidentRelationBookmarkId": "3dcbfb4e-d6fb-40df-a64a-29695148826d",
- "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivity4n9kre",
- "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameib8ohc",
- "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorol6dht",
- "UpdateincidentRelationBookmarkId": "201247f4-bb20-4a3b-8e89-3609968c888f",
- "GetAlertRuleName": "GetAlertRulez4ros0",
- "UpdatethreatIntelligenceIndicatorId": "857acee8-b9d5-9c49-56c4-93496d0bf3bf",
- "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivityt6dc5y",
- "RemoveViaIdalertRuleActionRuleId": "a2dda58f-98fd-44db-ac37-397a9ccd9e25",
- "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNametdo819",
- "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6",
- "RemoveViaIdincidentId": "1f88da2c-e158-4900-8d6e-a467f72fdd34",
- "UpdateViaIdincidentRelationId": "b03e0e3c-97ce-4eb5-a1f0-e096bbeeddd4",
- "RemovealertRuleActionRuleId": "3e459759-acb2-48cd-b091-f325a2618fb6",
- "UpdateincidentId": "23dc6b0b-2413-4b21-94b3-242f576b73c2",
- "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentNameewut32",
- "RemovethreatIntelligenceIndicatorId": "ccfb7869-be18-0f44-ff2c-a9b36e598fd1",
- "newOnboardingStateWS": "asptest0u4c9l",
- "UpdateViaIdincidentCommentId": "c3bc7c2d-a384-4bb5-8fde-e2ee44fc18be",
- "UpdateincidentCommentId": "2e3b2f73-ae6b-4e88-be17-6fd85a9400ee",
- "RemoveViaIdAutomationRuleId": "37a50acc-05b0-41ad-be1d-7a53c88ff383",
- "GetincidentCommentId": "1b475d8b-b763-4d91-9dc9-c2125a6531e9",
- "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamebtlx8k",
- "UpdatealertRuleActionRuleId": "09b5716f-9b0b-4663-8302-e17b94a12ead",
- "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator9tg8p7",
- "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleName1lirvu",
- "RemoveAlertRuleId": "fdbab4a1-bd45-4dc1-a93b-e4aa20d16262",
- "RemoveBookmarkId": "9ff7b322-3212-4574-bfad-4408206875f8",
- "RemoveViaIdBookmarkRelationIncidentId": "7d56a89d-59f4-4b3a-aa71-34494c2f5f5c",
- "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamea13fz8",
- "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamerea364",
- "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b",
- "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkNamewqmnkf",
- "UpdateAutomationRuleId": "6b61f56c-c075-4127-9f2a-56a855dee096",
- "GetincidentCommentIncidentId": "03f0e7ca-255a-49dc-a98d-19f65584d06c",
- "UpdateBookmarkRelationName": "UpdatebookmarkRelationg84prd",
- "RemoveViaIdBookmarkId": "4327ac2f-6115-4602-9616-83cf991298a5",
- "UpdateAlertRuleName": "UpdateAlertRulevi15sc",
- "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName150wxv",
- "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatornqcsd9",
+ "Playbook1LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert",
+ "GetincidentRelationIncidentId": "ccca6513-b2b1-46be-925b-40f25e28a448",
+ "UpdateentityQueryActivityId": "27b638f3-fbfb-4387-bb6a-353001b9794a",
+ "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamej8c2iu",
+ "Playbook2LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident",
+ "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNamem6df2w",
+ "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamebokia1",
+ "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkdr69tz",
+ "Playbook3LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert",
 "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4",
- "RemoveincidentId": "cc0a7c84-b29b-4136-acbb-648a7237df0a",
- "GetbookmarkRelationBookmarkId": "5df694bf-7774-49cf-a84b-282fd43a926b",
- "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamepvhuk4",
- "GetBookmarkRelationName": "GetbookmarkRelationt8sg7i",
- "UpdateentityQueryActivityName": "UpdateentityQueryActivity1ewg7d",
- "GetBookmarkName": "Getbookmark3k6sjz",
- "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert",
- "GetincidentId": "853e143c-97fd-48f1-86df-c8a68dbb87f1",
- "RemovethreatIntelligenceIndicatorIP": "8.8.8.2",
- "UpdateAlertRuleActionId": "5ec4ff48-a958-4a95-aab5-4ae7e8cddbdf",
- "UpdateViaIdincidentName": "UpdateViaIdincident1anj4u",
- "GetBookmarkId": "6eca09df-59e8-44f1-b96e-d316b4d3ad08",
- "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert",
- "GetalertRuleActionRuleName": "GetalertRuleActionRuleName1539nb",
- "resourceGroupName": "aspstest91v7fr",
- "removeOnboardingStateWS": "asptestdlvh1s",
- "RemoveincidentRelationName": "RemoveincidentRelationNamewlc2fd",
- "solarigateRuleGuid": "af03fc0e-d33f-447a-8397-d60726aa92c5",
- "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNameuk6d50",
- "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident",
- "Playbook1TriggerUrl": "https://prod-07.centralus.logic.azure.com:443/workflows/3647b421918e40f19a5e9346dc633c61/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=8SgwCaNwsGFFEsJ0yKJoTXy329Qt949c0AsSDlv48sQ",
- "UpdateViaIdBookmarkRelationIncidentId": "6cbc4e33-d46b-4993-96e4-ecb0e44415cb",
- "bookmarkExpansionId": "29d93f68-3f52-46b9-960c-ca3ea7bb8fa2",
- "GetincidentCommentName": "GetincidentComment48q5k9",
- "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNamexlrb8u",
- "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamecawzes",
- "RemoveAlertRuleName": "RemoveAlertRulesuagz6",
- "RemoveincidentName": "Removeincidentwy9zj7",
- "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationxgibse",
- "UpdateincidentName": "Updateincident59odxy",
- "RemoveAlertRuleActionId": "d359018e-774c-4345-aad4-eaf449a72b0c",
- "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationy7rd6c",
- "UpdateViaIdincidentRelationBookmarkId": "f18e48e7-15f9-49c8-bb2b-fdf166e7cf9a",
- "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator2c47h8",
- "RemoveincidentCommentId": "2305a5f7-84eb-482c-bc88-33d76495c69c",
- "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamepuj3oy",
- "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkName72z1my",
- "Playbook3TriggerUrl": "https://prod-29.centralus.logic.azure.com:443/workflows/6e83051f6df6465c872c5540c8c167f5/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=7_edWmU4wZ31-sXPdtbxReXl11jbmLX99HIT9l134Wo",
- "dataConnectorId": "88da8507-46cb-4c34-9cf3-189e58b34c9e",
- "GetincidentName": "Getincidentj0bimh",
- "UpdateViaIdbookmarkRelationBookmarkId": "463b2e8b-17c1-48d6-94a3-7443b0ba2cbf",
- "UpdateViaIdAlertRuleActionId": "34ec4b87-3f90-443e-9034-c32e77c5fb6e",
- "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentName84x0ne",
- "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamezks1qr",
- "workspaceId": "04acdb04-b6a1-4292-a956-621f955f6a5f"
+ "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName17euac",
+ "UpdateViaIdAlertRuleId": "819c1dad-0658-4633-b80c-74cae574c0f7",
+ "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivitypltenj",
+ "UpdateViaIdAutomationRuleId": "21451d32-deaf-4698-9f46-8fc02bc5e632",
+ "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNameuxbzmh",
+ "RemoveincidentCommentId": "f81c3566-1019-43de-8cee-9ba0d8f53028",
+ "resourceGroupName": "aspstestt6jdws",
+ "RemoveViaIdAlertRuleActionId": "19e41336-dba7-4df1-94f6-075f34d10aae",
+ "mlRuleGuid": "75c9560c-ce08-4332-aa4a-0e675fc0b17c",
+ "RemoveViaIdthreatIntelligenceIndicatorId": "8bc7c1a2-ceb7-dea2-025b-a90dc873bf63",
+ "RemovealertRuleActionRuleId": "5259fc88-ad43-4c0f-8712-e276f794f08a",
+ "GetBookmarkRelationId": "eacf9694-518d-404c-85a0-6703db574c22",
+ "UpdateViaIdBookmarkName": "UpdateViaIdbookmarkpulz5j",
+ "UpdateViaIdincidentName": "UpdateViaIdincident68knyo",
+ "UpdateViaIdincidentRelationIncidentId": "854d68b0-7cef-4c43-a0f3-03df09f60906",
+ "dataConnectorId": "8fee2c52-7010-4d95-a6ce-eb73f2921e20",
+ "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNameljqs90",
+ "UpdateViaIdincidentCommentIncidentId": "7141874b-1f5d-4bf7-9e25-bb748ff70946",
+ "Playbook1TriggerUrl": "https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k",
+ "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentvuackw",
+ "GetBookmarkId": "cf23ef92-aa60-4e4a-9598-c30417b601db",
+ "Playbook2TriggerUrl": "https://prod-00.centralus.logic.azure.com:443/workflows/ed17f475ab554ad9ac3e67e6aee5a2d5/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=DLC4cfruVLDvzNIWR8pPUZlaSgMGuaPYXY42aYNj85w",
+ "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationkyfai8",
+ "UpdatealertRuleActionRuleId": "c3f83b09-6bfc-4365-813e-56f9b186baac",
+ "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNameqen0ym",
+ "RemoveAlertRuleId": "c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6",
+ "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentName3tykhx",
+ "RemoveViaIdbookmarkRelationBookmarkId": "a34d217c-2b9d-4b72-b7d9-5a3850f0f17c",
+ "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRuleg7sd5h",
+ "removeOnboardingStateWS": "asptesty1avre",
+ "UpdateincidentCommentIncidentId": "a0b8657f-5c36-4cb2-8952-f90affa7e0da",
+ "ASIServicePrinicpal": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84",
+ "GetincidentCommentIncidentId": "36740e38-b328-4f70-a514-867d90c8361d",
+ "solarigateRuleGuid": "6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3",
+ "GetAlertRuleActionId": "fbc77ebc-03d2-4653-a435-f072687e1b97",
+ "GetBookmarkName": "Getbookmarks1c0pz",
+ "UpdateBookmarkRelationIncidentId": "0f49b19c-24d3-4775-92ae-dc0ecd5e1ace",
+ "RemoveViaIdAlertRuleId": "c1a9cd5e-f882-4d57-b94f-742b0e2ae177",
+ "UpdateViaIdentityQueryActivityId": "9934ce9e-b735-43ca-885c-729dc54cb4d1",
+ "Playbook4TriggerUrl": "https://prod-17.centralus.logic.azure.com:443/workflows/04d2704a1afb4570bdf87b0b4d785630/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=cH1hGx080cqs2EiK4l4O5W0XsLE3_q7Pr6j0FX_AcM8"
 }
diff --git a/src/SecurityInsights/test/readme.md b/src/SecurityInsights/test/readme.md
new file mode 100644
index 000000000000..1969200c6a09
--- /dev/null
+++ b/src/SecurityInsights/test/readme.md
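Review bot: The new side of this env.json hunk commits four Logic App trigger URLs (`Playbook1TriggerUrl` through `Playbook4TriggerUrl`) whose `sig=` query parameter is the shared-access signature that authorizes invoking the workflow, so anyone who can read the repository can invoke those playbooks in the test subscription until the workflows' access keys are regenerated. The removed side carried the same kind of URLs, so the pattern is not new, but the commit refreshes them with live values instead of removing them, and the old signatures should be treated as exposed as well. Replace the four values with a placeholder such as `"Playbook1TriggerUrl": "<redacted-trigger-url>"`, have the test setup read the real URLs from an untracked local file or an environment variable, and regenerate the keys; a recording scrubber rule for `sig=` would keep the same values out of the `.Recording.json` files. The tenant, subscription, workspace and `ASIServicePrinicpal` GUIDs in the same file are identifiers rather than secrets, but they are still best kept out of a public fixture once the trigger URLs are gone.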
@@ -0,0 +1,17 @@
+# Test
+This directory contains the [Pester](https://www.powershellgallery.com/packages/Pester) tests to run for the module. We use Pester as it is the unofficial standard for PowerShell unit testing. Test stubs for custom cmdlets (created in `../custom`) will be generated into this folder when `build-module.ps1` is ran. These test stubs will fail automatically, to indicate that tests should be written for custom cmdlets.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: no
+
+## Details
+We allow three testing modes: *live*, *record*, and *playback*. These can be selected using the `-Live`, `-Record`, and `-Playback` switches respectively on the `test-module.ps1` script. This script will run through any `.Tests.ps1` scripts in the `test` folder. If you choose the *record* mode, it will create a `.Recording.json` file of the REST calls between the client and server. Then, when you choose *playback* mode, it will use the `.Recording.json` file to mock the communication between server and client. The *live* mode runs the same as the *record* mode; however, it doesn't create the `.Recording.json` file.
+
+## Purpose
+Custom cmdlets generally encompass additional functionality not described in the REST specification, or combines functionality generated from the REST spec. To validate this functionality continues to operate as intended, creating tests that can be ran and re-ran against custom cmdlets is part of the framework.
+
+## Usage
+To execute tests, run the `test-module.ps1`. To write tests, [this example](https://github.com/pester/Pester/blob/8b9cf4248315e44f1ac6673be149f7e0d7f10466/Examples/Planets/Get-Planet.Tests.ps1#L1) from the Pester repository is very useful for getting started.
\ No newline at end of file
From 6e7b97c254e3dc91f7b80840775991453f657f07 Mon Sep 17 00:00:00 2001
From: Yeming Liu <11371776+isra-fel@users.noreply.github.com> Date: Tue, 9 Aug 2022 12:46:56 +0800 Subject: [PATCH 06/24] Delete readme.md --- src/SecurityInsights/readme.md | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 src/SecurityInsights/readme.md diff --git a/src/SecurityInsights/readme.md b/src/SecurityInsights/readme.md deleted file mode 100644 index 3dce0ebe8383..000000000000 --- a/src/SecurityInsights/readme.md +++ /dev/null @@ -1,27 +0,0 @@ - -# Az.SecurityInsights -This directory contains the PowerShell module for the SecurityInsights service. - ---- -## Status -[![Az.SecurityInsights](https://img.shields.io/powershellgallery/v/Az.SecurityInsights.svg?style=flat-square&label=Az.SecurityInsights "Az.SecurityInsights")](https://www.powershellgallery.com/packages/Az.SecurityInsights/) - -## Info -- Modifiable: yes -- Generated: all -- Committed: yes -- Packaged: yes - ---- -## Detail -This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension. - -## Module Requirements -- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.2.3 or greater - -## Authentication -AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent. - -## Development -For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md). - From c49d551cf81ab225f2afdb22561d73e1e52894ce Mon Sep 17 00:00:00 2001 From: Yabo Hu Date: Tue, 9 Aug 2022 13:40:32 +0800 Subject: [PATCH 07/24] Delete readme.md --- src/SecurityInsights/custom/readme.md | 41 --------------------------- 1 file changed, 41 deletions(-) delete mode 100644 src/SecurityInsights/custom/readme.md 
diff --git a/src/SecurityInsights/custom/readme.md b/src/SecurityInsights/custom/readme.md
deleted file mode 100644
index 43bd883b0e75..000000000000
--- a/src/SecurityInsights/custom/readme.md
+++ /dev/null
@@ -1,41 +0,0 @@ -# Custom -This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified. - -## Info -- Modifiable: yes -- Generated: partial -- Committed: yes -- Packaged: yes - -## Details -For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*. - -For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder. - -For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundemental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build. 
- -## Purpose -This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder. - -## Usage -The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters: -- Break -- DefaultProfile -- HttpPipelineAppend -- HttpPipelinePrepend -- Proxy -- ProxyCredential -- ProxyUseDefaultCredentials - -These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method. - -### Attributes -For processing the cmdlets, we've created some additional attributes: -- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute` - - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propegated to reference documentation via [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts. -- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute` - - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time. 
These cmdlets will *not be exposed* by `Az.SecurityInsights`. -- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute` - - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [readme.md](../internal/readme.md) in the `../internal` folder. -- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute` - - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules. \ No newline at end of file From b0ff6a7f1c3526c04ba95070ebc08f6be923d571 Mon Sep 17 00:00:00 2001 From: Yabo Hu Date: Tue, 9 Aug 2022 13:41:16 +0800 Subject: [PATCH 08/24] Delete readme.md --- src/SecurityInsights/docs/readme.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 src/SecurityInsights/docs/readme.md diff --git a/src/SecurityInsights/docs/readme.md b/src/SecurityInsights/docs/readme.md deleted file mode 100644 index f18a8fa38198..000000000000 --- a/src/SecurityInsights/docs/readme.md +++ /dev/null 
@@ -1,11 +0,0 @@
-# Docs
-This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overriden on regeneration*. To update documentation examples, please use the `../examples` folder.
-
-## Info
-- Modifiable: no
-- Generated: all
-- Committed: yes
-- Packaged: yes
-
-## Details
-The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder.
\ No newline at end of file
From 48ee25376c9cf815a9fd56038036670451fe11ac Mon Sep 17 00:00:00 2001
From: Yabo Hu
Date: Tue, 9 Aug 2022 13:41:42 +0800
Subject: [PATCH 09/24] Delete readme.md

---
 src/SecurityInsights/test/readme.md | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 src/SecurityInsights/test/readme.md
diff --git a/src/SecurityInsights/test/readme.md b/src/SecurityInsights/test/readme.md
deleted file mode 100644
index 1969200c6a09..000000000000
--- a/src/SecurityInsights/test/readme.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Test
-This directory contains the [Pester](https://www.powershellgallery.com/packages/Pester) tests to run for the module. We use Pester as it is the unofficial standard for PowerShell unit testing. Test stubs for custom cmdlets (created in `../custom`) will be generated into this folder when `build-module.ps1` is ran. These test stubs will fail automatically, to indicate that tests should be written for custom cmdlets.
-
-## Info
-- Modifiable: yes
-- Generated: partial
-- Committed: yes
-- Packaged: no
-
-## Details
-We allow three testing modes: *live*, *record*, and *playback*. These can be selected using the `-Live`, `-Record`, and `-Playback` switches respectively on the `test-module.ps1` script. This script will run through any `.Tests.ps1` scripts in the `test` folder. If you choose the *record* mode, it will create a `.Recording.json` file of the REST calls between the client and server. Then, when you choose *playback* mode, it will use the `.Recording.json` file to mock the communication between server and client. The *live* mode runs the same as the *record* mode; however, it doesn't create the `.Recording.json` file.
-
-## Purpose
-Custom cmdlets generally encompass additional functionality not described in the REST specification, or combines functionality generated from the REST spec. To validate this functionality continues to operate as intended, creating tests that can be ran and re-ran against custom cmdlets is part of the framework.
-
-## Usage
-To execute tests, run the `test-module.ps1`. To write tests, [this example](https://github.com/pester/Pester/blob/8b9cf4248315e44f1ac6673be149f7e0d7f10466/Examples/Planets/Get-Planet.Tests.ps1#L1) from the Pester repository is very useful for getting started.
\ No newline at end of file
From e535f089f969c986813802083c1bd1b652678b2c Mon Sep 17 00:00:00 2001
From: VeryEarly Date: Tue, 9 Aug 2022 14:21:43 +0800 Subject: [PATCH 10/24] fix examples, type in custom --- .../custom/New-AzSentinelEntityQuery.ps1 | 1 + .../docs/Get-AzSentinelAlertRule.md | 2 +- .../docs/Get-AzSentinelAlertRuleAction.md | 2 +- .../docs/Get-AzSentinelAlertRuleTemplate.md | 2 +- .../docs/Get-AzSentinelAutomationRule.md | 2 +- .../docs/Get-AzSentinelBookmark.md | 2 +- .../docs/Get-AzSentinelBookmarkRelation.md | 2 +- .../docs/Get-AzSentinelDataConnector.md | 2 +- .../docs/Get-AzSentinelEnrichment.md | 2 +- .../docs/Get-AzSentinelEntity.md | 2 +- .../docs/Get-AzSentinelEntityQuery.md | 2 +- .../docs/Get-AzSentinelEntityQueryTemplate.md | 2 +- .../docs/Get-AzSentinelEntityRelation.md | 2 +- .../docs/Get-AzSentinelIncident.md | 2 +- .../docs/Get-AzSentinelIncidentComment.md | 2 +- .../docs/Get-AzSentinelIncidentRelation.md | 2 +- .../docs/Get-AzSentinelMetadata.md | 2 +- .../docs/Get-AzSentinelOnboardingState.md | 2 +- .../docs/Get-AzSentinelSetting.md | 2 +- ...t-AzSentinelThreatIntelligenceIndicator.md | 2 +- ...entinelThreatIntelligenceIndicatorQuery.md | 2 +- .../docs/New-AzSentinelAlertRule.md | 2 +- .../docs/New-AzSentinelAutomationRule.md | 14 +++---------- .../docs/New-AzSentinelBookmark.md | 2 +- .../docs/New-AzSentinelBookmarkRelation.md | 2 +- .../docs/New-AzSentinelDataConnector.md | 16 +++++++------- .../docs/New-AzSentinelEntityQuery.md | 6 +++--- .../docs/New-AzSentinelIncident.md | 4 ++-- .../docs/New-AzSentinelIncidentComment.md | 2 +- .../docs/New-AzSentinelIncidentRelation.md | 2 +- .../docs/New-AzSentinelIncidentTeam.md | 2 +- .../docs/New-AzSentinelOnboardingState.md | 2 +- .../docs/Remove-AzSentinelAlertRule.md | 2 +- .../docs/Remove-AzSentinelAlertRuleAction.md | 4 ++-- .../docs/Remove-AzSentinelAutomationRule.md | 4 ++-- .../docs/Remove-AzSentinelBookmark.md | 2 +- .../docs/Remove-AzSentinelBookmarkRelation.md | 2 +- .../docs/Remove-AzSentinelDataConnector.md | 2 +- .../docs/Remove-AzSentinelEntityQuery.md | 2 +- 
.../docs/Remove-AzSentinelIncident.md | 2 +- .../docs/Remove-AzSentinelIncidentComment.md | 2 +- .../docs/Remove-AzSentinelIncidentRelation.md | 4 ++-- .../docs/Remove-AzSentinelOnboardingState.md | 2 +- ...AzSentinelDataConnectorCheckRequirement.md | 21 +++---------------- .../docs/Update-AzSentinelAlertRule.md | 4 ++-- .../docs/Update-AzSentinelAlertRuleAction.md | 4 ++-- .../docs/Update-AzSentinelAutomationRule.md | 6 +++--- .../docs/Update-AzSentinelBookmark.md | 2 +- .../docs/Update-AzSentinelBookmarkRelation.md | 2 +- .../docs/Update-AzSentinelDataConnector.md | 16 +++++++------- .../docs/Update-AzSentinelEntityQuery.md | 4 ++-- .../docs/Update-AzSentinelIncident.md | 4 ++-- .../docs/Update-AzSentinelIncidentComment.md | 2 +- .../docs/Update-AzSentinelIncidentRelation.md | 2 +- .../docs/Update-AzSentinelSetting.md | 2 +- .../examples/Get-AzSentinelEntityActivity.md | 2 -- .../examples/Get-AzSentinelEntityRelation.md | 5 +---- .../examples/New-AzSentinelAlertRule.md | 13 ------------ .../examples/New-AzSentinelAlertRuleAction.md | 2 -- .../examples/New-AzSentinelAutomationRule.md | 8 +------ .../New-AzSentinelBookmarkRelation.md | 2 -- .../examples/New-AzSentinelDataConnector.md | 4 +--- .../examples/New-AzSentinelEntityQuery.md | 2 -- .../examples/New-AzSentinelIncidentComment.md | 2 -- .../examples/New-AzSentinelOnboardingState.md | 2 -- .../examples/Remove-AzSentinelAlertRule.md | 2 -- .../Remove-AzSentinelAlertRuleAction.md | 4 +--- .../Remove-AzSentinelAutomationRule.md | 4 +--- .../examples/Remove-AzSentinelBookmark.md | 2 -- .../Remove-AzSentinelBookmarkRelation.md | 2 -- .../Remove-AzSentinelDataConnector.md | 2 -- .../examples/Remove-AzSentinelEntityQuery.md | 4 ---- .../examples/Remove-AzSentinelIncident.md | 4 ---- .../Remove-AzSentinelIncidentComment.md | 6 +----- .../Remove-AzSentinelIncidentRelation.md | 4 +--- .../Remove-AzSentinelOnboardingState.md | 2 -- ...AzSentinelDataConnectorCheckRequirement.md | 20 +++--------------- 
.../examples/Update-AzSentinelAlertRule.md | 2 -- .../Update-AzSentinelAlertRuleAction.md | 4 +--- .../Update-AzSentinelAutomationRule.md | 4 +--- .../examples/Update-AzSentinelBookmark.md | 3 +-- .../Update-AzSentinelBookmarkRelation.md | 2 -- .../Update-AzSentinelDataConnector.md | 2 -- .../examples/Update-AzSentinelEntityQuery.md | 2 -- .../examples/Update-AzSentinelIncident.md | 2 -- .../Update-AzSentinelIncidentComment.md | 2 -- .../Update-AzSentinelIncidentRelation.md | 2 -- .../examples/Update-AzSentinelSetting.md | 2 -- 88 files changed, 98 insertions(+), 219 deletions(-) diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 index 80541157d667..b91efbdfbb57 100644 --- a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 @@ -50,6 +50,7 @@ function New-AzSentinelEntityQuery { [Parameter(Mandatory)] [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind] # Kind of the the Entity Query ${Kind}, diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md index cfc6b8728c36..90779dae796f 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md @@ -207,7 +207,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
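Review bot: The help comment immediately under the added `[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind]` attribute in New-AzSentinelEntityQuery.ps1 still reads `# Kind of the the Entity Query`; since this hunk already edits the `${Kind}` parameter block, the duplicated word should be fixed in the same change: `# Kind of the Entity Query`. The ArgumentCompleter on that parameter only ever returns 'Activity', while the newly applied enum type presumably admits other kinds; if this cmdlet supports only Activity queries, a `[ValidateSet('Activity')]` attribute would reject other values at parameter binding rather than leaving the constraint to tab completion, and if it supports more, the completer's list should say so. The enclosing function New-AzSentinelEntityQuery starts and ends outside the hunk.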
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md index f6482fc95095..0cf1d83aeb61 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md index 86b15193b94d..8f535b50f9d5 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md @@ -193,7 +193,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md index 43921221c76f..f4b76814a7f9 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md 
@@ -184,7 +184,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md index 51e41574b2b4..01fe1836136e 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md @@ -182,7 +182,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md index 29e9a3f98e06..6f22d30642c1 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md @@ -270,7 +270,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md index bdd246d7622c..45b3e1d4a717 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md index 7797cbb23c00..5c84d74fb965 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md @@ -200,7 +200,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/docs/Get-AzSentinelEntity.md index dd8e8b6380bf..4f18c8f67ceb 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntity.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntity.md @@ -206,7 +206,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md index beef38e95c2b..e4b38711604b 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md @@ -226,7 +226,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md index defea674fb03..852d67205d98 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md @@ -214,7 +214,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md index 47df57a8d066..c7454f551b52 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md 
@@ -252,7 +252,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/docs/Get-AzSentinelIncident.md index d03fb27d831b..fb959efeeafd 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncident.md @@ -249,7 +249,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md index 17617fe272f0..988434c7439d 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md @@ -263,7 +263,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md index f88685604aa5..1eeca20f5536 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md @@ -278,7 +278,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md index 58447408cd4a..52ffb4547ae0 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md +++ b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md @@ -227,7 +227,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md index 77cbe4072e81..e9dba1a4da1e 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md @@ -174,7 +174,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/docs/Get-AzSentinelSetting.md index a5c9f05dcc2f..9ea5481a88d4 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Get-AzSentinelSetting.md @@ -205,7 +205,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md index 5fcf4043581b..0a3014bd751a 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md +++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md @@ -260,7 +260,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md index 3bf8cb69b0d5..d66fe5aa3422 100644 --- a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md +++ b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md 
@@ -347,7 +347,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`SORTBY `: Columns to sort by and sorting order +SORTBY : Columns to sort by and sorting order - `[ItemKey ]`: Column name - `[SortOrder ]`: Sorting order (ascending/descending/unsorted). diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md index 22d572a9d818..5bef18b69398 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md @@ -764,7 +764,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier diff --git a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md index 5f43965e4591..a0a1ba63a37e 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md 
@@ -43,13 +43,9 @@ Creates or updates the automation rule. New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled ``` -```output -{{ Add output here }} -``` - This command creates an Automation Rule that has an Action of Run Playbook. -### Example 2: {{ Add title here }} +### Example 2: Creates an Automation Rule that has an Action of changing the severity ```powershell $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new() $automationRuleAction.Order = 1 @@ -58,10 +54,6 @@ This command creates an Automation Rule that has an Action of Run Playbook. New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled ``` -```output -{{ Add output here }} -``` - This command creates an Automation Rule that has an Action of changing the severity. ## PARAMETERS @@ -285,11 +277,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ACTION `: The actions to execute when the automation rule is triggered +ACTION : The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -`AUTOMATIONRULE `: Represents an automation rule. +AUTOMATIONRULE : Represents an automation rule. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. 
diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/docs/New-AzSentinelBookmark.md index cbf04db4e2d0..21f91ebedfc5 100644 --- a/src/SecurityInsights/docs/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmark.md @@ -359,7 +359,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`BOOKMARK `: Represents a bookmark in Azure Security Insights. +BOOKMARK : Represents a bookmark in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md index 5345df5e9da5..aefcac037817 100644 --- a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md @@ -199,7 +199,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`RELATION `: Represents a relation between two resources +RELATION : Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md index 3bd1c32ad02f..def1c6ab8e00 100644 --- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md 
@@ -133,7 +133,7 @@ Creates or updates the data connector. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Enables the Threat Intelligence data connector ```powershell New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All ``` @@ -904,11 +904,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`PERMISSIONCUSTOM `: [Parameter(ParameterSetName = 'APIPolling')] +PERMISSIONCUSTOM : [Parameter(ParameterSetName = 'APIPolling')] - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -`PERMISSIONRESOURCEPROVIDER `: [Parameter(ParameterSetName = 'APIPolling')] +PERMISSIONRESOURCEPROVIDER : [Parameter(ParameterSetName = 'APIPolling')] - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -918,27 +918,27 @@ To create the parameters described below, construct a hash table containing the - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -`UICONFIGCONNECTIVITYCRITERION `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGCONNECTIVITYCRITERION : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -`UICONFIGDATATYPE `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGDATATYPE : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -`UICONFIGGRAPHQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGGRAPHQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -`UICONFIGINSTRUCTIONSTEP `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGINSTRUCTIONSTEP : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -`UICONFIGSAMPLEQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGSAMPLEQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md index 1ad6891cb05d..ca7b26e29896 100644 --- a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -14,7 +14,7 @@ Creates or updates the entity query. ``` New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content - -Description -InputEntityType -Kind -QueryDefinitionQuery + -Description -InputEntityType -Kind -QueryDefinitionQuery -Title [-SubscriptionId ] [-EntitiesFilter ] [-RequiredInputFieldsSet ] [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] @@ -148,7 +148,7 @@ Accept wildcard characters: False Kind of the the Entity Query ```yaml -Type: System.Object +Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind Parameter Sets: (All) Aliases: @@ -330,7 +330,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITIESFILTER `: +ENTITIESFILTER : - `[(Any) ]`: This indicates any property can be added to this object. ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncident.md b/src/SecurityInsights/docs/New-AzSentinelIncident.md index 78e72edbf464..be182c72c718 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncident.md @@ -424,7 +424,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INCIDENT `: Represents an incident in Azure Security Insights. +INCIDENT : Represents an incident in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. 
@@ -450,7 +450,7 @@ To create the parameters described below, construct a hash table containing the - `[Status ]`: The status of the incident - `[Title ]`: The title of the incident -`LABEL `: List of labels relevant to this incident +LABEL : List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md index 72f9233554dd..e17c63877858 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md @@ -198,7 +198,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INCIDENTCOMMENT `: Represents an incident comment +INCIDENTCOMMENT : Represents an incident comment - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md index 65832c7b4d5b..2147fdc50602 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md @@ -206,7 +206,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`RELATION `: Represents a relation between two resources +RELATION : Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. 
diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md index 69355576dcce..10cdbcacddeb 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md @@ -253,7 +253,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`TEAMPROPERTY `: Describes team properties +TEAMPROPERTY : Describes team properties - `TeamName `: The name of the team - `[GroupId ]`: List of group IDs to add their members to the team - `[MemberId ]`: List of member IDs to add to the team diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md index f88917a5c857..648a211c7449 100644 --- a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md @@ -199,7 +199,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`SENTINELONBOARDINGSTATEPARAMETER `: Sentinel onboarding state +SENTINELONBOARDINGSTATEPARAMETER : Sentinel onboarding state - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md index ce4fd9a86de7..ad497279d3ed 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md 
@@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md index 8e07886c9c66..d6e6dae46f47 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md @@ -30,7 +30,7 @@ Delete the action of alert rule. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Removes an alert rule action ```powershell Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86 ``` @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md index 5e025cf0d6d0..c45b896ded12 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md 
@@ -29,7 +29,7 @@ Delete the automation rule. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Removes a Sentinel automation rule ```powershell Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 ``` @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md index 17bd7e967358..5f7d69f2e884 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md index 3deb9a5537d2..b4e730b88644 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md 
@@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md index 95bbec95565b..8fdb2b22f520 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md index 89ce6c20501a..7f54196cc2af 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md @@ -204,7 +204,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md index 07ae5c6e957d..8d669823974e 100644 
--- a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md @@ -203,7 +203,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md index 256bcc7b2f20..a820724e2316 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index 0800fb81b5ca..cc2ac6f62cb3 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md @@ -30,7 +30,7 @@ Delete the incident relation. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Removes the incident relation ```powershell Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 ``` 
@@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md index ef99ec749e63..a7621e87efd9 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md @@ -197,7 +197,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md index ba8341f1cf06..120bbe67f4c1 100644 --- a/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md +++ b/src/SecurityInsights/docs/Test-AzSentinelDataConnectorCheckRequirement.md 
@@ -31,27 +31,12 @@ Get requirements state for a data connector type. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Test data connector check requirement ```powershell -{{ Add code here }} +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind "APIPolling" ``` -```output -{{ Add output here }} -``` - -{{ Add description here }} - -### Example 2: {{ Add title here }} -```powershell -{{ Add code here }} -``` - -```output -{{ Add output here }} -``` - -{{ Add description here }} +Test data connector check requirement ## PARAMETERS diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md index 0a40bc09c36b..a00ea8122723 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md 
@@ -828,13 +828,13 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier - `[Identifier ]`: the V3 identifier of the entity -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md index 00e38512a8e7..3d0a0db3c294 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md @@ -30,7 +30,7 @@ Creates or updates the action of alert rule. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Updates an alert rule action ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName" $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" 
@@ -229,7 +229,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md index 1e375fdbdd57..33f83c805f22 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md @@ -33,7 +33,7 @@ Creates or updates the automation rule. ## EXAMPLES -### Example 1: {{ Add title here }} +### Example 1: Updates an automation rule ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() @@ -282,11 +282,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ACTION `: The actions to execute when the automation rule is triggered +ACTION : The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md index 88b71157ced8..2e81fc3913f0 100644 
--- a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md @@ -369,7 +369,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md index e9a3b4f57a98..c25c247adf6c 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index 95d475820116..c98178ee1bae 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md 
@@ -1250,7 +1250,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter +INPUTOBJECT : [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -1274,11 +1274,11 @@ To create the parameters described below, construct a hash table containing the - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -`PERMISSIONCUSTOM `: +PERMISSIONCUSTOM : - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -`PERMISSIONRESOURCEPROVIDER `: +PERMISSIONRESOURCEPROVIDER : - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -1288,27 +1288,27 @@ To create the parameters described below, construct a hash table containing the - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -`UICONFIGCONNECTIVITYCRITERION `: +UICONFIGCONNECTIVITYCRITERION : - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -`UICONFIGDATATYPE `: +UICONFIGDATATYPE : - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -`UICONFIGGRAPHQUERY `: +UICONFIGGRAPHQUERY : - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -`UICONFIGINSTRUCTIONSTEP `: +UICONFIGINSTRUCTIONSTEP : - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -`UICONFIGSAMPLEQUERY `: +UICONFIGSAMPLEQUERY : - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md index 6a008930da44..cdbf65fc62fc 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md @@ -368,10 +368,10 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITIESFILTER `: +ENTITIESFILTER : - `[(Any) ]`: This indicates any property can be added to this object. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md index 14025d559f22..111281eb86ec 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md @@ -433,7 +433,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -457,7 +457,7 @@ To create the parameters described below, construct a hash table containing the - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -`LABEL `: List of labels relevant to this incident +LABEL : List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md index 114fa7c871cb..bf351701ca04 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md index 8c3476bb9360..d05e67632af1 100644 
--- a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md @@ -213,7 +213,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md index 562b297749b5..5b4fd613ab5f 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md @@ -272,7 +272,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md index 9797e2697567..57026a3977cf 100644 --- a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md @@ -23,7 +23,5 @@ This command gets insights and activities for an Entity. $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "4ebb68f3-a435-fac0-d3b6-94712d246f0a" $Entity | Get-AzSentinelEntityActivity ``` -```output -``` This command gets insights and activies for an Entity by object \ No newline at end of file 
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md index 55cebb5e75dd..91cc9efac8fb 100644 --- a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md @@ -2,8 +2,7 @@ ```powershell Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" ``` -```output -``` + This command lists all Entity Relations for a given Entity. ### Example 2: Get an Entity Relation @@ -18,7 +17,5 @@ This command gets an Entity Relation for a given Entity. $EntityRelations = Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" $EntityRelations[0] | Get-AzSentinelEntityRelation ``` -```output -``` This command gets a Entity Relation by object \ No newline at end of file diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md index 8cb01d9a6dbe..388eb1bf3a81 100644 --- a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md @@ -3,8 +3,6 @@ $AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8" New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName ``` -```output -``` This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection" 
@@ -13,8 +11,6 @@ This command creates an Alert Rule of the Fusion kind based on the template "Adv $AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b" New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName ``` -```output -``` This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection" @@ -23,8 +19,6 @@ This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6" New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName ``` -```output -``` This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics" @@ -33,9 +27,6 @@ This command creates an Alert Rule of the ThreatIntelligence kind based on the t $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72" New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT" ``` -```output - -``` This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts. 
@@ -43,8 +34,6 @@ This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind ```powershell PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10 ``` -```output -``` This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string. @@ -52,7 +41,5 @@ This command creates an Alert Rule of the Scheduled kind. Please note that that ```powershell PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)" ``` -```output -``` This command creates an Alert Rule of the NRT kind. Please note that that query (parameter -Query) needs to be on a single line as as string. diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md index 36fd820aa512..969bbd45086b 100644 --- a/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/examples/New-AzSentinelAlertRuleAction.md 
@@ -4,8 +4,6 @@ $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" New-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid) ``` -```output -``` This command adds an existing Logic App Playbook to an existing analytics rule diff --git a/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md index 2005f7502ce8..4a94125b5efc 100644 --- a/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/examples/New-AzSentinelAutomationRule.md @@ -8,13 +8,10 @@ $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled ``` -```output -{{ Add output here }} -``` This command creates an Automation Rule that has an Action of Run Playbook. -### Example 2: {{ Add title here }} +### Example 2: Creates an Automation Rule that has an Action of changing the severity ```powershell $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleModifyPropertiesAction]::new() $automationRuleAction.Order = 1 
@@ -22,9 +19,6 @@ This command creates an Automation Rule that has an Action of Run Playbook. $automationRuleAction.ActionConfigurationSeverity = "Low" New-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Change severity to Low" -Order 3 -TriggeringLogicIsEnabled ``` -```output -{{ Add output here }} -``` This command creates an Automation Rule that has an Action of changing the severity. diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md index a65ff7e72026..e7e93f686954 100644 --- a/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/examples/New-AzSentinelBookmarkRelation.md @@ -3,8 +3,6 @@ $incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myIncidentId" $bookmarkRelation = New-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -BookmarkId "myBookmarkId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($incident.Id) ``` -```output -``` This command creates a Bookmark Relation connecting the Incident to the Bookmark. diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md index f78559330f97..01150e7a8b13 100644 --- a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md 
@@ -1,8 +1,6 @@ -### Example 1: {{ Add title here }} +### Example 1: Enables the Threat Intelligence data connector ```powershell New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All ``` -```output -``` This command enables the Threat Intelligence data connector \ No newline at end of file diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md index af393f13958c..0a74b9fc86b5 100644 --- a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md 
@@ -21,8 +21,6 @@ This command creates an Entity Query by using a Template. ```powershell New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', 
''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} ``` -```output -``` This command creates an Entity Query. diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md index 57cb99edde12..fb9e53bab2a5 100644 --- a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md @@ -2,7 +2,5 @@ ```powershell New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere" ``` -```output -``` This command creates an Incident Comment. diff --git a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md index aab625a4fa78..5e622f5a6de8 100644 --- a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md @@ -2,7 +2,5 @@ ```powershell AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default" ``` -```output -``` This command configures the onboarding state of Sentinel \ No newline at end of file diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md index 967f7193c13e..b78dcd4f3765 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRule.md 
@@ -2,7 +2,5 @@ ```powershell Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 4a21e485-75ae-48b3-a7b9-e6a92bcfe434 ``` -```output -``` The command removes a Sentinel alert rule diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md index dfea77edbf0d..20b8359a8a5a 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md @@ -1,8 +1,6 @@ -### Example 1: {{ Add title here }} +### Example 1: Removes an alert rule action ```powershell Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86 ``` -```output -``` This command removes an alert rule action. diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md index e064ccfe03ca..33d5800bdee2 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelAutomationRule.md @@ -1,9 +1,7 @@ -### Example 1: {{ Add title here }} +### Example 1: Removes a Sentinel automation rule ```powershell Remove-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767 ``` -```output -``` This command removes a Sentinel automation rule diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md index 21f86032d0e0..8a755bb476c9 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmark.md 
@@ -2,8 +2,6 @@ ```powershell Remove-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ``` -```output -``` This command removes a bookmark diff --git a/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md index d5121288e804..e9e8b61011ce 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelBookmarkRelation.md @@ -2,8 +2,6 @@ ```powershell Remove-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 83846045-d8dc-4d6b-abbe-7588219c474e -RelationName 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 ``` -```output -``` This command removes a bookmarkrelation diff --git a/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md index 6c0bc4200efe..9b431e126941 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelDataConnector.md @@ -2,8 +2,6 @@ ```powershell Remove-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 661b961f-53d8-4bd1-be97-24e808fd04f5 ``` -```output -``` This command removes a data connector. diff --git a/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md index 00b3e18d85b9..83fcaaed2090 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelEntityQuery.md @@ -2,8 +2,6 @@ ```powershell Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId" ``` -```output -``` This command removes a specific entity query based on the entity query Id 
@@ -12,8 +10,6 @@ This command removes a specific entity query based on the entity query Id $queryTemplateId = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.Title -eq "The user has created an account"} Remove-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id $queryTemplateId.Name ``` -```output -``` This command removes a specific entity query based on the title diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncident.md b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md index a94fc3cf7832..1c3365c73f26 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelIncident.md @@ -2,8 +2,6 @@ ```powershell Remove-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ``` -```output -``` This command removes an incident based on the incident id. @@ -11,8 +9,6 @@ This command removes an incident based on the incident id. ```powershell $myIncident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id | Where-Object {$_.Number -eq "780"} ``` -```output -``` The command removes an incident based on an incident number. diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md index b574344fdcb8..6ae454e73c46 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentComment.md 
@@ -2,9 +2,5 @@ ```powershell Remove-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 7a4c27ea-d61a-496b-b5c3-246770c857c1 ``` -```output -``` -This command removes an incident comment - - +This command removes an incident comment \ No newline at end of file diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md index 3e198edb7915..64c58f8e45e8 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md @@ -1,8 +1,6 @@ -### Example 1: {{ Add title here }} +### Example 1: Removes the incident relation ```powershell Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 ``` -```output -``` This command removes the incident relation diff --git a/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md index 484c8d529ff2..086b66f03f5e 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelOnboardingState.md @@ -2,7 +2,5 @@ ```powershell Remove-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default" ``` -```output -``` This commands removes the Sentinel onboarding state diff --git a/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md index 6ee1a83db970..bf368526866e 100644 --- a/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md 
+++ b/src/SecurityInsights/examples/Test-AzSentinelDataConnectorCheckRequirement.md @@ -1,22 +1,8 @@ -### Example 1: {{ Add title here }} +### Example 1: Test data connector check requirement ```powershell -{{ Add code here }} +Test-AzSentinelDataConnectorCheckRequirement -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind "APIPolling" ``` -```output -{{ Add output here }} -``` - -{{ Add description here }} - -### Example 2: {{ Add title here }} -```powershell -{{ Add code here }} -``` - -```output -{{ Add output here }} -``` +Test data connector check requirement -{{ Add description here }} diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md index 389248d8a314..02073de3773e 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRule.md @@ -2,8 +2,6 @@ ```powershell Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -ruleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2" ``` -```output -``` This command updates a scheduled alert rule diff --git a/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md index d96a650adbb2..16a4b1984b2d 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/examples/Update-AzSentinelAlertRuleAction.md 
@@ -1,10 +1,8 @@ -### Example 1: {{ Add title here }} +### Example 1: Updates an alert rule action ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myLogicAppResourceGroupName" -Name "myLogicAppPlaybookName" $LogicAppTriggerUri = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "myLogicAppResourceGroupName" -Name $LogicAppResourceId.Name -TriggerName "When_a_response_to_an_Azure_Sentinel_alert_is_triggered" Update-AzSentinelAlertRuleAction -ResourceGroupName "mySentinelResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "48bbf86d-540b-4a7b-9fee-2bd7d810dbed" -LogicAppResourceId ($LogicAppResourceId.Id) -TriggerUri ($LogicAppTriggerUri.Value) -Id ((New-Guid).Guid) ``` -```output -``` This command updates an alert rule action diff --git a/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md index 7b0b3f63a6d7..6ed5714047f5 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/examples/Update-AzSentinelAutomationRule.md @@ -1,4 +1,4 @@ -### Example 1: {{ Add title here }} +### Example 1: Updates an automation rule ```powershell $LogicAppResourceId = Get-AzLogicApp -ResourceGroupName "myResourceGroup" -Name "Reset-AADPassword" $automationRuleAction = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AutomationRuleRunPlaybookAction]::new() @@ -8,8 +8,6 @@ $automationRuleAction.ActionConfigurationTenantId = (Get-AzContext).Tenant.Id Update-AzSentinelAutomationRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName "Run Playbook to reset AAD password" -Order 2 -TriggeringLogicIsEnabled ``` -```output -``` This command updates an automation rule 
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md index 2250c14764ca..1572c679176e 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md @@ -4,8 +4,7 @@ $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime ``` -```output -``` + This command updates a bookmark diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md index 3341b9831628..30a113441287 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/examples/Update-AzSentinelBookmarkRelation.md @@ -2,8 +2,6 @@ ```powershell Update-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId 6a8d6ea6-04d5-49d7-8169-ffca8b0ced59 -RelationName f185b6f8-1a0d-43eb-97de-67720839ac67 -RelatedResourceId f185b6f8-1a0d-43eb-97de-67720839ac67 ``` -```output -``` This command updates a bookmark relation diff --git a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md index abfca4b426dd..5dad2f75eecb 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/examples/Update-AzSentinelDataConnector.md 
@@ -2,8 +2,6 @@ ```powershell Update-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id 3bd6c555-1412-4103-9b9d-2b0b40cda6b6 -SharePoint "Enabled" ``` -```output -``` This command updates a Sentinel data connector diff --git a/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md index 14b95fa43b2e..7d7c016f3d06 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/examples/Update-AzSentinelEntityQuery.md @@ -2,7 +2,5 @@ ```powershell Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -EntityQueryId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Title "myEntityQuery Title" ``` -```output -``` This command updates an entity query. diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncident.md b/src/SecurityInsights/examples/Update-AzSentinelIncident.md index dead01cb4d92..28e32d27f0aa 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/examples/Update-AzSentinelIncident.md @@ -2,7 +2,5 @@ ```powershell Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local" ``` -```output -``` This command updates an incident by assigning an owner. diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md index 4d7aeeb393b3..4dc851dd9f21 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentComment.md 
@@ -2,8 +2,6 @@ ```powershell Update-AzSentinelIncidentComment -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -Id 8bb5c1eb-a3a9-4575-9451-cd2834be0e0a -Message "my comment" ```
-```output
-``` This command updates an incident comment
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
index 9bd488db520c..3fbcc8d6468f 100644
--- a/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncidentRelation.md
@@ -3,8 +3,6 @@ $bookmark = Get-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id "myBookmarkId" Update-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName ((New-Guid).Guid) -RelatedResourceId ($bookmark.Id) ```
-```output
-``` This command updates an incident relation
diff --git a/src/SecurityInsights/examples/Update-AzSentinelSetting.md b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
index 00130cdb4ff6..c42fa3b19570 100644
--- a/src/SecurityInsights/examples/Update-AzSentinelSetting.md
+++ b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
@@ -2,8 +2,6 @@ ```powershell Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled ```
-```output
-``` This command updates the Anomalies setting, other settings are: EyesOn, EntityAnalytics and Ueba
From d7bcbf0af84f7b5dfc1635841fc631917afc1c91 Mon Sep 17 00:00:00 2001
From: VeryEarly
Date: Tue, 9 Aug 2022 16:37:50 +0800
Subject: [PATCH 11/24] suppress breakingchange and signature issues
---
 .../BreakingChangeIssues.csv | 287 ++++++++++++++++++
 .../Az.SecurityInsights/SignatureIssues.csv | 16 +-
 2 files changed, 289 insertions(+), 14 deletions(-)
 create mode 100644 tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv
diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv
new file mode 100644
index 000000000000..74be92541586
--- /dev/null
+++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv
@@ -0,0 +1,287 @@ +"AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation" +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","1020","The cmdlet 'Get-AzSentinelAlertRule' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'.","Make cmdlet 'Get-AzSentinelAlertRule' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","2000","The cmdlet 'Get-AzSentinelAlertRule' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Get-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","2000","The cmdlet 'Get-AzSentinelAlertRule' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","2020","The cmdlet 'Get-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","2010","The cmdlet 'Get-AzSentinelAlertRule' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","2010","The cmdlet 'Get-AzSentinelAlertRule' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","1050","The parameter set 'AlertRuleId' for cmdlet 'Get-AzSentinelAlertRule' has been removed.","Add parameter set 'AlertRuleId' back to cmdlet 'Get-AzSentinelAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.GetIncidents","Get-AzSentinelAlertRule","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelAlertRule' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","1020","The cmdlet 'Get-AzSentinelAlertRuleAction' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'.","Make cmdlet 'Get-AzSentinelAlertRuleAction' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Get-AzSentinelAlertRuleAction' is no longer the default parameter set.","Change the default parameter for cmdlet 'Get-AzSentinelAlertRuleAction' back to 'AlertRuleId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","2000","The cmdlet 'Get-AzSentinelAlertRuleAction' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Get-AzSentinelAlertRuleAction', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","2020","The cmdlet 'Get-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Get-AzSentinelAlertRuleAction' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Get-AzSentinelAlertRuleAction' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","1050","The parameter set 'AlertRuleId' for cmdlet 'Get-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'AlertRuleId' back to cmdlet 'Get-AzSentinelAlertRuleAction'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.GetAlertRuleActions","Get-AzSentinelAlertRuleAction","0","1050","The parameter set 'ActionId' for cmdlet 'Get-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'ActionId' back to cmdlet 'Get-AzSentinelAlertRuleAction'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","1020","The cmdlet 'Get-AzSentinelAlertRuleTemplate' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates.PSSentinelAlertRuleTemplate'.","Make cmdlet 'Get-AzSentinelAlertRuleTemplate' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRuleTemplates.PSSentinelAlertRuleTemplate'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","2000","The cmdlet 'Get-AzSentinelAlertRuleTemplate' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelAlertRuleTemplate', or add an alias to the original parameter name." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","2020","The cmdlet 'Get-AzSentinelAlertRuleTemplate' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","2010","The cmdlet 'Get-AzSentinelAlertRuleTemplate' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","2010","The cmdlet 'Get-AzSentinelAlertRuleTemplate' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","1050","The parameter set 'AlertRuleTemplateId' for cmdlet 'Get-AzSentinelAlertRuleTemplate' has been removed.","Add parameter set 'AlertRuleTemplateId' back to cmdlet 'Get-AzSentinelAlertRuleTemplate'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRulesTemplates.GetAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelAlertRuleTemplate' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelAlertRuleTemplate'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","1020","The cmdlet 'Get-AzSentinelBookmark' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'.","Make cmdlet 'Get-AzSentinelBookmark' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","2000","The cmdlet 'Get-AzSentinelBookmark' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelBookmark', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","2020","The cmdlet 'Get-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","2010","The cmdlet 'Get-AzSentinelBookmark' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","2010","The cmdlet 'Get-AzSentinelBookmark' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","1050","The parameter set 'BookmarkId.' for cmdlet 'Get-AzSentinelBookmark' has been removed.","Add parameter set 'BookmarkId.' back to cmdlet 'Get-AzSentinelBookmark'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.GetBookmarks","Get-AzSentinelBookmark","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelBookmark' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelBookmark'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","1020","The cmdlet 'Get-AzSentinelDataConnector' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'.","Make cmdlet 'Get-AzSentinelDataConnector' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","2000","The cmdlet 'Get-AzSentinelDataConnector' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelDataConnector', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","2020","The cmdlet 'Get-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","2010","The cmdlet 'Get-AzSentinelDataConnector' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","2010","The cmdlet 'Get-AzSentinelDataConnector' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.GetDataConnectors","Get-AzSentinelDataConnector","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelDataConnector' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1020","The cmdlet 'Get-AzSentinelIncident' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'.","Make cmdlet 'Get-AzSentinelIncident' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1060","The parameter set 'WorkspaceScope' for cmdlet 'Get-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'Get-AzSentinelIncident' back to 'WorkspaceScope'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1060","The parameter set 'WorkspaceScope' for cmdlet 'Get-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'Get-AzSentinelIncident' back to 'WorkspaceScope'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2000","The cmdlet 'Get-AzSentinelIncident' no longer supports the parameter 'OrderBy' and no alias was found for the original parameter name.","Add the parameter 'OrderBy' back to the cmdlet 'Get-AzSentinelIncident', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2000","The cmdlet 'Get-AzSentinelIncident' no longer supports the parameter 'Max' and no alias was found for the original parameter name.","Add the parameter 'Max' back to the cmdlet 'Get-AzSentinelIncident', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2000","The cmdlet 'Get-AzSentinelIncident' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelIncident', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2020","The cmdlet 'Get-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2010","The cmdlet 'Get-AzSentinelIncident' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","2010","The cmdlet 'Get-AzSentinelIncident' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1050","The parameter set 'WorkspaceScope' for cmdlet 'Get-AzSentinelIncident' has been removed.","Add parameter set 'WorkspaceScope' back to cmdlet 'Get-AzSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1050","The parameter set 'IncidentId' for cmdlet 'Get-AzSentinelIncident' has been removed.","Add parameter set 'IncidentId' back to cmdlet 'Get-AzSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.GetIncidents","Get-AzSentinelIncident","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelIncident' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","1020","The cmdlet 'Get-AzSentinelIncidentComment' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'.","Make cmdlet 'Get-AzSentinelIncidentComment' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","2000","The cmdlet 'Get-AzSentinelIncidentComment' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Get-AzSentinelIncidentComment', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","2020","The cmdlet 'Get-AzSentinelIncidentComment' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","2010","The cmdlet 'Get-AzSentinelIncidentComment' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","2010","The cmdlet 'Get-AzSentinelIncidentComment' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.GetIncidentComments","Get-AzSentinelIncidentComment","0","1050","The parameter set 'ResourceId' for cmdlet 'Get-AzSentinelIncidentComment' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Get-AzSentinelIncidentComment'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1020","The cmdlet 'New-AzSentinelAlertRule' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'.","Make cmdlet 'New-AzSentinelAlertRule' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1060","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelAlertRule' back to 'ScheduledAlertRule'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2000","The cmdlet 'New-AzSentinelAlertRule' no longer supports the parameter 'Scheduled' and no alias was found for the original parameter name.","Add the parameter 'Scheduled' back to the cmdlet 'New-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2000","The cmdlet 'New-AzSentinelAlertRule' no longer supports the parameter 'MicrosoftSecurityIncidentCreation' and no alias was found for the original parameter name.","Add the parameter 'MicrosoftSecurityIncidentCreation' back to the cmdlet 'New-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2000","The cmdlet 'New-AzSentinelAlertRule' no longer supports the parameter 'Fusion' and no alias was found for the original parameter name.","Add the parameter 'Fusion' back to the cmdlet 'New-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2000","The cmdlet 'New-AzSentinelAlertRule' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'New-AzSentinelAlertRule', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.String' for parameter 'ProductFilter'.","Change the type for parameter 'ProductFilter' back to 'System.String'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'DisplayNamesExcludeFilter'.","Change the type for parameter 'DisplayNamesExcludeFilter' back to 'System.Collections.Generic.IList`1[System.String]'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'DisplayNamesFilter'.","Change the type for parameter 'DisplayNamesFilter' back to 'System.Collections.Generic.IList`1[System.String]'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'SeveritiesFilter'.","Change the type for parameter 'SeveritiesFilter' back to 'System.Collections.Generic.IList`1[System.String]'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.TimeSpan]' for parameter 'QueryFrequency'.","Change the type for parameter 'QueryFrequency' back to 'System.Nullable`1[System.TimeSpan]'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.TimeSpan]' for parameter 'QueryPeriod'.","Change the type for parameter 'QueryPeriod' back to 'System.Nullable`1[System.TimeSpan]'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.String' for parameter 'Severity'.","Change the type for parameter 'Severity' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'Tactic'.","Change the type for parameter 'Tactic' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator' for parameter 'TriggerOperator'.","Change the type for parameter 'TriggerOperator' back to 'Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.Int32]' for parameter 'TriggerThreshold'.","Change the type for parameter 'TriggerThreshold' back to 'System.Nullable`1[System.Int32]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2020","The cmdlet 'New-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2010","The cmdlet 'New-AzSentinelAlertRule' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","2010","The cmdlet 'New-AzSentinelAlertRule' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1050","The parameter set 'FusionAlertRule' for cmdlet 'New-AzSentinelAlertRule' has been removed.","Add parameter set 'FusionAlertRule' back to cmdlet 'New-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1050","The parameter set 'MicrosoftSecurityIncidentCreationRule' for cmdlet 'New-AzSentinelAlertRule' has been removed.","Add parameter set 'MicrosoftSecurityIncidentCreationRule' back to cmdlet 'New-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1050","The parameter set 'ScheduledAlertRule' for cmdlet 'New-AzSentinelAlertRule' has been removed.","Add parameter set 'ScheduledAlertRule' back to cmdlet 'New-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelAlertRule' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","1020","The cmdlet 'New-AzSentinelAlertRuleAction' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'.","Make cmdlet 'New-AzSentinelAlertRuleAction' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2000","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'New-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2000","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the parameter 'ActionId' and no alias was found for the original parameter name.","Add the parameter 'ActionId' back to the cmdlet 'New-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2020","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2010","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2010","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","1050","The parameter set 'ActionId' for cmdlet 'New-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'ActionId' back to cmdlet 'New-AzSentinelAlertRuleAction'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelAlertRuleAction' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelAlertRuleAction'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1020","The cmdlet 'New-AzSentinelBookmark' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'.","Make cmdlet 'New-AzSentinelBookmark' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1060","The parameter set 'BookmarkId.' for cmdlet 'New-AzSentinelBookmark' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelBookmark' back to 'BookmarkId.'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1060","The parameter set 'BookmarkId.' for cmdlet 'New-AzSentinelBookmark' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelBookmark' back to 'BookmarkId.'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2000","The cmdlet 'New-AzSentinelBookmark' no longer supports the parameter 'BookmarkId' and no alias was found for the original parameter name.","Add the parameter 'BookmarkId' back to the cmdlet 'New-AzSentinelBookmark', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2000","The cmdlet 'New-AzSentinelBookmark' no longer supports the parameter 'IncidentInfo' and no alias was found for the original parameter name.","Add the parameter 'IncidentInfo' back to the cmdlet 'New-AzSentinelBookmark', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2020","The cmdlet 'New-AzSentinelBookmark' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2020","The cmdlet 'New-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2010","The cmdlet 'New-AzSentinelBookmark' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2010","The cmdlet 'New-AzSentinelBookmark' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1050","The parameter set 'BookmarkId.' for cmdlet 'New-AzSentinelBookmark' has been removed.","Add parameter set 'BookmarkId.' back to cmdlet 'New-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelBookmark' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1020","The cmdlet 'New-AzSentinelDataConnector' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'.","Make cmdlet 'New-AzSentinelDataConnector' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1060","The parameter set 'AzureActiveDirectory' for cmdlet 'New-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelDataConnector' back to 'AzureActiveDirectory'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1060","The parameter set 'AzureActiveDirectory' for cmdlet 'New-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelDataConnector' back to 'AzureActiveDirectory'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'DataConnectorId' and no alias was found for the original parameter name.","Add the parameter 'DataConnectorId' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AzureActiveDirectory' and no alias was found for the original parameter name.","Add the parameter 'AzureActiveDirectory' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AzureAdvancedThreatProtection' and no alias was found for the original parameter name.","Add the parameter 'AzureAdvancedThreatProtection' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AzureSecurityCenter' and no alias was found for the original parameter name.","Add the parameter 'AzureSecurityCenter' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AmazonWebServicesCloudTrail' and no alias was found for the original parameter name.","Add the parameter 'AmazonWebServicesCloudTrail' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'MicrosoftCloudAppSecurity' and no alias was found for the original parameter name.","Add the parameter 'MicrosoftCloudAppSecurity' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'MicrosoftDefenderAdvancedThreatProtection' and no alias was found for the original parameter name.","Add the parameter 'MicrosoftDefenderAdvancedThreatProtection' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'Office365' and no alias was found for the original parameter name.","Add the parameter 'Office365' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'ThreatIntelligence' and no alias was found for the original parameter name.","Add the parameter 'ThreatIntelligence' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AwsRoleArn' and no alias was found for the original parameter name.","Add the parameter 'AwsRoleArn' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'DiscoveryLogs' and no alias was found for the original parameter name.","Add the parameter 'DiscoveryLogs' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'Indicators' and no alias was found for the original parameter name.","Add the parameter 'Indicators' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2020","The cmdlet 'New-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2010","The cmdlet 'New-AzSentinelDataConnector' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2010","The cmdlet 'New-AzSentinelDataConnector' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'AzureActiveDirectory' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'AzureActiveDirectory' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'AzureAdvancedThreatProtection' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'AzureAdvancedThreatProtection' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'AzureSecurityCenter' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'AzureSecurityCenter' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'AmazonWebServicesCloudTrail' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'AmazonWebServicesCloudTrail' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'MicrosoftCloudAppSecurity' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'MicrosoftCloudAppSecurity' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'MicrosoftDefenderAdvancedThreatProtection' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'MicrosoftDefenderAdvancedThreatProtection' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'Office365' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'Office365' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set 'ThreatIntelligence' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set 'ThreatIntelligence' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelDataConnector' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1020","The cmdlet 'New-AzSentinelIncident' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'.","Make cmdlet 'New-AzSentinelIncident' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2000","The cmdlet 'New-AzSentinelIncident' no longer supports the parameter 'IncidentId' and no alias was found for the original parameter name.","Add the parameter 'IncidentId' back to the cmdlet 'New-AzSentinelIncident', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2000","The cmdlet 'New-AzSentinelIncident' no longer supports the parameter 'Classificaton' and no alias was found for the original parameter name.","Add the parameter 'Classificaton' back to the cmdlet 'New-AzSentinelIncident', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'ClassificationReason'.","Change the type for parameter 'ClassificationReason' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2000","The cmdlet 'New-AzSentinelIncident' no longer supports the parameter 'Owner' and no alias was found for the original parameter name.","Add the parameter 'Owner' back to the cmdlet 'New-AzSentinelIncident', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'Severity'.","Change the type for parameter 'Severity' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'Status'.","Change the type for parameter 'Status' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2010","The cmdlet 'New-AzSentinelIncident' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2010","The cmdlet 'New-AzSentinelIncident' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1050","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' has been removed.","Add parameter set 'IncidentId' back to cmdlet 'New-AzSentinelIncident'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelIncident' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelIncident'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1020","The cmdlet 'New-AzSentinelIncidentComment' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'.","Make cmdlet 'New-AzSentinelIncidentComment' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1060","The parameter set 'IncidentCommentId' for cmdlet 'New-AzSentinelIncidentComment' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncidentComment' back to 'IncidentCommentId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2000","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the parameter 'IncidentCommentId' and no alias was found for the original parameter name.","Add the parameter 'IncidentCommentId' back to the cmdlet 'New-AzSentinelIncidentComment', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2020","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2010","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2010","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1050","The parameter set 'IncidentCommentId' for cmdlet 'New-AzSentinelIncidentComment' has been removed.","Add parameter set 'IncidentCommentId' back to cmdlet 'New-AzSentinelIncidentComment'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelIncidentComment' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelIncidentComment'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidentsOwner","New-AzSentinelIncidentOwner","0","1000","The cmdlet 'New-AzSentinelIncidentOwner' has been removed and no alias was found for the original cmdlet name.","Add the cmdlet 'New-AzSentinelIncidentOwner' back to the module, or add an alias to the original cmdlet name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","1020","The cmdlet 'Remove-AzSentinelAlertRule' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'.","Make cmdlet 'Remove-AzSentinelAlertRule' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Remove-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Remove-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","2000","The cmdlet 'Remove-AzSentinelAlertRule' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Remove-AzSentinelAlertRule', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","2020","The cmdlet 'Remove-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","2020","The cmdlet 'Remove-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","2010","The cmdlet 'Remove-AzSentinelAlertRule' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","2010","The cmdlet 'Remove-AzSentinelAlertRule' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","1050","The parameter set 'AlertRuleId' for cmdlet 'Remove-AzSentinelAlertRule' has been removed.","Add parameter set 'AlertRuleId' back to cmdlet 'Remove-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","1020","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'.","Make cmdlet 'Remove-AzSentinelAlertRuleAction' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","1060","The parameter set 'ActionId' for cmdlet 'Remove-AzSentinelAlertRuleAction' is no longer the default parameter set.","Change the default parameter for cmdlet 'Remove-AzSentinelAlertRuleAction' back to 'ActionId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","2000","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Remove-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","2020","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","2020","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Remove-AzSentinelAlertRuleAction' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.RemoveAlertRuleActions","Remove-AzSentinelAlertRuleAction","0","1050","The parameter set 'ActionId' for cmdlet 'Remove-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'ActionId' back to cmdlet 'Remove-AzSentinelAlertRuleAction'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","1020","The cmdlet 'Remove-AzSentinelBookmark' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'.","Make cmdlet 'Remove-AzSentinelBookmark' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","2020","The cmdlet 'Remove-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","2020","The cmdlet 'Remove-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","2010","The cmdlet 'Remove-AzSentinelBookmark' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","2010","The cmdlet 'Remove-AzSentinelBookmark' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.RemoveAlertRules","Remove-AzSentinelBookmark","0","1050","The parameter set 'BookmarkId.' for cmdlet 'Remove-AzSentinelBookmark' has been removed.","Add parameter set 'BookmarkId.' back to cmdlet 'Remove-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","1020","The cmdlet 'Remove-AzSentinelDataConnector' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'.","Make cmdlet 'Remove-AzSentinelDataConnector' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","2020","The cmdlet 'Remove-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","2020","The cmdlet 'Remove-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","2010","The cmdlet 'Remove-AzSentinelDataConnector' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","2010","The cmdlet 'Remove-AzSentinelDataConnector' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.RemoveDataConnectors","Remove-AzSentinelDataConnector","0","1050","The parameter set 'DataConnectorId' for cmdlet 'Remove-AzSentinelDataConnector' has been removed.","Add parameter set 'DataConnectorId' back to cmdlet 'Remove-AzSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.RemoveIncidents","Remove-AzSentinelIncident","0","2020","The cmdlet 'Remove-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.RemoveIncidents","Remove-AzSentinelIncident","0","2020","The cmdlet 'Remove-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.RemoveIncidents","Remove-AzSentinelIncident","0","2010","The cmdlet 'Remove-AzSentinelIncident' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.RemoveIncidents","Remove-AzSentinelIncident","0","2010","The cmdlet 'Remove-AzSentinelIncident' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.RemoveIncidents","Remove-AzSentinelIncident","0","1050","The parameter set 'IncidentId' for cmdlet 'Remove-AzSentinelIncident' has been removed.","Add parameter set 'IncidentId' back to cmdlet 'Remove-AzSentinelIncident'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1020","The cmdlet 'Update-AzSentinelAlertRule' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'.","Make cmdlet 'Update-AzSentinelAlertRule' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1060","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRule' back to 'AlertRuleId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2000","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Update-AzSentinelAlertRule', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.String' for parameter 'ProductFilter'.","Change the type for parameter 'ProductFilter' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'DisplayNamesExcludeFilter'.","Change the type for parameter 'DisplayNamesExcludeFilter' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'DisplayNamesFilter'.","Change the type for parameter 'DisplayNamesFilter' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'SeveritiesFilter'.","Change the type for parameter 'SeveritiesFilter' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2000","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the parameter 'SuppressionDisabled' and no alias was found for the original parameter name.","Add the parameter 'SuppressionDisabled' back to the cmdlet 'Update-AzSentinelAlertRule', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.TimeSpan]' for parameter 'QueryFrequency'.","Change the type for parameter 'QueryFrequency' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.TimeSpan]' for parameter 'QueryPeriod'.","Change the type for parameter 'QueryPeriod' back to 'System.Nullable`1[System.TimeSpan]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.String' for parameter 'Severity'.","Change the type for parameter 'Severity' back to 'System.String'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'Tactic'.","Change the type for parameter 'Tactic' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator' for parameter 'TriggerOperator'.","Change the type for parameter 'TriggerOperator' back to 'Microsoft.Azure.Management.SecurityInsights.Models.TriggerOperator'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'System.Nullable`1[System.Int32]' for parameter 'TriggerThreshold'.","Change the type for parameter 'TriggerThreshold' back to 'System.Nullable`1[System.Int32]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2000","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelAlertRule', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2020","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2010","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","2010","The cmdlet 'Update-AzSentinelAlertRule' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1050","The parameter set 'AlertRuleId' for cmdlet 'Update-AzSentinelAlertRule' has been removed.","Add parameter set 'AlertRuleId' back to cmdlet 'Update-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzSentinelAlertRule' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1050","The parameter set 'InputObject' for cmdlet 'Update-AzSentinelAlertRule' has been removed.","Add parameter set 'InputObject' back to cmdlet 'Update-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRules","Update-AzSentinelAlertRule","0","1050","The parameter set 'ResourceId' for cmdlet 'Update-AzSentinelAlertRule' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Update-AzSentinelAlertRule'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","1020","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'.","Make cmdlet 'Update-AzSentinelAlertRuleAction' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","1060","The parameter set 'ActionId' for cmdlet 'Update-AzSentinelAlertRuleAction' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelAlertRuleAction' back to 'ActionId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2000","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'Update-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2020","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2000","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2020","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","2010","The cmdlet 'Update-AzSentinelAlertRuleAction' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","1050","The parameter set 'ActionId' for cmdlet 'Update-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'ActionId' back to cmdlet 'Update-AzSentinelAlertRuleAction'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.UpdateAlertRuleActions","Update-AzSentinelAlertRuleAction","0","1050","The parameter set 'ResourceId' for cmdlet 'Update-AzSentinelAlertRuleAction' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Update-AzSentinelAlertRuleAction'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1020","The cmdlet 'Update-AzSentinelBookmark' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'.","Make cmdlet 'Update-AzSentinelBookmark' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1060","The parameter set 'BookmarkId.' for cmdlet 'Update-AzSentinelBookmark' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelBookmark' back to 'BookmarkId.'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2020","The cmdlet 'Update-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2000","The cmdlet 'Update-AzSentinelBookmark' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelBookmark', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2000","The cmdlet 'Update-AzSentinelBookmark' no longer supports the parameter 'IncidentInfo' and no alias was found for the original parameter name.","Add the parameter 'IncidentInfo' back to the cmdlet 'Update-AzSentinelBookmark', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2020","The cmdlet 'Update-AzSentinelBookmark' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[System.String]'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2020","The cmdlet 'Update-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2010","The cmdlet 'Update-AzSentinelBookmark' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","2010","The cmdlet 'Update-AzSentinelBookmark' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1050","The parameter set 'BookmarkId.' for cmdlet 'Update-AzSentinelBookmark' has been removed.","Add parameter set 'BookmarkId.' back to cmdlet 'Update-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1050","The parameter set 'InputObject' for cmdlet 'Update-AzSentinelBookmark' has been removed.","Add parameter set 'InputObject' back to cmdlet 'Update-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1050","The parameter set 'ResourceId' for cmdlet 'Update-AzSentinelBookmark' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Update-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.UpdateBoomarks","Update-AzSentinelBookmark","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzSentinelBookmark' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzSentinelBookmark'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1020","The cmdlet 'Update-AzSentinelDataConnector' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'.","Make cmdlet 'Update-AzSentinelDataConnector' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1060","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelDataConnector' back to 'DataConnectorId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'DataConnectorId' and no alias was found for the original parameter name.","Add the parameter 'DataConnectorId' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2020","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'AwsRoleArn' and no alias was found for the original parameter name.","Add the parameter 'AwsRoleArn' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'DiscoveryLogs' and no alias was found for the original parameter name.","Add the parameter 'DiscoveryLogs' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'Indicators' and no alias was found for the original parameter name.","Add the parameter 'Indicators' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2020","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2010","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2010","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1050","The parameter set 'DataConnectorId' for cmdlet 'Update-AzSentinelDataConnector' has been removed.","Add parameter set 'DataConnectorId' back to cmdlet 'Update-AzSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1050","The parameter set 'InputObject' for cmdlet 'Update-AzSentinelDataConnector' has been removed.","Add parameter set 'InputObject' back to cmdlet 'Update-AzSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1050","The parameter set 'ResourceId' for cmdlet 'Update-AzSentinelDataConnector' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Update-AzSentinelDataConnector'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzSentinelDataConnector' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzSentinelDataConnector'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1020","The cmdlet 'Update-AzSentinelIncident' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'.","Make cmdlet 'Update-AzSentinelIncident' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'Update-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelIncident' back to 'IncidentId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'Update-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'Update-AzSentinelIncident' back to 'IncidentId'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2000","The cmdlet 'Update-AzSentinelIncident' no longer supports the parameter 'IncidentID' and no alias was found for the original parameter name.","Add the parameter 'IncidentID' back to the cmdlet 'Update-AzSentinelIncident', or add an alias to the original parameter name." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2000","The cmdlet 'Update-AzSentinelIncident' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelIncident', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'Classification'.","Change the type for parameter 'Classification' back to 'System.String'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'ClassificationReason'.","Change the type for parameter 'ClassificationReason' back to 'System.String'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2000","The cmdlet 'Update-AzSentinelIncident' no longer supports the parameter 'Owner' and no alias was found for the original parameter name.","Add the parameter 'Owner' back to the cmdlet 'Update-AzSentinelIncident', or add an alias to the original parameter name." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'Severity'.","Change the type for parameter 'Severity' back to 'System.String'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'Status'.","Change the type for parameter 'Status' back to 'System.String'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2020","The cmdlet 'Update-AzSentinelIncident' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2010","The cmdlet 'Update-AzSentinelIncident' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","2010","The cmdlet 'Update-AzSentinelIncident' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1050","The parameter set 'IncidentId' for cmdlet 'Update-AzSentinelIncident' has been removed.","Add parameter set 'IncidentId' back to cmdlet 'Update-AzSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1050","The parameter set 'InputObject' for cmdlet 'Update-AzSentinelIncident' has been removed.","Add parameter set 'InputObject' back to cmdlet 'Update-AzSentinelIncident'." 
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1050","The parameter set 'ResourceId' for cmdlet 'Update-AzSentinelIncident' has been removed.","Add parameter set 'ResourceId' back to cmdlet 'Update-AzSentinelIncident'." +"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.UpdateIncidents","Update-AzSentinelIncident","0","1050","The parameter set '__AllParameterSets' for cmdlet 'Update-AzSentinelIncident' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'Update-AzSentinelIncident'." diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv index d96a3d39ebc7..1147fe460335 100644 --- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv +++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv 
@@ -1,15 +1,3 @@ "AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation" -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter Alerts of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter Logs of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter DiscoveryLogs of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter Indicators of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." 
-"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.SetDataConnectors","Set-AzSentinelDataConnector","1","8410","Parameter Alerts of cmdlet Set-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.SetDataConnectors","Set-AzSentinelDataConnector","1","8410","Parameter Logs of cmdlet Set-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.SetDataConnectors","Set-AzSentinelDataConnector","1","8410","Parameter DiscoveryLogs of cmdlet Set-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.SetDataConnectors","Set-AzSentinelDataConnector","1","8410","Parameter Indicators of cmdlet Set-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Alerts of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." 
-"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Logs of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter DiscoveryLogs of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Indicators of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." 
-"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.dll","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." +"Az.SecurityInsights","New-AzSentinelDataConnector","New-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." +"Az.SecurityInsights","Update-AzSentinelDataConnector","Update-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." \ No newline at end of file From cc31609b1e1934bf8ab60ef488e2bfc98cc1cd41 Mon Sep 17 00:00:00 2001 From: SecurityJedi Date: Tue, 9 Aug 2022 12:56:22 -0400 Subject: [PATCH 12/24] fix parameter name logs to log --- .../custom/New-AzSentinelDataConnector.ps1 | 16 ++++++++-------- .../custom/Update-AzSentinelDataConnector.ps1 | 14 +++++++------- .../docs/New-AzSentinelDataConnector.md | 13 ++++++++++--- .../docs/Remove-AzSentinelIncidentRelation.md | 7 +++++++ .../docs/Update-AzSentinelDataConnector.md | 10 +++++----- .../examples/New-AzSentinelDataConnector.md | 4 ++++ .../Remove-AzSentinelIncidentRelation.md | 4 ++++ 7 files changed, 45 insertions(+), 23 deletions(-) diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 index c09896d8e728..f3b9931f347f 100644 --- a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 
@@ -206,7 +206,7 @@ function New-AzSentinelDataConnector {
     [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
     [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
     [System.String]
-    ${Logs},
+    ${Log},
 
     [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
     [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
@@ -606,9 +606,9 @@ function New-AzSentinelDataConnector {
             $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
             $null = $PSBoundParameters.Remove('AWSRoleArn')
 
-            If($PSBoundParameters['Logs']){
-                $DataConnector.LogState = $PSBoundParameters['Logs']
-                $null = $PSBoundParameters.Remove('Logs')
+            If($PSBoundParameters['Log']){
+                $DataConnector.LogState = $PSBoundParameters['Log']
+                $null = $PSBoundParameters.Remove('Log')
             }
         }
         if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){
@@ -617,9 +617,9 @@ function New-AzSentinelDataConnector {
             $DataConnector.RoleArn = $PSBoundParameters['AWSRoleArn']
             $null = $PSBoundParameters.Remove('AWSRoleArn')
 
-            If($PSBoundParameters['Logs']){
-                $DataConnector.LogState = $PSBoundParameters['Logs']
-                $null = $PSBoundParameters.Remove('Logs')
+            If($PSBoundParameters['Log']){
+                $DataConnector.LogState = $PSBoundParameters['Log']
+                $null = $PSBoundParameters.Remove('Log')
             }
 
             $DataConnector.SqsUrl = $PSBoundParameters['SQSURL']
@@ -640,7 +640,7 @@ function New-AzSentinelDataConnector {
             $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown']
             $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown')
 
-            If($PSBoundParameters['Logs']){
+            If($PSBoundParameters['UiConfigCustomImage']){
                 $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage']
                 $null = $PSBoundParameters.Remove('UiConfigCustomImage')
             }
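Review bot: Renaming `${Logs}` to `${Log}` in the `@@ -206` hunk is a silent breaking change for every script that passes `-Logs`: PowerShell's prefix matching resolves `-Log` to a parameter named `Logs`, but not the reverse, and the SignatureIssues.csv entries removed in the previous patch show this cmdlet shipped with `Logs` as the parameter name. Keep the old spelling as an alias so the singular-noun rule is satisfied without breaking callers: add `[Alias('Logs')]` above `[System.String]`. The `If($PSBoundParameters['Log'])` guards in the later hunks keep working unchanged, since `$PSBoundParameters` is keyed by the canonical parameter name even when a caller uses the alias. If the alias is deliberately not wanted, the rename should at least be recorded as a breaking change rather than left implicit. The enclosing function starts and ends outside these hunks.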
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
index 78c2a4783fac..4122e19545bb 100644
--- a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
+++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
@@ -416,7 +416,7 @@ function Update-AzSentinelDataConnector {
     [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
     [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
     [System.String]
-    ${Logs},
+    ${Log},
 
     [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
     [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
@@ -841,9 +841,9 @@ function Update-AzSentinelDataConnector {
                 $null = $PSBoundParameters.Remove('AWSRoleArn')
             }
 
-            If ($PSBoundParameters['Logs']) {
-                $DataConnector.LogState = $PSBoundParameters['Logs']
-                $null = $PSBoundParameters.Remove('Logs')
+            If ($PSBoundParameters['Log']) {
+                $DataConnector.LogState = $PSBoundParameters['Log']
+                $null = $PSBoundParameters.Remove('Log')
             }
             $null = $PSBoundParameters.Remove('AWSCloudTrail')
         }
@@ -853,9 +853,9 @@ function Update-AzSentinelDataConnector {
                 $null = $PSBoundParameters.Remove('AWSRoleArn')
             }
 
-            If ($PSBoundParameters['Logs']) {
-                $DataConnector.LogState = $PSBoundParameters['Logs']
-                $null = $PSBoundParameters.Remove('Logs')
+            If ($PSBoundParameters['Log']) {
+                $DataConnector.LogState = $PSBoundParameters['Log']
+                $null = $PSBoundParameters.Remove('Log')
             }
 
             If ($PSBoundParameters['SQSURL']) {
diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
index def1c6ab8e00..1c7e9363aeb5 100644
--- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
+++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
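Review bot: The renamed `${Log}` at the `@@ -416` hunk is still only decorated with an `ArgumentCompleter` for `Support.DataTypeState`, which supplies tab completion but rejects nothing, so the `If ($PSBoundParameters['Log'])` blocks in the `@@ -841` and `@@ -853` hunks forward any non-empty string straight into `$DataConnector.LogState` and rely on the service to reject typos. Since this declaration is being touched anyway, add validation beside it, `[ValidateSet('Enabled', 'Disabled')]` (confirm these are the `DataTypeState` members), together with `[Alias('Logs')]` so scripts written against the previous `-Logs` name keep working after the rename. Note also that the truthiness test treats an explicitly passed empty string as "not bound"; `$PSBoundParameters.ContainsKey('Log')` is the explicit form if that distinction ever matters for an update. The enclosing function starts and ends outside these hunks.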
@@ -22,14 +22,14 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### AmazonWebServicesCloudTrail ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -Kind [-SubscriptionId ] [-Logs ] [-DefaultProfile ] [-AsJob] + -Kind [-SubscriptionId ] [-Log ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesS3 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -DetinationTable -Kind -Logs -SQSURL + -DetinationTable -Kind -Log -SQSURL [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -135,6 +135,13 @@ Creates or updates the data connector. ### Example 1: Enables the Threat Intelligence data connector ```powershell + +``` + +======= + +### Example 1: Enable a data connector. +```powershell New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All ``` @@ -427,7 +434,7 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Logs +### -Log ```yaml diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index cc2ac6f62cb3..6d2623931cf5 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md @@ -32,6 +32,13 @@ Delete the incident relation. ### Example 1: Removes the incident relation ```powershell + +``` + +======= + +### Example 1: Delete an Incident relation +```powershell Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 ``` 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index c98178ee1bae..7aecc29c3297 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md @@ -22,14 +22,14 @@ Update-AzSentinelDataConnector -Id -ResourceGroupName -Workspa ### UpdateAmazonWebServicesCloudTrail ``` Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AWSCloudTrail - [-SubscriptionId ] [-AWSRoleArn ] [-Logs ] [-DefaultProfile ] [-AsJob] + [-SubscriptionId ] [-AWSRoleArn ] [-Log ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateAmazonWebServicesS3 ``` Update-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName -AWSS3 - [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Logs ] + [-SubscriptionId ] [-AWSRoleArn ] [-DetinationTable ] [-Log ] [-SQSURL ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -138,14 +138,14 @@ Update-AzSentinelDataConnector -InputObject -AzureAD ### UpdateViaIdentityAmazonWebServicesCloudTrail ``` Update-AzSentinelDataConnector -InputObject -AWSCloudTrail [-AWSRoleArn ] - [-Logs ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [-Log ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityAmazonWebServicesS3 ``` Update-AzSentinelDataConnector -InputObject -AWSS3 [-AWSRoleArn ] - [-DetinationTable ] [-Logs ] [-SQSURL ] [-TenantId ] + [-DetinationTable ] [-Log ] [-SQSURL ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -669,7 +669,7 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` -### -Logs +### -Log ```yaml diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md index 01150e7a8b13..d135c3ea082a 100644 
--- a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
+++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
@@ -1,4 +1,8 @@
+<<<<<<< HEAD
 ### Example 1: Enables the Threat Intelligence data connector
+=======
+### Example 1: Enable a data connector.
+>>>>>>> 16ff7bb8ad... Fixes per feedback
 ```powershell
 New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
 ```
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
index 64c58f8e45e8..021221d24452 100644
--- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
@@ -1,4 +1,8 @@
+<<<<<<< HEAD
 ### Example 1: Removes the incident relation
+=======
+### Example 1: Delete an Incident relation
+>>>>>>> 16ff7bb8ad... Fixes per feedback
 ```powershell
 Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4
 ```
From 771ea17150605325c8bdbb9dca9112953981db05 Mon Sep 17 00:00:00 2001
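Review bot: Both `@@ -1,4 +1,8 @@` hunks commit unresolved merge-conflict markers, `<<<<<<< HEAD`, `=======` and `>>>>>>> 16ff7bb8ad... Fixes per feedback`, into the example files, so the rendered examples and any help generated from them will show the markers verbatim. Resolve by keeping a single heading per file, e.g. `### Example 1: Enable the Threat Intelligence data connector` and `### Example 1: Remove an incident relation`, and dropping the other three added lines. The same residue is visible in the docs hunks above as a stray `=======` and an empty ```powershell block under a duplicated "Example 1" heading, and should be cleaned up in the same pass.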
From: SecurityJedi Date: Wed, 17 Aug 2022 01:00:47 -0400 Subject: [PATCH 13/24] Fixing tests (#19248) Had to update autorest readme and custom cmdlets to support testing record/playback --- src/SecurityInsights/README.md | 2 - .../custom/New-AzSentinelDataConnector.ps1 | 6 + .../custom/New-AzSentinelEntityQuery.ps1 | 6 + .../custom/Update-AzSentinelSetting.ps1 | 28 +- .../docs/Get-AzSentinelAlertRule.md | 2 +- .../docs/Get-AzSentinelAlertRuleAction.md | 2 +- .../docs/Get-AzSentinelAlertRuleTemplate.md | 2 +- .../docs/Get-AzSentinelAutomationRule.md | 2 +- .../docs/Get-AzSentinelBookmark.md | 2 +- .../docs/Get-AzSentinelBookmarkRelation.md | 2 +- .../docs/Get-AzSentinelDataConnector.md | 2 +- .../docs/Get-AzSentinelEnrichment.md | 2 +- .../docs/Get-AzSentinelEntity.md | 2 +- .../docs/Get-AzSentinelEntityQuery.md | 2 +- .../docs/Get-AzSentinelEntityQueryTemplate.md | 2 +- .../docs/Get-AzSentinelEntityRelation.md | 2 +- .../docs/Get-AzSentinelIncident.md | 2 +- .../docs/Get-AzSentinelIncidentComment.md | 2 +- .../docs/Get-AzSentinelIncidentRelation.md | 2 +- .../docs/Get-AzSentinelMetadata.md | 2 +- .../docs/Get-AzSentinelOnboardingState.md | 2 +- .../docs/Get-AzSentinelSetting.md | 2 +- ...t-AzSentinelThreatIntelligenceIndicator.md | 2 +- ...entinelThreatIntelligenceIndicatorQuery.md | 2 +- .../docs/New-AzSentinelAlertRule.md | 2 +- .../docs/New-AzSentinelAlertRuleAction.md | 19 +- .../docs/New-AzSentinelAutomationRule.md | 27 +- .../docs/New-AzSentinelBookmark.md | 24 +- .../docs/New-AzSentinelBookmarkRelation.md | 25 +- .../docs/New-AzSentinelDataConnector.md | 88 ++-- .../docs/New-AzSentinelEntityQuery.md | 24 +- .../docs/New-AzSentinelIncident.md | 26 +- .../docs/New-AzSentinelIncidentComment.md | 25 +- .../docs/New-AzSentinelIncidentRelation.md | 25 +- .../docs/New-AzSentinelIncidentTeam.md | 2 +- .../docs/New-AzSentinelOnboardingState.md | 2 +- .../docs/Remove-AzSentinelAlertRule.md | 2 +- .../docs/Remove-AzSentinelAlertRuleAction.md | 2 +- 
.../docs/Remove-AzSentinelAutomationRule.md | 2 +- .../docs/Remove-AzSentinelBookmark.md | 2 +- .../docs/Remove-AzSentinelBookmarkRelation.md | 2 +- .../docs/Remove-AzSentinelDataConnector.md | 2 +- .../docs/Remove-AzSentinelEntityQuery.md | 2 +- .../docs/Remove-AzSentinelIncident.md | 2 +- .../docs/Remove-AzSentinelIncidentComment.md | 2 +- .../docs/Remove-AzSentinelIncidentRelation.md | 2 +- .../docs/Remove-AzSentinelOnboardingState.md | 2 +- .../docs/Update-AzSentinelAlertRule.md | 4 +- .../docs/Update-AzSentinelAlertRuleAction.md | 2 +- .../docs/Update-AzSentinelAutomationRule.md | 4 +- .../docs/Update-AzSentinelBookmark.md | 2 +- .../docs/Update-AzSentinelBookmarkRelation.md | 2 +- .../docs/Update-AzSentinelDataConnector.md | 16 +- .../docs/Update-AzSentinelEntityQuery.md | 4 +- .../docs/Update-AzSentinelIncident.md | 4 +- .../docs/Update-AzSentinelIncidentComment.md | 2 +- .../docs/Update-AzSentinelIncidentRelation.md | 2 +- .../docs/Update-AzSentinelSetting.md | 39 +- src/SecurityInsights/docs/readme.md | 11 + .../examples/Update-AzSentinelSetting.md | 2 +- .../Get-AzSentinelAlertRule.Recording.json | 80 ++-- ...t-AzSentinelAlertRuleAction.Recording.json | 72 ++-- ...AzSentinelAlertRuleTemplate.Recording.json | 78 ++-- ...et-AzSentinelAutomationRule.Recording.json | 72 ++-- .../Get-AzSentinelBookmark.Recording.json | 74 ++-- ...-AzSentinelBookmarkRelation.Recording.json | 72 ++-- ...Get-AzSentinelDataConnector.Recording.json | 72 ++-- .../Get-AzSentinelEnrichment.Recording.json | 34 +- .../test/Get-AzSentinelEntity.Recording.json | 108 ++--- ...et-AzSentinelEntityActivity.Recording.json | 36 +- ...Get-AzSentinelEntityInsight.Recording.json | 34 +- .../Get-AzSentinelEntityQuery.Recording.json | 90 ++-- ...SentinelEntityQueryTemplate.Recording.json | 60 +-- ...et-AzSentinelEntityTimeline.Recording.json | 36 +- .../Get-AzSentinelIncident.Recording.json | 86 ++-- ...Get-AzSentinelIncidentAlert.Recording.json | 40 +- ...-AzSentinelIncidentBookmark.Recording.json 
| 18 +- ...t-AzSentinelIncidentComment.Recording.json | 40 +- ...et-AzSentinelIncidentEntity.Recording.json | 38 +- ...-AzSentinelIncidentRelation.Recording.json | 72 ++-- .../Get-AzSentinelMetadata.Recording.json | 80 ++-- ...t-AzSentinelOnboardingState.Recording.json | 72 ++-- .../test/Get-AzSentinelSetting.Recording.json | 40 +- ...ThreatIntelligenceIndicator.Recording.json | 42 +- ...IntelligenceIndicatorMetric.Recording.json | 22 +- ...tIntelligenceIndicatorQuery.Recording.json | 18 +- .../New-AzSentinelAlertRule.Recording.json | 16 +- .../test/New-AzSentinelAlertRule.Tests.ps1 | 4 +- ...w-AzSentinelAlertRuleAction.Recording.json | 36 +- .../New-AzSentinelAlertRuleAction.Tests.ps1 | 4 +- ...ew-AzSentinelAutomationRule.Recording.json | 16 +- .../New-AzSentinelAutomationRule.Tests.ps1 | 4 +- .../New-AzSentinelBookmark.Recording.json | 16 +- .../test/New-AzSentinelBookmark.Tests.ps1 | 4 +- ...-AzSentinelBookmarkRelation.Recording.json | 56 +-- .../New-AzSentinelBookmarkRelation.Tests.ps1 | 8 +- ...New-AzSentinelDataConnector.Recording.json | 14 +- .../New-AzSentinelDataConnector.Tests.ps1 | 2 +- .../New-AzSentinelEntityQuery.Recording.json | 16 +- .../test/New-AzSentinelEntityQuery.Tests.ps1 | 2 +- .../New-AzSentinelIncident.Recording.json | 16 +- .../test/New-AzSentinelIncident.Tests.ps1 | 4 +- ...w-AzSentinelIncidentComment.Recording.json | 36 +- .../New-AzSentinelIncidentComment.Tests.ps1 | 6 +- ...-AzSentinelIncidentRelation.Recording.json | 56 +-- .../New-AzSentinelIncidentRelation.Tests.ps1 | 6 +- .../New-AzSentinelIncidentTeam.Recording.json | 34 +- .../test/New-AzSentinelIncidentTeam.Tests.ps1 | 2 +- .../Remove-AzSentinelAlertRule.Recording.json | 52 +-- ...e-AzSentinelAlertRuleAction.Recording.json | 52 +-- ...ve-AzSentinelAutomationRule.Recording.json | 50 +-- .../Remove-AzSentinelBookmark.Recording.json | 52 +-- ...-AzSentinelBookmarkRelation.Recording.json | 52 +-- ...ove-AzSentinelDataConnector.Recording.json | 60 +-- 
.../Remove-AzSentinelDataConnector.Tests.ps1 | 4 +- ...emove-AzSentinelEntityQuery.Recording.json | 52 +-- .../Remove-AzSentinelIncident.Recording.json | 52 +-- ...e-AzSentinelIncidentComment.Recording.json | 50 +-- ...-AzSentinelIncidentRelation.Recording.json | 50 +-- ...e-AzSentinelOnboardingState.Recording.json | 16 +- .../Update-AzSentinelAlertRule.Recording.json | 18 +- ...e-AzSentinelAlertRuleAction.Recording.json | 52 +-- ...te-AzSentinelAutomationRule.Recording.json | 68 +-- .../Update-AzSentinelBookmark.Recording.json | 76 ++-- ...-AzSentinelBookmarkRelation.Recording.json | 92 ++-- ...pdate-AzSentinelBookmarkRelation.Tests.ps1 | 4 +- ...ate-AzSentinelDataConnector.Recording.json | 50 +-- ...pdate-AzSentinelEntityQuery.Recording.json | 54 +-- .../Update-AzSentinelIncident.Recording.json | 72 ++-- ...e-AzSentinelIncidentComment.Recording.json | 46 +- ...-AzSentinelIncidentRelation.Recording.json | 90 ++-- ...pdate-AzSentinelIncidentRelation.Tests.ps1 | 4 +- .../Update-AzSentinelSetting.Recording.json | 60 +-- .../test/Update-AzSentinelSetting.Tests.ps1 | 4 +- src/SecurityInsights/test/common.ps1 | 2 +- src/SecurityInsights/test/env.json | 396 ++++++++++-------- src/SecurityInsights/test/localEnv.json | 185 +------- src/SecurityInsights/test/utils.ps1 | 62 ++- 138 files changed, 2133 insertions(+), 2075 deletions(-) create mode 100644 src/SecurityInsights/docs/readme.md diff --git a/src/SecurityInsights/README.md b/src/SecurityInsights/README.md index 956cf1b3ce24..c6b807fa6b06 100644 --- a/src/SecurityInsights/README.md +++ b/src/SecurityInsights/README.md @@ -304,7 +304,6 @@ directive: verb: New subject: ^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$| parameter-name: Id - hide: true set: default: script: '(New-Guid).Guid' @@ -312,7 +311,6 @@ directive: verb: New subject: ^BookmarkRelation$|^IncidentRelation$ parameter-name: RelationName - hide: true set: default: script: '(New-Guid).Guid' 
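Review bot: Dropping `hide: true` from both directives makes `Id` and `RelationName` user-settable on `New-` cmdlets whose generated help (later in this patch) says they create *or update* the resource, so a caller who supplies an existing identifier now silently overwrites that action, automation rule, bookmark, incident, comment or relation instead of getting a conflict. If the parameter is exposed only so record/playback tests get deterministic names, state that intent in a comment next to the directive and have the cmdlet help call out the overwrite behaviour; otherwise consider keeping the parameter hidden and seeding the GUID in `utils.ps1` instead. The `(New-Guid).Guid` default is still correct for the normal create path and should stay documented as such.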
diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 index f3b9931f347f..763da72ef0f7 100644 --- a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 @@ -45,6 +45,12 @@ function New-AzSentinelDataConnector { [System.String] # The name of the workspace. ${WorkspaceName}, + + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Data Connector. + ${Id}, [Parameter(Mandatory)] [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])] diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 index b91efbdfbb57..ea63da0336f0 100644 --- a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 +++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 @@ -47,6 +47,12 @@ function New-AzSentinelEntityQuery { # The name of the workspace. ${WorkspaceName}, + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')] + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')] + [System.String] + # The Id of the Entity Query. + ${Id}, + [Parameter(Mandatory)] [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 index 432afa05a3a5..2724d945c7a3 100644 --- a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 +++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 
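Review bot: The new `${Id}` parameter in both custom cmdlets carries only `Category('Path')` and a `DefaultInfo` script; it has no validation, and because the function bodies are outside the hunk it is not visible whether `$Id` is forwarded to the internal cmdlet or whether `DefaultInfo` is honoured at runtime for a hand-written function rather than being used only for doc generation. If the default is not applied, an omitted `-Id` yields an empty path segment, so guard it explicitly: `if (-not $PSBoundParameters.ContainsKey('Id')) { $Id = (New-Guid).Guid }` before the internal call. Since the value becomes an ARM resource-path segment, adding `[ValidateNotNullOrEmpty()]` (and a pattern such as `[ValidatePattern('^[\w.-]+$')]` if the service allows nothing wider) keeps a caller-supplied value from containing separators that would address a different path.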
@@ -69,21 +69,15 @@ function Update-AzSentinelSetting { #Anomalies #.EyesOn #.EntityAnalytics - [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] - [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] + [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Switch] + [System.Boolean] ${Enabled}, - [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')] - [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics')] - [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] - [Switch] - ${Disabled}, - #.Ueba - [Parameter(ParameterSetName = 'UpdateExpandedUeba')] - [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba')] + [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)] + [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory)] [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources])] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')] [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]] @@ -173,7 +167,7 @@ function Update-AzSentinelSetting { if ($Name -eq 'Anomalies'){ - If($PSBoundParameters['Enabled']){ + If($PSBoundParameters['Enabled'] -eq $true){ if($Settings.Name -contains 'Anomalies'){ Write-Host "$Name is already Enabled!" -ForegroundColor Green } 
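Review bot: Replacing the `-Enabled`/`-Disabled` switch pair with a mandatory `[System.Boolean] ${Enabled}` is an interface break: `Update-AzSentinelSetting -Name Anomalies -Enabled` now fails for want of an argument and `-Disabled` no longer exists, so any script written against the earlier shape stops working. If a prior release already shipped the switch form, keep `[Switch] ${Disabled}` for one release as a deprecated alias that sets `$Enabled = $false` in the body and emit a `Write-Warning`; either way the change belongs in the changelog and the cmdlet help. The parameter block continues outside the hunk, so the Ueba set's own handling is not visible here.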
@@ -182,7 +176,7 @@ function Update-AzSentinelSetting { } } - If($PSBoundParameters['Disabled']){ + If($PSBoundParameters['Enabled'] -eq $false){ if($Settings.Name -contains 'Anomalies'){ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name } @@ -192,7 +186,7 @@ function Update-AzSentinelSetting { } } if ($Name -eq 'EyesOn'){ - If($PSBoundParameters['Enabled']){ + If($PSBoundParameters['Enabled'] -eq $true){ if($Settings.Name -contains 'EyesOn'){ Write-Host "$Name is already Enabled!" -ForegroundColor Green } @@ -201,7 +195,7 @@ function Update-AzSentinelSetting { } } - If($PSBoundParameters['Disabled']){ + If($PSBoundParameters['Enabled'] -eq $false){ if($Settings.Name -contains 'EyesOn'){ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name } @@ -211,7 +205,7 @@ function Update-AzSentinelSetting { } } if ($Name -eq 'EntityAnalytics'){ - If($PSBoundParameters['Enabled']){ + If($PSBoundParameters['Enabled'] -eq $true){ if($Settings.Name -contains 'EntityAnalytics'){ Write-Host "$Name is already Enabled!" -ForegroundColor Green } @@ -220,7 +214,7 @@ function Update-AzSentinelSetting { } } - If($PSBoundParameters['Disabled']){ + If($PSBoundParameters['Enabled'] -eq $false){ if($Settings.Name -contains 'EntityAnalytics'){ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name } diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md index 90779dae796f..cfc6b8728c36 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md 
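Review bot: The Anomalies, EyesOn and EntityAnalytics branches are now identical except for the setting name, and each disable path deletes the settings resource via `Az.SecurityInsights.internal\Remove-AzSentinelSetting` — turning off a security-analytics feature — with no `ShouldProcess` call visible around it. Collapse the three into one `if ($Name -in 'Anomalies','EyesOn','EntityAnalytics') { ... }` block keyed on `$Name`, and wrap the remove in `if ($PSCmdlet.ShouldProcess($Name, 'Disable setting'))` so `-WhatIf`/`-Confirm` are honoured, assuming the function declares `SupportsShouldProcess` (its header is outside the hunk). The `Write-Host "$Name is already Enabled!"` lines would also read better as `Write-Verbose`, since Write-Host output cannot be suppressed or captured by callers. The enclosing function starts and ends outside the hunk.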
@@ -207,7 +207,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md index 0cf1d83aeb61..f6482fc95095 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md index 8f535b50f9d5..86b15193b94d 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md @@ -193,7 +193,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md index f4b76814a7f9..43921221c76f 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md @@ -184,7 +184,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md index 01fe1836136e..51e41574b2b4 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md @@ -182,7 +182,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md index 6f22d30642c1..29e9a3f98e06 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md 
@@ -270,7 +270,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md index 45b3e1d4a717..bdd246d7622c 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md index 5c84d74fb965..7797cbb23c00 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md @@ -200,7 +200,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/docs/Get-AzSentinelEntity.md index 4f18c8f67ceb..dd8e8b6380bf 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelEntity.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntity.md @@ -206,7 +206,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md index e4b38711604b..beef38e95c2b 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md @@ -226,7 +226,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md index 852d67205d98..defea674fb03 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md @@ -214,7 +214,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md index c7454f551b52..47df57a8d066 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md @@ -252,7 +252,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/docs/Get-AzSentinelIncident.md index fb959efeeafd..d03fb27d831b 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncident.md @@ -249,7 +249,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md index 988434c7439d..17617fe272f0 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md 
@@ -263,7 +263,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md index 1eeca20f5536..f88685604aa5 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md @@ -278,7 +278,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md index 52ffb4547ae0..58447408cd4a 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md +++ b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md @@ -227,7 +227,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md index e9dba1a4da1e..77cbe4072e81 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md @@ -174,7 +174,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/docs/Get-AzSentinelSetting.md index 9ea5481a88d4..a5c9f05dcc2f 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Get-AzSentinelSetting.md @@ -205,7 +205,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md index 0a3014bd751a..5fcf4043581b 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md +++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md @@ -260,7 +260,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md index d66fe5aa3422..3bf8cb69b0d5 100644 --- a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md +++ b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md @@ -347,7 +347,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -SORTBY : Columns to sort by and sorting order +`SORTBY `: Columns to sort by and sorting order - `[ItemKey ]`: Column name - `[SortOrder ]`: Sorting order (ascending/descending/unsorted). diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md index 5bef18b69398..22d572a9d818 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md @@ -764,7 +764,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier 
diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md index f11300427304..beefa37c1cc1 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md @@ -14,8 +14,8 @@ Creates or updates the action of alert rule. ``` New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName - [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -49,6 +49,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +Action ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: ActionId + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -LogicAppResourceId Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. diff --git a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md index a0a1ba63a37e..02e04a2439a3 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md @@ -14,8 +14,8 @@ Creates or updates the automation rule. ### CreateExpanded (Default) ``` -New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] - [-Action ] [-DisplayName ] [-Order ] +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-Id ] + [-SubscriptionId ] [-Action ] [-DisplayName ] [-Order ] [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ] [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` 
@@ -23,8 +23,8 @@ New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName ### Create ``` New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName - -AutomationRule [-SubscriptionId ] [-DefaultProfile ] [-Confirm] - [-WhatIf] [] + -AutomationRule [-Id ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -120,6 +120,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +Automation rule ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: AutomationRuleId + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Order The order of execution of the automation rule @@ -277,11 +292,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ACTION : The actions to execute when the automation rule is triggered +`ACTION `: The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -AUTOMATIONRULE : Represents an automation rule. +`AUTOMATIONRULE `: Represents an automation rule. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/docs/New-AzSentinelBookmark.md index 21f91ebedfc5..1b08de77a6fb 100644 --- a/src/SecurityInsights/docs/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmark.md 
@@ -14,8 +14,8 @@ Creates or updates the bookmark. ### CreateExpanded (Default) ``` -New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ] - [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id ] + [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] @@ -24,7 +24,8 @@ New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Sub ### Create ``` New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -Bookmark - [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -112,6 +113,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +Bookmark ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: BookmarkId + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -IncidentInfoIncidentId Incident Id @@ -359,7 +375,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -BOOKMARK : Represents a bookmark in Azure Security Insights. +`BOOKMARK `: Represents a bookmark in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md index aefcac037817..f8237ffb8f39 100644 
--- a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md @@ -15,15 +15,15 @@ Creates the bookmark relation. ### CreateExpanded (Default) ``` New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + [-RelationName ] [-SubscriptionId ] [-RelatedResourceId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### Create ``` New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName - -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -102,6 +102,21 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ResourceGroupName The name of the resource group. The name is case insensitive. @@ -199,7 +214,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -RELATION : Represents a relation between two resources +`RELATION `: Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md index 1c7e9363aeb5..e3464d5119ca 100644 --- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md 
@@ -15,21 +15,21 @@ Creates or updates the data connector. ### AADAATP (Default) ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesCloudTrail ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -Kind [-SubscriptionId ] [-Log ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-Id ] [-SubscriptionId ] [-Log ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### AmazonWebServicesS3 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -AWSRoleArn - -DetinationTable -Kind -Log -SQSURL + -DetinationTable -Kind -Log -SQSURL [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -37,14 +37,14 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### AzureSecurityCenter ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -ASCSubscriptionId - -Kind [-SubscriptionId ] [-Alerts ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + -Kind [-Id ] [-SubscriptionId ] [-Alerts ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Dynamics365 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] + [-Id ] [-SubscriptionId ] [-CommonDataServiceActivity ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` 
@@ -55,7 +55,7 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -UiConfigConnectivityCriterion -UiConfigDataType -UiConfigDescriptionMarkdown -UiConfigGraphQueriesTableName -UiConfigGraphQuery -UiConfigInstructionStep - -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle + -UiConfigPublisher -UiConfigSampleQuery -UiConfigTitle [-Id ] [-SubscriptionId ] [-AvailabilityStatus ] [-PermissionCustom ] [-PermissionResourceProvider ] [-UiConfigCustomImage ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] 
@@ -64,68 +64,69 @@ New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName ### MicrosoftCloudAppSecurity ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] + [-Id ] [-SubscriptionId ] [-Alerts ] [-DiscoveryLog ] [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftDefenderAdvancedThreatProtection ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftThreatIntelligence ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-BingSafetyPhishingURL ] [-BingSafetyPhishingUrlLookbackPeriod ] - [-MicrosoftEmergingThreatFeed ] [-MicrosoftEmergingThreatFeedLookbackPeriod ] - [-TenantId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] - [] + [-Id ] [-SubscriptionId ] [-BingSafetyPhishingURL ] + [-BingSafetyPhishingUrlLookbackPeriod ] [-MicrosoftEmergingThreatFeed ] + [-MicrosoftEmergingThreatFeedLookbackPeriod ] [-TenantId ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### MicrosoftThreatProtection ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Incident ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Incident ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### Office365 ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] [-TenantId ] - [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Exchange ] [-SharePoint ] [-Teams ] + [-TenantId ] [-DefaultProfile ] 
[-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ### OfficeATP ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### OfficeIRM ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Alerts ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Alerts ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligence ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -Kind - [-SubscriptionId ] [-Indicator ] [-TenantId ] [-DefaultProfile ] [-AsJob] - [-NoWait] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-Indicator ] [-TenantId ] + [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### ThreatIntelligenceTaxii ``` New-AzSentinelDataConnector -ResourceGroupName -WorkspaceName -APIRootURL -CollectionId -FriendlyName -Kind -PollingFrequency - -WorkspaceId [-SubscriptionId ] [-Password ] [-TaxiiLookbackPeriod ] - [-TenantId ] [-UserName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] - [-WhatIf] [] + -WorkspaceId [-Id ] [-SubscriptionId ] [-Password ] + [-TaxiiLookbackPeriod ] [-TenantId ] [-UserName ] [-DefaultProfile ] + [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -389,6 +390,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +The Id of the Data Connector. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Incident 
@@ -911,11 +927,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -PERMISSIONCUSTOM : [Parameter(ParameterSetName = 'APIPolling')] +`PERMISSIONCUSTOM `: [Parameter(ParameterSetName = 'APIPolling')] - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -PERMISSIONRESOURCEPROVIDER : [Parameter(ParameterSetName = 'APIPolling')] +`PERMISSIONRESOURCEPROVIDER `: [Parameter(ParameterSetName = 'APIPolling')] - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -925,27 +941,27 @@ PERMISSIONRESOURCEPROVIDER : [Parameter(Param - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -UICONFIGCONNECTIVITYCRITERION : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +`UICONFIGCONNECTIVITYCRITERION `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -UICONFIGDATATYPE : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +`UICONFIGDATATYPE `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -UICONFIGGRAPHQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +`UICONFIGGRAPHQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -UICONFIGINSTRUCTIONSTEP : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +`UICONFIGINSTRUCTIONSTEP `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -UICONFIGSAMPLEQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +`UICONFIGSAMPLEQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md index ca7b26e29896..9e1607760b6f 100644 --- a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -15,9 +15,10 @@ Creates or updates the entity query. ``` New-AzSentinelEntityQuery -ResourceGroupName -WorkspaceName -Content -Description -InputEntityType -Kind -QueryDefinitionQuery - -Title [-SubscriptionId ] [-EntitiesFilter ] - [-RequiredInputFieldsSet ] [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] - [-Confirm] [-WhatIf] [] + -Title [-Id ] [-SubscriptionId ] + [-EntitiesFilter ] [-RequiredInputFieldsSet ] + [-TemplateName ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -129,6 +130,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +The Id of the Entity Query. + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -InputEntityType @@ -330,7 +346,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ENTITIESFILTER : +`ENTITIESFILTER `: - `[(Any) ]`: This indicates any property can be added to this object. ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncident.md b/src/SecurityInsights/docs/New-AzSentinelIncident.md index be182c72c718..bc9622c222e9 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncident.md @@ -14,8 +14,8 @@ Creates or updates the incident. ### CreateExpanded (Default) ``` -New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ] - [-Classification ] [-ClassificationComment ] +New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Id ] + [-SubscriptionId ] [-Classification ] [-ClassificationComment ] [-ClassificationReason ] [-Description ] [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] 
@@ -27,7 +27,8 @@ New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Sub ### Create ``` New-AzSentinelIncident -ResourceGroupName -WorkspaceName -Incident - [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -145,6 +146,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +Incident ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: IncidentId + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -Incident Represents an incident in Azure Security Insights. To construct, see NOTES section for INCIDENT properties and create a hash table. @@ -424,7 +440,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INCIDENT : Represents an incident in Azure Security Insights. +`INCIDENT `: Represents an incident in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. @@ -450,7 +466,7 @@ INCIDENT : Represents an incident in Azure Security Insights. - `[Status ]`: The status of the incident - `[Title ]`: The title of the incident -LABEL : List of labels relevant to this incident +`LABEL `: List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md index e17c63877858..814dc162f4f5 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md 
@@ -15,15 +15,15 @@ Creates or updates the incident comment. ### CreateExpanded (Default) ``` New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + [-Id ] [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] ``` ### Create ``` New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName - -IncidentComment [-SubscriptionId ] [-DefaultProfile ] [-Confirm] - [-WhatIf] [] + -IncidentComment [-Id ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -55,6 +55,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -Id +Incident comment ID + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: IncidentCommentId + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -IncidentComment Represents an incident comment To construct, see NOTES section for INCIDENTCOMMENT properties and create a hash table. @@ -198,7 +213,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INCIDENTCOMMENT : Represents an incident comment +`INCIDENTCOMMENT `: Represents an incident comment - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md index 2147fdc50602..200dab9cfbfc 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md 
@@ -15,15 +15,15 @@ Creates or updates the incident relation. ### CreateExpanded (Default) ``` New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName - [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + [-RelationName ] [-SubscriptionId ] [-RelatedResourceId ] + [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ### Create ``` New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName - -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -109,6 +109,21 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` +### -RelationName +Relation Name + +```yaml +Type: System.String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: (New-Guid).Guid +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ResourceGroupName The name of the resource group. The name is case insensitive. @@ -206,7 +221,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -RELATION : Represents a relation between two resources +`RELATION `: Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md index 10cdbcacddeb..69355576dcce 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md 
@@ -253,7 +253,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -TEAMPROPERTY : Describes team properties +`TEAMPROPERTY `: Describes team properties - `TeamName `: The name of the team - `[GroupId ]`: List of group IDs to add their members to the team - `[MemberId ]`: List of member IDs to add to the team diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md index 648a211c7449..f88917a5c857 100644 --- a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md @@ -199,7 +199,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -SENTINELONBOARDINGSTATEPARAMETER : Sentinel onboarding state +`SENTINELONBOARDINGSTATEPARAMETER `: Sentinel onboarding state - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md index ad497279d3ed..ce4fd9a86de7 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md index d6e6dae46f47..5fb49cc4016c 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md index c45b896ded12..4922397961f7 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md index 5f7d69f2e884..17bd7e967358 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md 
@@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md index b4e730b88644..3deb9a5537d2 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md index 8fdb2b22f520..95bbec95565b 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md index 7f54196cc2af..89ce6c20501a 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md @@ -204,7 +204,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md index 8d669823974e..07ae5c6e957d 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md @@ -203,7 +203,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md index a820724e2316..256bcc7b2f20 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md 
@@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index 6d2623931cf5..e815c0640f32 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md @@ -219,7 +219,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md index a7621e87efd9..ef99ec749e63 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md @@ -197,7 +197,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md index a00ea8122723..0a40bc09c36b 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md @@ -828,13 +828,13 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier - `[Identifier ]`: the V3 identifier of the entity -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md index 3d0a0db3c294..ca398883be6e 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md 
@@ -229,7 +229,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md index 33f83c805f22..2711e5f5c00f 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md @@ -282,11 +282,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ACTION : The actions to execute when the automation rule is triggered +`ACTION `: The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md index 2e81fc3913f0..88b71157ced8 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md 
@@ -369,7 +369,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md index c25c247adf6c..e9a3b4f57a98 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index 7aecc29c3297..8faa21daa939 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md 
@@ -1250,7 +1250,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter +`INPUTOBJECT `: [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -1274,11 +1274,11 @@ INPUTOBJECT : [Parameter(ParameterSetName = 'UpdateVi - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -PERMISSIONCUSTOM : +`PERMISSIONCUSTOM `: - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -PERMISSIONRESOURCEPROVIDER : +`PERMISSIONRESOURCEPROVIDER `: - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -1288,27 +1288,27 @@ PERMISSIONRESOURCEPROVIDER : - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -UICONFIGCONNECTIVITYCRITERION : +`UICONFIGCONNECTIVITYCRITERION `: - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -UICONFIGDATATYPE : +`UICONFIGDATATYPE `: - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -UICONFIGGRAPHQUERY : +`UICONFIGGRAPHQUERY `: - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -UICONFIGINSTRUCTIONSTEP : +`UICONFIGINSTRUCTIONSTEP `: - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -UICONFIGSAMPLEQUERY : +`UICONFIGSAMPLEQUERY `: - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md index cdbf65fc62fc..6a008930da44 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md @@ -368,10 +368,10 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -ENTITIESFILTER : +`ENTITIESFILTER `: - `[(Any) ]`: This indicates any property can be added to this object. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md index 111281eb86ec..14025d559f22 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md @@ -433,7 +433,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -457,7 +457,7 @@ INPUTOBJECT : Identity Parameter - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -LABEL : List of labels relevant to this incident +`LABEL `: List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md index bf351701ca04..114fa7c871cb 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md index d05e67632af1..8c3476bb9360 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md 
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md @@ -213,7 +213,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md index 5b4fd613ab5f..fbf9d7bb2010 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md 
@@ -14,27 +14,27 @@ Updates setting. ### UpdateExpandedAnomaliesEyesOnEntityAnalytics (Default) ``` -Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName - [-SubscriptionId ] [-Disabled] [-Enabled] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -Enabled + -SettingsName [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateExpandedUeba ``` -Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -SettingsName - [-SubscriptionId ] [-DataSource ] [-DefaultProfile ] [-AsJob] [-NoWait] - [-Confirm] [-WhatIf] [] +Update-AzSentinelSetting -ResourceGroupName -WorkspaceName -DataSource + -SettingsName [-SubscriptionId ] [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] + [-WhatIf] [] ``` ### UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics ``` -Update-AzSentinelSetting -InputObject [-Disabled] [-Enabled] +Update-AzSentinelSetting -InputObject -Enabled [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` ### UpdateViaIdentityExpandedUeba ``` -Update-AzSentinelSetting -InputObject [-DataSource ] +Update-AzSentinelSetting -InputObject -DataSource [-DefaultProfile ] [-AsJob] [-NoWait] [-Confirm] [-WhatIf] [] ``` @@ -45,7 +45,7 @@ Updates setting. ### Example 1: Update the Anomalies setting ```powershell - Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled + Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled $true ``` This command updates the Anomalies setting, other settings are: @@ -76,7 +76,7 @@ Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSource Parameter Sets: UpdateExpandedUeba, UpdateViaIdentityExpandedUeba Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False 
@@ -98,30 +98,15 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Disabled - - -```yaml -Type: System.Management.Automation.SwitchParameter -Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics -Aliases: - -Required: False -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -Enabled Anomalies ```yaml -Type: System.Management.Automation.SwitchParameter +Type: System.Boolean Parameter Sets: UpdateExpandedAnomaliesEyesOnEntityAnalytics, UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics Aliases: -Required: False +Required: True Position: Named Default value: None Accept pipeline input: False @@ -272,7 +257,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -INPUTOBJECT : Identity Parameter +`INPUTOBJECT `: Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/readme.md b/src/SecurityInsights/docs/readme.md new file mode 100644 index 000000000000..f18a8fa38198 --- /dev/null +++ b/src/SecurityInsights/docs/readme.md 
@@ -0,0 +1,11 @@ +# Docs +This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overriden on regeneration*. To update documentation examples, please use the `../examples` folder. + +## Info +- Modifiable: no +- Generated: all +- Committed: yes +- Packaged: yes + +## Details +The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder. \ No newline at end of file diff --git a/src/SecurityInsights/examples/Update-AzSentinelSetting.md b/src/SecurityInsights/examples/Update-AzSentinelSetting.md index c42fa3b19570..06549800d356 100644 --- a/src/SecurityInsights/examples/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/examples/Update-AzSentinelSetting.md @@ -1,6 +1,6 @@ ### Example 1: Update the Anomalies setting ```powershell - Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled + Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled $true ``` This command updates the Anomalies setting, other settings are: diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json index fae028081c25..cb3a1bf9660c 100644 
--- a/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRule.Recording.json @@ -1,13 +1,13 @@ { - "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "160" ], - "x-ms-client-request-id": [ "ed523158-f5ad-4aeb-bbaf-88375bdc7e8b" ], + "x-ms-unique-id": [ "158" ], + "x-ms-client-request-id": [ "ce19bfa1-427c-4cb5-ad79-b773231600cc" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11999" ], - "x-ms-request-id": [ "3a6917c7-b248-4bf2-a907-147d74e6b496" ], - "x-ms-correlation-request-id": [ "3a6917c7-b248-4bf2-a907-147d74e6b496" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183054Z:3a6917c7-b248-4bf2-a907-147d74e6b496" ], + "x-ms-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], + "x-ms-correlation-request-id": [ "9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160647Z:9c8fd5a8-2fc9-4dad-9f24-ed55e3a6e9a1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:53 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:46 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "54779" ], + "Content-Length": [ "54782" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"2e007c30-0000-0100-0000-62e41cb30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to 
https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2022-07-29T17:45:23.4626713Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/75c9560c-ce08-4332-aa4a-0e675fc0b17c\",\"name\":\"75c9560c-ce08-4332-aa4a-0e675fc0b17c\",\"etag\":\"\\\"2e006c32-0000-0100-0000-62e41fa10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where 
Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user 
mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:57:51.4044412Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3\",\"name\":\"6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3\",\"etag\":\"\\\"2e006d32-0000-0100-0000-62e41fa10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse 
Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2022-07-29T17:57:51.4443855Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"name\":\"5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"etag\":\"\\\"2e006e32-0000-0100-0000-62e41fa20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where 
ResultDescription == \\\"User account is disabled. The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2022-07-29T17:57:51.4503725Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j 
a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"name\":\"c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"etag\":\"\\\"2e00de32-0000-0100-0000-62e420050000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRulex6lvwk\",\"enabled\":true,\"description\":\"RemoveAlertRulex6lvwk 
c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:32.8048022Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"name\":\"c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"etag\":\"\\\"2e00e832-0000-0100-0000-62e420250000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRuleg7sd5h\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRuleg7sd5h 
c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:04.2817896Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"name\":\"a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"etag\":\"\\\"2e000233-0000-0100-0000-62e420440000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulet0r6jh\",\"enabled\":true,\"description\":\"UpdateAlertRulet0r6jh 
a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:35.8688539Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/819c1dad-0658-4633-b80c-74cae574c0f7\",\"name\":\"819c1dad-0658-4633-b80c-74cae574c0f7\",\"etag\":\"\\\"2e000f33-0000-0100-0000-62e420630000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRules7my5u\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRules7my5u 
819c1dad-0658-4633-b80c-74cae574c0f7\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:01:07.2111029Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"name\":\"28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"etag\":\"\\\"2e001533-0000-0100-0000-62e420820000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleNamelboi79\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleNamelboi79 
28d676f4-c9d3-465b-a7bf-b359b492f49d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:01:38.2323641Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a\",\"name\":\"5259fc88-ad43-4c0f-8712-e276f794f08a\",\"etag\":\"\\\"2e006233-0000-0100-0000-62e420a20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleNamegnwkmx\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleNamegnwkmx 
5259fc88-ad43-4c0f-8712-e276f794f08a\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:02:09.910605Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"name\":\"61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"etag\":\"\\\"2e009e33-0000-0100-0000-62e420c20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNamebokia1\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNamebokia1 
61843a21-8ee0-4c56-bb89-a4a9b306b43d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:02:41.434286Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac\",\"name\":\"c3f83b09-6bfc-4365-813e-56f9b186baac\",\"etag\":\"\\\"2e00b433-0000-0100-0000-62e420e20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleName9zg8ih\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleName9zg8ih 
c3f83b09-6bfc-4365-813e-56f9b186baac\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:03:12.6101396Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"name\":\"1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"etag\":\"\\\"2e00f133-0000-0100-0000-62e421000000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNametyup2k\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNametyup2k 
1190f2a9-3661-474d-8c8a-cc808bce7b2e\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:03:43.8469602Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/f853954a-a622-4649-b264-9a61959b4dc2\",\"name\":\"f853954a-a622-4649-b264-9a61959b4dc2\",\"etag\":\"\\\"2e002d3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0103126Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/4b9ab125-6c3f-49df-b2b8-eebddf99efc9\",\"name\":\"4b9ab125-6c3f-49df-b2b8-eebddf99efc9\",\"etag\":\"\\\"2e002e3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"trigge
rThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0284881Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/94982952-13e2-49ca-8d0f-bb27e3191be7\",\"name\":\"94982952-13e2-49ca-8d0f-bb27e3191be7\",\"etag\":\"\\\"2e002f3f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.027247Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/db311007-ed30-4aed-99bf-35424b5ac892\",\"name\":\"db311007-ed30-4aed-99bf-35424b5ac892\",\"etag\":\"\\\"2e00303f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThresho
ld\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0393593Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/e86cabea-c73d-4add-b229-32b2e1a70d14\",\"name\":\"e86cabea-c73d-4add-b229-32b2e1a70d14\",\"etag\":\"\\\"2e00313f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0327634Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/f85f5690-5b1a-466f-a277-88c3888dab5a\",\"name\":\"f85f5690-5b1a-466f-a277-88c3888dab5a\",\"etag\":\"\\\"2e00323f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\
":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.020468Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/18ed181f-e619-451e-bd0a-3e1bd6cc861e\",\"name\":\"18ed181f-e619-451e-bd0a-3e1bd6cc861e\",\"etag\":\"\\\"2e00333f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0201082Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/50552cfd-3606-4a5e-86b4-40b6529c0417\",\"name\":\"50552cfd-3606-4a5e-86b4-40b6529c0417\",\"etag\":\"\\\"2e00343f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"s
everity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0573302Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/3a63c6a2-7808-499d-bd4c-586968008fab\",\"name\":\"3a63c6a2-7808-499d-bd4c-586968008fab\",\"etag\":\"\\\"2e00353f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0160976Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/eb55a210-7f4a-4d1a-ad3c-de23c317f861\",\"name\":\"eb55a210-7f4a-4d1a-ad3c-de23c317f861\",\"etag\":\"\\\"2e00363f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":
0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0422492Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/63860588-b4ea-401b-917d-1a29e4d94f7d\",\"name\":\"63860588-b4ea-401b-917d-1a29e4d94f7d\",\"etag\":\"\\\"2e00373f-0000-0100-0000-62e427310000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:30:09.0521164Z\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion\",\"name\":\"BuiltInFusion\",\"etag\":\"\\\"0600a340-0000-0100-0000-62fbb75d0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Fusion\",\"properties\":{\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. 
By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to 
https://aka.ms/SentinelFusion.\",\"alertRuleTemplateName\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"severity\":\"High\",\"enabled\":true,\"lastModifiedUtc\":\"2022-08-16T15:27:25.3857989Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"name\":\"e1b7c244-83f3-4fbd-b2c9-d08eaa704a85\",\"etag\":\"\\\"0600dc40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT12H\",\"matchingMethod\":\"Selected\",\"groupByEntities\":[\"Account\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId__s\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Malicious Inbox Rule, affected user {{UserId__s}}\",\"alertDescriptionFormat\":null,\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\r\\nOfficeActivity_CL\\r\\n| where Operation_s =~ \\\"New-InboxRule\\\"\\r\\n| where 
Parameters_s has \\\"Deleted Items\\\" or Parameters_s has \\\"Junk Email\\\" \\r\\n| extend Events=todynamic(Parameters_s)\\r\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\r\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\r\\n| where SubjectContainsWords has_any (Keywords)\\r\\nor BodyContainsWords has_any (Keywords)\\r\\nor SubjectOrBodyContainsWords has_any (Keywords)\\r\\n| extend ClientIPAddress = case( ClientIP_s has \\\".\\\", tostring(split(ClientIP_s,\\\":\\\")[0]), ClientIP_s has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP_s,\\\"]\\\")[0]))), ClientIP_s )\\r\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\r\\n| extend RuleDetail = case(OfficeObjectId_s contains \u0027/\u0027 , tostring(split(OfficeObjectId_s, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId_s, \u0027\\\\\\\\\u0027)[-1]))\\r\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation_s, UserId__s, ClientIPAddress, ResultStatus_s, Keyword, OriginatingServer_s, OfficeObjectId_s, RuleDetail\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule - custom\",\"enabled\":true,\"description\":\"This rule is detecting on delete all traces of phishing email from user 
mailboxes\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:37:58.9257559Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\",\"name\":\"53274afe-2640-4c50-bd36-78c1c79f102c\",\"etag\":\"\\\"0600dd40-0000-0100-0000-62fbb9d90000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[\"IP\"],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Medium\",\"query\":\"SigninLogs_CL\\n | where ResultType == \\\"50057\\\" \\n | where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\n disabledAccountsTargeted = dcount(UserPrincipalName_s), applicationsTargeted = dcount(AppDisplayName_s), disabledAccountSet = makeset(UserPrincipalName_s), \\n applicationSet = makeset(AppDisplayName_s)\\n by IPAddress, Type\\n | order by disabledAccountLoginAttempts desc\\n | join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n SigninLogs_CL\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName_s), successfulAccountSigninSet = makeset(UserPrincipalName_s, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on IPAddress \\n | where successfulAccountSigninCount != 0\\n | project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\n successfulAccountSigninCount, successfulAccountSigninSet, Type\\n | order by disabledAccountLoginAttempts\\n | extend timestamp = StartTime, IPCustomEntity = IPAddress\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"enabled\":true,\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"alertRuleTemplateName\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.9088963Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"name\":\"05cd1abd-2426-4d7e-be8a-cda489ed9cce\",\"etag\":\"\\\"0600de40-0000-0100-0000-62fbb9da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":true,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AnyAlert\",\"groupByEntities\":[],\"groupByAlertDetails\":[],\"groupByCustomDetails\":[]}},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"High\",\"query\":\"let domains = 
dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(DnsEvents \\n | extend DNSName = Name\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = ClientIP\\n ),\\n(imDns \\n | where isnotempty(Query)\\n | where Query in~ (domains)\\n | extend DNSName = Query\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics\\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallDnsProxy\\\"\\n | parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". 
\\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n | where Request_Name has_any (domains) \\n | extend DNSName = Request_Name\\n | extend IPCustomEntity = ClientIP \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"enabled\":true,\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"alertRuleTemplateName\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"lastModifiedUtc\":\"2022-08-16T15:37:58.8992375Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr 
cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"name\":\"90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"etag\":\"\\\"0600e840-0000-0100-0000-62fbba370000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveAlertRule1qafoy\",\"enabled\":true,\"description\":\"RemoveAlertRule1qafoy 
90872ee6-8ed3-48b8-8e93-2bcb1aa6825d\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:33.5961847Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"name\":\"b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"etag\":\"\\\"0600ed40-0000-0100-0000-62fbba540000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule81exqs\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule81exqs 
b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:04.5582676Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"name\":\"e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"etag\":\"\\\"0600ef40-0000-0100-0000-62fbba750000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulejkg1z9\",\"enabled\":true,\"description\":\"UpdateAlertRulejkg1z9 
e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:36.025072Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/658a3691-0950-4176-bc12-e3e4d4b52335\",\"name\":\"658a3691-0950-4176-bc12-e3e4d4b52335\",\"etag\":\"\\\"0600f040-0000-0100-0000-62fbba950000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdAlertRuler0cz6k\",\"enabled\":true,\"description\":\"UpdateViaIdAlertRuler0cz6k 
658a3691-0950-4176-bc12-e3e4d4b52335\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:08.8217126Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"name\":\"3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"etag\":\"\\\"0600f440-0000-0100-0000-62fbbac10000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetalertRuleActionRuleName2iy1g6\",\"enabled\":true,\"description\":\"GetalertRuleActionRuleName2iy1g6 
3f8b701e-a084-40d7-8f4b-a6b1482e8cc2\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:41:52.5613781Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"name\":\"7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"etag\":\"\\\"0600f740-0000-0100-0000-62fbbae20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemovealertRuleActionRuleName1ui932\",\"enabled\":true,\"description\":\"RemovealertRuleActionRuleName1ui932 
7ebb90bb-a57a-42f6-8a23-a0393c176560\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:24.0884995Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61\",\"name\":\"e5a90aef-2e88-486c-a745-66f415230a61\",\"etag\":\"\\\"0600f840-0000-0100-0000-62fbbb000000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdalertRuleActionRuleNametq71f5\",\"enabled\":true,\"description\":\"RemoveViaIdalertRuleActionRuleNametq71f5 
e5a90aef-2e88-486c-a745-66f415230a61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:42:55.4746161Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"name\":\"f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"etag\":\"\\\"0600fc40-0000-0100-0000-62fbbb230000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdatealertRuleActionRuleNamehp3sur\",\"enabled\":true,\"description\":\"UpdatealertRuleActionRuleNamehp3sur 
f04b319e-dc64-427b-8640-eef21b6fb5cd\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:31.1186326Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"name\":\"90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"etag\":\"\\\"0600fd40-0000-0100-0000-62fbbb410000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx\",\"enabled\":true,\"description\":\"UpdateViaIdalertRuleActionRuleNameyb5ilx 
90b62f2e-9b96-4bfb-a82a-5ceed7cd487e\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:43:58.9931835Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"name\":\"3831a4ff-b6c9-413b-b1e1-6939da17f4b1\",\"etag\":\"\\\"06006541-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Intrusion Detection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| 
extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Intrusion Detection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6133876Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/278781f7-07bf-42e2-a02a-e5ab74e29991\",\"name\":\"278781f7-07bf-42e2-a02a-e5ab74e29991\",\"etag\":\"\\\"06006641-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"Greate
rThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Unified Communications \u0026 Collaboration\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) UCC Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6134901Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"name\":\"7cd85217-8d3b-4ec1-b99c-589a49c492db\",\"etag\":\"\\\"06006741-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Resiliency\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Resiliency Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6114797Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"name\":\"b96548d0-9060-4f75-8006-28e7b7af9ce6\",\"etag\":\"\\\"06006841-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\
":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027DNS\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) DNS Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6152038Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/6698a851-845e-4145-92c8-f6ec017454c6\",\"name\":\"6698a851-845e-4145-92c8-f6ec017454c6\",\"etag\":\"\\\"06006941-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Universal Security Capabilities\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend 
RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Universal Security Capabilities Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6243928Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"name\":\"abb6d8a7-279d-4e65-b104-c37bfdf7938a\",\"etag\":\"\\\"06006a41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperato
r\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Data Protection\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Data Protection Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176959Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"name\":\"31a2f4dd-07c5-4b59-b5f5-cdb3b96090f0\",\"etag\":\"\\\"06006b41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n| join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n| where Family == \u0027Enterprise\u0027\\n| summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n| extend SuccessRatePercentage = (Success * 100 / Assessments)\\n| extend FailedRatePercentage = (Failed * 100 / Assessments)\\n| extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n| project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n| where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n// | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n| where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n| sort by FailedRatePercentage desc\\n| limit 250\\n| extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Enterprise Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.618616Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"name\":\"0d6715bf-2e07-4317-8d34-ba4ec5c9e19b\",\"etag\":\"\\\"06006c41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"se
verity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Networking\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Networking Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6176672Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"name\":\"5004b7e9-d0d1-44da-ada0-a9937d21660d\",\"etag\":\"\\\"06006d41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Web\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Web Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6290249Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/1490edac-8296-457c-9acc-7ca5429e43cc\",\"name\":\"1490edac-8296-457c-9acc-7ca5429e43cc\",\"etag\":\"\\\"06006e41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"s
everity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Files\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Files Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold 
Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6495698Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"name\":\"108bf7e1-f705-4447-9a72-9bd6f510e1c1\",\"etag\":\"\\\"06006f41-0000-0100-0000-62fbc0640000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5M\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"severity\":\"Medium\",\"query\":\"let ZeroTrustTIC3Mapping = externaldata(RecommendationDisplayName:string,Capability:string,Family:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ZeroTrustTIC3Mapping.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityRecommendation\\n | join kind=rightouter ZeroTrustTIC3Mapping on RecommendationDisplayName\\n | where Family == \u0027Email\u0027\\n | summarize\\n Assessments = count(),\\n Success = countif(RecommendationState == \u0027Healthy\u0027 or RecommendationState == \u0027NotApplicable\u0027 or RecommendationState == \u0027Removed\u0027),\\n Failed = countif(RecommendationState == \u0027Unhealthy\u0027)\\n by Capability, Family, RecommendationDisplayName\\n | extend SuccessRatePercentage = (Success * 100 / Assessments)\\n | extend FailedRatePercentage = (Failed * 100 / Assessments)\\n | extend RemediationLink = 
strcat(\u0027https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22\u0027)\\n | project\\n Capability,\\n Family,\\n RecommendationDisplayName,\\n Assessments,\\n SuccessRatePercentage,\\n FailedRatePercentage,\\n RemediationLink\\n | where RecommendationDisplayName \u003c\u003e \u0027\u0027\\n // | where RecommendationName \u003c\u003e \u0027\u0027 //Filter Out or Suppress Recommendations\\n | where FailedRatePercentage \u003e 30 //Adjust Either FailedRatePercentage or PasedRatePercentage Thresholds within Organizational Needs\\n | sort by FailedRatePercentage desc\\n | limit 250\\n | extend URLCustomEntity = RemediationLink\\n\",\"suppressionDuration\":\"PT1H\",\"suppressionEnabled\":false,\"tactics\":[\"Discovery\"],\"displayName\":\"(Preview) ZeroTrust(TIC3.0) Email Control Family Monitoring\",\"enabled\":false,\"description\":\"Zero Trust(TIC3.0) Control Assessments have Deviated from Configured Threshold Baselines\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:05:56.6572279Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "161" ], - "x-ms-client-request-id": [ "b918c4ea-1d34-4df3-8d46-38f0b5a10980" ], + "x-ms-unique-id": [ "159" ], + "x-ms-client-request-id": [ "89157eb4-2bb8-4bbc-8e43-37e7b1c35ea8" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11998" ], - "x-ms-request-id": [ "243a9296-2bd5-42cc-9606-b3e409477c5d" ], - "x-ms-correlation-request-id": [ "243a9296-2bd5-42cc-9606-b3e409477c5d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183054Z:243a9296-2bd5-42cc-9606-b3e409477c5d" ], + "x-ms-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], + "x-ms-correlation-request-id": [ "3cd67556-d70f-4081-afea-78635515fd98" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:3cd67556-d70f-4081-afea-78635515fd98" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:54 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1163" ], + "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "162" ], - "x-ms-client-request-id": [ "0336978f-33f7-41c4-8d10-51813f53ecf3" ], + "x-ms-unique-id": [ "160" ], + "x-ms-client-request-id": [ "57fe5617-25f0-498b-9598-335f6820bfbd" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11997" ], - "x-ms-request-id": [ "ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], - "x-ms-correlation-request-id": [ "ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183055Z:ca23a09a-fe15-4551-982f-ef0fc5f4c0a3" ], + "x-ms-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], + "x-ms-correlation-request-id": [ "ba7e2f26-7053-435a-8920-aec03f410ba1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:ba7e2f26-7053-435a-8920-aec03f410ba1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:55 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1163" ], + "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelAlertRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "163" ], - "x-ms-client-request-id": [ "03b3eabc-e48c-4348-9e95-93405cfbaf4c" ], + "x-ms-unique-id": [ "161" ], + "x-ms-client-request-id": [ "5a43283e-69d6-4a20-ba0d-f07003ca6f47" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11996" ], - "x-ms-request-id": [ "db665301-df9b-4443-86be-83cbb893a625" ], - "x-ms-correlation-request-id": [ "db665301-df9b-4443-86be-83cbb893a625" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183055Z:db665301-df9b-4443-86be-83cbb893a625" ], + "x-ms-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], + "x-ms-correlation-request-id": [ "bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160648Z:bf74d2e9-1095-4dd0-a3ba-4a4b537ec3d2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:55 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1163" ], + "Content-Length": [ "1164" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"name\":\"a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"etag\":\"\\\"2e00c932-0000-0100-0000-62e41fe50000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRuler93k8j\",\"enabled\":true,\"description\":\"GetAlertRuler93k8j a7f0377a-a2ab-4a1c-9103-f59066cc6c61\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T17:59:00.587924Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/cab7d557-3de0-4043-8dd4-b83629755ab8\",\"name\":\"cab7d557-3de0-4043-8dd4-b83629755ab8\",\"etag\":\"\\\"0600e240-0000-0100-0000-62fbba160000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"GetAlertRulem37adr\",\"enabled\":true,\"description\":\"GetAlertRulem37adr cab7d557-3de0-4043-8dd4-b83629755ab8\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:39:02.3687256Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json index 6695d1502b58..307b14bb07f3 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleAction.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "164" ], - "x-ms-client-request-id": [ "c0742a2a-be53-428b-98ad-f18e0e632440" ], + "x-ms-unique-id": [ "162" ], + "x-ms-client-request-id": [ "8494de4a-516c-4699-aebf-1c93f5dcea30" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11995" ], - "x-ms-request-id": [ "d360651f-48c4-4fb3-93b0-9bb178c856ea" ], - "x-ms-correlation-request-id": [ "d360651f-48c4-4fb3-93b0-9bb178c856ea" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183057Z:d360651f-48c4-4fb3-93b0-9bb178c856ea" ], + "x-ms-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], + "x-ms-correlation-request-id": [ "98093655-efb4-4e46-86da-8b781f774b96" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160649Z:98093655-efb4-4e46-86da-8b781f774b96" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:57 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "727" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_28d676f4-c9d3-465b-a7bf-b359b492f49d_fbc77ebc-03d2-4653-a435-f072687e1b97/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_3f8b701e-a084-40d7-8f4b-a6b1482e8cc2_0ad3cc1a-0d2e-44cc-854a-f5fa08f86098/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "165" ], - "x-ms-client-request-id": [ "8fa9cfef-bc43-4f51-a2ce-d2252dec975e" ], + "x-ms-unique-id": [ "163" ], + "x-ms-client-request-id": [ "651ca8ac-2c3e-400c-aa30-bbd0ce40243c" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11994" ], - "x-ms-request-id": [ "dfb30144-8f40-4229-9219-7d31877fec92" ], - "x-ms-correlation-request-id": [ "dfb30144-8f40-4229-9219-7d31877fec92" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183058Z:dfb30144-8f40-4229-9219-7d31877fec92" ], + "x-ms-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], + "x-ms-correlation-request-id": [ "2f9af32a-eb7e-48c8-88b9-174412d69a51" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:2f9af32a-eb7e-48c8-88b9-174412d69a51" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:57 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "166" ], - "x-ms-client-request-id": [ "8db94fbd-9c5f-447f-94f7-ea99127a5332" ], + "x-ms-unique-id": [ "164" ], + "x-ms-client-request-id": [ "6c64fdd3-d417-4739-9659-000c9bcbde9a" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11993" ], - "x-ms-request-id": [ "c059db10-ca12-4241-b1af-688bd1bd8fa4" ], - "x-ms-correlation-request-id": [ "c059db10-ca12-4241-b1af-688bd1bd8fa4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183058Z:c059db10-ca12-4241-b1af-688bd1bd8fa4" ], + "x-ms-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], + "x-ms-correlation-request-id": [ "09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160650Z:09604d7f-6625-4b3c-ad7c-6732ea0531d6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:58 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:49 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleAction+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "167" ], - "x-ms-client-request-id": [ "1582a96b-eacf-4154-9481-65ec0e9f2e84" ], + "x-ms-unique-id": [ "165" ], + "x-ms-client-request-id": [ "d431e921-8af6-4b0b-a0f0-00e8a6b50c9d" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11992" ], - "x-ms-request-id": [ "5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], - "x-ms-correlation-request-id": [ "5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183059Z:5fb320e0-7619-455c-ac4a-6c9dac2dbdd7" ], + "x-ms-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], + "x-ms-correlation-request-id": [ "146450f1-0e8c-41de-98c4-b269dd19a83b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160651Z:146450f1-0e8c-41de-98c4-b269dd19a83b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:30:59 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:51 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/28d676f4-c9d3-465b-a7bf-b359b492f49d/actions/fbc77ebc-03d2-4653-a435-f072687e1b97\",\"name\":\"fbc77ebc-03d2-4653-a435-f072687e1b97\",\"etag\":\"\\\"8a006da2-0000-0300-0000-62e420830000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/3f8b701e-a084-40d7-8f4b-a6b1482e8cc2/actions/0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"name\":\"0ad3cc1a-0d2e-44cc-854a-f5fa08f86098\",\"etag\":\"\\\"be015f15-0000-0300-0000-62fbbac20000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json index 2139a200ad90..0ac55c4ea51d 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAlertRuleTemplate.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "168" ], - "x-ms-client-request-id": [ "17411f3f-de7a-4ff4-be17-0d9be09c15e3" ], + "x-ms-unique-id": [ "166" ], + "x-ms-client-request-id": [ "afd845c9-c2b2-4d8e-a1b5-c47350b52f42" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11991" ], - "x-ms-request-id": [ "d484073f-f9f4-420e-ac21-638aa4bd8515" ], - "x-ms-correlation-request-id": [ "d484073f-f9f4-420e-ac21-638aa4bd8515" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183101Z:d484073f-f9f4-420e-ac21-638aa4bd8515" ], + "x-ms-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], + "x-ms-correlation-request-id": [ "68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160652Z:68c6970a-ff2b-40ee-8f4d-f9bbe6a5eafa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:01 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:52 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1418736" ], + "Content-Length": [ "1435342" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill 
chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend 
KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.
OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = 
iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), 
DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint 
(formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = 
AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where 
isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", 
\\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and 
isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, 
event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = 
\\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend 
TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType 
=~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", 
\\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "169" ], - "x-ms-client-request-id": [ "5b92aa6d-da0f-4b1d-9b90-36cad7f5979f" ], + "x-ms-unique-id": [ "167" ], + "x-ms-client-request-id": [ "50570555-a2dc-4673-82d4-63bb14c21c38" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ 
"Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11990" ], - "x-ms-request-id": [ "f00eebfd-9c8d-4b60-96d5-c24811810852" ], - "x-ms-correlation-request-id": [ "f00eebfd-9c8d-4b60-96d5-c24811810852" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183106Z:f00eebfd-9c8d-4b60-96d5-c24811810852" ], + "x-ms-request-id": [ "01b797f8-b581-4872-9e02-52a84481e967" ], + "x-ms-correlation-request-id": [ "01b797f8-b581-4872-9e02-52a84481e967" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160654Z:01b797f8-b581-4872-9e02-52a84481e967" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:06 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:54 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1418736" ], + "Content-Length": [ "1435342" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill 
chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend 
KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.
OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = 
iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), 
DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint 
(formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = 
AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where 
isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", 
\\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and 
isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, 
event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = 
\\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend 
TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType 
=~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", 
\\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "170" ], - "x-ms-client-request-id": [ "f5e86cbc-d63a-4b6e-97dd-d0b6a31e1f05" ], + "x-ms-unique-id": [ "168" ], + "x-ms-client-request-id": [ "5609626e-44f8-485e-b5cd-a13100ca8b03" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], 
"FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11989" ], - "x-ms-request-id": [ "18e918a8-1c4d-4650-b7f5-c4b301a42804" ], - "x-ms-correlation-request-id": [ "18e918a8-1c4d-4650-b7f5-c4b301a42804" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183111Z:18e918a8-1c4d-4650-b7f5-c4b301a42804" ], + "x-ms-request-id": [ "320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], + "x-ms-correlation-request-id": [ "320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160656Z:320a13c5-e8eb-4f49-80f0-4a59a4eea2df" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:10 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:56 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1418736" ], + "Content-Length": [ "1435342" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the 
kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend 
KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.
OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), 
Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = 
HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent 
has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ 
\u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 
14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend 
recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and 
result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = 
strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a 
security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = 
SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType =~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global 
group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", 
\\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/57c7e832-64eb-411f-8928-4133f01f4a25\",\"name\":\"57c7e832-64eb-411f-8928-4133f01f4a25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where ResourceType =~ \\\"VAULTS\\\"\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where KeyVaultEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\n| extend timestamp = KeyVaultEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure Key Vault logs\",\"description\":\"Identifies a match in Azure Key Vault logsfrom any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f948a32f-226c-4116-bddd-d95e91d97eb9\",\"name\":\"f948a32f-226c-4116-bddd-d95e91d97eb9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"mailboxsettings\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"contacts.read\\\" and ConsentFull contains \\\"user.read\\\" and 
ConsentFull contains \\\"mail.read\\\" and ConsentFull contains \\\"notes.read.all\\\" and ConsentFull contains \\\"mailboxsettings.readwrite\\\" and ConsentFull contains \\\"Files.ReadWrite.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project 
GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to O365 Attack Toolkit\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"name\":\"a3c144f9-8051-47d4-ac29-ffb0c312c910\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nDeviceFileEvents\\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = 
MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"name\":\"87210ca1-49a4-4a7d-bb4a-4988752f978c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\\n// On the downloads 
page, click the \u0027details\u0027 button, and then replace just the filename in the URL below\\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\\n[\\\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20220321.json\\\"]\\nwith(format=\u0027multijson\u0027)\\n| mv-expand values\\n| mv-expand values.properties.addressPrefixes\\n| mv-expand values_properties_addressPrefixes\\n| summarize by tostring(values_properties_addressPrefixes);\\nSigninLogs\\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\\n| where AppDisplayName =~ \\\"Azure Portal\\\"\\n// Only get logons where the IP address is in an Azure range\\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\\n// Limit to where the user is external to the tenant\\n| where HomeTenantId != ResourceTenantId\\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\\n| where ResourceTenantId == AADTenantId\\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Portal Signin from another Azure Tenant\",\"description\":\"This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\\n and the IP address the login attempt is from is an Azure IP. 
A threat actor who compromises an Azure tenant may look\\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.\",\"lastUpdatedDateUTC\":\"2022-03-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"name\":\"29a29e5d-354e-4f5e-8321-8b39d25047bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", \\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nimFileEvent\\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and 
(ActingProcessSHA256 has_any (FileHash2)))\\n// Increase risk score if recent alerts for the host\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021 (ASIM Version)\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"name\":\"0dd2a343-4bf9-4c93-a547-adf3658ddaec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n imProcess\\n // Change these values if adjusting Query Frequency or Query Period\\n | where TimeGenerated \u003e ago(1d)\\n | where Process has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DvcHostname\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies (ASIM Version)\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\n A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\\n This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/871ba14c-88ef-48aa-ad38-810f26760ca3\",\"name\":\"871ba14c-88ef-48aa-ad38-810f26760ca3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1d;\\nlet queryperiod = 7d;\\nOfficeActivity\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n//| where Operation in (\\\"Set-Mailbox\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\")\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, 
columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1 and EndTime \u003e ago(queryfrequency)\\n| mv-expand UserId to typeof(string)\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. 
\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"name\":\"a6c435a2-b1a0-466d-b730-9f8af69262e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT20M\",\"queryPeriod\":\"PT20M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 10;\\nlet successCountThreshold = 1;\\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \\nimAuthentication\\n| summarize \\n StartTime = min(TimeGenerated), \\n EndTime = max(TimeGenerated), \\n IpAddresses = make_set (SrcDvcIpAddr, 100),\\n ReportedBy = make_set (strcat (EventVendor, \\\"/\\\", EventProduct), 100),\\n FailureCount = countif(EventResult==\u0027Failure\u0027),\\n SuccessCount = countif(EventResult==\u0027Success\u0027)\\n by \\n TargetUserId, TargetUsername, TargetUserType \\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| extend\\n IpAddresses = strcat_array(IpAddresses, \\\", \\\"), \\n ReportedBy = strcat_array(ReportedBy, \\\", 
\\\")\",\"customDetails\":{\"IpAddresses\":\"IpAddresses\",\"ReportedBy\":\"ReportedBy\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUsername\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against user credentials (Uses Authentication Normalization)\",\"description\":\"Identifies evidence of brute force activity against a user based on multiple authentication failures \\nand at least one successful authentication within a given time window. Note that the query does not enforce any sequence,\\nand does not require the successful authentication to occur last.\\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"name\":\"bb8a3481-dd14-4e76-8dcc-bbec8776d695\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let DomainNames = dynamic([\u0027onetechcompany.com\u0027, \u0027reyweb.com\u0027, \u0027srfnetwork.org\u0027, \u0027sense4baby.fr\u0027, \u0027nikeoutletinc.org\u0027, \u0027megatoolkit.com\u0027]);\\nlet IPList = dynamic([\u0027185.225.69.69\u0027]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union 
isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (DomainNames), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, 
\\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NOBELIUM - Domain and IP IOCs - March 2021\",\"description\":\"Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\\n References: 
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"name\":\"f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"// Replace these with the username or emails of your VIP users you wish to monitor for.\\nlet vips = 
dynamic([\u0027vip1@email.com\u0027,\u0027vip2@email.com\u0027]);\\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\\nlet allowed_users = dynamic([]);\\nLAQueryLogs\\n| where QueryText has_any (vips) or QueryText has_any (\u0027_GetWatchlist(\\\"VIPUsers\\\")\u0027, \\\"_GetWatchlist(\u0027VIPUsers\u0027)\\\")\\n| where AADEmail !in (allowed_users)\\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"RequestTarget\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Users searching for VIP user activity\",\"description\":\"This query monitors for users running Log Analytics queries that contain filters\\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\\nUse this detection to alert for users specifically searching for activity of sensitive users.\",\"lastUpdatedDateUTC\":\"2021-11-11T00:00:00Z\",\"createdDateUTC\":\"2020-09-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af\",\"name\":\"62085097-d113-459f-9ea7-30216f2ee6af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 3d;\\nlet SecEvents = materialize ( SecurityEvent | 
where TimeGenerated \u003e= ago(starttime)\\n| where EventID in (4722,4723) | where TargetUserName !endswith \\\"$\\\"\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\\nlet userEnable = SecEvents\\n| extend EventID4722Time = TimeGenerated\\n// 4722: User Account Enabled\\n| where EventID == 4722\\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\\nlet userPwdSet = SecEvents\\n// 4723: Attempt made by user to set password\\n| where EventID == 4723\\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\\n| extend PasswordSetAttemptDelta_Min = datetime_diff(\u0027minute\u0027, Time_Event4723, Time_Event4722)\\n| where PasswordSetAttemptDelta_Min \u003e 2880 or isempty(PasswordSetAttemptDelta_Min)\\n| project-away TargetAccount1, TargetSid1\\n| extend Reason = @\\\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\\\"\\n| order by Time_Event4722 asc \\n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD user enabled and password not set within 48 
hours\",\"description\":\"Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \\nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \\nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\\nIt is recommended that this time period is adjusted per your internal company policy.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f9949656-473f-4503-bf43-a9d9890f7d08\",\"name\":\"f9949656-473f-4503-bf43-a9d9890f7d08\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is 
potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AppServiceHTTPLogs | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(CIp)\\n | extend WebApp = split(_ResourceId, \u0027/\u0027)[8]\\n // renaming time column so it is clear the log this came from\\n | extend AppService_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CIp\\n| where AppService_TimeGenerated \u003c ExpirationDateTime\\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \\nWebApp = split(_ResourceId, \u0027/\u0027)[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = Url, HostCustomEntity = 
CsHost\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"_ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AppServiceHTTPLogs\",\"description\":\"Identifies a match in AppServiceHTTPLogs from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"name\":\"f8b3c49c-4087-499b-920f-0dcfaff0cbca\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n | where isnotempty(Process)\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n | extend 
timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines (Normalized Process Events)\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"name\":\"c3e5dbaa-a540-408c-8b36-68bdfb3df088\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID==4688\\n | where isnotempty(CommandLine)\\n | where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0433c8a3-9aa6-4577-beef-2ea23be41137\",\"name\":\"0433c8a3-9aa6-4577-beef-2ea23be41137\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | where TimeGenerated \u003e ago(2d)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName has \\\"Add eligible member\\\"\\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\\n | extend Group = tostring(TargetResources[0].displayName)\\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\\n | mv-expand mod_props\\n | where mod_props.displayName == \\\"Role.DisplayName\\\"\\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, 
AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Account Permissions Changed\",\"description\":\"Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\\nReview any modifications to ensure they were made legitimately.\\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79566f41-df67-4e10-a703-c38a6213afd8\",\"name\":\"79566f41-df67-4e10-a703-c38a6213afd8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = 
TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, 
AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66276b14-32c5-4226-88e3-080dacc31ce1\",\"name\":\"66276b14-32c5-4226-88e3-080dacc31ce1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet AccountAllowList = dynamic([\u0027SYSTEM\u0027]);\\nlet SubCategoryList = dynamic([\\\"Logoff\\\", \\\"Account Lockout\\\", \\\"User Account Management\\\", \\\"Authorization Policy Change\\\"]); // Add any Category in the list to be allowed or disallowed\\nlet tokens = dynamic([\\\"clear\\\", \\\"remove\\\", \\\"success:disable\\\",\\\"failure:disable\\\"]); \\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n//| where Process =~ \\\"auditpol.exe\\\" \\n| where CommandLine has_any (tokens)\\n| where AccountType !~ \\\"Machine\\\" and Account !in~ (AccountAllowList)\\n| parse CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to 
exclude certain toggles\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n// | where InitiatingProcessFileName =~ \\\"auditpol.exe\\\" \\n| where InitiatingProcessCommandLine has_any (tokens)\\n| where AccountName !in~ (AccountAllowList)\\n| parse InitiatingProcessCommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n// | where OriginalFileName =~ \\\"auditpol.exe\\\"\\n| where CommandLine has_any (tokens)\\n| where User !in~ (AccountAllowList)\\n| parse 
CommandLine with * \\\"/subcategory:\\\" subcategorytoken\\n| extend SubCategory = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[1]) , Toggle = tostring(split(subcategorytoken, \\\"\\\\\\\"\\\")[2])\\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\\n| where Toggle !in~ (\\\"/failure:disable\\\", \\\" /success:enable /failure:disable\\\") // use this filter if required to exclude certain toggles\\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Audit policy manipulation using auditpol utility\",\"description\":\"This detects attempt to manipulate audit policies using auditpol command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \\nif the results show unrelated false positives, users may want to uncomment it.\\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \\nRefer to our M365 blog for details on use during the Solorigate attack:\\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"name\":\"18e6a87e-9d06-4a4e-8b59-3469cd49552d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where ObjectServer == \u0027DS\u0027\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount\\n),\\n( WindowsEvent \\n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \\n| where EventData has_all(\u0027Object Access\u0027, \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027,\u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027) \\n| extend ObjectServer = tostring(EventData.ObjectServer)\\n| where ObjectServer == \u0027DS\u0027\\n| extend OperationType = tostring(EventData.OperationType)\\n| where OperationType == \u0027Object Access\u0027\\n//| where ObjectName contains \u0027\u003cGUID of ADFS Policy Store DKM Group object\u0027 This is unique to the domain. 
Check description for more details.\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType contains \u00275cb41ed0-0e4c-11d0-a286-00aa003049e2\u0027 // Contact Class\\n| extend Properties = tostring(EventData.Properties)\\n| where Properties contains \u00278d3bca50-1d7e-11d0-a081-00aa006c33ed\u0027 // Picture Attribute - Ldap-Display-Name: thumbnailPhoto\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend \\n timestamp = TimeGenerated,\\n HostCustomEntity = Computer,\\n AccountCustomEntity = SubjectAccount\\n),\\n(DeviceEvents\\n| where ActionType =~ \\\"LdapSearch\\\"\\n| where AdditionalFields.AttributeList contains \\\"thumbnailPhoto\\\"\\n| where AdditionalFields.DistinguishedName contains \\\"CN=ADFS,CN=Microsoft,CN=Program Data\\\" // Filter results to show only hits related to the ADFS AD container\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS DKM Master Key Export\",\"description\":\"Identifies an export of the ADFS DKM Master Key from Active Directory.\\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to 
this:\\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\\nhttps://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2391ce61-8c8d-41ac-9723-d945b2e90720\",\"name\":\"2391ce61-8c8d-41ac-9723-d945b2e90720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 0.333;\\nlet countlimit = 50;\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4625 and AccountType =~ \\\"User\\\"\\n| where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\\n| join kind=leftouter (\\n SecurityEvent \\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n | where EventID == 4625 and AccountType =~ \\\"User\\\"\\n | where IpAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\\n| where CountToday \u003e= coalesce(CountPrev7day,0)*threshold and CountToday \u003e= countlimit\\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\\n| extend Reason = case(\\nSubStatus =~ \u00270xC000005E\u0027, \u0027There are currently no logon servers available to service the logon request.\u0027,\\nSubStatus =~ \u00270xC0000064\u0027, \u0027User logon with misspelled or bad user account\u0027,\\nSubStatus =~ \u00270xC000006A\u0027, \u0027User logon with misspelled or bad password\u0027, \\nSubStatus =~ \u00270xC000006D\u0027, \u0027Bad user name or password\u0027,\\nSubStatus =~ \u00270xC000006E\u0027, \u0027Unknown user name or bad password\u0027,\\nSubStatus =~ \u00270xC000006F\u0027, \u0027User logon outside authorized hours\u0027,\\nSubStatus =~ \u00270xC0000070\u0027, \u0027User logon from unauthorized workstation\u0027,\\nSubStatus =~ \u00270xC0000071\u0027, \u0027User logon with expired password\u0027,\\nSubStatus =~ \u00270xC0000072\u0027, \u0027User logon to account disabled by administrator\u0027,\\nSubStatus =~ \u00270xC00000DC\u0027, \u0027Indicates the Sam Server was in the wrong state to perform the desired operation\u0027, \\nSubStatus =~ \u00270xC0000133\u0027, \u0027Clocks between DC and other computer too far out of sync\u0027,\\nSubStatus =~ \u00270xC000015B\u0027, \u0027The user has not been granted the requested logon type (aka logon right) at this machine\u0027,\\nSubStatus =~ \u00270xC000018C\u0027, \u0027The logon request failed because the trust relationship between the primary domain and the trusted 
domain failed\u0027,\\nSubStatus =~ \u00270xC0000192\u0027, \u0027An attempt was made to logon, but the Netlogon service was not started\u0027,\\nSubStatus =~ \u00270xC0000193\u0027, \u0027User logon with expired account\u0027,\\nSubStatus =~ \u00270xC0000224\u0027, \u0027User is required to change password at next logon\u0027,\\nSubStatus =~ \u00270xC0000225\u0027, \u0027Evidently a bug in Windows and not a risk\u0027,\\nSubStatus =~ \u00270xC0000234\u0027, \u0027User logon with account locked\u0027,\\nSubStatus =~ \u00270xC00002EE\u0027, \u0027Failure Reason: An Error occurred during Logon\u0027,\\nSubStatus =~ \u00270xC0000413\u0027, \u0027Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\u0027,\\nstrcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend WorkstationName = iff(WorkstationName == \\\"-\\\" or isempty(WorkstationName), Computer , WorkstationName) \\n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \\nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\\n| order by sum_CountToday desc nulls last \\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = 
WorkstationName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Process\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Excessive Windows logon failures\",\"description\":\"User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"name\":\"56f3f35c-3aca-4437-a1fb-b7a84dc4af00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4657\\n | parse ObjectName with \\\"\\\\\\\\REGISTRY\\\\\\\\\\\" KeyPrefix \\\"\\\\\\\\\\\" RegistryKey\\n | project-reorder RegistryKey\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (\\n SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith 
\\\"cmd.exe\\\" or ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b93c5af-d20b-4236-b696-a28b8c51407f\",\"name\":\"4b93c5af-d20b-4236-b696-a28b8c51407f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n (union isfuzzy=true\\n (SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| where AccountType =~ \\\"User\\\"\\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, 
UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was created\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4720 - A user account was created.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid \\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n | where EventID == 4726\\n| where AccountType == \\\"User\\\"\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \\nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n // A user account was deleted\\n| where EventID == 4726\\n| extend 
SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4726 - A user account was deleted.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, AccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where deletionTime - creationTime \u003c spanoftime\\n| extend TimeDelta = deletionTime - creationTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = 
Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToCreate\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account created and deleted within 10 mins\",\"description\":\"Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7feb859-f03e-4e8d-8b21-617be0213b13\",\"name\":\"d7feb859-f03e-4e8d-8b21-617be0213b13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n AuditLogs\\n | where OperationName =~ \\\"Admin registered security info\\\"\\n | where ResultReason =~ \\\"Admin registered temporary access pass method for user\\\"\\n | extend userPrincipalName = 
tostring(TargetResources[0].userPrincipalName)\\n | where tolower(userPrincipalName) in (admin_users)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Addition of a Temporary Access Pass to a Privileged Account\",\"description\":\"Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\\n A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\\n A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\\n Review any TAP creations to ensure they were used legitimately.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1399664f-9434-497c-9cde-42e4d74ae20e\",\"name\":\"1399664f-9434-497c-9cde-42e4d74ae20e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Impossible 
travel activity\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| project TimeGenerated,Account,IpAddress,CompromisedEntity,Description,ProviderName,ResourceId\\n| join kind=inner\\n(\\nOfficeActivity\\n| where Operation =~ \\\"Add-MailboxPermission\\\"\\n| extend value = tostring(parse_json(Parameters)[3].Value)\\n| where value contains \\\"FullAccess\\\"\\n| where ResultStatus == \\\"True\\\"\\n| project Parameters,TimeGenerated,value,RecordType,Operation,OrganizationId,UserType,UserKey,OfficeWorkload,ResultStatus,OfficeObjectId,UserId,ClientIP,ExternalAccess,OriginatingServer,OrganizationName,TenantId,ElevationTime,SourceSystem,OfficeId,OfficeTenantId,Type,SourceRecordId\\n) on $left.Account == $right.UserId\\n| join kind=inner\\n(\\nAuditLogs\\n| where ActivityDisplayName =~ \\\"Add eligible member to role in PIM requested (timebound)\\\"\\n| where AADOperationType =~ \\\"CreateRequestEligibleRole\\\"\\n| where TargetResources has_any (\\\"-PRIV\\\", \\\"Administrator\\\", \\\"Security\\\")\\n| extend BuiltinRole = tostring(parse_json(TargetResources[0].displayName))\\n| extend CustomGroup = tostring(parse_json(TargetResources[3].displayName))\\n| extend TargetAccount = 
tostring(parse_json(TargetResources[2].displayName))\\n| extend Initiatedby = Identity\\n| project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id\\n| sort by TimeGenerated desc\\n) on $left.UserId == $right.Initiatedby\\n| project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"Detecting Impossible travel with mailbox permission tampering \u0026 Privilege Escalation attempt\",\"description\":\"This hunting query will alert on any Impossible travel activity in correlation with mailbox permission tampering followed by account being added to a PIM managed privileged group.\\nEnsure this impossible travel incident with increase of privileges is legitimate in your environment.\",\"lastUpdatedDateUTC\":\"2022-02-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"name\":\"4f19d4e3-ec5f-4abc-9e61-819eb131758c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([ \\\"AuthorizeSecurityGroupEgress\\\", \\\"AuthorizeSecurityGroupIngress\\\", \\\"RevokeSecurityGroupEgress\\\", \\\"RevokeSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Security Group ingress and egress settings\",\"description\":\"A Security Group acts as a virtual firewall of an 
instance to control inbound and outbound traffic. \\n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"name\":\"0914adab-90b5-47a3-a79f-7cdcac843aa7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\nlet Allowedappid = dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nlet TimeSeriesData = AzureDiagnostics\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| where baseline \u003e baselinethreshold // Filtering low count events per baselinethreshold\\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated;\\n// Filter the alerts since specified 
timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(timeframe)\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList)\\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\\n) on 
Resource, TimeGenerated\\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure Key Vault access TimeSeries anomaly\",\"description\":\"Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\\nindication of adversary dumping credentials via automated methods. 
If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"name\":\"6a2e2ff4-5568-475e-bef2-b95f12b9367b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let FailureThreshold = 15;\\nimAuthentication\\n| where EventType== \u0027Logon\u0027 and EventResult== \u0027Failure\u0027\\n// reason: creds \\n| where EventResultDetails in (\u0027No such user or password\u0027, \u0027Incorrect password\u0027)\\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\\n , Users = make_set(TargetUserId,100) \\n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\\n| where UserCount \u003e FailureThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Password Spray Attack (Uses Authentication Normalization)\",\"description\":\"This query searches for failed attempts to log in from more than 15 various users 
within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"name\":\"a5b3429d-f1da-42b9-883c-327ecb7b91ff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert \\n| where AlertName == \\\"Sign-in from an infected device\\\"\\n| extend Extprop = parsejson(Entities)\\n| mv-expand Extprop\\n| extend Extprop = parsejson(Extprop)\\n| extend CmdLine = iff(Extprop[\u0027Type\u0027]==\\\"process\\\", Extprop[\u0027CommandLine\u0027], \u0027\u0027)\\n| extend File = iff(Extprop[\u0027Type\u0027]==\\\"file\\\", Extprop[\u0027Name\u0027], \u0027\u0027)\\n| extend Account = Extprop[\u0027Name\u0027]\\n| extend Domain = Extprop[\u0027UPNSuffix\u0027]\\n| extend Account = iif(isnotempty(Domain) and Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(strcat(Account, \\\"@\\\", Domain)), iif(Extprop[\u0027Type\u0027]==\\\"account\\\", tolower(Account), \\\"\\\"))\\n| extend IpAddress = iff(Extprop[\\\"Type\\\"] == \\\"ip\\\",Extprop[\u0027Address\u0027], \u0027\u0027)\\n| extend Process = iff(isnotempty(CmdLine), CmdLine, File)\\n| summarize count() by AlertName, AlertSeverity, CompromisedEntity, Account, IpAddress\\n| join kind=inner \\n(\\nAzureActivity\\n| where 
OperationNameValue hassuffix (\\\"/workspaces/computes/delete\\\")\\n| where ActivityStatusValue =~ \\\"Succeeded\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), OperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on $left. IpAddress == $right. CallerIpAddress\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Impact\"],\"displayName\":\"Workspace deletion attempt from an infected device\",\"description\":\"This hunting query will alert on any sign-ins from devices infected with malware in correlation with potential workspace deletion activity. 
\\nAttackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.\",\"lastUpdatedDateUTC\":\"2022-04-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert (IPC)\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"name\":\"8e267e91-6bda-4b3c-bf68-9f5cbdd103a3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\" \\n| extend EnforceLogin = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend EnforceLoginDomain = columnifexists(\\\"payload_object_settings_schedule_meeting_enfore_login_b\\\", \\\"\\\") \\n| extend GuestAlerts = columnifexists(\\\"payload_object_settings_in_meeting_alert_guest_join_b\\\", \\\"\\\") \\n| where EnforceLogin == \u0027false\u0027 or EnforceLoginDomain == \u0027false\u0027 or GuestAlerts == \u0027false\u0027 \\n| extend SettingChanged = case(EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027 and GuestAlerts == \u0027false\u0027, \\\"All settings changed\\\", \\n EnforceLogin == \u0027false\u0027 and EnforceLoginDomain == \u0027false\u0027, \\\"Enforced Logons and Restricted Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027 and 
GuestAlerts == \u0027false\u0027, \\\"Enforced Domains Changed\\\", \\n EnforceLoginDomain == \u0027false\u0027, \\\"Enfored Domains Changed\\\", \\n GuestAlerts == \u0027false\u0027, \\\"Guest Join Alerts Changed\\\", \\n EnforceLogin == \u0027false\u0027, \\\"Enforced Logins Changed\\\", \\n \\\"No Changes\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"External User Access Enabled\",\"description\":\"This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"name\":\"56b0a0cd-894e-4b38-a0a1-c41d9f96649a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 1h;\\nlet tls_ciphers = dynamic([\u0027RC4-SHA\u0027, \u0027DES-CBC3-SHA\u0027]);\\nProofpointPOD\\n| where EventType == \u0027message\u0027\\n| where TlsCipher in (tls_ciphers)\\n| extend IpCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"ProofpointPOD - Weak ciphers\",\"description\":\"Detects when weak TLS ciphers are 
used.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"name\":\"87890d78-3e05-43ec-9ab9-ba32f4e01250\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n 
//Extract domain patterns from message\\n | extend domain = todynamic(dynamic_to_json(extract_all(@\\\"(((xn--)?[a-z0-9\\\\-]+\\\\.)+([a-z]+|(xn--[a-z0-9]+)))\\\", dynamic([1]), tolower(Entities))))\\n | mv-expand domain\\n | extend domain = tostring(domain[0])\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities)\\n | mv-apply EntitiesDynamicArray on\\n (summarize\\n HostName = take_anyif(tostring(EntitiesDynamicArray.HostName), EntitiesDynamicArray.Type == \\\"host\\\"),\\n IP_addr = take_anyif(tostring(EntitiesDynamicArray.Address), EntitiesDynamicArray.Type == \\\"ip\\\")\\n )\\n | extend Alert_TimeGenerated = TimeGenerated\\n | extend Alert_Description = Description\\n) on $left.DomainName==$right.domain\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url, Entities\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to 
SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"name\":\"88f453ff-7b9e-45bb-8c12-4058ca5e44ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = 
CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"name\":\"e1ce0eab-10d1-4aae-863f-9a383345ba88\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 15;\\nSyslog\\n| where SyslogMessage contains \\\"Failed password for invalid user\\\"\\n| where ProcessName =~ \\\"sshd\\\" \\n| parse kind=relaxed SyslogMessage with * \\\"invalid user\\\" user \\\" from \\\" ip \\\" port\\\" port \\\" ssh2\\\"\\n| project user, ip, port, SyslogMessage, 
EventTime\\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\\n| where PerHourCount \u003e threshold\\n| mvexpand EventTimes\\n| extend EventTimes = tostring(EventTimes) \\n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\\n| extend UserList = tostring(UserList) \\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SSH - Potential Brute Force\",\"description\":\"Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/55073036-bb86-47d3-a85a-b113ac3d9396\",\"name\":\"55073036-bb86-47d3-a85a-b113ac3d9396\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admins=(IdentityInfo\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let known_asns = (\\n SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admins)\\n | where AutonomousSystemNumber !in (known_asns)\\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IpAddress, AutonomousSystemNumber\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Privileged User Logon from new ASN\",\"description\":\"Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7b9df32-1367-402d-b385-882daf6e3020\",\"name\":\"a7b9df32-1367-402d-b385-882daf6e3020\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==10\\n| parse EventData with * \u0027TargetImage\\\"\u003e\u0027 TargetImage \\\"\u003c\\\" * 
\u0027GrantedAccess\\\"\u003e\u0027 GrantedAccess \\\"\u003c\\\" * \u0027CallTrace\\\"\u003e\u0027 CallTrace \\\"\u003c\\\" * \\n| where GrantedAccess == \\\"0x1FFFFF\\\" and TargetImage == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and CallTrace has_any (\\\"dbghelp.dll\\\",\\\"dbgcore.dll\\\")\\n| parse EventData with * \u0027SourceProcessGUID\\\"\u003e\u0027 SourceProcessGUID \\\"\u003c\\\" * \u0027SourceImage\\\"\u003e\u0027 SourceImage \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, SourceProcessGUID, SourceImage, GrantedAccess, TargetImage, CallTrace\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"SourceImage\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Dumping LSASS Process Into a File\",\"description\":\"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). \\nAfter a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. \\nThese credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material. 
\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\nRef: https://attack.mitre.org/techniques/T1003/001/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"name\":\"94749332-1ad9-49dd-a5ab-5ff2170788fc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 *\\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, 
DestinationIP, DNSName\\n| extend Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\\n),\\n(DnsEvents\\n| where Name in~ (domains)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DNSName = Name, Host = Computer , Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = EventDetail.[4].[\\\"#text\\\"]\\n| where Image has_any (file_path1) or Image has_any (file_path3)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = \u0027SOURGUM IOC detected\u0027\\n), \\n(DeviceNetworkEvents\\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and 
InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = \u0027SOURGUM IOC detected\u0027, UrlCustomEntity =RemoteUrl\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"]\\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source), Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = SHA256\\n),\\n(DeviceRegistryEvents\\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC 
detected\u0027\\n),\\n(DeviceProcessEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceFileEvents\\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = \u0027SOURGUM IOC detected\u0027\\n),\\n(DeviceEvents\\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has \u0027reg add\u0027 and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\\n| extend CommandLine = InitiatingProcessCommandLine, Alert = \u0027SOURGUM IOC detected\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceRegistryEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"d
ataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95407904-0131-4918-bc49-ebf282ce149a\",\"name\":\"95407904-0131-4918-bc49-ebf282ce149a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"135.125.147.170:80\\\",\\\"185.244.129.79:63047\\\",\\\"185.244.129.79:80\\\",\\\"45.80.149.108:63047\\\",\\\"45.80.149.108:80\\\",\\\"45.80.149.57:63047\\\",\\\"45.80.149.68:63047\\\",\\\"45.80.149.71:80\\\",\\\"185.244.129.109\\\",\\\"172.96.188.51\\\",\\\"51.83.246.73\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , 
IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known POLONIUM IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the POLONIUM activity group. 
\\n References: BLOGURL\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.
OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"name\":\"ed43bdb7-eaab-4ea4-be52-6951fcfa7e3b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 25; \\nlet TimeSeriesData = \\nAzureActivity \\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OperationNameValue endswith \\\"delete\\\" \\n| project TimeGenerated, Caller \\n| make-series Total = count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Caller; \\nlet TimeSeriesAlerts = materialize(TimeSeriesData \\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 3, -1, \u0027linefit\u0027) \\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long) \\n| where anomalies \u003e 0 \\n| project Caller, TimeGenerated, Total, baseline, anomalies, score \\n| where Total \u003e TotalEventsThreshold and baseline \u003e 0 ); \\nTimeSeriesAlerts \\n| where TimeGenerated \u003e (ago(endtime)) \\n| project TimeGenerated, Caller \\n| join (AzureActivity \\n| where TimeGenerated \u003e (ago(endtime)) \\n| where OperationNameValue endswith \\\"delete\\\" \\n| summarize count(), make_set(OperationNameValue), make_set(Resource) by bin(TimeGenerated, 1h), Caller) on TimeGenerated, Caller \\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
Caller\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Mass Cloud resource deletions Time Series Anomaly\",\"description\":\"This query generates baseline pattern of cloud resource deletions by an user and generated anomaly \\nwhen any unusual spike is detected.\\nThese anomalies from unusual or privileged users could be an indication of cloud infrastructure \\ntake-down by an adversary \",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6988c32-4f3b-4a45-8313-b46b33061a74\",\"name\":\"b6988c32-4f3b-4a45-8313-b46b33061a74\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ 
\\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT First access credential added to Application or Service Principal where no credential was 
present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-01T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"name\":\"fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let account_threshold = 5;\\nAADNonInteractiveUserSignInLogs\\n//| where ResultType == \\\"81016\\\"\\n| where ResultType startswith \\\"81\\\"\\n| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress) by ResultType\\n| where DistinctAccounts \u003e account_threshold\\n| mv-expand IPAddress = DistinctAddresses\\n| extend IPAddress = 
tostring(IPAddress)\\n| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress\\n| summarize\\n StartTime = min(TimeGenerated),\\n EndTime = max(TimeGenerated),\\n UserPrincipalName = make_set(UserPrincipalName),\\n UserAgent = make_set(UserAgent),\\n ResultDescription = take_any(ResultDescription),\\n ResultSignature = take_any(ResultSignature)\\n by IPAddress, Type, ResultType\\n| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD Seamless SSO\",\"description\":\"This query detects when there is a spike in Azure AD Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.\\nAzure AD only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing 
accounts.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/825991eb-ea39-4590-9de2-ee97ef42eb93\",\"name\":\"825991eb-ea39-4590-9de2-ee97ef42eb93\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or (ProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ProcessCommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ProcessCommandLine has (\u0027.wav\u0027) and ProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\nor (ProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, ActionType, 
DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath, ProcessId, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256, FileName\\n| extend Account = AccountName, Computer = DeviceName, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = FileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or (ActingProcessCommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and ActingProcessCommandLine has (\u0027/tr \\\"wscript.exe\u0027) and ActingProcessCommandLine has 
(\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (ActingProcessCommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and ActingProcessCommandLine has (\u0027.wav\u0027) and ActingProcessCommandLine has (\u0027//e:VBScript //b\u0027) \\n or (ActingProcessCommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = Hash\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or (CommandLine has (\u0027schtasks.exe /CREATE /sc minute /mo 12 /tn\u0027) and CommandLine has (\u0027/tr \\\"wscript.exe\u0027) and CommandLine has (\u0027\\\"%PUBLIC%\\\\\\\\Pictures\\\\\\\\\u0027) and CommandLine has (\u0027//e:VBScript //b\\\" /F\u0027)) or (CommandLine has (\u0027wscript.exe C:\\\\\\\\Users\\\\\\\\\u0027) and CommandLine has (\u0027.wav\u0027) and CommandLine has (\u0027//e:VBScript //b\u0027) or (CommandLine has_all (\\\"schtasks.exe\\\", \\\"create\\\", \\\"wscript\\\", \\\"e:vbscript\\\", \\\".wav\\\")))\\n| project TimeGenerated, 
EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DnsEvents\\n| where Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, File = ProcessName\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceNetworkEvents \\n| where isnotempty(RemoteUrl) \\n| where RemoteUrl in~ (domains) \\n| project Type, TimeGenerated, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessAccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, DNSName = RemoteUrl, IPCustomEntity = RemoteIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM Actor IOCs - Feb 2022\",\"description\":\"Identifies a match across various data feeds for domains, hashes and commands related to an actor tracked by Microsoft as 
Actinium.\",\"lastUpdatedDateUTC\":\"2022-03-09T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"name\":\"65360bb0-8986-4ade-a89d-af3cf44d28aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"CreateNetworkAclEntry\\\",\\\"CreateRoute\\\",\\\"CreateRouteTable\\\",\\\"CreateInternetGateway\\\",\\\"CreateNatGateway\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, 
SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"LateralMovement\"],\"displayName\":\"Changes to Amazon VPC settings\",\"description\":\"Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\\nin a virtual network that you define.\\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2eb15bd-8a88-4b24-9281-e133edfba315\",\"name\":\"f2eb15bd-8a88-4b24-9281-e133edfba315\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 
14d;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming time column so it is clear the log this came from\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\\n| project SigninLogs_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e715730-82c0-496c-983b-7a20c4590bd9\",\"name\":\"6e715730-82c0-496c-983b-7a20c4590bd9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let accountLookback = 3d;\\nlet requestLookback = 3d;\\nlet extraction_regex = @\\\"(?:\\\\?|\u0026)[a-zA-Z0-9\\\\%]*=([a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Collect account names and base64 encode them\\nDeviceEvents\\n| where TimeGenerated \u003e ago(accountLookback)\\n| summarize make_set(DeviceId), make_set(DeviceName) by InitiatingProcessAccountName\\n| where isnotempty(InitiatingProcessAccountName)\\n| extend base64_user = base64_encode_tostring(InitiatingProcessAccountName)\\n| join (\\n // Collect requests and extract base64 parameters\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(requestLookback)\\n | where isnotempty(RequestURL)\\n // Summarize early on the RequestURL\\n | summarize FirstRequest=min(TimeGenerated), LastRequest=max(TimeGenerated), NumberOfRequests=count() by RequestURL\\n | extend base64_candidate = extract_all(extraction_regex, 
RequestURL)\\n | mv-expand base64_candidate to typeof(string)\\n) on $left.base64_user == $right.base64_candidate\\n| project FirstRequest, LastRequest, NumberOfRequests, RequestURL, DeviceIds=set_DeviceId, DeviceNames=set_DeviceName, UserName=InitiatingProcessAccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Windows host username encoded in base64 web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table.\\nThis technique was seen usee by POLONIUM in their RunningRAT tool.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"name\":\"e4779bdc-397a-4b71-be28-59e6a1e1d16b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Gr
eaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ZoomLogs\\n| where Event =~ \\\"account.settings_updated\\\"\\n| extend NewE2ESetting = columnifexists(\\\"payload_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| extend OldE2ESetting = columnifexists(\\\"payload_old_object_settings_in_meeting_e2e_encryption_b\\\", \\\"\\\")\\n| where OldE2ESetting =~ \u0027false\u0027 and NewE2ESetting =~ \u0027true\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Discovery\"],\"displayName\":\"Zoom E2E Encryption Disabled\",\"description\":\"This alerts when end to end encryption is disabled for Zoom meetings.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"name\":\"194dd92e-d6e7-4249-85a5-273350a7f5ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\") \\n// Only admin or global-admin can disable audit logging\\n| where Operation =~ \\\"Set-AdminAuditLogConfig\\\" \\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\\n| where AdminAuditLogEnabledValue =~ \\\"False\\\" \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Exchange AuditLog disabled\",\"description\":\"Identifies when the exchange audit logging has been disabled which may be an adversary attempt\\nto evade detection or avoid other defenses.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/218f60de-c269-457a-b882-9966632b9dc6\",\"name\":\"218f60de-c269-457a-b882-9966632b9dc6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = 
tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\\n| where dcount_Target \u003e 9\\n| join kind=rightsemi (AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Bulk Changes to Privileged Account Permissions\",\"description\":\"Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. 
This setting could enable an attacker access to Azure subscriptions in your environment.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"name\":\"6e575295-a7e6-464c-8192-3e1d8fd6a990\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.1\",\"severity\":\"High\",\"query\":\"let IPList = externaldata(IPAddress:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//Network logs\\nlet CSlogSourceIP = CommonSecurityLog | summarize by IPAddress = SourceIP, Type;\\nlet CSlogDestIP = CommonSecurityLog | summarize by IPAddress = DestinationIP, Type;\\nlet CSlogMsgIP = CommonSecurityLog | extend MessageIP = extract(IPRegex, 0, Message) | summarize by IPAddress = MessageIP, Type;\\nlet DnsIP = DnsEvents | summarize by IPAddress = IPAddresses, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workspace, you can uncomment one or both below. 
Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let imDnsIP = imDns (response_has_any_prefix=IPList) | summarize by IPAddress = ResponseName, Type;\\n//let imNetSessIP = imNetworkSession (dstipaddr_has_any_prefix=IPList) | summarize by IPAddress = DstIpAddr, Type;\\n//Cloud service logs\\nlet officeIP = OfficeActivity | summarize by IPAddress = ClientIP, Type;\\nlet signinIP = SigninLogs | summarize by IPAddress, Type;\\nlet nonintSigninIP = AADNonInteractiveUserSignInLogs | summarize by IPAddress, Type;\\nlet azureActIP = AzureActivity | summarize by IPAddress = CallerIpAddress, Type;\\nlet awsCtIP = AWSCloudTrail | summarize by IPAddress = SourceIpAddress, Type;\\n//Device logs\\nlet vmConnSourceIP = VMConnection | summarize by IPAddress = SourceIp, Type;\\nlet vmConnDestIP = VMConnection | summarize by IPAddress = DestinationIp, Type;\\nlet iisLogIP = W3CIISLog | summarize by IPAddress = cIP, Type;\\nlet devNetIP = DeviceNetworkEvents | summarize by IPAddress = RemoteIP, Type;\\n//need to parse to get IP\\nlet azureDiagIP = AzureDiagnostics | where ResourceType == \\\"AZUREFIREWALLS\\\" | where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\") \\n| where msg_s has_any (IPList) | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action | summarize by IPAddress = DestinationHost, Type;\\nlet sysEvtIP = Event | where Source == \\\"Microsoft-Windows-Sysmon\\\" | where EventID == 3 | where EventData has_any (IPList) | extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) | extend IPAddress = iff(SourceIP in (IPList), SourceIP, DestinationIP) | summarize by IPAddress, Type;\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//let ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP, imDnsIP, imNetSessIP\\n// If you uncomment above, then comment out the line below\\nlet ipsort = union isfuzzy=true CSlogDestIP, CSlogMsgIP, CSlogSourceIP, DnsIP, officeIP, signinIP, nonintSigninIP, azureActIP, awsCtIP, vmConnDestIP, vmConnSourceIP, azureDiagIP, sysEvtIP\\n| summarize by IPAddress\\n| where isnotempty(IPAddress) | where not(ipv4_is_private(IPAddress)) and IPAddress !in (\u00270.0.0.0\u0027,\u0027127.0.0.1\u0027);\\nlet ipMatch = ipsort | where IPAddress in (IPList);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch) or Message has_any (ipMatch)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", MessageIP in (ipMatch), \\\"Message\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"No Match\\\")\\n),\\n(OfficeActivity\\n| where ClientIP in (ipMatch)\\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, Type\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(DnsEvents\\n| where IPAddresses has_any (ipMatch)\\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, Host = Computer\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (ipMatch) or DestinationIp in (ipMatch)\\n| project TimeGenerated, Computer, SourceIp, DestinationIp, Type\\n| extend IPMatch = case( SourceIp in (ipMatch), \\\"SourceIP\\\", DestinationIp in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| where EventData has_any (ipMatch)\\n| project TimeGenerated, EventData, UserName, Computer, Type\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"])\\n| where SourceIP in (ipMatch) or DestinationIP in (ipMatch)\\n| extend IPMatch = case( SourceIP in (ipMatch), \\\"SourceIP\\\", DestinationIP in (ipMatch), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", 
DestinationIP, \\\"None\\\")\\n),\\n(SigninLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where IPAddress in (ipMatch)\\n| project TimeGenerated, UserPrincipalName, IPAddress, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog\\n| where cIP in (ipMatch)\\n| project TimeGenerated, Computer, cIP, csUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(AzureActivity\\n| where CallerIpAddress in (ipMatch)\\n| project TimeGenerated, CallerIpAddress, Caller, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where SourceIpAddress in (ipMatch)\\n| project TimeGenerated, SourceIpAddress, UserIdentityUserName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n), \\n( \\nDeviceNetworkEvents\\n| where RemoteIP in (ipMatch)\\n| where ActionType == \\\"InboundConnectionAccepted\\\"\\n| project TimeGenerated, RemoteIP, DeviceName, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category in (\\\"AzureFirewallApplicationRule\\\", \\\"AzureFirewallNetworkRule\\\")\\n| where msg_s has_any (ipMatch)\\n| project TimeGenerated, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceIP \u0027:\u0027 SourcePort \u0027to \u0027 DestinationIP \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where DestinationIP has_any (ipMatch)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP\\n)\\n// If you have enabled the imDNS and/or imNetworkSession normalization in your workdspace, you can uncomment below and include. Reference - https://docs.microsoft.com/azure/sentinel/normalization\\n//,\\n//(imDns (response_has_any_prefix=IPList)\\n//| project TimeGenerated, ResponseName, SrcIpAddr, Type\\n//| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n//),\\n//(imNetworkSession (dstipaddr_has_any_prefix=IPList)\\n//| project TimeGenerated, DstIpAddr, SrcIpAddr, Type\\n//| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr\\n//)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Log4j vulnerability exploit aka Log4Shell IP IOC\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. 
\\n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228\u0027 \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"name\":\"bda5a2bd-979b-4828-a91f-27c2a5048f7f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple archived attachments to the same recipient\",\"description\":\"Detects when multiple emails where sent to the same recipient with large archived attachments.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1baaaf00-655f-4de9-8ff8-312e902cda71\",\"name\":\"1baaaf00-655f-4de9-8ff8-312e902cda71\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations = (\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location);\\n AADServicePrincipalSignInLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in (known_locations)\\n | extend City = tostring(parse_json(LocationDetails).city)\\n | extend State = tostring(parse_json(LocationDetails).state)\\n | extend 
Place = strcat(City, \\\" - \\\", State)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(Place) by ServicePrincipalName, Location\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Service Principal Authentication Attempt from New Country\",\"description\":\"Detects when there is a Service Principal login attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/39198934-62a0-4781-8416-a81265c03fd6\",\"name\":\"39198934-62a0-4781-8416-a81265c03fd6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let detectionTime = 
1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"user.read\\\" and ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"mail.readwrite\\\" and ConsentFull contains \\\"mail.send\\\" and ConsentFull contains \\\"files.read.all\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\")\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where 
LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Suspicious application consent similar to PwnAuth\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and 
files.read.all.\\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"name\":\"fbd72eb8-087e-466b-bd54-1ca6ea08c6d3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let opList = OfficeActivity \\n| summarize by Operation\\n//| where Operation startswith \\\"Remove-\\\" or Operation startswith \\\"Disable-\\\"\\n| where Operation has_any (\\\"Remove\\\", \\\"Disable\\\")\\n| where Operation contains \\\"AntiPhish\\\" or Operation contains \\\"SafeAttachment\\\" or Operation contains \\\"SafeLinks\\\" or Operation contains \\\"Dlp\\\" or Operation contains \\\"Audit\\\"\\n| summarize make_set(Operation);\\nOfficeActivity\\n// Only admin or global-admin can disable/remove policy\\n| where RecordType =~ \\\"ExchangeAdmin\\\"\\n| where UserType in~ (\\\"Admin\\\",\\\"DcAdmin\\\")\\n// Pass in interesting Operation list\\n| where Operation in~ (opList)\\n| extend ClientIPOnly = case( \\nClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), \\nClientIP has \\\"[\\\", 
tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))),\\nClientIP\\n) \\n| extend Port = case(\\nClientIP has \\\".\\\", (split(ClientIP,\\\":\\\")[1]),\\nClientIP has \\\"[\\\", tostring(split(ClientIP,\\\"]:\\\")[1]),\\nClientIP\\n)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Office policy tampering\",\"description\":\"Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. 
\\nAn adversary may use this technique to evade detection or avoid other policy based defenses.\\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06a9b845-6a95-4432-a78b-83919b28c375\",\"name\":\"06a9b845-6a95-4432-a78b-83919b28c375\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet percentotalthreshold = 50;\\nlet TimeSeriesData = CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\\n// Filtering specific records associated with spikes as outliers\\nlet TimeSeriesAlerts=materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend score 
= round(score,2), AnomalyHour = TimeGenerated\\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n CommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\\n| extend AnomalyHour = TimeGeneratedHour\\n) on AnomalyHour, DeviceVendor\\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\\n| where PercentTotal \u003e percentotalthreshold\\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\\n| extend timestamp= EndTimeUtc , IPCustomEntity = 
SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly detection for total volume of traffic\",\"description\":\"Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks 
suspicious\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f110287e-1358-490d-8147-ed804b328514\",\"name\":\"f110287e-1358-490d-8147-ed804b328514\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, 
NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AWSCloudTrail | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SourceIpAddress\\n| where AWSCloudTrail_TimeGenerated \u003c ExpirationDateTime\\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AWSCloudTrail\",\"description\":\"Identifies a match in AWSCloudTrail from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7249500f-3038-4b83-8549-9cd8dfa2d498\",\"name\":\"7249500f-3038-4b83-8549-9cd8dfa2d498\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"de-ma.online\\\", \\\"g20saudi.000webhostapp.com\\\", \\\"ksat20.000webhostapp.com\\\"]);\\nlet EmailAddresses = dynamic([\\\"munichconference1962@gmail.com\\\",\\\"munichconference@outlook.de\\\", \\\"munichconference@outlook.com\\\", \\\"t20saudiarabia@gmail.com\\\", \\\"t20saudiarabia@hotmail.com\\\", \\\"t20saudiarabia@outlook.sa\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \\n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \\n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, 
HostCustomEntity = DeviceName\\n),\\n(DnsEvents \\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\\n| where DNSName has_any (DomainNames) \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\\n(SecurityAlert\\n| where ProviderName =~ \u0027OATP\u0027\\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \\n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\\n parse_json(Entities)[9].Upn)\\n| where Entities has_any (EmailAddresses)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"AZUREFIREWALLS\\\"\\n| where msg_s has_any (DomainNames)\\n| extend timestamp = TimeGenerated))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Known PHOSPHORUS 
group domains/IP - October 2020\",\"description\":\"Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog (PaloAlto)\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog (Zscaler)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert (OATP)\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics (Azure Firewall)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5ef06767-b37c-4818-b035-47de950d0046\",\"name\":\"5ef06767-b37c-4818-b035-47de950d0046\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow 
to edit files during/around the build process\\nlet allow_list = dynamic([\\\"\\\"]);\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688\\n| where Process has_any (build_processes)\\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where EventID == 4688 and EventData has_any (build_processes)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any (build_processes)\\n| 
extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for file modifications to code file\\n| where EventID == 4663 and EventData has_any (\\\"0x6\\\", \\\"0x4\\\", \\\"0X100\\\") and EventData has_any (\\\".cs\\\", \\\".cpp\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (allow_list)\\n// Look for code files, edit this to include file extensions used in build.\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName endswith \\\".cs\\\" or ObjectName endswith \\\".cpp\\\"\\n// 0x6 and 0x4 for file append, 0x100 for file replacements\\n| extend AccessMask = tostring(EventData.AccessMask) \\n| where AccessMask == \\\"0x6\\\" or AccessMask == \\\"0x4\\\" or AccessMask == \\\"0X100\\\"\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, Computer\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime 
\u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=Computer, timestamp=timekey\\n))\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"name\":\"a83ef0f4-dace-4767-bce3-ebd32599d2a0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", 
\\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR 
proxies.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/42436753-9944-4d70-801c-daaa4d19ddd2\",\"name\":\"42436753-9944-4d70-801c-daaa4d19ddd2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Powershell\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"]\\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, 
SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running PowerShell\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong PowerShell. 
\u003cbr\u003eYou can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56fe0db0-6779-46fa-b3c5-006082a53064\",\"name\":\"56fe0db0-6779-46fa-b3c5-006082a53064\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = 
tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - 
https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2022-03-31T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"name\":\"5d33fc63-b83b-4913-b95e-94d13f0d379f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet fileHashIndicators = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = 
arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity, FileHashValue, FileHashType\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to CommonSecurityLog Event\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"name\":\"1f3b4dfd-21ff-4ed3-8e27-afc219e05c50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"PIM\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where ActivityDisplayName has \\\"Disable PIM Alert\\\"\\n| extend IpAddress = case(\\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n \u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| project 
InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Detect PIM Alert Disabling activity\",\"description\":\"Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \\nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d99cf5c3-d660-436c-895b-8a8f8448da23\",\"name\":\"d99cf5c3-d660-436c-895b-8a8f8448da23\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend 
additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the authentication\\\"\\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"AadUserId\",\"columnName\":\"UserId\"},{\"identifier\":\"AadTenantId\",\"columnName\":\"AADTenantId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"MFA Rejected by User\",\"description\":\"Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"name\":\"d0aa8969-1bbe-4da3-9e76-09e5f67c9d85\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= 
ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where ResourceProvider == \u0027MICROSOFT.SQL\u0027\\n | where Category == \u0027SQLSecurityAuditEvents\u0027\\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\\n | extend ClientIP = column_ifexists(\\\"client_ip_s\\\", \\\"Not Available\\\"), Action = column_ifexists(\\\"action_name_s\\\", \\\"Not Available\\\"), \\n Application = column_ifexists(\\\"application_name_s\\\", \\\"Not Available\\\"), HostName = column_ifexists(\\\"host_name_s\\\", \\\"Not Available\\\")\\n)\\non $left.TI_ipEntity == $right.ClientIP\\n| where SQLSecurityAuditEvents_TimeGenerated \u003c ExpirationDateTime\\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Azure SQL Security Audit Events\",\"description\":\"Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"name\":\"4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n 
OfficeActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(UserId)\\n | where UserId matches regex emailregex\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.UserId\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/44a555d8-ecee-4a25-95ce-055879b4b14b\",\"name\":\"44a555d8-ecee-4a25-95ce-055879b4b14b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet portThreshold = 30;\\nW3CIISLog\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map 
common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of attempts by client IP on many ports\\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| extend portCount = arraylength(set_sPort)\\n| where portCount \u003e= portThreshold\\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, 
set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\\n| order by portCount\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High count of connections by client IP on many ports\",\"description\":\"Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \\nThis could also simply indicate a misconfigured service or device.\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2de8abd6-a613-450e-95ed-08e503369fb3\",\"name\":\"2de8abd6-a613-450e-95ed-08e503369fb3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDiagnostics\\n| where details_data_s has \\\"jndi:\\\"\\n| parse details_data_s with * \u0027${\u0027 MaliciousCommand \u0027}\u0027 *\\n| extend EncodeCmd = iff(MaliciousCommand has \u0027Base64/\u0027, split(split(MaliciousCommand, 
\\\"Base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend EncodeCmd1 = iff(MaliciousCommand has \u0027base64/\u0027, split(split(MaliciousCommand, \\\"base64/\\\",1)[0], \\\"}\\\", 0)[0], \\\"\\\")\\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \\\"Unable to decode\\\")\\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \\n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure WAF matching for Log4j vuln(CVE-2021-44228)\",\"description\":\"This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. 
If possible, it then decodes the malicious command for further analysis.\\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-12-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/972c89fa-c969-4d12-932f-04d55d145299\",\"name\":\"972c89fa-c969-4d12-932f-04d55d145299\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"( union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| extend FileName = Process, ProcessCommandLine = CommandLine\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(DeviceProcessEvents\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\nor ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1 \\n| extend 
EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\"), ProcessCommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| extend FileName = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where (FileName in~(\u0027control.exe\u0027,\u0027rundll32.exe\u0027) and ProcessCommandLine has \u0027.cpl:\u0027)\\n or ProcessCommandLine matches regex @\u0027\\\\\\\".[a-zA-Z]{2,4}:\\\\.\\\\.\\\\/\\\\.\\\\.\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"MSHTML vulnerability CVE-2021-40444 attack\",\"description\":\"This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. 
\\n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \\\".cpl:../../msword.inf\\\"\\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ca74dc0-8352-4ac5-893c-73571cc78331\",\"name\":\"4ca74dc0-8352-4ac5-893c-73571cc78331\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let keywords = dynamic([\\\"secret\\\", \\\"secrets\\\", \\\"password\\\", \\\"PAT\\\", \\\"passwd\\\", \\\"pswd\\\", \\\"pwd\\\", \\\"cred\\\", \\\"creds\\\", \\\"credentials\\\", \\\"credential\\\", \\\"key\\\"]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend Type = tostring(Data.Type)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| mv-expand Data.Variables\\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\\n| where Type != \\\"AzureKeyVault\\\"\\n| where Data_Variables !has \\\"IsSecret\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps Variable Secret Not Secured\",\"description\":\"Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \\nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"name\":\"cc5780ce-3245-4bba-8bc1-e9048c2257ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName =~ \\\"Add owner to application\\\"\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AddedUser = TargetResources[0].userPrincipalName\\n | mv-expand mod_props\\n | where mod_props.displayName =~ \\\"Application.DisplayName\\\"\\n | extend 
AppName = tostring(parse_json(tostring(mod_props.newValue)))\\n | project-reorder TimeGenerated, OperationName, AppName, AddedUser, UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Ownership\",\"description\":\"Detects changes to the ownership of an appplicaiton.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#new-owner\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15049017-527f-4d3b-b011-b0e99e68ef45\",\"name\":\"15049017-527f-4d3b-b011-b0e99e68ef45\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nSecurityEvent\\n| where EventID == 4688 and Process has_any (procList) and not (NewProcessName has (\\\"C:\\\\\\\\Windows\\\\\\\\\\\"))\\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by EventID, Computer, SubjectUserName, NewProcessName, Process, CommandLine\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Executed from Non-Default Directory\",\"description\":\"The query detects Windows binaries, that can be executed from a non-default directory (e.g. C:\\\\Windows\\\\, C:\\\\Windows\\\\System32 etc.). \\nRef: https://lolbas-project.github.io/\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"name\":\"2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// SamAccountName of AD FS Service Account. 
Filter on the use of a specific AD FS user account\\n//let adfsuser = \u0027adfsadmin\u0027;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe+lookback)\\n | where EventSourceName == \u0027AD FS Auditing\u0027\\n | distinct Computer\\n);\\nSecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // A token of type \u0027http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation\u0027\\n // for relying party \u0027-\u0027 was successfully authenticated.\\n | where EventID == 412\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | extend InstanceId = tostring(EventData[0])\\n| join kind=inner\\n(\\n SecurityEvent\\n //| where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n // Events to identify caller identity from event 412\\n | where EventID == 501\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | where tostring(EventData[1]) contains \u0027identity/claims/name\u0027\\n | extend InstanceId = tostring(EventData[0])\\n | extend ClaimsName = tostring(EventData[2])\\n // Filter on the use of a specific AD FS user account\\n //| where ClaimsName contains adfsuser\\n)\\non $left.InstanceId == $right.InstanceId\\n| join kind=inner\\n(\\n SecurityEvent\\n | where EventID == 5156\\n | where Computer in~ (ADFS_Servers)\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend DestPort = column_ifexists(\\\"DestPort\\\", \\\"\\\"),\\n Direction = column_ifexists(\\\"Direction\\\", \\\"\\\"),\\n Application = column_ifexists(\\\"Application\\\", \\\"\\\"),\\n DestAddress = 
column_ifexists(\\\"DestAddress\\\", \\\"\\\"),\\n SourceAddress = column_ifexists(\\\"SourceAddress\\\", \\\"\\\"),\\n SourcePort = column_ifexists(\\\"SourcePort\\\", \\\"\\\")\\n // Look for inbound connections from endpoints on port 80\\n | where DestPort == 80 and Direction == \u0027%%14592\u0027 and Application == \u0027System\u0027\\n | where DestAddress !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027) \\n)\\non $left.Computer == $right.Computer\\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote Auth Sync Connection\",\"description\":\"This detection uses Security events from the \\\"AD FS Auditing\\\" provider to detect suspicious authentication events on an AD FS server. 
The results then get\\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\\nsensitive information such as AD FS certificates.\\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-04-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"name\":\"d992b87b-eb49-4a9d-aa96-baacf9d26247\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let IPList = dynamic([\\\"185.63.90.137\\\"]); \\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = 
\\ndynamic([\\\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\\\",\\n\\\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\\\",\\n\\\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\\\",\\n\\\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\\\",\\n\\\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\\\",\\n\\\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\\\",\\n\\\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\",\\n\\\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\\\",\\n\\\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\\\"\\n]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, 
HostCustomEntity = DeviceName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost) \\n| where SourceHost in (IPList) or DestinationHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(DeviceFileEvents\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n| where FileHash in (sha256Hashes)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, 
FileHash\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where CommandLine has_any (IPList) \\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n(WindowsEvent\\n| where EventID == \u00274688\u0027 and has_any_ipv4(EventData, toscalar(IPList)) \\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| where NewProcessName in (IPList) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
NewProcessName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021\",\"description\":\"Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\\nReference: \\nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders\\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"
dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"name\":\"ce1e7025-866c-41f3-9b08-ec170e05e73e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let SunburstURL=dynamic([\\\"panhardware.com\\\",\\\"databasegalore.com\\\",\\\"avsvmcloud.com\\\",\\\"freescanonline.com\\\",\\\"thedoccloud.com\\\",\\\"deftsecurity.com\\\"]);\\nDeviceNetworkEvents\\n| where ActionType == \\\"ConnectionSuccess\\\"\\n| where RemoteUrl in(SunburstURL)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n FileHashCustomEntity = InitiatingProcessMD5, \\n HashAlgorithm = \u0027MD5\u0027,\\n URLCustomEntity = RemoteUrl,\\n IPCustomEntity = 
RemoteIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST network beacons\",\"description\":\"Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/baedfdf4-7cc8-45a1-81a9-065821628b83\",\"name\":\"baedfdf4-7cc8-45a1-81a9-065821628b83\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let runningRAT_parameters = dynamic([\u0027/ui/chk\u0027, 
\u0027mactok=\u0027, \u0027UsRnMe=\u0027, \u0027IlocalP=\u0027, \u0027kMnD=\u0027]);\\nCommonSecurityLog\\n| where RequestMethod == \\\"GET\\\"\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, RequestURL, SourceIP, SourceHostName, RequestClientApplication\\n| where RequestURL has_any (runningRAT_parameters)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DestinationIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"RunningRAT request parameters\",\"description\":\"This detection will alert when RunningRAT URI parameters or paths are detect in an HTTP request. 
Id the device blocked this communication\\npresence of this alert means the RunningRAT implant is likely still executing on the source host.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"name\":\"4d8de9e6-263e-4845-8618-cd23a4f58b70\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 3h;\\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\\nlet AuthorizedBypassers = dynamic([\u0027foo@baz.com\u0027, \u0027test@foo.com\u0027]);\\nlet historicBypassers = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| distinct ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \u0027Git.RefUpdatePoliciesBypassed\u0027\\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\\n| parse ScopeDisplayName with OrganizationName \u0027(Organization)\u0027\\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \\n BypassReason = Data.BypassReason, PRLink = strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_git/\u0027, Data.RepoName, \u0027/pullrequest/\u0027, Data.PullRequestId)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Pull Request Policy Bypassing - Historic allow list\",\"description\":\"This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow 
list.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75bf9902-0789-47c1-a5d8-f57046aa72df\",\"name\":\"75bf9902-0789-47c1-a5d8-f57046aa72df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688 and EventData has_any (procList) and EventData has \\\":\\\\\\\\recycler\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName) \\n| extend NewProcessName = tostring(EventData.NewProcessName) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\\nFileName = Process, CommandLine, 
ParentProcessName\\n));\\nprocessEvents};\\nProcessCreationEvents \\n| where FileName in~ (procList)\\n| where CommandLine contains \\\":\\\\\\\\recycler\\\"\\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin\",\"description\":\"The query detects Windows binaries, that can be used for executing malware, that have been hidden in the recycle bin. \\n The list of these binaries are sourced from https://lolbas-project.github.io/\\n References: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2399891-383c-4caf-ae67-68a008b9f89e\",\"name\":\"e2399891-383c-4caf-ae67-68a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs=dcount(TI_ipEntity), IoCs=make_set( TI_ipEntity)\\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs));\\nIP_TI\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique \\n (\\n union \\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), dstipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=DstIpAddr, IoCIPDirection=\u0027Destination\u0027\\n ),\\n (\\n _Im_NetworkSession (starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(DstIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated, IoCIP=SrcIpAddr, IoCIPDirection=\u0027Source\u0027\\n )\\n)on $left.TI_ipEntity == $right.IoCIP\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, IoCIP, 
IoCIPDirection\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr, IoCIPDirection, IoCIP\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\",\"IoCIPDirection\":\"IoCIPDirection\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IoCIP\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A network session {{IoCIPDirection}} address {{IoCIP}} matched an IoC.\",\"alertDescriptionFormat\":\"The {{IoCIPDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Network Session Events (ASIM Network Session schema)\",\"description\":\"This rule identifies a match Network Sessions for which the source of destination IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"name\":\"8c2ef238-67a0-497d-b1dd-5c8a0f533e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"AuthorizeDBSecurityGroupIngress\\\",\\\"CreateDBSecurityGroup\\\",\\\"DeleteDBSecurityGroup\\\",\\\"RevokeDBSecurityGroupIngress\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, 
UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to internet facing AWS RDS Database instances\",\"description\":\"Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \\nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \\nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\\nand RDS API Reference Docs: 
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2021-11-28T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"name\":\"6ee72a9e-2e54-459c-bc9a-9c09a6502a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"216.24.185.74\\\", \\\"107.175.189.159\\\", \\\"192.210.132.102\\\", \\\"67.230.163.214\\\", \\n \\\"199.19.110.240\\\", \\\"107.148.130.176\\\", \\\"154.212.129.218\\\", \\\"172.86.75.54\\\", \\\"45.61.136.199\\\", \\n \\\"149.28.150.195\\\", \\\"108.61.214.194\\\", \\\"144.202.98.198\\\", \\\"149.28.84.98\\\", \\\"103.99.209.78\\\", \\n \\\"45.61.136.2\\\", \\\"176.122.162.149\\\", \\\"192.3.80.245\\\", \\\"149.28.23.32\\\", \\\"107.182.18.149\\\", \\\"107.174.45.134\\\", \\n \\\"149.248.18.104\\\", \\\"65.49.192.74\\\", \\\"156.255.2.154\\\", \\\"45.76.6.149\\\", \\\"8.9.11.130\\\", \\\"140.238.27.255\\\", \\n \\\"107.182.24.70\\\", \\\"176.122.188.254\\\", \\\"192.161.161.108\\\", \\\"64.64.234.24\\\", \\\"104.224.185.36\\\", \\n \\\"104.233.224.227\\\", \\\"104.36.69.105\\\", \\\"119.28.139.120\\\", \\\"161.117.39.130\\\", \\\"66.42.100.42\\\", \\\"45.76.31.159\\\", \\n \\\"149.248.8.134\\\", \\\"216.24.182.48\\\", \\\"66.42.103.222\\\", \\\"218.89.236.11\\\", \\\"180.150.227.249\\\", \\\"47.75.80.23\\\",\\n \\\"124.156.164.19\\\", \\\"149.248.62.83\\\", 
\\\"150.109.76.174\\\", \\\"222.209.187.207\\\", \\\"218.38.191.38\\\", \\n \\\"119.28.226.59\\\", \\\"66.42.98.220\\\", \\\"74.82.201.8\\\", \\\"173.242.122.198\\\", \\\"45.32.130.72\\\", \\\"89.35.178.10\\\", \\n \\\"89.43.60.113\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \\n), \\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Hostname, AccountCustomEntity=User\\n), \\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = Hostname , AccountCustomEntity = User\\n), \\n(WireData \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \\n), \\n(SigninLogs \\n| where 
isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium IP\",\"description\":\"Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\u0027 \",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActiv
ity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"name\":\"595a10c9-91be-4abb-bbc7-ae9c57848bef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n//This query uses sysmon data, sections that have - | where Source == 
\\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL has_any (domains), \\\"RequestUrl\\\", \\\"NoMatch\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), Account = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) or Name in~ (domains) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, IPEntity = 
case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), File = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = tostring(EventDetail.[9].[\\\"#text\\\"]), DestinationIP = tostring(EventDetail.[14].[\\\"#text\\\"]), Image = tostring(EventDetail.[4].[\\\"#text\\\"])\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027, Type\\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = \u0027Chia crypto 
IOC detected\u0027\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where Request_Name has_any (domains) or ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) \\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceFileEvents\\n| where InitiatingProcessFolderPath has_any (process)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| 
extend timestamp = TimeGenerated, AlertDetail = \u0027Chia crypto IOC detected\u0027, FileHashAlgo = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| project TimeGenerated, EventDetail, UserName, Computer, Type\\n| extend Image = tostring(EventDetail.[4].[\\\"#text\\\"]), CommandLine = tostring(EventDetail.[10].[\\\"#text\\\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\\\"#text\\\"]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| where Image has_any (process)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath= replace_string(Image, File, \u0027\u0027)\\n),\\n(DeviceEvents\\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = \u0027SHA256\u0027\\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, \u0027\u0027)\\n),\\n(SecurityEvent\\n| where EventID == \u00274688\u0027\\n| where NewProcessName has_any (process)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\\n| extend timestamp = TimeGenerated, 
Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n)\\n)\\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd0a6029-ecef-4507-89c4-fc355ac52111\",\"name\":\"dd0a6029-ecef-4507-89c4-fc355ac52111\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| 
extend DomainName = tolower(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD 
against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"name\":\"6c360107-f3ee-4b91-9f43-f4cfd90441cf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"union isfuzzy=true \\n(\\n SecurityEvent\\n | where EventID == 4738\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n ),\\n (\\n WindowsEvent\\n | where EventID == 4738 and EventData has \u00272089\u0027\\n // 2089 value indicates the Don\u0027t Expire Password value has been set\\n | extend UserAccountControl = tostring(EventData.UserAccountControl)\\n | where UserAccountControl has \\\"%%2089\\\" \\n | extend Value_2089 = iff(UserAccountControl has \\\"%%2089\\\",\\\"\u0027Don\u0027t Expire Password\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n // 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \\n | extend Value_2050 = iff(UserAccountControl has \\\"%%2050\\\",\\\"\u0027Password Not Required\u0027 - Disabled\\\", \\\"Not Changed\\\")\\n // If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. 
\\n | extend Value_2082 = iff(UserAccountControl has \\\"%%2082\\\",\\\"\u0027Password Not Required\u0027 - Enabled\\\", \\\"Not Changed\\\")\\n | extend Activity=\\\"4738 - A user account was changed.\\\"\\n | extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n | extend TargetSid = tostring(EventData.TargetSid)\\n | extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n | extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n | extend AccountType=case(SubjectAccount endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n | project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\\n | extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"TargetSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AD account with Don\u0027t Expire Password\",\"description\":\"Identifies whenever a user account has the setting \\\"Password Never Expires\\\" in the user account properties selected.\\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\\n%%2089 resolves to \\\"Don\u0027t Expire Password - 
Enabled\\\".\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"name\":\"4e8238bd-ff4f-4126-a9f6-09b3b6801b3d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\nits unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e2559891-383c-4caf-ae67-55a008b9f89e\",\"name\":\"e2559891-383c-4caf-ae67-55a008b9f89e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"NO_IP\\\")\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where TI_ipEntity != \\\"NO_IP\\\";\\nlet IP_TI_list=toscalar(IP_TI | summarize NIoCs= dcount(TI_ipEntity), IoCs=make_set(TI_ipEntity) \\n | project IoCs=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), IoCs ) );\\nIP_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession 
(starttime=ago(dt_lookBack), srcipaddr_has_any_prefix=IP_TI_list)\\n | where isnotempty(SrcIpAddr)\\n // renaming time column so it is clear the log this came from\\n | extend imNWS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SrcIpAddr\\n| where imNWS_TimeGenerated \u003c ExpirationDateTime\\n| summarize imNWS_TimeGenerated = arg_max(imNWS_TimeGenerated , *) by IndicatorId, DstIpAddr\\n| project imNWS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Dvc, SrcIpAddr, DstIpAddr\",\"customDetails\":{\"EventTime\":\"imNWS_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The IP {{SrcIpAddr}} of a web request to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"The source address {{SrcIpAddr}} of a web request for URL {{Url}} matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the source IP address is a known IoC. 
\u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"name\":\"c7bfadd4-34a6-4fa5-82f8-3691a32261e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"ApplySecurityGroupsToLoadBalancer\\\", \\\"SetSecurityGroups\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \\nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = 
SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Changes to AWS Elastic Load Balancer security groups\",\"description\":\"Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \\n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \\n and https://aws.amazon.com/elasticloadbalancing/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"name\":\"bdf04f58-242b-4729-b376-577c4bdf5d3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"imProcessCreate\\n| where Process hassuffix \u0027rundll32.exe\u0027\\n| where CommandLine has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Dvc, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"name\":\"f30a47c1-65fb-42b1-a7f4-00941c12550b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious 
activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Extract URL from JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,Entities)\\n // We only want alerts that actually contain URL data\\n | where isnotempty(Url)\\n // Extract hostname from JSON data for entity mapping\\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\\\"Compromised Host\\\"])\\n | extend Alert_TimeGenerated = TimeGenerated\\n) on Url\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to SecurityAlert data\",\"description\":\"Identifies a match in SecurityAlert data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"name\":\"80da0a8f-cfe1-4cd0-a895-8bc1771a720e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent\\n| where EventID == 1102 and Provider == \\\"Microsoft-Windows-Eventlog\\\" \\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend Activity= \\\"1102 - The audit log was cleared.\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared. \\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"name\":\"36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set 
low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n //Extract the Url from a number of potential fields\\n | extend Url = iif(OfficeWorkload == \\\"AzureActiveDirectory\\\",extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\\n | where isnotempty(Url)\\n // Ensure we get a clean URL\\n | extend Url = tostring(split(Url, \u0027;\u0027)[0])\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n // Project a single user identity that we can use for entity mapping\\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Value)))\\n) on Url\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \\nUserType, OfficeWorkload, Parameters, Url, User\\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to OfficeActivity data\",\"description\":\"Identifies a match in OfficeActivity data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"name\":\"f0be259a-34ac-4946-aa15-ca2b115d5feb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 2d;\\nlet endtime = 1d;\\nlet TimeDeltaThreshold = 25;\\nlet TotalEventsThreshold = 30;\\nlet MostFrequentTimeDeltaThreshold = 25;\\nlet PercentBeaconThreshold = 80;\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Palo Alto Networks\\\" and Activity == \\\"TRAFFIC\\\"\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where ipv4_is_private(DestinationIP)== false\\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| summarize count(), sum(ReceivedBytes), sum(SentBytes)\\nby TimeDeltainSeconds, bin(TimeGenerated, 1h), 
DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \\nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\\n| where TotalEvents \u003e TotalEventsThreshold and MostFrequentTimeDeltaCount \u003e MostFrequentTimeDeltaThreshold\\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Palo Alto - potential beaconing detected\",\"description\":\"Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. 
\\nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\\nReference Blog:\\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/\\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"name\":\"14f6da04-2f96-44ee-9210-9ccc1be6401e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"NRT Privileged Role Assigned Outside PIM\",\"description\":\"Identifies 
a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"name\":\"f6502545-ae3a-4232-a8b0-79d87e5c98d7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject==\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\" and Details !=\\\"DWORD (0x00000000)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"WDigest downgrade attack\",\"description\":\"When the WDigest Authentication protocol is enabled, plain text passwords are 
stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. This setting will prevent WDigest from storing credentials in memory.\\nRef: https://www.stigviewer.com/stig/windows_7/2016-12-19/finding/V-72753\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"name\":\"b725d62c-eb77-42ff-96f6-bdc6745fc6e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet UserAgentAll =\\n(union isfuzzy=true\\n(OfficeActivity\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(\\nW3CIISLog\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where TimeGenerated \u003e= ago(starttime)\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n))\\n// remove wordSize blocks of 
non-numeric hex characters prior to word extraction\\n| extend UserAgentNoHexAlphas = replace(\\\"([A-Fa-f]{4,})\\\", \\\"x\\\", UserAgent)\\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\\n| extend Tokens = extract_all(\\\"([A-Za-z]{4,})\\\", UserAgentNoHexAlphas)\\n// concatenate extracted words to create a summarized user agent for baseline and comparison\\n| extend NormalizedUserAgent = strcat_array(Tokens, \\\"|\\\")\\n| project-away UserAgentNoHexAlphas, Tokens;\\nUserAgentAll\\n| where StartTime \u003e= ago(endtime)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n| join kind=leftanti\\n(\\nUserAgentAll\\n| where StartTime \u003c ago(endtime)\\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\\n)\\non NormalizedUserAgent\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"New UserAgent observed in last 24 hours\",\"description\":\"Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\\nextracts words from user agents to build the baseline and determine rareity rather than perform a\\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\\nThese new UserAgents could be benign. 
However, in normally stable environments,\\nthese new UserAgents could provide a starting point for investigating malicious activity.\\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\\nusually stable with low numbers of detections.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155e9134-d5ad-4a6f-88f3-99c220040b66\",\"name\":\"155e9134-d5ad-4a6f-88f3-99c220040b66\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"// Set the lookback to determine if user has created pipelines before\\nlet timeback = 14d;\\n// Set the period for detections\\nlet timeframe = 1d;\\n// Get a list of previous Release Pipeline creators to exclude\\nlet releaseusers = AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName in (\\\"Release.ReleasePipelineCreated\\\", \\\"Release.ReleasePipelineModified\\\")\\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| summarize by UserScope;\\n// Get Release Pipeline creations by new users\\nAzureDevOpsAuditing\\n| where 
TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineModified\\\"\\n| extend UserScope = strcat(ActorUserId, \\\"-\\\", ProjectName)\\n| where UserScope !in (releaseusers)\\n| extend ActorUPN = tolower(ActorUPN)\\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\\n| join kind = leftouter (\\nSecurityAlert\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ProviderName == \\\"IPC\\\"\\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\\n// Uncomment the line below to only show results where the user as AADIdP alerts\\n//| where Alerts \u003e 0\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Pipeline modified by a new user.\",\"description\":\"There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \\nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \\nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"name\":\"3d023f64-8225-41a2-9570-2bd7c2c4535e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1DT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet spanoftime = 10m;\\nlet threshold = 0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| where AccountType =~ \\\"User\\\"\\n| where TargetAccount !endswith \\\"$\\\"\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+spanoftime)\\n// A user account was enabled\\n| where EventID == 4722\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| 
extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where TargetAccount !endswith \\\"$\\\"\\n| extend Activity=\\\"4722 - A user account was enabled.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n))\\n| join kind= inner (\\n (union isfuzzy=true\\n (SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| where AccountType =~ \\\"User\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\\n),\\n(WindowsEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n // A user account was disabled\\n | where EventID == 4725\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend Activity = \\\"4725 - A user account was disabled.\\\"\\n| project DisableTime = TimeGenerated, DisableEventID = EventID, 
DisableActivity = Activity, Computer, UserPrincipalName, \\nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid))\\n) on Computer, TargetAccount\\n| where DisableTime - EnableTime \u003c spanoftime\\n| extend TimeDelta = DisableTime - EnableTime\\n| where tolong(TimeDelta) \u003e= threshold\\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \\nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"SIDofAccountUsedToEnable\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account enabled and disabled within 10 mins\",\"description\":\"Identifies when a user account is enabled and then disabled within 10 minutes. 
This can be an indication of compromise and\\nan adversary attempting to hide in the noise.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"name\":\"0625fcce-6d52-491e-8c68-1d9b801d25b9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"Event\\n| where EventLog =~ \\\"Application\\\"\\n| where Source startswith \\\"MSExchange\\\"\\n| where EventLevelName =~ \\\"error\\\"\\n| where (RenderedDescription startswith \\\"Watson report\\\" and RenderedDescription contains \\\"umworkerprocess\\\" and RenderedDescription contains \\\"TextFormattingRunProperties\\\") or RenderedDescription startswith \\\"An unhandled exception occurred in a UM worker process\\\" or RenderedDescription startswith \\\"The Microsoft Exchange Unified Messaging service\\\" or RenderedDescription contains \\\"MSExchange Unified Messaging\\\"\\n| where RenderedDescription !contains \\\"System.OutOfMemoryException\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM 
Suspicious UM Service Error\",\"description\":\"This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"name\":\"09c49590-4e9d-4da9-a34d-17222d0c9e7e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let default_file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist(\u0027RiskyFileTypes\u0027) | extend Extension=column_ifexists(\\\"Extension\\\",\\\"\\\") | where isnotempty(Extension) | summarize make_set(Extension));\\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\\n_Im_WebSession(url_has_any=file_ext_blocklist, eventresult=\u0027Success\u0027)\\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\\\"Path\\\"]),\u0027/\u0027)[-1])\\n| extend requestedFileExt=extract(@(\\\\.\\\\w+)$,1,requestedFileName, typeof(string))\\n| where requestedFileExtension in (file_ext_blocklist)\\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\\n| extend IPCustomEntity = SrcIpAddr, 
UrlCustomEntity=Url\",\"customDetails\":{\"requestedFileName\":\"requestedFileName\",\"requestedFileExt\":\"requestedFileExt\",\"Username\":\"SrcUsername\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Client {{SrcIpAddr}} accessed a URL with potentially harmful extension {{requestedFileExt}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} accessed the URL {{Url}} that has the extension {{requestedFileExt}}. Downloading a file with this extension may be harmful and may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"InitialAccess\"],\"displayName\":\"A client made a web request to a potentially harmful file (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. 
To use this Analytics Rule, deploy the Advanced Security Information Model (ASIM).\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"name\":\"ffcd575b-3d54-482a-a6d8-d0de13b6ac63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(DestinationUserID)\\n // Filtering PAN Logs for specific event type to match relevant email entities\\n | where DeviceVendor == \\\"Palo Alto 
Networks\\\" and DeviceEventClassID == \\\"wildfire\\\" and ApplicationProtocol in (\\\"smtp\\\",\\\"pop3\\\")\\n | extend DestinationUserID = tolower(DestinationUserID)\\n | where DestinationUserID matches regex emailregex\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.DestinationUserID\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \\nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"name\":\"7cb8f77d-c52f-4e46-b82f-3cf2e106224a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookBack_long = 7d;\\nlet lookBack_med = 3d;\\nlet lookBack = 1d;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_long))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n// Create time series \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n// Compute best fit line for each entry \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \\n// Chart the 3 most interesting lines \\n// A 0-value slope 
corresponds to an account being completely stable over time for a given Azure Active Directory application\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack_med))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 0.3\\n| top 50 by Slope desc\\n) on UserPrincipalName, AppDisplayName\\n| join kind = leftsemi (\\ntable(tableName)\\n| where TimeGenerated \u003e= startofday(ago(lookBack))\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city), \\\";\\\") \\n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \\n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \\nby UserPrincipalName, AppDisplayName \\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\\n| where Slope \u003e 5\\n| top 50 by Slope desc\\n// Higher threshold requirement on last day anomaly\\n) on UserPrincipalName, AppDisplayName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet 
aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous sign-in location by user account and authenticating application\",\"description\":\"This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \\nDirectory application and picks out the most anomalous change in location profile for a user within an \\nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\\nover last day but also over the last 3-day and 7-day periods.\\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\\nIt is recommended that you test and tune this appropriately for the workspace.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"name\":\"1da9853f-3dea-4ea9-b7e5-26730da3d537\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let PortScanThreshold = 
50;\\n_Im_NetworkSession\\n| where ipv4_is_private(SrcIpAddr) == False\\n| summarize AttemptedPortsCount=dcount(DstPortNumber) by SrcIpAddr, bin(TimeGenerated, 5m)\\n| where AttemptedPortsCount \u003e PortScanThreshold\",\"customDetails\":{\"AttemptedPortsCount\":\"AttemptedPortsCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential port scan from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} pots within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Discovery\"],\"displayName\":\"Port scan detected (ASIM Network Session schema)\",\"description\":\"This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. 
This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eda260eb-f4a1-4379-ad98-452604da9b3e\",\"name\":\"eda260eb-f4a1-4379-ad98-452604da9b3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let eventsThreshold = 20;\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n| project TimeGenerated, RequestURL, RequestMethod, SourceIP, SourceHostName\\n| evaluate sequence_detect(TimeGenerated, 5s, 8s, login=(RequestURL has \\\"login.microsoftonline.com/consumers/oauth2/v2.0/token\\\"), graph=(RequestURL has \\\"graph.microsoft.com/v1.0/me/drive/\\\"), SourceIP, SourceHostName)\\n| summarize 
Events=count() by SourceIP, SourceHostName\\n| where Events \u003e= eventsThreshold\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive request URL sequence\",\"description\":\"CreepyDrive uses OneDrive for command and control, however, it makes regular requests to predicatable paths.\\nThis detecton will alert when over 20 sequences are observed in a single day.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3533f74c-9207-4047-96e2-0eb9383be587\",\"name\":\"3533f74c-9207-4047-96e2-0eb9383be587\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let detectionTime = 1d;\\nlet joinLookback = 14d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(detectionTime)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Consent to application\\\"\\n| where TargetResources has \\\"offline\\\"\\n| 
extend AppDisplayName = TargetResources.[0].displayName\\n| extend AppClientId = tolower(TargetResources.[0].id)\\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\\\"] with (format=\\\"csv\\\")))\\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\\n| parse ConsentFull with * \\\"ConsentType: \\\" GrantConsentType \\\", Scope: \\\" GrantScope1 \\\"]\\\" *\\n| where ConsentFull contains \\\"offline_access\\\" and ConsentFull contains \\\"Files.Read\\\" or ConsentFull contains \\\"Mail.Read\\\" or ConsentFull contains \\\"Notes.Read\\\" or ConsentFull contains \\\"ChannelMessage.Read\\\" or ConsentFull contains \\\"Chat.Read\\\" or ConsentFull contains \\\"TeamsActivity.Read\\\" or ConsentFull contains \\\"Group.Read\\\" or ConsentFull contains \\\"EWS.AccessAsUser.All\\\" or ConsentFull contains \\\"EAS.AccessAsUser.All\\\"\\n| where GrantConsentType != \\\"AllPrincipals\\\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \\\"User-Agent\\\", AdditionalDetails[0].value, \\\"\\\"))\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\\n| join kind = leftouter (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ 
\\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add service principal\\\"\\n| extend AppClientId = tolower(TargetResources[0].id)\\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \\\"AddressType\\\", TargetResources[0].modifiedProperties[1].newValue, \\\"\\\")\\n| distinct AppClientId, tostring(AppReplyURLs)\\n)\\non AppClientId\\n| join kind = innerunique (AuditLogs\\n| where TimeGenerated \u003e ago(joinLookback)\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where OperationName =~ \\\"Add OAuth2PermissionGrant\\\" or OperationName =~ \\\"Add delegated permission grant\\\"\\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\\n| extend GrantOperation = OperationName\\n| project GrantAuthentication, GrantOperation, CorrelationId\\n) on CorrelationId\\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Suspicious application consent for offline access\",\"description\":\"This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. 
Public contributions to expand this filter are welcome!\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"name\":\"0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserIdentityUserName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"NRT Login to AWS Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. 
This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/269435e3-1db8-4423-9dfc-9bf59997da1c\",\"name\":\"269435e3-1db8-4423-9dfc-9bf59997da1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName has \\\"Add member to role outside of PIM\\\"\\n or (LoggedByService == \\\"Core Directory\\\" and OperationName == \\\"Add member to role\\\" and Identity != \\\"MS-PIM\\\")\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Privileged Role Assigned Outside 
PIM\",\"description\":\"Identifies a privileged role being assigned to a user outside of PIM\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"name\":\"2be4ef67-a93f-4d8a-981a-88158cb73abd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\\\"] with (format=\\\"csv\\\"));\\nlet fileHashIndicators = covidIndicators\\n| where isnotempty(FileHashValue);\\n// Handle matches against both lower case and uppercase versions of the hash:\\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog | where TimeGenerated \u003e= ago(dt_lookBack) \\n | where 
isnotempty(FileHash)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n )\\non $left.FileHashValue == $right.FileHash\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Microsoft COVID-19 file hash indicator matches\",\"description\":\"Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at 
https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"name\":\"5b72f527-e3f6-4a00-9908-8e4fee14da9f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where isnotempty(DestinationPort) and DeviceAction !in (\\\"reset-both\\\", \\\"deny\\\") \\n// filter out common usage ports. Add ports that are legitimate for your environment\\n| where DestinationPort !in (\\\"443\\\", \\\"53\\\", \\\"389\\\", \\\"80\\\", \\\"0\\\", \\\"880\\\", \\\"8888\\\", \\\"8080\\\")\\n| where ApplicationProtocol == \\\"incomplete\\\" \\n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\\n| where DestinationPort !between (toint(49512) .. toint(65535)) \\n| where Computer != \\\"\\\" \\n| where DestinationIP !startswith \\\"10.\\\"\\n| extend Reason = coalesce(\\n column_ifexists(\\\"Reason\\\", \\\"\\\"), \\n extract(\\\"reason=(.+?)(;|$)\\\", 1, AdditionalExtensions),\\n \\\"\\\"\\n )\\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\\n| where Reason !has \\\"aged-out\\\" \\n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\\n| where Reason !has \\\"tcp-fin\\\" \\n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-server\\\" \\n// TCP RST-client - Occurs when the client sends a TCP reset to the server\\n// | where AdditionalExtensions has \\\"reason=tcp-rst-from-client\\\" \\n// Already performed\\n//| extend reason = tostring(split(AdditionalExtensions, \\\";\\\")[3])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\\n| where count_ \u003e= 10\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Palo Alto - possible internal to external port scanning\",\"description\":\"Identifies a list of internal Source IPs 
(10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \\nresults in an \\\"ApplicationProtocol = incomplete\\\" designation. The server resets coupled with an \\\"Incomplete\\\" ApplicationProtocol designation can be an indication \\nof internal to external port scanning or probing attack. \\nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/677da133-e487-4108-a150-5b926591a92b\",\"name\":\"677da133-e487-4108-a150-5b926591a92b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256s = (iocs | where Type =~ \\\"SHA256\\\"| project IoC);\\nlet ips = (iocs | where Type =~ \\\"IP\\\"| project IoC);\\nlet IPList = dynamic([\\\"192.99.221.77\\\",\\\"83.171.237.173\\\"]);\\nlet ips_list=toscalar(ips | summarize makeset(IoC));\\nlet full_ip_list= array_concat(ips_list, IPList);\\nlet domains = (iocs | where Type =~ \\\"Domain\\\"| 
project IoC);\\nlet domain_list=toscalar(domains | summarize make_set(IoC));\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet sha256Hashes = dynamic([\\\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\\\",\\n\\\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\\\",\\n\\\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\\\",\\n\\\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\\\",\\n\\\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\\\",\\n\\\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (domains), \\\"RequestUrl\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(_Im_Dns (domain_has_any=todynamic(domain_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_Dns (response_has_any_prefix=todynamic(full_ip_list))\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", SourceIp in (ips), \\\"SourceIP\\\", DestinationIp in (ips), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer\\n),\\n(OfficeActivity\\n| where ClientIP in (IPList) or ClientIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(_Im_NetworkSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"SourceIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = SrcIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_NetworkSession(dstipaddr_has_any_prefix=full_ip_list)\\n | extend IPMatch = \\\"DestinationIP\\\"\\n | extend timestamp = TimeGenerated, HostCustomEntity = Dvc , IPCustomEntity = DstIpAddr //, AccountCustomEntity =User\\n),\\n(_Im_WebSession(url_has_any=domains)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(_Im_WebSession(srcipaddr_has_any_prefix=full_ip_list)\\n | extend timestamp=TimeGenerated, HostCustomEntity=Dvc , 
DNSName=tostring(parse_url(Url)[\\\"Host\\\"]), AccountCustomEntity=User\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (domains) \\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\\n| extend timestamp = 
TimeGenerated\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"NOBELIUM - Domain, Hash and IP IOCs - May 2021\",\"description\":\"Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\
"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"name\":\"35ce9aff-1708-45b8-a295-5e9a307f5f17\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has_any (\\\"Project Administrators\\\", \\\"Project Collection Administrators\\\", \\\"Project Collection Service Accounts\\\", \\\"Build Administrator\\\")\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\\n| extend timekey = bin(TimeGenerated, 1h)\\n| extend ActorUserId = tostring(Data.MemberId)\\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\\n// Get details of operations conducted by user soon after elevation of permissions\\n| join (AzureDevOpsAuditing\\n| extend ActorUserId = tostring(Data.MemberId)\\n| 
extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New PA, PCA, or PCAS added to Azure DevOps\",\"description\":\"In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \\nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \\nusers granted these permissions should be small. 
Note that permissions can also be granted via Azure AD groups and monitoring of these \\nshould also be conducted.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf07ca9c-e408-443a-8939-6860a45a929e\",\"name\":\"bf07ca9c-e408-443a-8939-6860a45a929e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let allowed_publishers = dynamic([]);\\nAzureDevOpsAuditing\\n| where OperationName =~ \\\"Extension.Installed\\\"\\n| extend ExtensionName = tostring(Data.ExtensionName)\\n| extend PublisherName = tostring(Data.PublisherName)\\n| where PublisherName !in (allowed_publishers)\\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps New Extension Added\",\"description\":\"Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
\\nThis query looks for new extensions that are not from a configurable list of approved publishers.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7\",\"name\":\"65c78944-930b-4cae-bd79-c3664ae30ba7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(AuditLogs \\n| where OperationName =~ \\\"Disable Strong Authentication\\\"\\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend Targetprop = todynamic(TargetResources)\\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\\n),\\n(AWSCloudTrail\\n| where EventName in~ (\\\"DeactivateMFADevice\\\", \\\"DeleteVirtualMFADevice\\\") \\n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = 
EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\\n)\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"MFA disabled for a user\",\"description\":\"Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user \",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"name\":\"4759ddb4-2daf-43cb-b34e-d85b85b4e4a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\nlet parentprocess = (iocs | where Type =~ 
\\\"parentprocess\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURL in (IPList), \\\"RequestUrl\\\",\\\"NoMatch\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, IPMatch == \\\"Message\\\", MessageIP, IPMatch == \\\"RequestUrl\\\", RequestURL, \\\"NoMatch\\\"), AccountCustomEntity = SourceUserID\\n),\\n(DnsEvents\\n| where IPAddresses in (IPList) \\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\\n),\\n(VMConnection\\n| where SourceIp in (IPList) or DestinationIp in (IPList)\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == 
\\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"NoMatch\\\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") , AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n), \\n(OfficeActivity\\n| where ClientIP in (IPList) \\n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\\n),\\n(DeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = \u0027Dev-0322 IOC match\u0027, UrlCustomEntity =RemoteUrl, ProcessCustomEntity = 
InitiatingProcessFileName\\n),\\n(WindowsFirewall\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\"), AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(AzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallDnsProxy\\\"\\n| project TimeGenerated,Resource, msg_s, Type\\n| parse msg_s with \\\"DNS Request: \\\" ClientIP \\\":\\\" ClientPort \\\" - \\\" QueryID \\\" \\\" Request_Type \\\" \\\" Request_Class \\\" \\\" Request_Name \\\". \\\" Request_Protocol \\\" \\\" Request_Size \\\" \\\" EDNSO_DO \\\" \\\" EDNS0_Buffersize \\\" \\\" Responce_Code \\\" \\\" Responce_Flags \\\" \\\" Responce_Size \\\" \\\" Response_Duration\\n| where ClientIP in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| project TimeGenerated,Resource, msg_s\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where SourceHost in (IPList)\\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ParentImage = EventDetail.[20].[\\\"#text\\\"], Image = EventDetail.[4].[\\\"#text\\\"]\\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , 
AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\\n),\\n(DeviceProcessEvents\\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = \u0027Dev-0322 IOC match\u0027\\n| extend 
timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = \u0027Dev-0322 IOC match\u0027, IPCustomEntity = CommandLineIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"DEV-0322 Serv-U related IOCs - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to DEV-0322 targeting SolarWinds Serv-U 
software.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-06-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"name\":\"d6491be0-ab2d-439d-95d6-ad8ea39277c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = 
columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\" \\n| where OperationName in~ (SensitiveOperationList) \\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"name\":\"70b12a3b-4899-42cb-910c-5ffaf9d7997d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"0.ns1.dns-info.gq\\\", \\\"1.ns1.dns-info.gq\\\", \\\"10.ns1.dns-info.gq\\\", \\\"102.ns1.dns-info.gq\\\", \\n \\\"104.ns1.dns-info.gq\\\", \\\"11.ns1.dns-info.gq\\\", \\\"110.ns1.dns-info.gq\\\", \\\"115.ns1.dns-info.gq\\\", \\\"116.ns1.dns-info.gq\\\", \\n \\\"117.ns1.dns-info.gq\\\", \\\"118.ns1.dns-info.gq\\\", \\\"12.ns1.dns-info.gq\\\", \\\"120.ns1.dns-info.gq\\\", \\\"122.ns1.dns-info.gq\\\", \\n \\\"123.ns1.dns-info.gq\\\", \\\"128.ns1.dns-info.gq\\\", 
\\\"13.ns1.dns-info.gq\\\", \\\"134.ns1.dns-info.gq\\\", \\\"135.ns1.dns-info.gq\\\", \\n \\\"138.ns1.dns-info.gq\\\", \\\"14.ns1.dns-info.gq\\\", \\\"144.ns1.dns-info.gq\\\", \\\"15.ns1.dns-info.gq\\\", \\\"153.ns1.dns-info.gq\\\", \\n \\\"157.ns1.dns-info.gq\\\", \\\"16.ns1.dns-info.gq\\\", \\\"17.ns1.dns-info.gq\\\", \\\"18.ns1.dns-info.gq\\\", \\\"19.ns1.dns-info.gq\\\", \\n \\\"1a9604fa.ns1.feedsdns.com\\\", \\\"1c7606b6.ns1.steamappstore.com\\\", \\\"2.ns1.dns-info.gq\\\", \\\"20.ns1.dns-info.gq\\\", \\n \\\"201.ns1.dns-info.gq\\\", \\\"202.ns1.dns-info.gq\\\", \\\"204.ns1.dns-info.gq\\\", \\\"207.ns1.dns-info.gq\\\", \\\"21.ns1.dns-info.gq\\\", \\n \\\"210.ns1.dns-info.gq\\\", \\\"211.ns1.dns-info.gq\\\", \\\"216.ns1.dns-info.gq\\\", \\\"22.ns1.dns-info.gq\\\", \\\"220.ns1.dns-info.gq\\\", \\n \\\"223.ns1.dns-info.gq\\\", \\\"23.ns1.dns-info.gq\\\", \\\"24.ns1.dns-info.gq\\\", \\\"25.ns1.dns-info.gq\\\", \\\"26.ns1.dns-info.gq\\\", \\n \\\"27.ns1.dns-info.gq\\\", \\\"28.ns1.dns-info.gq\\\", \\\"29.ns1.dns-info.gq\\\", \\\"3.ns1.dns-info.gq\\\", \\\"30.ns1.dns-info.gq\\\", \\n \\\"31.ns1.dns-info.gq\\\", \\\"32.ns1.dns-info.gq\\\", \\\"33.ns1.dns-info.gq\\\", \\\"34.ns1.dns-info.gq\\\", \\\"35.ns1.dns-info.gq\\\", \\n \\\"36.ns1.dns-info.gq\\\", \\\"37.ns1.dns-info.gq\\\", \\\"39.ns1.dns-info.gq\\\", \\\"3d6fe4b2.ns1.steamappstore.com\\\", \\n \\\"4.ns1.dns-info.gq\\\", \\\"40.ns1.dns-info.gq\\\", \\\"42.ns1.dns-info.gq\\\", \\\"43.ns1.dns-info.gq\\\", \\\"44.ns1.dns-info.gq\\\", \\n \\\"45.ns1.dns-info.gq\\\", \\\"46.ns1.dns-info.gq\\\", \\\"48.ns1.dns-info.gq\\\", \\\"5.ns1.dns-info.gq\\\", \\\"50.ns1.dns-info.gq\\\", \\n \\\"50417.service.gstatic.dnset.com\\\", \\\"51.ns1.dns-info.gq\\\", \\\"52.ns1.dns-info.gq\\\", \\\"53.ns1.dns-info.gq\\\",\\n \\\"54.ns1.dns-info.gq\\\", \\\"55.ns1.dns-info.gq\\\", \\\"56.ns1.dns-info.gq\\\", \\\"57.ns1.dns-info.gq\\\", \\\"58.ns1.dns-info.gq\\\", \\n \\\"6.ns1.dns-info.gq\\\", \\\"60.ns1.dns-info.gq\\\", 
\\\"62.ns1.dns-info.gq\\\", \\\"63.ns1.dns-info.gq\\\", \\\"64.ns1.dns-info.gq\\\", \\n \\\"65.ns1.dns-info.gq\\\", \\\"67.ns1.dns-info.gq\\\", \\\"7.ns1.dns-info.gq\\\", \\\"70.ns1.dns-info.gq\\\", \\\"71.ns1.dns-info.gq\\\",\\n \\\"73.ns1.dns-info.gq\\\", \\\"77.ns1.dns-info.gq\\\", \\\"77075.service.gstatic.dnset.com\\\", \\\"7c1947fa.ns1.steamappstore.com\\\",\\n \\\"8.ns1.dns-info.gq\\\", \\\"81.ns1.dns-info.gq\\\", \\\"86.ns1.dns-info.gq\\\", \\\"87.ns1.dns-info.gq\\\", \\\"9.ns1.dns-info.gq\\\", \\n \\\"94343.service.gstatic.dnset.com\\\", \\\"9939.service.gstatic.dnset.com\\\", \\\"aa.ns.mircosoftdoc.com\\\", \\n \\\"aaa.feeds.api.ns1.feedsdns.com\\\", \\\"aaa.googlepublic.feeds.ns1.dns-info.gq\\\", \\n \\\"aaa.resolution.174547._get.cache.up.sourcedns.tk\\\", \\\"acc.microsoftonetravel.com\\\", \\n \\\"accounts.longmusic.com\\\", \\\"admin.dnstemplog.com\\\", \\\"agent.updatenai.com\\\", \\n \\\"alibaba.zzux.com\\\", \\\"api.feedsdns.com\\\", \\\"app.portomnail.com\\\", \\\"asia.updatenai.com\\\", \\n \\\"battllestategames.com\\\", \\\"bguha.serveuser.com\\\", \\\"binann-ce.com\\\", \\\"bing.dsmtp.com\\\", \\n \\\"blog.cdsend.xyz\\\", \\\"brives.minivineyapp.com\\\", \\\"bsbana.dynamic-dns.net\\\", \\n \\\"californiaforce.000webhostapp.com\\\", \\\"californiafroce.000webhostapp.com\\\", \\n \\\"cdn.freetcp.com\\\", \\\"cdsend.xyz\\\", \\\"cipla.zzux.com\\\", \\\"cloudfeeddns.com\\\", \\\"comcleanner.info\\\",\\n \\\"cs.microsoftsonline.net\\\", \\\"dns-info.gq\\\", \\\"dns05.cf\\\", \\\"dns22.ml\\\", \\\"dns224.com\\\", \\n \\\"dnsdist.org\\\", \\\"dnstemplog.com\\\", \\\"doc.mircosoftdoc.com\\\", \\\"dropdns.com\\\", \\n \\\"eshop.cdn.freetcp.com\\\", \\\"exchange.dumb1.com\\\", \\\"exchange.misecure.com\\\", \\\"exchange.mrbasic.com\\\",\\n \\\"facebookdocs.com\\\", \\\"facebookint.com\\\", \\\"facebookvi.com\\\", \\\"feed.ns1.dns-info.gq\\\", \\\"feedsdns.com\\\", \\n \\\"firejun.freeddns.com\\\", \\\"ftp.dns-info.dyndns.pro\\\", 
\\\"goallbandungtravel.com\\\", \\\"goodhk.azurewebsites.net\\\", \\n \\\"googlepublic.feed.ns1.dns-info.gq\\\", \\\"gp.spotifylite.cloud\\\", \\\"gskytop.com\\\", \\\"gstatic.dnset.com\\\", \\n \\\"gxxservice.com\\\", \\\"helpdesk.cdn.freetcp.com\\\", \\\"id.serveuser.com\\\", \\\"infestexe.com\\\", \\\"item.itemdb.com\\\",\\n \\\"m.mircosoftdoc.com\\\", \\\"mail.transferdkim.xyz\\\", \\\"mcafee.updatenai.com\\\", \\\"mecgjm.mircosoftdoc.com\\\",\\n \\\"microdocs.ga\\\", \\\"microsock.website\\\", \\\"microsocks.net\\\", \\\"microsoft.sendsmtp.com\\\", \\n \\\"microsoftbook.dns05.com\\\", \\\"microsoftcontactcenter.com\\\", \\\"microsoftdocs.dns05.com\\\", \\\"microsoftdocs.ml\\\", \\n \\\"microsoftonetravel.com\\\", \\\"microsoftonlines.net\\\", \\\"microsoftprod.com\\\", \\\"microsofts.dns1.us\\\", \\\"microsoftsonline.net\\\",\\n \\\"minivineyapp.com\\\", \\\"mircosoftdoc.com\\\", \\\"mircosoftdocs.com\\\", \\\"mlcrosoft.ninth.biz\\\", \\\"mlcrosoft.site\\\", \\n \\\"mm.portomnail.com\\\", \\\"msdnupdate.com\\\", \\\"msecdn.cloud\\\", \\\"mtnl1.dynamic-dns.net\\\", \\\"ns.gstatic.dnset.com\\\", \\n \\\"ns.microsoftprod.com\\\", \\\"ns.steamappstore.com\\\", \\\"ns1.cdn.freetcp.com\\\", \\\"ns1.comcleanner.info\\\", \\\"ns1.dns-info.gq\\\", \\n \\\"ns1.dns05.cf\\\", \\\"ns1.dnstemplog.com\\\", \\\"ns1.dropdns.com\\\", \\\"ns1.microsoftonetravel.com\\\", \\n \\\"ns1.microsoftonlines.net\\\", \\\"ns1.microsoftprod.com\\\", \\\"ns1.microsoftsonline.net\\\", \\\"ns1.mlcrosoft.site\\\", \\n \\\"ns1.teams.wikaba.com\\\", \\\"ns1.windowsdefende.com\\\", \\\"ns2.comcleanner.info\\\", \\\"ns2.dnstemplog.com\\\", \\n \\\"ns2.microsoftonetravel.com\\\", \\\"ns2.microsoftprod.com\\\", \\\"ns2.microsoftsonline.net\\\", \\\"ns2.mlcrosoft.site\\\", \\n \\\"ns2.windowsdefende.com\\\", \\\"ns3.microsoftprod.com\\\", \\\"ns3.mlcrosoft.site\\\", \\\"nutrition.mrbasic.com\\\", \\n \\\"nutrition.youdontcare.com\\\", \\\"online.mlcrosoft.site\\\", \\\"online.msdnupdate.com\\\", 
\\\"outlookservce.site\\\", \\n \\\"owa.jetos.com\\\", \\\"owa.otzo.com\\\", \\\"pornotime.co\\\", \\\"portomnail.com\\\", \\n \\\"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\\\", \\\"pricingdmdk.com\\\", \\\"prod.microsoftprod.com\\\", \\n \\\"product.microsoftprod.com\\\", \\\"ptcl.yourtrap.com\\\", \\\"query.api.sourcedns.tk\\\", \\\"rb.itemdb.com\\\", \\\"redditcdn.com\\\", \\n \\\"rss.otzo.com\\\", \\\"secure.msdnupdate.com\\\", \\\"service.dns22.ml\\\", \\\"service.gstatic.dnset.com\\\", \\\"service04.dns04.com\\\", \\n \\\"settings.teams.wikaba.com\\\", \\\"sip.outlookservce.site\\\", \\\"sixindent.epizy.com\\\", \\\"soft.msdnupdate.com\\\", \\\"sourcedns.ml\\\", \\n \\\"sourcedns.tk\\\", \\\"sport.msdnupdate.com\\\", \\\"spotifylite.cloud\\\", \\\"static.misecure.com\\\", \\\"steamappstore.com\\\", \\n \\\"store.otzo.com\\\", \\\"survey.outlookservce.site\\\", \\\"team.itemdb.com\\\", \\\"temp221.com\\\", \\\"test.microsoftprod.com\\\", \\n \\\"thisisaaa.000webhostapp.com\\\", \\\"token.dns04.com\\\", \\\"token.dns05.com\\\", \\\"transferdkim.xyz\\\", \\n \\\"travelsanignacio.com\\\", \\\"update08.com\\\", \\\"updated08.com\\\", \\\"updatenai.com\\\", \\\"wantforspeed.com\\\",\\n \\\"web.mircosoftdoc.com\\\", \\\"webmail.pornotime.co\\\", \\\"webwhois.team.itemdb.com\\\", \\\"windowsdefende.com\\\", \\\"wnswindows.com\\\",\\n \\\"ashcrack.freetcp.com\\\", \\\"battllestategames.com\\\", \\\"binannce.com\\\", \\\"cdsend.xyz\\\", \\\"comcleanner.info\\\", \\\"microsock.website\\\", \\n \\\"microsocks.net\\\", \\\"microsoftsonline.net\\\", \\\"mlcrosoft.site\\\", \\\"notify.serveuser.com\\\", \\\"ns1.microsoftprod.com\\\", \\n \\\"ns2.microsoftprod.com\\\", \\\"pricingdmdk.com\\\", \\\"steamappstore.com\\\", \\\"update08.com\\\", \\\"wnswindows.com\\\", \\n \\\"youtube.dns05.com\\\", \\\"z1.zalofilescdn.com\\\", \\\"z2.zalofilescdn.com\\\", \\\"zalofilescdn.com\\\"]); \\n(union isfuzzy=true \\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 
DNSName \u0027)\u0027 * \\n | where DNSName in~ (DomainNames) \\n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n ), \\n (_Im_Dns (domain_has_any=DomainNames)\\n | extend DNSName = DnsQuery \\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (_Im_WebSession (url_has_any=DomainNames)\\n | extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n | extend IPAddress = SrcIpAddr, Computer = Dvc\\n ), \\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n | where isnotempty(DNSName) \\n | where DNSName in~ (DomainNames) \\n | extend IPAddress = RemoteIp \\n ), \\n ( \\n DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl in~ (DomainNames) \\n | extend IPAddress = RemoteIP \\n | extend Computer = DeviceName \\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (DomainNames) \\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ) \\n ) \\n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Barium domains\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"data
Types\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff058b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let fileAccessThrehold = 10;\\nOfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberAdded\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n | join kind = inner(\\n OfficeActivity\\n | where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n | where Operation =~ \\\"MemberRemoved\\\"\\n | extend UPN = tostring(parse_json(Members)[0].UPN)\\n | where UPN contains (\\\"#EXT#\\\")\\n | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n ) on UPN\\n | where TimeDeleted \u003e TimeAdded\\n | join kind=inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | where Operation == \\\"FileUploaded\\\"\\n | join kind = inner \\n (\\n OfficeActivity\\n | where RecordType == \\\"SharePointFileOperation\\\"\\n | where Operation == \\\"FileAccessed\\\"\\n | where SourceRelativeUrl has \\\"Microsoft Teams Chat Files\\\"\\n | summarize FileAccessCount = count() by OfficeObjectId\\n | where FileAccessCount \u003e fileAccessThrehold\\n ) on $left.OfficeObjectId == 
$right.OfficeObjectId\\n )on $left.UPN == $right.UserId\\n | extend timestamp=TimeGenerated, AccountCustomEntity = UserWhoAdded\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Accessed files shared by temporary external user\",\"description\":\"This detection identifies an external user is added to a Team or Teams chat\\nand shares a files which is accessed by many users (\u003e10) and the users is removed within short period of time. This might be\\nan indicator of suspicious activity.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2020-08-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"name\":\"610d3850-c26f-4f20-8d86-f10fdf2425f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let EventNameList = dynamic([\\\"UpdateTrail\\\",\\\"DeleteTrail\\\",\\\"StopLogging\\\",\\\"DeleteFlowLogs\\\",\\\"DeleteEventBus\\\"]);\\nAWSCloudTrail\\n| where EventName in~ (EventNameList)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, 
IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Changes made to AWS CloudTrail logs\",\"description\":\"Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \\nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html \",\"lastUpdatedDateUTC\":\"2022-01-11T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"name\":\"3fbc20a4-04c4-464e-8fcb-6667f53e4987\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let failureCountThreshold = 5;\\nlet successCountThreshold = 1;\\nlet authenticationWindow = 20m;\\nSigninLogs\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = 
tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n| where AppDisplayName =~ \\\"Windows Sign In\\\"\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\")\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \\nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\\\"Failure\\\"), SuccessCount = countif(FailureOrSuccess==\\\"Success\\\") \\nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\\n| where FailureCount \u003e= failureCountThreshold and SuccessCount \u003e= successCountThreshold\\n| mvexpand IPAddress\\n| extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against a Cloud PC\",\"description\":\"Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time 
window.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/173f8699-6af5-484a-8b06-8c47ba89b380\",\"name\":\"173f8699-6af5-484a-8b06-8c47ba89b380\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"// Adjust this value to change how many Teams should be deleted before including\\nlet max_delete_count = 3;\\n// Adjust this value to change the timewindow the query runs over\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\" \\n| where Operation =~ \\\"TeamDeleted\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\\n| where array_length(DeletedTeams) \u003e max_delete_count\\n| extend timestamp = StartTime, AccountCustomEntity = UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple Teams deleted by a single user\",\"description\":\"This detection flags the occurrences of deleting multiple teams within an hour.\\nThis data is a part of Office 365 Connector in Microsoft Sentinel.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity 
(Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"name\":\"9f9c1e51-4fb1-4510-a675-c7c2fb32f47e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let knotweed_sigs = dynamic([\\\"JumplumpDropper\\\", \\\"Jumplump\\\", \\\"Corelump\\\", \\\"Medcerc\\\", \\\"SuspModuleLoad\\\", \\\"Mexlib\\\"]);\\n let mde_data = (DeviceInfo\\n | extend DeviceName = tolower(DeviceName)\\n | join kind=rightouter ( SecurityAlert\\n | where ProviderName =~ \\\"MDATP\\\"\\n | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in~ (knotweed_sigs)\\n | extend CompromisedEntity = tolower(CompromisedEntity)\\n ) on $left.DeviceName == $right.CompromisedEntity);\\n let event_data = ( Event\\n | where EventID in (1006, 1009, 1116, 1119)\\n | extend ThreatData = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_xml(EventData).DataItem)).EventData)).Data))\\n | mv-expand ThreatData\\n | where tostring(ThreatData.[\\\"@Name\\\"]) == \\\"Threat Name\\\"\\n | extend EventData = parse_xml(EventData)\\n | where tostring(ThreatData.[\\\"#text\\\"]) has_any (knotweed_sigs));\\n union mde_data, event_data\\n | extend ThreatName = iif(isnotempty(ThreatName), ThreatName, tostring(ThreatData.[\\\"#text\\\"]))\\n | extend ThreatFamilyName = iif(isnotempty(ThreatFamilyName), ThreatFamilyName, split(tostring(ThreatData.[\\\"#text\\\"]), \\\"/\\\")[-1])\\n | extend TimeGenerated = 
iif(isnotempty(TimeGenerated), TimeGenerated, TimeGenerated1)\\n | extend DeviceName = iif(isnotempty(DeviceName), DeviceName, Computer)\\n | project-reorder TimeGenerated, CompromisedEntity, ThreatName, ThreatFamilyName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED AV Detection\",\"description\":\"This query looks for Microsoft Defender AV detections related to the KNOTWEED threat actor and the Corelump and Jumplump malware.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f171045-88ab-4634-baae-a7b6509f483b\",\"name\":\"5f171045-88ab-4634-baae-a7b6509f483b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let Dev0530_threats = dynamic([\\\"Trojan:Win32/SiennaPurple.A\\\", \\\"Ransom:Win32/SiennaBlue.A\\\", \\\"Ransom:Win32/SiennaBlue.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = 
tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Dev0530_threats) or ThreatFamilyName in~ (Dev0530_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Dev-0530 actors\",\"description\":\"This query looks for Microsoft Defender AV detections related to Dev-0530 actors. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fbfbf530-506b-49a4-81ad-4030885a195c\",\"name\":\"fbfbf530-506b-49a4-81ad-4030885a195c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let alertTimeWindow = 1h;\\nlet logTimeWindow = 7d;\\n// Define script extensions that suit your web application environment - a sample are provided below\\nlet scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]); \\nlet alertData = materialize(SecurityAlert \\n| where TimeGenerated \u003e ago(alertTimeWindow) \\n| where ProviderName == \\\"MDATP\\\" \\n// Parse and expand the alert JSON \\n| extend alertData = parse_json(Entities) \\n| mvexpand alertData);\\nlet fileData = alertData\\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\\n| where alertData.Type =~ \\\"file\\\" \\n| where alertData.Name has_any(scriptExtensions) \\n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\\nlet hostData = alertData\\n// Extract server details from alerts and map to alert id\\n| where alertData.Type =~ \\\"host\\\"\\n| project HostName = tostring(alertData.HostName), 
DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\\n| distinct HostName, DnsDomain, SystemAlertId;\\n// Join the files on their impacted servers\\nlet webshellData = fileData\\n| join kind=inner (hostData) on SystemAlertId \\n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\\nwebshellData\\n| join ( \\n// Find requests that were made to this file on the impacted server in the W3CIISLog table \\nW3CIISLog \\n| where TimeGenerated \u003e ago(logTimeWindow) \\n// Restrict to accesses to script extensions \\n| where csUriStem has_any(scriptExtensions)\\n| extend splitUriStem = split(csUriStem, \\\"/\\\") \\n| extend FileName = splitUriStem[-1], HostName = sComputerName\\n// Summarize potential attacker activity\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \\n) on FileName, HostName\\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\\n// Expose the attacker ip address as a custom entity\\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts\",\"description\":\"Takes Microsoft Defender for Endpoint 
(formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\\nhas been provided in scriptExtensions that should be tailored to your environment.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-05-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5f0d80db-3415-4265-9d52-8466b7372e3a\",\"name\":\"5f0d80db-3415-4265-9d52-8466b7372e3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"AzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\"\\n// Look for useragents that include a redenring engine\\n| where UserAgent has_any (\\\"Gecko\\\", \\\"WebKit\\\", \\\"Presto\\\", \\\"Trident\\\", \\\"EdgeHTML\\\", \\\"Blink\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = 
IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Azure DevOps PAT used with Browser.\",\"description\":\"Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \\nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \\nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/86a036b2-3686-42eb-b417-909fc0867771\",\"name\":\"86a036b2-3686-42eb-b417-909fc0867771\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/delete\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Service Delete\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\\nMore information in this blog https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"name\":\"b2c15736-b9eb-4dae-8b02-3016b6a45a32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet createRoleAssignmentActivity = 
AzureActivity\\n| where OperationNameValue =~ \\\"microsoft.authorization/roleassignments/write\\\";\\ncreateRoleAssignmentActivity \\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\ncreateRoleAssignmentActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \\nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \\nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\\n) on CallerIpAddress, Caller\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Suspicious granting of permissions to an account\",\"description\":\"Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is 
used.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"name\":\"9fb57e58-3ed8-4b89-afcf-c8e786508b1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let szOperationNames = dynamic([\\\"Microsoft.Compute/virtualMachines/write\\\", \\\"Microsoft.Resources/deployments/write\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet RareCaller = AzureActivity\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\\n| join kind=rightantisemi (\\nAzureActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n) on Caller, ResourceGroup \\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress);\\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\\n| sort by ActivityCountByCaller desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious Resource deployment\",\"description\":\"Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen 
Caller.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4902eddb-34f7-44a8-ac94-8486366e9494\",\"name\":\"4902eddb-34f7-44a8-ac94-8486366e9494\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5000;\\n_Im_NetworkSession(eventresult=\u0027Failure\u0027)\\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\\n| where Count \u003e threshold\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\",\"customDetails\":{\"NumberOfDenies\":\"Count\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of failed connections from {{SrcIpAddr}}\",\"alertDescriptionFormat\":\"The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"Excessive number of failed connections from a single source (ASIM Network Session schema)\",\"description\":\"This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"name\":\"f7c3f5c8-71ea-49ff-b8b3-148f0e346291\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let known_locations = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where ResultType == 0\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | summarize by LocationDetail);\\n let known_asn = (SigninLogs\\n | where TimeGenerated between(ago(7d)..ago(1d))\\n | where 
ResultType == 0\\n | summarize by AutonomousSystemNumber);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where isempty(DeviceDetail.deviceId)\\n | where AuthenticationRequirement == \\\"singleFactorAuthentication\\\"\\n | extend LocationDetail = strcat(Location, \\\"-\\\", LocationDetails.state)\\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomolous Single Factor Signin\",\"description\":\"Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"name\":\"1572e66b-20a7-4012-9ec4-77ec4b101bc8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 1d;\\nlet 
endtime = 1h;\\nlet prev23hThreshold = 4;\\nlet prev1hThreshold = 15;\\nlet Kerbevent = (union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769\\n| parse EventData with * \u0027TicketEncryptionType\\\"\u003e\u0027 TicketEncryptionType \\\"\u003c\\\" *\\n| where TicketEncryptionType == \u00270x17\u0027\\n| parse EventData with * \u0027TicketOptions\\\"\u003e\u0027 TicketOptions \\\"\u003c\\\" *\\n| where TicketOptions == \u00270x40810000\u0027\\n| parse EventData with * \u0027Status\\\"\u003e\u0027 Status \\\"\u003c\\\" *\\n| where Status == \u00270x0\u0027\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" *\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\" \\n| parse EventData with * \u0027TargetUserName\\\"\u003e\u0027 TargetUserName \\\"\u003c\\\" *\\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| parse EventData with * \u0027IpAddress\\\"\u003e::ffff:\u0027 ClientIPAddress \\\"\u003c\\\" *\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(starttime)\\n| where EventID == 4769 and EventData has \u00270x17\u0027 and EventData has \u00270x40810000\u0027 and EventData has \u0027krbtgt\u0027\\n| extend TicketEncryptionType = tostring(EventData.TicketEncryptionType)\\n| where TicketEncryptionType == \u00270x17\u0027\\n| extend TicketOptions = tostring(EventData.TicketOptions)\\n| where TicketOptions == \u00270x40810000\u0027\\n| extend Status = tostring(EventData.Status)\\n| where Status == \u00270x0\u0027\\n| extend ServiceName = tostring(EventData.ServiceName)\\n| where ServiceName !contains \\\"$\\\" and ServiceName !contains \\\"krbtgt\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where TargetUserName !contains \\\"$@\\\" and TargetUserName !contains ServiceName\\n| extend ClientIPAddress = tostring(EventData.IpAddress) \\n));\\nlet Kerbevent23h = Kerbevent\\n| 
where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\\n| where ServiceNameCountPrev23h \u003c prev23hThreshold;\\nlet Kerbevent1h = \\nKerbevent\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \\nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\\nKerbevent1h \\n| join kind=leftanti\\n(\\nKerbevent23h\\n) on TargetUserName, TargetDomainName\\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\\n| where ServiceNameCountPrev1h \u003e prev1hThreshold\\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \\nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\\\"\\\\\\\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Potential Kerberoasting\",\"description\":\"A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \\nEach SPN is usually associated with a service account. 
Organizations may have used service accounts with weak passwords in their environment. \\nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \\na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \\nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \\nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/508cef41-2cd8-4d40-a519-b04826a9085f\",\"name\":\"508cef41-2cd8-4d40-a519-b04826a9085f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 1102 and EventSourceName == \\\"Microsoft-Windows-Eventlog\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, 
Activity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Security Event log cleared\",\"description\":\"Checks for event id 1102 which indicates the security event log was cleared.\\nIt uses Event Source Name \\\"Microsoft-Windows-Eventlog\\\" to avoid generating false positives from other sources, like AD FS servers for instance.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3ff0fffb-d963-40c0-b235-3404f915add7\",\"name\":\"3ff0fffb-d963-40c0-b235-3404f915add7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"GitHub 
Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. \",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ce02935c-cc67-4b77-9b96-93d9947e119a\",\"name\":\"ce02935c-cc67-4b77-9b96-93d9947e119a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"acrobatrelay.com\\\", \\\"finconsult.cc\\\", \\\"realmetaldns.com\\\"]); \\n(union isfuzzy=true \\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where DNSName in~ (DomainNames) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \\n), \\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession (url_has_any=DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 * \\n| where isnotempty(DNSName) \\n| where DNSName in~ (DomainNames) \\n| extend IPAddress = RemoteIp \\n), \\n( \\n DeviceNetworkEvents \\n| where 
isnotempty(RemoteUrl) \\n| where RemoteUrl has_any (DomainNames) \\n| extend IPAddress = RemoteIP \\n| extend Computer = DeviceName \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n) \\n) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"KNOTWEED C2 Domains July 2022\",\"description\":\"This query looks for references to known KNOTWEED Domains in network logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/594c653d-719a-4c23-b028-36e3413e632e\",\"name\":\"594c653d-719a-4c23-b028-36e3413e632e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"GitHubAudit\\n| where Action == \\\"org.disable_two_factor_requirement\\\"\\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT GitHub Two Factor Auth Disable\",\"description\":\"Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. 
\",\"lastUpdatedDateUTC\":\"2022-05-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"name\":\"50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" *\\n| where ParentCommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe -k DcomLaunch\\\" and CommandLine == \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe -Embedding\\\"\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, 
ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Lateral Movement via DCOM\",\"description\":\"This query detects a fairly uncommon attack technique using the Windows Distributed Component Object Model (DCOM) to make a remote execution call to another computer system and gain lateral movement throughout the network.\\nRef: http://thenegative.zone/incident%20response/2017/02/04/MMC20.Application-Lateral-Movement-Analysis.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"name\":\"b1832f60-6c3d-4722-a0a5-3d564ee61a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet DOMAIN_TI=ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName);\\nlet DOMAIN_TI_list= todynamic(toscalar(DOMAIN_TI | summarize NIoCs = dcount(DomainName), Domains = make_set(DomainName) \\n | project Domains=iff(NIoCs \u003e HAS_ANY_MAX, dynamic([]), Domains) ));\\nDOMAIN_TI\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n _Im_WebSession(starttime=ago(dt_lookBack), url_has_any= DOMAIN_TI_list )\\n //Extract domain patterns from syslog message\\n | extend domain = tostring(parse_url(Url)[\\\"Host\\\"])\\n | where isnotempty(domain)\\n | extend tld = tostring(split(domain, \u0027.\u0027)[-1])\\n | extend Event_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Event_TimeGenerated \u003c ExpirationDateTime\\n| summarize Event_TimeGenerated = arg_max(Event_TimeGenerated , *) by IndicatorId, domain\\n| project Event_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, domain, SrcIpAddr, Url\",\"customDetails\":{\"EventTime\":\"Event_TimeGenerated\",\"IoCDescription\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"IoCExpirationTime\":\"ExpirationDateTime\",\"IoCConfidenceScore\":\"ConfidenceScore\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"A web request from {{SrcIpAddr}} to hostname {{domain}} matched an IoC\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. 
Consult the threat intelligence blead for more information on the indicator.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Web Session Events (ASIM Web Session schema)\",\"description\":\"This rule identifies Web Sessions for which the target URL hostname is a known IoC. \u003cbr\u003e\u003cbr\u003eThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/643c2025-9604-47c5-833f-7b4b9378a1f5\",\"name\":\"643c2025-9604-47c5-833f-7b4b9378a1f5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit your environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold\\nlet aadFunc = (tableName:string){\\nlet Suspicious_signins = \\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize 
make_set(IPAddress);\\nSuspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet Suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into the AWS console\\nAWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult =~ \\\"Success\\\"\\n| where SourceIpAddress in (Suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to AWS Console\",\"description\":\"Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful AWS Console logons from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"name\":\"7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where Process has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where ObjectName has_any (scriptExtensions)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n (WindowsEvent\\n| where EventID == 4663 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\") and EventData has_any (scriptExtensions) \\n| where EventData has_any (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process has_any 
(\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (scriptExtensions)\\n| extend AccessMask = tostring(EventData.AccessMask)\\n| where AccessMask in (\u00270x2\u0027,\u00270x100\u0027, \u00270x10\u0027, \u00270x4\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\"\\n| where ActingProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n and\\n TargetFileName has_any (scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where ActionType =~ \\\"FileCreated\\\"\\n| where InitiatingProcessFileName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where FileName has_any(scriptExtensions)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountUpn\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM UM Service writing suspicious file\",\"description\":\"This query looks for the Exchange 
server UM process writing suspicious files that may be indicative of webshells.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d714ef62-1a56-4779-804f-91c4158e528d\",\"name\":\"d714ef62-1a56-4779-804f-91c4158e528d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let ImagesList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\"]); \\nlet OriginalFileNameList = dynamic ([\\\"sethc.exe\\\",\\\"utilman.exe\\\",\\\"osk.exe\\\",\\\"Magnify.exe\\\",\\\"Narrator.exe\\\",\\\"DisplaySwitch.exe\\\",\\\"AtBroker.exe\\\",\\\"SR.exe\\\",\\\"utilman2.exe\\\",\\\"ScreenMagnifier.exe\\\"]); \\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where Image has_any (ImagesList) and not (OriginalFileName has_any 
(OriginalFileNameList))\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Modification of Accessibility Features\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n Two common accessibility programs are C:\\\\Windows\\\\System32\\\\sethc.exe, launched when the shift key is pressed five times and C:\\\\Windows\\\\System32\\\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \\\"sticky keys\\\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\\nRef: https://attack.mitre.org/techniques/T1546/008/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"name\":\"f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 1;\\nAzureDiagnostics\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\",\\\"AzureFirewallNetworkRuleLog\\\")\\n | extend msg_s_replaced0 = replace(@\\\"\\\\s\\\\s\\\",@\\\" \\\",msg_s)\\n | extend msg_s_replaced1 = replace(@\\\"\\\\.\\\\s\\\",@\\\" \\\",msg_s_replaced0)\\n | extend msg_a = split(msg_s_replaced1,\\\" \\\")\\n | extend srcAddr_a = split(msg_a[3],\\\":\\\") , destAddr_a = split(msg_a[5],\\\":\\\")\\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = 
tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\\n | where action == \\\"Deny\\\"\\n | extend url = iff(destIp matches regex \\\"\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\\\\\\.\\\\\\\\d+\\\",\\\"\\\",destIp)\\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\\n | where count_ \u003e= [\\\"threshold\\\"]\\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"LateralMovement\",\"CommandAndControl\"],\"displayName\":\"Several deny actions registered\",\"description\":\"Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-10-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9d2eebc-5dcb-4888-8165-900db44443ab\",\"name\":\"b9d2eebc-5dcb-4888-8165-900db44443ab\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of hostnames for your DC servers\\n//let DCServersList = dynamic 
([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\nSecurityEvent\\n//| where Computer in (DCServersList)\\n| where EventID == 4662 and ObjectServer == \u0027DS\u0027\\n| where AccountType != \u0027Machine\u0027\\n| where Properties has \u00271131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes\\n or Properties has \u00271131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u0027 //DS-Replication-Get-Changes-All\\n or Properties has \u002789e95b76-444d-4c62-991a-0facbeda640c\u0027 //DS-Replication-Get-Changes-In-Filtered-Set\\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\\n| join kind=leftouter\\n(\\n SecurityEvent\\n //| where Computer in (DCServersList)\\n | where EventID == 4624 and LogonType == 3\\n | where AccountType != \u0027Machine\u0027\\n | project TargetLogonId, IpAddress\\n)\\non $left.SubjectLogonId == $right.TargetLogonId\\n| project-reorder TimeGenerated, Computer, Account, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Non Domain Controller Active Directory Replication\",\"description\":\"This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. 
Another detection rule can be created to cover domain controllers accounts doing at rare times.\\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"lastUpdatedDateUTC\":\"2021-11-08T00:00:00Z\",\"createdDateUTC\":\"2021-05-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"name\":\"75297f62-10a8-4fc1-9b2a-12f25c6f05a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let domain_lookBack= 14d;\\nlet timeframe = 1d;\\nlet top_million_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(domain_lookBack) and TimeGenerated \u003c ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| summarize count() by tostring(Hostname)\\n| top 1000000 by count_\\n| summarize make_list(Hostname);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| extend Hostname = parse_url(UrlOriginal)[\\\"Host\\\"]\\n| where Hostname !in (top_million_list)\\n| extend Message = \\\"Connect to unpopular website (possible malicious payload delivery)\\\"\\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = 
UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Connection to Unpopular Website Detected\",\"description\":\"Detects first connection to an unpopular website (possible malicious payload delivery).\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89a86f70-615f-4a79-9621-6f68c50f365f\",\"name\":\"89a86f70-615f-4a79-9621-6f68c50f365f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 7d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet HistThreshold = 25; \\nlet CurrThreshold = 10; \\nlet HistoricalThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), 
ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceVendor;\\nlet CurrentHourThreats = CommonSecurityLog\\n| where isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(timeframe)\\n| where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n| where Activity =~ \\\"THREAT\\\" and SimplifiedDeviceAction =~ \\\"alert\\\" \\n| where DeviceEventClassID in (\u0027spyware\u0027, \u0027scan\u0027, \u0027file\u0027, \u0027vulnerability\u0027, \u0027flood\u0027, \u0027packet\u0027, \u0027virus\u0027,\u0027wildfire\u0027, \u0027wildfire-virus\u0027)\\n| summarize TotalEvents = count(), ThreatTypes = make_set(DeviceEventClassID), DestinationIpList = make_set(DestinationIP), FirstSeen = min(TimeGenerated) , LastSeen = max(TimeGenerated) by SourceIP, DeviceAction, DeviceProduct, DeviceVendor;\\nCurrentHourThreats \\n| where TotalEvents \u003c CurrThreshold\\n| join kind = leftanti (HistoricalThreats \\n| where TotalEvents \u003e HistThreshold) on SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]}],\"tactics\":[\"Discovery\",\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"Palo Alto Threat signatures from Unusual IP addresses\",\"description\":\"Identifies Palo Alto Threat signatures from unusual IP addresses which are not historically seen. 
\\nThis detection is also leveraged and required for MDE and PAN Fusion scenario\\nhttps://docs.microsoft.com/Azure/sentinel/fusion-scenario-reference#network-request-to-tor-anonymization-service-followed-by-anomalous-traffic-flagged-by-palo-alto-networks-firewall\",\"lastUpdatedDateUTC\":\"2022-04-20T00:00:00Z\",\"createdDateUTC\":\"2022-03-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde\",\"name\":\"35a0792a-1269-431e-ac93-7ae2980d4dde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now() \\n| where Active == true\\n| where isnotempty(EmailSenderAddress)\\n| extend TI_emailEntity = EmailSenderAddress\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcUserUpn)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\\n\\n)\\non $left.TI_emailEntity == $right.ClientEmail\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\\n| project 
ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ClientEmail\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender in TI list\",\"description\":\"Email sender in TI list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"name\":\"c3b11fb2-9201-4844-b7b9-6b7bf6d9b851\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 200;\\n_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n| where isnotempty(DnsResponseCodeName)\\n//| where DnsResponseCodeName =~ \\\"NXDOMAIN\\\"\\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\\n| where count_ \u003e threshold\\n| join kind=inner (_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027)\\n ) on SrcIpAddr\\n| extend timestamp = TimeGenerated, IPCustomEntity = 
SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Excessive NXDOMAIN DNS Queries (ASIM DNS Schema)\",\"description\":\"This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a172107d-794c-48c0-bc26-d3349fe10b4d\",\"name\":\"a172107d-794c-48c0-bc26-d3349fe10b4d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) 
[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Dev-0530_July2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet IPList = (iocs | where Type =~ \\\"ip\\\"| project IoC);\\n(union isfuzzy=true \\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) \\nand InitiatingProcessCommandLine has (\u0027sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID, CommandLine\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( imFileEvent\\n| where Hash in~ 
(sha256Hashes) or ( ActingProcessCommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and ActingProcessCommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027cmd.exe /Q /c schtasks /create /tn lockertask /tr\u0027) and CommandLine has (\u0027/sc minute /mo 1 /F /ru system\u0027)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, 
InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(EmailEvents\\n| where SenderFromAddress == \u0027H0lyGh0st@mail2tor.com\u0027\\n| extend timestamp = TimeGenerated, IPCustomEntity = SenderIPv4, AccountCustomEntity = SenderFromAddress \\n),\\n(CommonSecurityLog \\n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) or FileHash in (sha256Hashes)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch , FileHash\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n), \\n(OfficeActivity \\n|extend SourceIPAddress = ClientIP, Account = UserId \\n| where SourceIPAddress in (IPList) \\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \\n),\\n(SigninLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(IPAddress) \\n| where IPAddress in (IPList) \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress \\n), \\n(W3CIISLog \\n| where isnotempty(cIP) \\n| where cIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \\n), \\n(AzureActivity \\n| where isnotempty(CallerIpAddress) \\n| where CallerIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \\n), \\n( \\nAWSCloudTrail \\n| where isnotempty(SourceIpAddress) \\n| where SourceIpAddress in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \\n), \\n( \\nDeviceNetworkEvents \\n| where isnotempty(RemoteIP) \\n| where RemoteIP in (IPList) \\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallNetworkRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 IOC - July 2022\",\"description\":\"Identifies a IOC match related to Dev-0530 actor across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceProcessEvents\",\"DeviceNetworkEvents\",\"EmailEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"name\":\"572e75ef-5147-49d9-9d65-13f2ed1e3a86\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let inviting_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser)\\n | summarize by invitingUser);\\n AuditLogs\\n 
| where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Invite external user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"invitedUserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Guest Users Invited to Tenant by New Inviters\",\"description\":\"Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts added should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500415fb-bba7-4227-a08a-9857fb61b6a7\",\"name\":\"500415fb-bba7-4227-a08a-9857fb61b6a7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload == \\\"Exchange\\\"\\n| where Operation in~ (\\\"New-TransportRule\\\", \\\"Set-TransportRule\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| extend RuleName = case(\\n Operation =~ \\\"Set-TransportRule\\\", OfficeObjectId,\\n Operation =~ \\\"New-TransportRule\\\", ParsedParameters.Name,\\n \\\"Unknown\\\")\\n| mv-expand ExpandedParameters = todynamic(Parameters)\\n| where ExpandedParameters.Name in~ (\\\"BlindCopyTo\\\", \\\"RedirectMessageTo\\\") and isnotempty(ExpandedParameters.Value)\\n| extend RedirectTo = ExpandedParameters.Value\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), 
Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"Mail redirect via ExO transport rule\",\"description\":\"Identifies when Exchange Online transport rule configured to forward emails.\\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.\",\"lastUpdatedDateUTC\":\"2022-04-18T00:00:00Z\",\"createdDateUTC\":\"2020-05-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/500c103a-0319-4d56-8e99-3cec8d860757\",\"name\":\"500c103a-0319-4d56-8e99-3cec8d860757\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\" \\n| where ResultDescription == \\\"User account is disabled. 
The account has been disabled by an administrator.\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \\ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \\napplicationSet = make_set(AppDisplayName) by IPAddress, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind= leftouter (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n table(tableName)\\n | where ResultType == 0\\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n) on IPAddress \\n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\\nThis could 
indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-22T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"name\":\"e7470b35-0128-4508-bfc9-e01cfb3c2eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n | where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n | parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" *\\n | where ParentImage has \\\"svchost.exe\\\" and Image has \\\"rundll32.exe\\\" and CommandLine has \\\"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\\\"\\n | parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User 
\\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Detecting Macro Invoking ShellBrowserWindow COM Objects\",\"description\":\"This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\\nRef: 
https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"name\":\"c2da1106-bfe4-4a63-bf14-5ab73130ccd5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where ScanStatus == \\\"Failed\\\"\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan Failure\",\"description\":\"Identifies if an AV scan fails in Azure App 
Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"name\":\"68271db2-cbe9-4009-b1d3-bb3b5fe5713c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let User_Agents = dynamic ([\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\\\", \\n\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\\\", \\n\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\", \\n\\\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = todynamic(ExtendedProperties).Value\\n| where UserAgent =~ \\\"ms-office\\\" or UserAgent has_any (User_Agents)\\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Oct 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"name\":\"e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let threshold = 15;\\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\\n// IP address of system attempting logon is also extracted from the SyslogMessage field. 
Some of these messages\\n// are aggregated.\\nSyslog\\n| where Facility =~ \\\"authpriv\\\"\\n| where SyslogMessage has \\\"authentication failure\\\" and SyslogMessage has \\\" uid=0\\\"\\n| parse SyslogMessage with * \\\"rhost=\\\" RemoteIP\\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\\n| join kind=innerunique (\\n // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \\n Syslog \\n | where Facility =~ \\\"authpriv\\\"\\n | where SyslogMessage has \\\"user unknown\\\"\\n | project Computer, HostIP, ProcessID\\n ) on Computer, HostIP, ProcessID\\n// Count the number of failed logon attempts by External IP and internal machine\\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\\n| where TotalLogonAttempts \u003e= threshold\\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\\n| sort by DestinationHost asc nulls last\\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts in authpriv\",\"description\":\"Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \\nisn\u0027t provisioned on the machine. 
A few hits could indicate someone attempting to access a machine they aren\u0027t authorized to access. \\nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \\nDefault threshold for logon attempts is 15.\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f041e01d-840d-43da-95c8-4188f6cef546\",\"name\":\"f041e01d-840d-43da-95c8-4188f6cef546\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d;\\nlet RunTime = 1h;\\nlet StartTime = 1h;\\nlet EndRunTime = StartTime - RunTime;\\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet GitHubCountryCodeLogs = (GitHubAudit\\n| where Country != \\\"\\\");\\n GitHubCountryCodeLogs\\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\\n| summarize makeset(Country) by Actor\\n| join kind=innerunique (\\n GitHubCountryCodeLogs\\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\\n | distinct Country, Actor, TimeGenerated\\n) on Actor \\n| where set_Country !contains Country\\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"GitHub Activites from a New Country\",\"description\":\"Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/40ba9493-4183-4eee-974f-87fe39c8f267\",\"name\":\"40ba9493-4183-4eee-974f-87fe39c8f267\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Identity alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Identity\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(AATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"name\":\"4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 50;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where TimeGenerated \u003e ago(endtime)\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\\n// More than 50 downloads/uploads from a new IP\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e= ago(endtime) \\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\\n| where Start_Time between(min_Start_Time .. 
max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via previously unseen IPs\",\"description\":\"Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\\nexceeds a threshold (default is 50).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4a3073ac-7383-48a9-90a8-eb6716183a54\",\"name\":\"4a3073ac-7383-48a9-90a8-eb6716183a54\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", 
@\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nDeviceProcessEvents\\n| where InitiatingProcessFileName =~ \\\"solarwinds.businesslayerhost.exe\\\"\\n| where not(FolderPath has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\n HostCustomEntity = DeviceName,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = MD5\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- 
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-02-01T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"name\":\"d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet msgthreshold = 3;\\nlet msgszthreshold = 3000000;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where NetworkBytes \u003e msgszthreshold\\n| summarize count() by SrcUserUpn, DstUserUpn\\n| where count_ \u003e msgthreshold\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple large emails to the same recipient\",\"description\":\"Detects when multiple emails with large size where sent to the same 
recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6dd2629c-534b-4275-8201-d7968b4fa77e\",\"name\":\"6dd2629c-534b-4275-8201-d7968b4fa77e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 4657\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\"), OperationType = column_ifexists(\u0027OperationType\u0027, \\\"\\\"), ObjectValueName = column_ifexists(\u0027ObjectValueName\u0027, \\\"\\\")\\n| where ObjectName has \u0027Schedule\\\\\\\\TaskCache\\\\\\\\Tree\u0027 and ObjectValueName == \\\"SD\\\" and OperationType == \\\"%%1906\\\" // %%1906 - Registry value deleted\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Scheduled Task Hide\",\"description\":\"This query detects attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task disappearing from schtasks /query and Task Scheduler.\\n The query requires auditing to be turned on for HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree registry hive as well as audit policy for registry auditing to be turned on.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\\n Reference: https://4sysops.com/archives/audit-changes-in-the-windows-registry/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"name\":\"3f0c20d5-6228-48ef-92f3-9ff7822c1954\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let 
threatCategory=\\\"Hacking Tool\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Host {{SrcIpAddr}} is potentially running a hacking tool\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by a hacking tool and indicates suspicious activity on the host.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a hacking tool (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a hacking tool. 
This indicates a hacking tool is used on the host.\u003cbr\u003eYou can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe\",\"name\":\"738702fd-0a66-42c7-8586-e30f0583f8fe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"DeviceEvents\\n| where ActionType has \\\"ExploitGuardNonMicrosoftSignedBlocked\\\"\\n| where InitiatingProcessFileName contains \\\"svchost.exe\\\" and FileName contains \\\"NetSetupSvc.dll\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = 
\\\"SHA1\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"TEARDROP memory-only dropper\",\"description\":\"Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window\u0027s defender Exploit Guard activity\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"name\":\"a4025a76-6490-4e6b-bb69-d02be4b03f07\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by 
IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureNetworkAnalytics_CL\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\\n | extend PIPs = split(PublicIPs_s, \u0027|\u0027, 0)\\n | extend PIP = tostring(PIPs[0])\\n)\\non $left.TI_ipEntity == $right.PIP\\n| where AzureNetworkAnalytics_CL_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\\n| where FlowStatus_s == \\\"A\\\"\\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)\",\"description\":\"Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/968358d6-6af8-49bb-aaa4-187b3067fb95\",\"name\":\"968358d6-6af8-49bb-aaa4-187b3067fb95\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let successCodes = dynamic([200, 302, 401]);\\nW3CIISLog\\n| where scStatus has_any (successCodes)\\n| where ipv4_is_private(cIP) == False\\n| where csUriStem hasprefix \\\"/autodiscover/autodiscover.json\\\"\\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, 
csUriQuery, Computer, csUserName, _ResourceId, FileUri\\n| where (csUriQuery !has \\\"Protocol\\\" and isnotempty(csUriQuery))\\nor (csUriQuery has_any(\\\"/mapi/\\\", \\\"powershell\\\"))\\nor (csUriQuery contains \\\"@\\\" and csUriQuery matches regex @\\\"\\\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\\\/)\\\")\\nor (csUriQuery contains \\\":\\\" and csUriQuery matches regex @\\\"\\\\:[0-9]{2,4}\\\\/\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange SSRF Autodiscover ProxyShell - Detection\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit patterns recently\\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. 
In the example\\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-09T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"name\":\"999e9f5d-db4a-4b07-a206-29c4e667b7e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX = 10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet DomainTIs= ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n | where Active == true\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \\n | project DomainList = iff(NDomains \u003e HAS_ANY_MAX, dynamic([]), DomainsList) ;\\nDomainTIs\\n | join (\\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.DnsQuery\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"DnsQuery\":\"DnsQuery\",\"QueryType\":\"DnsQueryType\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map Domain entity to Dns Events (ASIM DNS Schema)\",\"description\":\"Identifies a match in DNS events from any Domain IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f2dd4a3a-ebac-4994-9499-1a859938c947\",\"name\":\"f2dd4a3a-ebac-4994-9499-1a859938c947\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 5;\\nlet bytessentperhourthreshold = 10;\\nlet TimeSeriesData = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false\\n| extend DeviceVendor = 
\\\"VMConnection\\\"\\n| project TimeGenerated, BytesSent, DeviceVendor\\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where ipv4_is_private(DestinationIP) == false\\n| project TimeGenerated, SentBytes, DeviceVendor\\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\\n)\\n);\\n//Filter anomolies against TimeSeriesData\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0 | extend AnomalyHour = TimeGenerated\\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\n//Union of all BaseLogs aggregated per hour\\nlet BaseLogs = (union isfuzzy=true\\n(\\nCommonSecurityLog\\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where ipv4_is_private(DestinationIP) == false\\n| extend SentBytesinMB = ((SentBytes / 
1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n),\\n(\\nVMConnection\\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\\n| where TimeGenerated \u003e ago(2d)\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\\n| where ipv4_is_private(DestinationIP) == false | extend DeviceVendor = \\\"VMConnection\\\"\\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\\n| where TotalSentBytesinMB \u003e bytessentperhourthreshold\\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking 
the dataset per Hourly Partition\\n| where Rank \u003c 10 // Selecting Top 10 records with Highest BytesSent in each Hour\\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\\n)\\n);\\n// Join against base logs to retrive records associated with the hour of anomoly\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\\n) on DeviceVendor, AnomalyHour | sort by score desc\\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Time series anomaly for data size transferred to public internet\",\"description\":\"Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\\nThe higher the score, the further it is from the baseline value.\\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"name\":\"06bbf969-fcbe-43fa-bac2-b2fa131d113a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\MicrosoftOnline\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet 
aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n \u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n ( WindowsEvent\\n| where EventID == \u00274656\u0027 
and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n( WindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Service Agents Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent.\\nMake sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a35f2c18-1b97-458f-ad26-e033af18eb99\",\"name\":\"a35f2c18-1b97-458f-ad26-e033af18eb99\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.2\",\"severity\":\"Low\",\"query\":\"// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\\nlet WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nunion isfuzzy=true \\n(\\nSecurityEvent \\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) \\n| where TargetSid 
matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group\\n| where EventID in (4728, 4732, 4756) and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n// When MemberName contains \u0027-\u0027 this indicates addition of a group to a group\\n| where AccountType == \\\"User\\\" and MemberName != \\\"-\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\\\",OU|,CN\\\") - 3)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = 
tostring(EventData.TargetDomainName)\\n| extend UserPrincipalName = tostring(EventData.UserPrincipalName)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| project TimeGenerated, EventID, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User account added to built in domain local or global group\",\"description\":\"Identifies when a user account has been added to a privileged built in domain local group or global group \\nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"name\":\"2acc91c3-17c2-4388-938e-4eac2d5894e8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"W3CIISLog\\n| where csMethod == \u0027GET\u0027\\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\\n| where csUriStem contains \\\"logoimagehandler.ashx\\\"\\n| where csUriQuery contains \\\"codes\\\" and csUriQuery contains \\\"clazz\\\" and csUriQuery contains \\\"method\\\" and csUriQuery contains \\\"args\\\"\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"CommandAndControl\"],\"displayName\":\"SUPERNOVA webshell\",\"description\":\"Identifies SUPERNOVA webshell based on W3CIISLog 
data.\\n References:\\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-01-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/223db5c1-1bf8-47d8-8806-bed401b356a4\",\"name\":\"223db5c1-1bf8-47d8-8806-bed401b356a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let timeRange = 1d;\\nlet lookBack = 7d;\\nlet threshold_Failed = 5;\\nlet threshold_FailedwithSingleIP = 20;\\nlet threshold_IPAddressCount = 2;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet aadFunc = (tableName:string){\\nlet azPortalSignins = materialize(table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n// Azure Portal only\\n| where AppDisplayName =~ \\\"Azure Portal\\\")\\n;\\nlet successPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n// Tagging identities not resolved to friendly names\\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n| distinct TimeGenerated, UserPrincipalName\\n;\\nlet failPortalSignins = azPortalSignins\\n| where TimeGenerated \u003e= ago(timeRange)\\n// Azure Portal only and exclude non-failure Result Types\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70044\\\", \\\"70043\\\")\\n// 
Tagging identities not resolved to friendly names\\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\\n;\\n// Verify there is no success for the same connection attempt after the fail\\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\\n successPortalSignins \\n) on UserPrincipalName\\n| where TimeGenerated \u003e TimeGenerated1 or isempty(TimeGenerated1)\\n| project-away TimeGenerated1, UserPrincipalName1\\n;\\n// Lookup up resolved identities from last 7 days\\nlet identityLookup = azPortalSignins\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\\n// Join resolved names to unresolved list from portal signins\\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\\n identityLookup \\n) on UserId\\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\\nu_azPortalSignins\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend Status = strcat(ResultType, \\\": \\\", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n| extend FullLocation = strcat(Region,\u0027|\u0027, State, \u0027|\u0027, City)\\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\\nby UserPrincipalName, 
UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\\n| mvexpand TimeGenerated, IPAddresses, Status\\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\\n| project-away IPAddresses\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\\n| where (IPAddressCount \u003e= threshold_IPAddressCount and FailedLogonCount \u003e= threshold_Failed) or FailedLogonCount \u003e= threshold_FailedwithSingleIP\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed login attempts to Azure Portal\",\"description\":\"Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \\nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\\nThe following are excluded due to success and non-failure results:\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n0 - successful logon\\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\\n50140 - This error occurred due to \u0027Keep me signed in\u0027 interrupt when the user was signing-in.\",\"lastUpdatedDateUTC\":\"2022-04-21T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acc4c247-aaf7-494b-b5da-17f18863878a\",\"name\":\"acc4c247-aaf7-494b-b5da-17f18863878a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where OperationName in (\\\"Invite external user\\\", \\\"Bulk invite users - started (bulk)\\\", \\\"Invite external user with reset invitation status\\\")\\n| extend InitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\\n// Uncomment the following line to filter events where the inviting user was a guest user\\n//| where InitiatedBy has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend InvitedUser = TargetResources[0].userPrincipalName\\n| mv-expand UserToCompare = 
pack_array(InitiatedBy, InvitedUser) to typeof(string)\\n| where UserToCompare has_any (\\\"live.com#\\\", \\\"#EXT#\\\")\\n| extend\\n parsedUser = replace_string(tolower(iff(UserToCompare startswith \\\"live.com#\\\", tostring(split(UserToCompare, \\\"#\\\")[1]), tostring(split(UserToCompare, \\\"#EXT#\\\")[0]))), \\\"@\\\", \\\"_\\\"),\\n InvitationTime = TimeGenerated\\n| join (\\n (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs)\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where UserType != \\\"Member\\\"\\n | where AppId has_any\\n (\\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\",// Azure Active Directory PowerShell\\n \\\"04b07795-8ddb-461a-bbee-02f9e1bf7b46\\\",// Microsoft Azure CLI\\n \\\"1950a258-227b-4e31-a9cf-717495945fc2\\\",// Microsoft Azure PowerShell\\n \\\"a0c73c16-a7e3-4564-9a95-2bdf47383716\\\",// Microsoft Exchange Online Remote PowerShell\\n \\\"fb78d390-0c51-40cd-8e17-fdbfab77341b\\\",// Microsoft Exchange REST API Based Powershell\\n \\\"d1ddf0e4-d672-4dae-b554-9d5bdfd93547\\\",// Microsoft Intune PowerShell\\n \\\"9bc3ab49-b65d-410a-85ad-de819febfddc\\\",// Microsoft SharePoint Online Management Shell\\n \\\"12128f48-ec9e-42f0-b203-ea49fb6af367\\\",// MS Teams Powershell Cmdlets\\n \\\"23d8f6bd-1eb0-4cc2-a08c-7bf525c67bcd\\\",// Power BI PowerShell\\n \\\"31359c7f-bd7e-475c-86db-fdb8c937548e\\\",// PnP Management Shell\\n \\\"90f610bf-206d-4950-b61d-37fa6fd1b224\\\" // Aadrm Admin Powershell\\n )\\n | summarize arg_min(TimeGenerated, *) by UserPrincipalName\\n | extend\\n parsedUser = replace_string(UserPrincipalName, \\\"@\\\", \\\"_\\\"),\\n SigninTime = TimeGenerated\\n )\\n on parsedUser\\n| project InvitationTime, InitiatedBy, OperationName, InvitedUser, SigninTime, SigninCategory = Category1, SigninUserPrincipalName = UserPrincipalName, IPAddress, AppDisplayName, ResourceDisplayName, UserAgent, InvitationAdditionalDetails = AdditionalDetails, InvitationTargetResources = 
TargetResources\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InvitedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\",\"Discovery\"],\"displayName\":\"External guest invitation followed by Azure AD PowerShell signin\",\"description\":\"By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests\\nusers, who have been invited or have invited recently, who also are logging via various PowerShell CLI.\\nRef : \u0027https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"name\":\"3af9285d-bb98-4a35-ad29-5ea39ba0c628\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 1;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \\\"failure\\\"\\n| extend DeviceDetail = 
todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\\n| extend Status = strcat(StatusCode, \\\": \\\", ResultDescription) \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \\nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\\n| where IPAddressCount \u003e threshold and StatusDetails !has \\\"MFA successfully completed\\\"\\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\\n| extend Status = strcat(Status, \\\" \\\", StatusDetails)\\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \\nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Attempt to bypass conditional access rule in Azure AD\",\"description\":\"Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\\nReferences: \\nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\nConditionalAccessStatus == 0 // Success\\nConditionalAccessStatus == 1 // Failure\\nConditionalAccessStatus == 2 // Not Applied\\nConditionalAccessStatus == 3 // 
unknown\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b904747-1336-4363-8d84-df2710bfe5e7\",\"name\":\"0b904747-1336-4363-8d84-df2710bfe5e7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only 
need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureDiagnostics\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where OperationName in (\\\"AzureFirewallApplicationRuleLog\\\", \\\"AzureFirewallNetworkRuleLog\\\")\\n | parse kind=regex flags=U msg_s with Protocol \u0027request from \u0027 SourceHost \u0027to \u0027 DestinationHost @\u0027\\\\.? Action: \u0027 Firewall_Action @\u0027\\\\.\u0027 Rest_msg\\n | extend SourceAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, SourceHost)\\n | extend DestinationAddress = extract(@\u0027([\\\\.0-9]+)(:[\\\\.0-9]+)?\u0027, 1, DestinationHost)\\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \\\"\\\")\\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\\n | where isnotempty(RemoteIP)\\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where AzureFirewall_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Firewall_Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI 
map IP entity to AzureFirewall\",\"description\":\"Identifies a match in AzureFirewall (NetworkRule \u0026 ApplicationRule Logs) from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"name\":\"4ebbb5c2-8802-11ec-a8a3-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of decoy users (usernames) \\\"Case Sensitive\\\"\\nlet MaliciousServiceArtifacts = dynamic ([\\\"fgexec\\\",\\\"cachedump\\\",\\\"mimikatz\\\",\\\"mimidrv\\\",\\\"wceservice\\\",\\\"pwdump\\\"]);\\nEvent\\n| where Source == \\\"Service Control Manager\\\" and EventID == 7045\\n| parse EventData with * \u0027ServiceName\\\"\u003e\u0027 ServiceName \\\"\u003c\\\" * \u0027ImagePath\\\"\u003e\u0027 ImagePath \\\"\u003c\\\" *\\n| where ServiceName has_any (MaliciousServiceArtifacts) or ImagePath has_any (MaliciousServiceArtifacts)\\n| parse EventData with * \u0027AccountName\\\"\u003e\u0027 AccountName \\\"\u003c\\\" *\\n|summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, ServiceName, ImagePath, 
AccountName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountName\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ImagePath\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - Service Installation\",\"description\":\"This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz.\\nRef: https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"name\":\"adc32a33-1cd6-46f5-8801-e3ed8337885f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\\nlet allowed_sources = dynamic([\\\"NuGet Gallery\\\"]);\\nlet allowed_locations = dynamic([\\\"https://api.nuget.org/v3/index.json\\\"]);\\nAzureDevOpsAuditing\\n// Look for feeds created or modified at either the organization or project level\\n| where OperationName matches regex \\\"Artifacts.Feed.(Org|Project).Modify\\\"\\n| where Details has 
\\\"UpstreamSources, added\\\"\\n| extend FeedName = tostring(Data.FeedName)\\n| extend FeedId = tostring(Data.FeedId)\\n| extend UpstreamsAdded = Data.UpstreamsAdded\\n// As multiple feeds may be added expand these out\\n| mv-expand UpstreamsAdded\\n// Only focus on external feeds\\n| where UpstreamsAdded.UpstreamSourceType !~ \\\"internal\\\"\\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\\n| extend SourceName = tostring(UpstreamsAdded.Name)\\n// Exclude sources and locations in the allow list\\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"External Upstream Source Added to Azure DevOps Feed\",\"description\":\"The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
\\nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"name\":\"feb0a2fb-ae75-4343-8cbc-ed545f1da289\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let VIPUsers = (IdentityInfo\\n| where AssignedRoles contains \\\"Admin\\\"\\n| summarize by tolower(AccountUPN));\\nAuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName =~ \\\"User registered security info\\\"\\n| where LoggedByService =~ \\\"Authentication Methods\\\"\\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| where AccountCustomEntity in (VIPUsers)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Method Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. 
This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"name\":\"2937bc6b-7cda-4fba-b452-ea43ba8e835f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| where ObjectClass == \\\"computer\\\" and AttributeLDAPDisplayName == \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, ObjectDN, 
AttributeLDAPDisplayName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Possible Resource-Based Constrained Delegation Abuse\",\"description\":\"This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \\nThis query checks for event id 5136 that the Object Class field is \\\"computer\\\" and the LDAP Display Name is \\\"msDS-AllowedToActOnBehalfOfOtherIdentity\\\" which is an indicator of Resource-based constrained delegation.\\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"name\":\"89e6adbd-612c-4fbe-bc3d-32f81baf3b6c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT4H\",\"queryPeriod\":\"PT4H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Change to true to monitor for Project Administrator adds to *any* project\\nlet MonitorAllProjects = false;\\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\\nlet ProjectsToMonitor = 
dynamic([\u0027\u003cproject_X\u003e\u0027,\u0027\u003cproject_Y\u003e\u0027]);\\nAzureDevOpsAuditing\\n| where Area == \\\"Group\\\" and OperationName == \\\"Group.UpdateGroupMembership.Add\\\"\\n| where Details has \u0027Administrators\u0027\\n| where Details has \\\"was added as a member of group\\\" and (Details endswith \u0027\\\\\\\\Project Administrators\u0027 or Details endswith \u0027\\\\\\\\Project Collection Administrators\u0027)\\n| parse Details with AddedIdentity \u0027 was added as a member of group [\u0027 EntityName \u0027]\\\\\\\\\u0027 GroupName\\n| extend Level = iif(GroupName == \u0027Project Collection Administrators\u0027, \u0027Organization\u0027, \u0027Project\u0027), AddedIdentityId = Data.MemberId\\n| extend Severity = iif(Level == \u0027Organization\u0027, \u0027High\u0027, \u0027Medium\u0027), AlertDetails = strcat(\u0027At \u0027, TimeGenerated, \u0027 UTC \u0027, ActorUPN, \u0027/\u0027, ActorDisplayName, \u0027 added \u0027, AddedIdentity, \u0027 to the \u0027, EntityName, \u0027 \u0027, Level)\\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == \u0027Organization\u0027\\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \\n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Azure DevOps Administrator Group Monitoring\",\"description\":\"This detection monitors for additions to projects or project collection administration groups in an Azure DevOps 
Organization.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"name\":\"473d57e6-f787-435c-a16b-b38b51fa9a4b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let servicelist = dynamic([\u0027Services\\\\\\\\HealthService\u0027, \u0027Services\\\\\\\\Sense\u0027, \u0027Services\\\\\\\\WinDefend\u0027, \u0027Services\\\\\\\\MsSecFlt\u0027, \u0027Services\\\\\\\\DiagTrack\u0027, \u0027Services\\\\\\\\SgrmBroker\u0027, \u0027Services\\\\\\\\SgrmAgent\u0027, \u0027Services\\\\\\\\AATPSensorUpdater\u0027 , \u0027Services\\\\\\\\AATPSensor\u0027, \u0027Services\\\\\\\\mpssvc\u0027]);\\nlet filename = dynamic([\\\"subinacl.exe\\\",\u0027SetACL.exe\u0027]);\\nlet parameters = dynamic ([\u0027/deny=SYSTEM\u0027, \u0027/deny=S-1-5-18\u0027, \u0027/grant=SYSTEM=r\u0027, \u0027/grant=S-1-5-18=r\u0027, \u0027n:SYSTEM;p:READ\u0027, \u0027n1:SYSTEM;ta:remtrst;w:dacl\u0027]);\\nlet FullAccess = dynamic([\u0027A;CI;KA;;;SY\u0027, \u0027A;ID;KA;;;SY\u0027, \u0027A;CIID;KA;;;SY\u0027]);\\nlet ReadAccess = dynamic([\u0027A;CI;KR;;;SY\u0027, \u0027A;ID;KR;;;SY\u0027, \u0027A;CIID;KR;;;SY\u0027]);\\nlet DenyAccess = dynamic([\u0027D;CI;KR;;;SY\u0027, \u0027D;ID;KR;;;SY\u0027, \u0027D;CIID;KR;;;SY\u0027]);\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName has_any 
(servicelist)\\n| parse EventData with * \u0027OldSd\\\"\u003e\u0027 OldSd \\\"\u003c\\\" *\\n| parse EventData with * \u0027NewSd\\\"\u003e\u0027 NewSd \\\"\u003c\\\" *\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been given denied permission\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4670 and EventData has_any (servicelist) and EventData has \u0027Key\u0027\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName has_any (servicelist)\\n| extend OldSd = tostring(EventData.OldSd)\\n| extend NewSd = tostring(EventData.NewSd)\\n| extend Reason = case( (OldSd has \u0027;;;SY\u0027 and NewSd !has \u0027;;;SY\u0027), \u0027System Account is removed\u0027, (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , \u0027System permission has been changed to read from full access\u0027, (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), \u0027System account has been 
given denied permission\u0027, \u0027None\u0027)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend ProcessId = tostring(EventData.ProcessId)\\n| extend Activity= \\\"4670 - Permissions on an object were changed.\\\"\\n| extend HandleId = tostring(EventData.HandleId)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\\n),\\n(\\nWindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688 and EventData has_any (filename) and EventData has_any (servicelist) and EventData has_any (parameters)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ProcessName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ProcessName in~ (filename) \\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountDomain = tostring(EventData.AccountDomain)\\n| extend Activity=\\\"4688 - A new process has been created.\\\"\\n| extend EventSourceName=Provider\\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessFileName in~ (filename) \\n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\\n| project 
TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Security Service Registry ACL Modification\",\"description\":\"Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \\n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. 
\\n Reference on guidance for enabling registry auditing:\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\\n - https://github.com/OTRF/Set-AuditRule \\n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-01-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"name\":\"29283b22-a1c0-4d16-b0a9-3460b655a46a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let UserAgentString = dynamic ([\\\"${jndi:ldap:/\\\", \\\"${jndi:rmi:/\\\", \\\"${jndi:ldaps:/\\\", \\\"${jndi:dns:/\\\", 
\\\"${jndi:iiop:/\\\",\\\"${jndi:\\\",\\\"${jndi:nds:/\\\",\\\"${jndi:corba/\\\"]);\\nlet UARegexMinimalString=dynamic([\u0027{\u0027,\u0027%7b\u0027, \u0027%7B\u0027]);\\nlet UARegex = @\u0027(\\\\\\\\$|%24)(\\\\\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\\\\\$|%24|}|%7D)\u0027;\\n(union isfuzzy=true\\n(OfficeActivity\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AzureDiagnostics\\n| where Category in (\\\"FrontdoorWebApplicationFirewallLog\\\", \\\"FrontdoorAccessLog\\\", \\\"ApplicationGatewayFirewallLog\\\", \\\"ApplicationGatewayAccessLog\\\")\\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\\n),\\n(\\nW3CIISLog\\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(SigninLogs\\n| where 
UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n),\\n(_Im_WebSession (httpuseragent_has_any=array_concat(UserAgentString,UARegexMinimalString))\\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Url, Type\\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User agent search for log4j exploitation attempt\",\"description\":\"This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. 
Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"name\":\"3255ec41-6bd6-4f35-84b1-c032b18bbfcb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let starttime = 1d;\\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \\nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\\nCommonSecurityLog\\n| where DeviceVendor == \\\"Fortinet\\\"\\n| where TimeGenerated \u003e ago(starttime)\\n// eliminate bad data\\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \\\"0.0.0.0\\\"\\n// filter out deny, close, rst and SNMP to reduce data volume\\n| where DeviceAction !in (\\\"close\\\", \\\"client-rst\\\", \\\"server-rst\\\", \\\"deny\\\") and DestinationPort != 161\\n// map input fields\\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \\n// where destination IPs are public\\n| where ipv4_is_private(DestinationIP) == false\\n// sort into source-\u003edestination \u0027sessions\u0027\\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\\n| serialize\\n// time diff the contact times between source and destination to get a list of deltas\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\\\"second\\\",nextTimeGenerated,TimeGenerated)\\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\\n// remove small time deltas below the set threshold\\n| where TimeDeltainSeconds \u003e TimeDeltaThresholdInSeconds\\n// summarize the deltas by source-\u003edestination\\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. 
laptop shut overnight, working hours)\\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\\n// expand the deltas and the outliers\\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\\n// replace outliers with the average of the distribution\\n| extend list_TimeDeltainSeconds_normalized=iff(outliers \u003e 1.5 or outliers \u003c -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\\n// summarize with the smoothed distribution\\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\\n// get stats on the smoothed distribution\\n| extend series_stats(list_TimeDeltainSeconds_normalized)\\n// match jitter tolerance on smoothed distrib\\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev \u003c MaxJitter\\n// where the minimum beacon threshold is satisfied and there was some data transfer\\n| where BeaconCount \u003e TotalBeaconsThreshold and (sum_SentBytes \u003e 0 or sum_ReceivedBytes \u003e 0)\\n// final projection\\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\\n| where Periodicity \u003e= (10*TimeDeltaThresholdInSeconds)\\n| extend timestamp = StartTime, IPCustomEntity = 
DestinationIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Fortinet - Beacon pattern detected\",\"description\":\"Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\\n detection is set to 4.\\n Increase the lookback period to capture beacons with larger periodicities.\\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\\n automatically using series_outliers.\\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2020-03-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/80733eb7-35b2-45b6-b2b8-3c51df258206\",\"name\":\"80733eb7-35b2-45b6-b2b8-3c51df258206\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", 
\\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\", \\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = 
extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. 
\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"name\":\"3b05727d-a8d1-477d-bbdd-d957da96ac7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has_any (\\\"ForwardTo\\\", \\\"RedirectTo\\\", \\\"ForwardingSmtpAddress\\\")\\n| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))\\n| evaluate bag_unpack(ParsedParameters, columnsConflict=\u0027replace_source\u0027)\\n| extend DestinationMailAddress = tolower(case(\\n isnotempty(column_ifexists(\\\"ForwardTo\\\", \\\"\\\")), column_ifexists(\\\"ForwardTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"RedirectTo\\\", \\\"\\\")), column_ifexists(\\\"RedirectTo\\\", \\\"\\\"),\\n isnotempty(column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")), trim_start(@\\\"smtp:\\\", column_ifexists(\\\"ForwardingSmtpAddress\\\", \\\"\\\")),\\n \\\"\\\"))\\n| where isnotempty(DestinationMailAddress)\\n| mv-expand split(DestinationMailAddress, \\\";\\\")\\n| extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n| extend ClientIP = tostring(ClientIPValues[0]), Port = 
tostring(ClientIPValues[1])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\\n| where DistinctUserCount \u003e 1\\n| mv-expand UserId to typeof(string)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Collection\",\"Exfiltration\"],\"displayName\":\"NRT Multiple users email forwarded to same destination\",\"description\":\"Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.\\nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.\",\"lastUpdatedDateUTC\":\"2022-06-24T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"name\":\"75ea5c39-93e5-489b-b1e1-68fa6c9d2d04\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == \\\"50057\\\"\\n| where ResultDescription =~ \\\"User account is disabled. 
The account has been disabled by an administrator.\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\\n| where applicationCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Attempts to sign in to disabled accounts\",\"description\":\"Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\\nDefault threshold for Azure Applications attempted to sign in to is 3.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"name\":\"bfb1c90f-8006-4325-98be-c7fffbc254d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let s_threshold = 30;\\nlet l_threshold = 3;\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where OperationName =~ \\\"Sign-in activity\\\"\\n// Error codes that we want to look at as they are related to the use of incorrect password.\\n| where ResultType in (\\\"50126\\\", \\\"50053\\\" , \\\"50055\\\", \\\"50056\\\")\\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \\\"/\\\", tostring(LocationDetails.state), \\\"/\\\", tostring(LocationDetails.city))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \\nIPAddress = make_set(IPAddress), IPAddressCount = 
dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \\nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \\n// Setting a generic threshold - Can be different for different environment\\n| where SigninCount \u003e s_threshold and LocationCount \u003e= l_threshold\\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\\n| distinct *\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Distributed Password cracking attempts in AzureAD\",\"description\":\"Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\\n50055 Invalid password, entered expired password.\\n50056 Invalid or null password - Password does not exist in store for this user.\\n50126 Invalid username or password, or invalid on-premises username or 
password.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"name\":\"7ad4c32b-d0d2-411c-a0e8-b557afa12fce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"NRT Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection.\\nThe first CommandLine component is looking for Python decoding base64.\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding 
base64.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"name\":\"95002681-4ecb-4da3-9ece-26d7e5feaa33\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"imAuthentication\\n| where EventResult ==\u0027Failure\u0027\\n| where EventResultDetails == \u0027User disabled\u0027\\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\\n , applicationsTargeted = dcount(TargetAppName)\\n , applicationSet = make_set(TargetAppName) \\n by SrcDvcIpAddr, Type\\n| order by disabledAccountLoginAttempts desc\\n| join kind=leftouter \\n (\\n // Consider these IPs suspicious - and alert any related successful sign-ins\\n imAuthentication\\n | where EventResult==\u0027Success\u0027\\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\\n | where successfulAccountSigninCount \u003c 100\\n )\\n on SrcDvcIpAddr\\n| where isnotempty(successfulAccountSigninCount)\\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, 
applicationSet, \\nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\\n| order by disabledAccountLoginAttempts\\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-07-27T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"name\":\"795edf2d-cf3e-45b5-8452-fe6c9e6a582e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"CommonSecurityLog \\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID in (\\\"733101\\\",\\\"733102\\\",\\\"733103\\\",\\\"733104\\\",\\\"733105\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - threat detection message fired\",\"description\":\"Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"name\":\"1785d372-b9fe-4283-96a6-3a1d83cabfd1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Tarrask_threats = dynamic([\\\"HackTool:Win64/Tarrask!MS\\\", \\\"HackTool:Win64/Ligolo!MSR\\\", \\\"Behavior:Win32/ScheduledTaskHide.A\\\", \\\"Tarrask\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=rightouter ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = 
tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Tarrask_threats) or ThreatFamilyName in~ (Tarrask_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AV detections related to Tarrask malware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Tarrask malware. In Microsoft Sentinel the SecurityAlerts table \\n includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. \\n This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: 
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/157c0cfc-d76d-463b-8755-c781608cdc1a\",\"name\":\"157c0cfc-d76d-463b-8755-c781608cdc1a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Cisco\\\"\\n| where DeviceAction =~ \\\"denied\\\"\\n| where ipv4_is_private(SourceIP) == false\\n| summarize count() by SourceIP\\n| join (\\n // Successful signins from IPs blocked by the firewall solution are suspect\\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\\n // as that supposes the password was sucessfully guessed.\\n table(tableName)\\n | where ResultType in (\\\"0\\\", \\\"50074\\\", \\\"50076\\\") \\n) on $left.SourceIP == $right.IPAddress\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco - firewall block but success logon to Azure AD\",\"description\":\"Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \\nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\\nand could indicate credential compromise for the user account.\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"name\":\"875d0eb1-883a-4191-bd0e-dbfdeb95a464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 5136 \\n| parse EventData with * \u0027AttributeLDAPDisplayName\\\"\u003e\u0027 AttributeLDAPDisplayName \\\"\u003c\\\" *\\n| parse EventData with * \u0027ObjectClass\\\"\u003e\u0027 ObjectClass \\\"\u003c\\\" *\\n| where AttributeLDAPDisplayName == \\\"servicePrincipalName\\\" and ObjectClass == 
\\\"user\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| parse EventData with * \u0027AttributeValue\\\"\u003e\u0027 AttributeValue \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Name (SPN) Assigned to User Account\",\"description\":\"This query identifies whether a Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \\nThis query checks for event id 5136 that the Object Class field is \\\"user\\\" and the LDAP Display Name is \\\"servicePrincipalName\\\".\\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\",\"lastUpdatedDateUTC\":\"2022-02-02T00:00:00Z\",\"createdDateUTC\":\"2022-01-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45076281-35ae-45e0-b443-c32aa0baf965\",\"name\":\"45076281-35ae-45e0-b443-c32aa0baf965\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"High\",\"query\":\"let args = 
dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nimProcessCreate\\n//looks for execution from a shell\\n| where ActingProcessName has_any (parentProcesses)\\n| extend ActingProcessFileName = tostring(split(ActingProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where ActingProcessFileName in~ (parentProcesses)\\n// main filter\\n| where Process hassuffix \\\"AdFind.exe\\\" or TargetProcessSHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or CommandLine has_any (args)\\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = TargetProcessSHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage (Normalized Process Events)\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many 
threat actors in discovery.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-09T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/910124df-913c-47e3-a7cd-29e1643fa55e\",\"name\":\"910124df-913c-47e3-a7cd-29e1643fa55e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed AWS console logins\\nlet aws_fails = AWSCloudTrail\\n| where EventName == \\\"ConsoleLogin\\\"\\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \\n| where LoginResult != \\\"Success\\\"\\n| where SourceIpAddress != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(SourceIpAddress);\\n//See if any of those IPs have sucessfully logged into Azure AD.\\nSigninLogs\\n| where ResultType in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (aws_fails) \\n| extend Reason = \\\"Multiple failed AWS Console logins from IP address\\\"\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AWS Console logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"name\":\"a779e2d5-9109-4f0a-a75e-f3d4f3c58560\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let sha256Hashes = dynamic([\\\"78c255a98003a101fa5ba3f49c50c6922b52ede601edac5db036ab72efc57629\\\", \\\"0588f61dc7e4b24554cffe4ea56d043d8f6139d2569bc180d4a77cf75b68792f\\\", \\\"441a3810b9e89bae12eea285a63f92e98181e9fb9efd6c57ef6d265435484964\\\", \\\"cbae79f66f724e0fe1705d6b5db3cc8a4e89f6bdf4c37004aa1d45eeab26e84b\\\", \\\"fd6515a71530b8329e2c0104d0866c5c6f87546d4b44cc17bbb03e64663b11fc\\\", \\\"5d169e083faa73f2920c8593fb95f599dad93d34a6aa2b0f794be978e44c8206\\\", 
\\\"7f29b69eb1af1cc6c1998bad980640bfe779525fd5bb775bc36a0ce3789a8bfc\\\", \\\"02a59fe2c94151a08d75a692b550e66a8738eb47f0001234c600b562bf8c227d\\\", \\\"7f84bf6a016ca15e654fb5ebc36fd7407cb32c69a0335a32bfc36cb91e36184d\\\", \\\"afab2e77dc14831f1719e746042063a8ec107de0e9730249d5681d07f598e5ec\\\", \\\"894138dfeee756e366c65a197b4dbef8816406bc32697fac6621601debe17d53\\\", \\\"4611340fdade4e36f074f75294194b64dcf2ec0db00f3d958956b4b0d6586431\\\", \\\"c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\\\", \\\"fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\\\", \\\"e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source =~ \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = 
strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, 
InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"KNOTWEED File Hashes July 2022\",\"description\":\"This query looks for references to known KNOTWEED file hashes in various logs.\\n This query was published July 2022.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-27T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"name\":\"aedc5b33-2d7c-42cb-a692-f25ef637cbb1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| extend sender = extract(@\u0027\\\\A(.*?)@\u0027, 1, SrcUserUpn)\\n| extend sender_domain = extract(@\u0027@(.*)$\u0027, 1, SrcUserUpn)\\n| extend recipient = extract(@\u0027\\\\A(.*?)@\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| extend recipient_domain = extract(@\u0027@(.*)$\u0027, 1, tostring(todynamic(DstUserUpn)[0]))\\n| where sender =~ recipient\\n| where sender_domain != recipient_domain\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = 
SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Possible data exfiltration to private email\",\"description\":\"Detects when sender sent email to the non-corporate domain and recipient\u0027s username is the same as sender\u0027s username.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"name\":\"30fa312c-31eb-43d8-b0cc-bcbdfb360822\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nlet aadFunc = (tableName:string){\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n table(tableName) | where TimeGenerated \u003e= ago(dt_lookBack) and 
isnotempty(UserPrincipalName)\\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | where UserPrincipalName matches regex emailregex\\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\\n // renaming timestamp column so it is clear the log this came from SigninLogs table\\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\\n)\\non $left.EmailSenderAddress == $right.UserPrincipalName\\n| where SigninLogs_TimeGenerated \u003c ExpirationDateTime\\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, 
aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SigninLogs\",\"description\":\"Identifies a match in SigninLogs table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"name\":\"d6190dde-8fd2-456a-ac5b-0a32400b0464\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData 
has_any (\\\".decode(\u0027base64\u0027)\\\", \\\"base64 --decode\\\", \\\".decode64(\\\" )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend FileName=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, CommandLine, ParentProcessName\\n));\\nprocessEvents;\\n};\\nProcessCreationEvents \\n| where CommandLine contains \\\".decode(\u0027base64\u0027)\\\"\\n or CommandLine contains \\\"base64 --decode\\\"\\n or CommandLine contains \\\".decode64(\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Process executed from binary hidden in Base64 encoded file\",\"description\":\"Encoding malicious software is a technique used to obfuscate files from detection. \\nThe first CommandLine component is looking for Python decoding base64. 
\\nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\\nThe third one is looking for Ruby decoding base64.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a04cf847-a832-4c60-b687-b0b6147da219\",\"name\":\"a04cf847-a832-4c60-b687-b0b6147da219\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"45.63.52.41\\\",\\\"140.82.17.161\\\",\\\"207.148.101.95\\\",\\\"45.32.87.51\\\",\\\"66.42.98.156\\\",\\\"45.76.144.105\\\",\\\"217.163.28.35\\\",\\\"45.32.141.174\\\",\\\"149.28.165.249\\\",\\\"209.250.225.247\\\",\\\"45.63.100.115\\\",\\\"95.179.229.230\\\",\\\"209.250.233.247\\\",\\\"45.77.121.232\\\",\\\"45.76.175.65\\\",\\\"104.238.160.237\\\",\\\"45.77.181.97\\\",\\\"95.179.192.125\\\",\\\"149.28.93.184\\\",\\\"140.82.16.81\\\",\\\"45.76.173.103\\\",\\\"45.77.255.22\\\",\\\"45.32.11.71\\\",\\\"149.28.77.26\\\",\\\"45.32.54.50\\\",\\\"104.156.233.156\\\",\\\"45.32.21.118\\\",\\\"45.63.62.109\\\",\\\"45.77.244.202\\\",\\\"149.248.11.205\\\",\\\"104.238.190.244\\\"]);\\nlet IOCTerms = 
\\\"\\\\\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\\\\\?\\\";\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\\n| extend IPMatch = case(\\nSourceIP in (IPList), \\\"SourceIP\\\", \\nDestinationIP in (IPList), \\\"DestinationIP\\\",\\n\\\"Message\\\") \\n| where Message matches regex IOCTerms\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n| where isnotempty(UserAgent) and ClientIP in (IPList)\\n| where UserAgent contains \\\"ExchangeServicesClient/0.0.0.0\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \\\"ClientIP\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Collection\"],\"displayName\":\"Known Manganese IP and UserAgent activity\",\"description\":\"Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\\nReferences: 
\\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\\nhttps://fortiguard.com/psirt/FG-IR-18-384\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-10-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/74ed028d-e392-40b7-baef-e69627bf89d1\",\"name\":\"74ed028d-e392-40b7-baef-e69627bf89d1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"AuditLog.StreamDisabledByUser\\\"\\n| extend StreamType = tostring(Data.ConsumerType)\\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure DevOps Audit Stream Disabled\",\"description\":\"Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \\n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). 
Looking for disabled audit streams can identify this activity, and due to the nature of the action \\n its unlikely to have a high false positive rate.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a356c8bd-c81d-428b-aa36-83be706be034\",\"name\":\"a356c8bd-c81d-428b-aa36-83be706be034\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// AADJoined or Register Device Registry Keys\\nlet aadJoinRoot = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\CloudDomainJoin\\\\\\\\JoinInfo\\\\\\\\\\\";\\nlet aadRegisteredRoot = \\\"\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\WorkplaceJoin\\\";\\n// Transport Key Registry Key\\nlet keyTransportKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet001\\\\\\\\Control\\\\\\\\Cryptography\\\\\\\\Ngc\\\\\\\\KeyTransportKey\\\\\\\\\\\";\\n(union isfuzzy=true\\n(\\n// Access to Object Requested\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData contains aadJoinRoot or EventData contains aadRegisteredRoot\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| where ObjectType == \u0027Key\u0027\\n| where 
ObjectName startswith aadJoinRoot and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274656\u0027\\n | where EventData contains keyTransportKey\\n | extend EventData = parse_xml(EventData).EventData.Data\\n | mv-expand bagexpansion=array EventData\\n | evaluate bag_unpack(EventData)\\n | extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n | extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName startswith keyTransportKey and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend ProcessId = column_ifexists(\\\"ProcessId\\\", \\\"\\\"), Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, tostring(Process), ProcessName, ProcessId, EventID\\n),\\n// Accessing Object\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where (ObjectName startswith aadJoinRoot or ObjectName contains aadRegisteredRoot) and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n| extend Account = SubjectAccount\\n| join kind=innerunique (\\n SecurityEvent\\n | where EventID == \u00274663\u0027\\n | where ObjectType == \u0027Key\u0027\\n | where ObjectName contains keyTransportKey 
and SubjectLogonId != \u00270x3e7\u0027 //Local System\\n | extend Account = SubjectAccount\\n) on $left.Computer == $right.Computer and $left.SubjectLogonId == $right.SubjectLogonId and $left.ProcessId == $right.ProcessId\\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, SubjectLogonId, ObjectName, Process, ProcessName, ProcessId, EventID\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"AAD Local Device Join Information and Transport Key Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts by the same process\\n to registry keys that provide information about an AAD joined or registered devices and Transport keys (tkpub / tkpriv).\\n This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv).\\n These set of keys can be used to impersonate existing Azure AD joined devices.\\n This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects:\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CloudDomainJoin (AAD joined devices)\\n HKCU:\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\WorkplaceJoin (AAD registered devices)\\n HKLM:\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Cryptography\\\\Ngc\\\\KeyTransportKey (Transport Key)\\n Make sure you set the SACL to propagate to its sub-keys. 
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\\n Reference: https://o365blog.com/post/deviceidentity/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"name\":\"58fc0170-0877-4ea8-a9ff-d805e361cfae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let schedule_lookback = 14d; \\nlet join_lookback = 1d; \\n// If you want to whitelist specific timezones include them in a list here\\nlet tz_whitelist = dynamic([]);\\nlet meetings = ( \\nZoomLogs \\n| where TimeGenerated \u003e= ago(schedule_lookback) \\n| where Event =~ \\\"meeting.created\\\" \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \\nZoomLogs \\n| where TimeGenerated \u003e= ago(join_lookback) \\n| where Event =~ \\\"meeting.participant_joined\\\" \\n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \\n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \\n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \\n| where JoinedTimeZone !in (tz_whitelist)\\n| join (meetings) on MeetingId \\n| where SchedTimezone != JoinedTimeZone \\n| project TimeGenerated, MeetingName, 
JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \\n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"PrivilegeEscalation\"],\"displayName\":\"User joining Zoom meeting from suspicious timezone\",\"description\":\"The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"name\":\"a09a0b8e-30fe-4ebf-94a0-cffe50f579cd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName =~ \\\"Update user\\\"\\n | where Result =~ \\\"success\\\"\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"TargetId.UserType\\\"\\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatingUser = 
iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \\\"\\\\\\\"Member\\\\\\\"\\\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \\\"\\\\\\\"Guest\\\\\\\"\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User State changed from Guest to Member\",\"description\":\"Detects when a guest account in a tenant is converted to a member of the tenant.\\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\\n Accounts converted to members should be investigated to ensure the activity was legitimate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"name\":\"b12b3dab-d973-45af-b07e-e29bb34d8db9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"WindowsPowerShell\\\"\\n| extend Message = \\\"Windows PowerShell User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"DefenseEvasion\"],\"displayName\":\"Cisco Umbrella - Windows PowerShell User-Agent Detected\",\"description\":\"Rule helps to detect Powershell user-agent activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"name\":\"d722831e-88f5-4e25-b106-4ef6e29f8c13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// a threshold can be enabled, see commented line below for PrevSeenCount\\nlet threshold = 2;\\nlet uploadOp = \u0027FileUploaded\u0027;\\n// Extensions that are interesting. Add/Remove to this list as you see fit\\nlet execExt = dynamic([\u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027]);\\nlet starttime = 8d;\\nlet endtime = 1d;\\nOfficeActivity | where TimeGenerated \u003e= ago(endtime)\\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \\\"upload\\\" or Operation contains \\\"download\\\"\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\\n| join kind= leftanti (\\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where Operation =~ uploadOp\\n| where SourceFileExtension has_any (execExt)\\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\\n//| where PrevSeenCount \u003e threshold\\n| mvexpand SourceRelativeUrl, UserId\\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\\n) on SourceFileName, SourceRelativeUrl, UserId \\n| extend SiteUrlUserFolder = tolower(split(Site_Url, \u0027/\u0027)[-2])\\n| extend UserIdUserFolderFormat = tolower(replace(\u0027@|\\\\\\\\.\u0027, \u0027_\u0027,UserId))\\n// identify when UserId is not a match to the specific site url personal folder reference\\n| extend UserIdDiffThanUserFolder = iff(Site_Url has \u0027/personal/\u0027 and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \\n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \\nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"New executable via Office FileUploaded 
Operation\",\"description\":\"Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\\nList currently includes \u0027exe\u0027, \u0027inf\u0027, \u0027gzip\u0027, \u0027cmd\u0027, \u0027bat\u0027 file extensions.\\nAdditionally, identifies when a given user is uploading these files to another users workspace.\\nThis may be indication of a staging location for malware or other malicious activity.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69a45b05-71f5-45ca-8944-2e038747fb39\",\"name\":\"69a45b05-71f5-45ca-8944-2e038747fb39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\\nlet threshold = 5;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the first RDP connection time, computer and ip\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 // Labeling the first RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account)\\n))\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n// Labeling the second RDP connection time, computer and ip\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10 // Labeling the second RDP connection time, computer and ip\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\\n))\\n) on Account\\n// Make sure that the first connection is after the second connection --\u003e SecondHop \u003e FirstHop\\n// Then identify only RDP to 
another computer from within the first RDP connection by only choosing matches where the Computer names do not match --\u003e FirstComputer != SecondComputer\\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --\u003e FirstIPAddress != SecondIPAddress\\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop \u003e FirstHop\\n// where the second hop occurs within 30 minutes of the first hop\\n| where SecondHop \u003c= FirstHop+30m\\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\\n// Connection count to computer by same account and IP to 
exclude counts of 5 or more on a given day\\n| where ComputerCount \u003e= threshold\\n| mvexpand set_Computer\\n| extend Computer = toupper(set_Computer)\\n))\\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \\nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"RDP Nesting\",\"description\":\"Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system\\nto another system with the same account within the 60 minutes. 
Additionally, if historically daily\\nRDP connections are indicated by the logged EventID 4624 with LogonType = 10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b\",\"name\":\"884c4957-70ea-4f57-80b9-1bca3890315b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 10m;\\nlet failedThreshold = 100;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\\n| extend csUriQuery = iff(csUriQuery startswith \\\"MailboxId=\\\", tostring(split(csUriQuery, \\\"\u0026\\\")[0]) , csUriQuery )\\n| extend csUriQuery = iff(csUriQuery startswith \\\"X-ARR-CACHE-HIT=\\\", strcat(tostring(split(csUriQuery, \\\"\u0026\\\")[0]),tostring(split(csUriQuery, \\\"\u0026\\\")[1])) , csUriQuery )\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server 
configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed logons by a user\\n| summarize makeset(decodedUriQuery), 
makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed logons by a user\",\"description\":\"Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\\nThis could be indicative of attempted brute force based on known account information.\\nThis could also simply indicate a misconfigured service or device. 
\\nReferences:\\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"name\":\"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = \\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet AC_Add = \\n(union isfuzzy=true \\n(SecurityEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = 
TimeGenerated\\n),\\n(WindowsEvent\\n// Event ID related to member addition.\\n| where EventID in (4728, 4732,4756) \\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountAdded \\\",OU\\\" *\\n| where isnotempty(AccountAdded)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend AddingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupAddedTo = TargetUserName\\n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \\\"||\\\", GroupAddedTo, \\\"||\\\", AddingAccount )\\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated\\n)\\n);\\nlet AC_Remove = \\n( union isfuzzy=true \\n(SecurityEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \\n| parse EventData with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n),\\n(WindowsEvent\\n// Event IDs related to member removal.\\n| where EventID in (4729,4733,4757)\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex 
WellKnownGroupSID \\n| parse EventData.MemberName with * \u0027\\\"MemberName\\\"\u003e\u0027 * \u0027=\u0027 AccountRemoved \\\",OU\\\" * \\n| where isnotempty(AccountRemoved)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend RemovingAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend GroupRemovedFrom = TargetUserName\\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \\\"||\\\", GroupRemovedFrom, \\\"||\\\", RemovingAccount)\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \\nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName\\n)); \\nAC_Add \\n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \\n| extend DurationinSecondAfter_Removed = datetime_diff (\u0027second\u0027, AccountRemovedTime, AccountAddedTime)\\n| where DurationinSecondAfter_Removed \u003e 0\\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Account added and removed from privileged groups\",\"description\":\"Identifies accounts that are added to privileged group and then quickly removed, 
which could be a sign of compromise.\u0027 \",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"name\":\"f68a5046-b7eb-4f69-9519-1e99708bb9e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"DeviceFileEvents\\n | where ActionType =~ \\\"FileCreated\\\"\\n | where FolderPath has \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\\\\\\\\\" \\n | where FileName endswith \\\".exe\\\" or FileName endswith \\\".dll\\\"\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"PE file dropped in Color Profile Folder\",\"description\":\"This query looks for writes of PE files to C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This is a common directory used by malware, as well as some legitimate programs, and writes of PE files to the folder should be monitored.\\n Ref: 
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"name\":\"a3df4a32-4805-4c6d-8699-f3c888af2f67\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Alert1 = \\nSecurityAlert\\n| where AlertName == \\\"Unfamiliar sign-in properties\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert1Time = TimeGenerated\\n| extend Alert1 = AlertName\\n| extend Alert1Severity = AlertSeverity\\n;\\nlet Alert2 = \\nSecurityAlert\\n| where AlertName == \\\"Atypical travel\\\"\\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\\\"User Account\\\"])\\n| extend Alert2Time = TimeGenerated\\n| extend Alert2 = AlertName\\n| extend Alert2Severity = AlertSeverity\\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[3].Location)).CountryCode), \\\"|\\\", 
tostring(parse_json(tostring(parse_json(Entities)[3].Location)).State), \\\"|\\\", tostring(parse_json(tostring(parse_json(Entities)[3].Location)).City))\\n| extend CurrentIPAddress = tostring(parse_json(Entities)[2].Address)\\n| extend PreviousIPAddress = tostring(parse_json(Entities)[3].Address)\\n;\\nAlert1\\n| join kind=inner Alert2 on UserPrincipalName\\n| where abs(datetime_diff(\u0027minute\u0027, Alert1Time, Alert2Time)) \u003c=10\\n| extend TimeDelta = Alert1Time - Alert2Time\\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\\n| extend AccountCustomEntity = UserPrincipalName\\n| extend IPCustomEntity = CurrentIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Correlate Unfamiliar sign-in properties and atypical travel alerts\",\"description\":\"The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.\",\"lastUpdatedDateUTC\":\"2021-12-07T00:00:00Z\",\"createdDateUTC\":\"2020-09-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"name\":\"ed8c9153-6f7a-4602-97b4-48c336b299e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let guids = dynamic([\\\"{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\\",\\\"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\\",\\\"{4590f811-1d3a-11d0-891f-00aa004b2e24}\\\", \\\"{4de225bf-cf59-4cfc-85f7-68b90f185355}\\\", \\\"{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\\"]);\\n let mde_data = DeviceRegistryEvents\\n | where ActionType =~ \\\"RegistryValueSet\\\"\\n | where RegistryKey contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where RegistryKey has_any (guids)\\n | where RegistryValueData has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\";\\n let event_data = SecurityEvent\\n | where EventID == 4657\\n | where ObjectName contains \\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Classes\\\\\\\\CLSID\\\"\\n | where ObjectName has_any (guids)\\n | where NewValue has \\\"System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\color\\\"\\n | extend RegistryKey = ObjectName, RegistryValueData = NewValue, DeviceName=Computer, InitiatingProcessFileName = Process, InitiatingProcessAccountName=SubjectAccount;\\n union mde_data, 
event_data\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"RegistryKey\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"InitiatingProcessFileName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingProcessAccountName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"COM Registry Key Modified to Point to File in Color Profile Folder\",\"description\":\"This query looks for changes to COM registry keys to point to files in C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\.\\n This can be used to enable COM hijacking for persistence.\\n Ref: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\",\"lastUpdatedDateUTC\":\"2022-07-26T00:00:00Z\",\"createdDateUTC\":\"2022-07-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceRegistryEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"name\":\"a7564d76-ec6b-4519-a66b-fcc80c42332b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let WellKnownLocalSID = \\\"S-1-5-32-5[0-9][0-9]$\\\";\\nlet WellKnownGroupSID = 
\\\"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\\\";\\nlet GroupAddition = (union isfuzzy=true \\n(SecurityEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") \\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n),\\n(\\nWindowsEvent \\n// 4728 - A member was added to a security-enabled global group\\n// 4732 - A member was added to a security-enabled local group\\n// 4756 - A member was added to a security-enabled universal group \\n| where EventID in (\\\"4728\\\", \\\"4732\\\", \\\"4756\\\") and not(EventData has \\\"S-1-5-32-555\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| extend MemberName = tostring(EventData.MemberName)\\n| where AccountType =~ \\\"User\\\" and MemberName == \\\"-\\\"\\n// Exclude Remote Desktop Users group: S-1-5-32-555\\n| extend 
TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid !in (\\\"S-1-5-32-555\\\")\\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \\nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = Account, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid\\n));\\nlet GroupCreated = (union isfuzzy=true \\n(SecurityEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| where AccountType =~ \\\"User\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n),\\n(WindowsEvent\\n// 4727 - A security-enabled global group was created\\n// 4731 - A security-enabled local group was created\\n// 4754 - A security-enabled universal group was created\\n| where EventID in (\\\"4727\\\", \\\"4731\\\", \\\"4754\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\", \\\"Machine\\\", iff(SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", iff(isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")))\\n| where AccountType 
=~ \\\"User\\\"\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend SubjectAccount = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName) \\n| extend TargetSid = tostring(EventData.TargetSid) \\n| extend Activity= \\\"GroupAddActivity\\\"\\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \\nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid\\n));\\nGroupCreated\\n| join (\\nGroupAddition\\n) on GroupSid \\n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"GroupCreateSubjectUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Group created then added to built in domain local or global group\",\"description\":\"Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \\nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b443f22-9be9-4c35-ac70-a94757748439\",\"name\":\"3b443f22-9be9-4c35-ac70-a94757748439\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let files1 = dynamic([\\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\lsa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pa.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\pc.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\Rar.exe\\\"]);\\nlet files2 = dynamic([\\\"svchost.exe\\\",\\\"wdmsvc.exe\\\"]);\\nlet FileHash1 = dynamic([\\\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\\\", \\\"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\\\", \\\"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\\\", \\\"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\\\"]);\\nlet FileHash2 = dynamic([\\\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\\\", \\\"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\\\", 
\\\"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\\\"]);\\nDeviceProcessEvents\\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\\n| extend DvcId = DeviceId\\n| join kind=leftouter (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| mv-expand todynamic(Entities)\\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\\n| where isnotempty(DvcId)\\n// Higher risk score are for Defender alerts related to threat actor\\n| extend AlertRiskScore = iif(ThreatName has_any (\\\"Backdoor:MSIL/ShellClient.A\\\", \\\"Backdoor:MSIL/ShellClient.A!dll\\\", \\\"Trojan:MSIL/Mimikatz.BA!MTB\\\"), 1.0, 0.5)\\n| project DvcId, AlertRiskScore) on DvcId\\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileName\"}]}],\"tactics\":[\"CredentialAccess\",\"Execution\"],\"displayName\":\"Dev-0228 File Path Hashes November 2021\",\"description\":\"This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. 
to carry its activity.\\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-18T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"name\":\"2f561e20-d97b-4b13-b02d-18b34af6e87c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\nlet cmdList = dynamic([\\\"Set-CASMailbox\\\",\\\"ActiveSyncAllowedDeviceIDs\\\",\\\"add\\\"]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where CommandLine has_all (cmdList)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventID == 4688\\n| where EventData has_all (cmdList)\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where CommandLine has_all (cmdList)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = 
tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(\\nDeviceProcessEvents\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where InitiatingProcessCommandLine has_all (cmdList)\\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where CommandLine has_all (cmdList)\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = 
Computer\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Email access via active sync\",\"description\":\"This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\\n- Note that this query can be changed to use the KQL \\\"has_all\\\" operator, which hasn\u0027t yet been documented officially, but will be soon.\\n In short, \\\"has_all\\\" will only match when the referenced field has all strings in the list.\\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps 
\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"name\":\"2c55fe7a-b06f-4029-a5b9-c54a2320d7b8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet TotalEventsThreshold = 5;\\nlet ExeList = dynamic([\\\"powershell.exe\\\",\\\"cmd.exe\\\",\\\"wmic.exe\\\",\\\"psexec.exe\\\",\\\"cacls.exe\\\",\\\"rundll.exe\\\"]);\\nlet TimeSeriesData =\\nSecurityEvent\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where Process in (ExeList)\\n| project TimeGenerated, Computer, AccountType, Account, Process\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\\nlet TimeSeriesAlerts = materialize(TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, \u0027linefit\u0027)\\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to 
typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project Process, TimeGenerated, Total, baseline, anomalies, score\\n| where Total \u003e TotalEventsThreshold);\\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated \u003e ago(2d) | project TimeGenerated);\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e ago(2d)\\n| join (\\nSecurityEvent\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\\n| where EventID == 4688 | extend Process = tolower(Process)\\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\\n) on Process, TimeGenerated\\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Process execution frequency anomaly\",\"description\":\"Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for 
score.\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2019-05-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"name\":\"694c91ee-d606-4ba9-928e-405a2dd0ff0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.6\",\"severity\":\"High\",\"query\":\"let queryperiod = 14d;\\nlet queryfrequency = 2h;\\nlet security_info_actions = dynamic([\\\"User registered security info\\\", \\\"User changed default security info\\\", \\\"User deleted security info\\\", \\\"Admin updated security info\\\", \\\"User reviewed security info\\\", \\\"Admin deleted security info\\\", \\\"Admin registered security info\\\"]);\\nlet VIPUsers = (\\n IdentityInfo\\n | where TimeGenerated \u003e ago(queryperiod)\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize by tolower(AccountUPN));\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where Category =~ \\\"UserManagement\\\"\\n| where ActivityDisplayName in (security_info_actions)\\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\\n| extend IP = tostring(InitiatedBy.user.ipAddress)\\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\\n| where Target in (VIPUsers)\\n// Uncomment the line below if you are experiencing high volumes of Target entities. 
If this is uncommented, the Target column will not be mapped to an entity.\\n//| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8), Targets=make_set(Target, MaxSize=256) by Initiator, IP, Result\\n// Comment out this line below, if line above is used.\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason, MaxSize=8) by Initiator, IP, Result, Targets = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Targets\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IP\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Authentication Methods Changed for Privileged Account\",\"description\":\"Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.\\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"name\":\"6267ce44-1e9d-471b-9f1e-ae76a6b7aa84\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| where AlertName =~ \\\"mass download by a single user\\\"\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project timestamp=TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| join kind=inner\\n( \\nDeviceEvents\\n| where ActionType == \\\"PnpDeviceConnected\\\"\\n| extend parsed = parse_json(AdditionalFields)\\n| project DeviceId, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = 
tostring(parsed.VendorIds), AccountDomain,AccountName,TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, Type\\n| where DriveClass == \u0027USB\u0027 and DeviceDescription == \u0027USB Mass Storage Device\u0027\\n) on $left.Account == $right.AccountName\\n| join kind=inner \\n(\\nDeviceFileEvents\\n| where FolderPath !startswith \\\"c\\\" and FolderPath !startswith @\\\"\\\\\\\"\\n) on DeviceId\\n| project TimeGenerated, ActionType, Computer, FileName, FileSize, IpAddress, InitiatingProcessCommandLine, InitiatingProcessFileName, Account\\n| extend timestamp = TimeGenerated, CompromisedEntity = Computer, AccountCustomEntity=Account, ProcessCustomEntity = InitiatingProcessFileName, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"Mass Download \u0026 copy to USB device by single user\",\"description\":\"This query looks for any mass download by a single user with possible file copy activity to a new USB drive. Malicious insiders may perform such activities that may cause harm to the organization. 
\\nThis query could also reveal unintentional insider that had no intention of malicious activity but their actions may impact an organizations security posture.\\nReference:https://docs.microsoft.com/defender-cloud-apps/policy-template-reference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-04-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3edb7215-250b-40c0-8b46-79093949242d\",\"name\":\"3edb7215-250b-40c0-8b46-79093949242d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| where Severity_s == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities 
detected.\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/492fbe35-cbac-4a8c-9059-826782e6915a\",\"name\":\"492fbe35-cbac-4a8c-9059-826782e6915a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | extend Action = tostring(mod_props.displayName)\\n | where Action contains \\\"Url\\\"\\n | extend OldURL = tostring(mod_props.oldValue)\\n | extend NewURL = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, Action, AppName, OldURL, NewURL, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"OldURL\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURL\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Changes to Application Logout URL\",\"description\":\"Detects changes to an applications sign out URL.\\n Look for any modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#logout-url-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"name\":\"2441bce9-02e4-407b-8cc7-7d597f38b8b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or 
isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CallerIpAddress\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \\nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"name\":\"3174a9ec-d0ad-4152-8307-94ed04fa450a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let SHA256Hash = \\\"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\\\" ;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) \\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = 
SourceIP\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA265 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hash) \\n| extend Account = UserName\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known ZINC related maldoc hash\",\"description\":\"Document hash used by ZINC in highly targeted spear phishing 
campaign.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"name\":\"d25b1998-a592-4bc5-8a3a-92b39eedb1bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"ConsoleLogin\\\" \\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\\n| where MFAUsed !~ \\\"Yes\\\" and LoginResult !~ \\\"Failure\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"Login to AWS 
Management Console without MFA\",\"description\":\"Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"name\":\"0ed0fe7c-af29-4990-af7f-bb5ccb231198\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n | where Category =~ \\\"RoleManagement\\\"\\n | where OperationName =~ \\\"Update role setting in PIM\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, 
ipAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Changes to PIM Settings\",\"description\":\"PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\\n Monitor these changes to ensure they are being made legitimately and don\u0027t confer more privileges than expected or reduce the security of a PIM elevation.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"name\":\"c805d9b1-97e7-4bc0-9172-67edb36273e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft 365 Insider Risk Management\",\"displayName\":\"(Private Preview) Create incidents based on Microsoft 365 Insider Risk Management\",\"description\":\"Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management\",\"lastUpdatedDateUTC\":\"2021-05-13T00:00:00Z\",\"createdDateUTC\":\"2021-05-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeIRM\",\"dataTypes\":[\"SecurityAlert 
(OfficeIRM)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09551db0-e147-4a0c-9e7b-918f88847605\",\"name\":\"09551db0-e147-4a0c-9e7b-918f88847605\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.6.2\",\"severity\":\"High\",\"query\":\"let tokens = dynamic([\\\"SSL_HandShaking\\\", \\\"ASN2_TYPE_new\\\", \\\"sql_blob_open\\\", \\\"cmsSetLogHandlerTHR\\\", \\\"ntSystemInfo\\\", \\\"SetWebFilterString\\\", \\\"CleanupBrokerString\\\", \\\"glInitSampler\\\", \\\"deflateSuffix\\\", \\\"ntWindowsProc\\\"]);\\nlet DomainNames = dynamic([\u0027codevexillium.org\u0027, \u0027angeldonationblog.com\u0027, \u0027investbooking.de\u0027, \u0027krakenfolio.com\u0027]);\\nlet SHA256Hash = dynamic([\u002758a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\u0027,\u0027e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e\u0027,\u00273d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9\u0027, \u00270a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4\u0027, \u002796d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe\u0027,\u0027dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c\u0027, \u002746efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a\u0027, \u002795e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008\u0027, \u00279d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5\u0027, \u00279fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3\u0027, \u0027ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720\u0027, 
\u0027edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee\u0027, \u002733665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998\u0027, \u00273ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c\u0027, \u0027b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c\u0027, \u002753f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5\u0027, \u002799c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777\u0027, \u0027f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef\u0027, \u00272cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da\u0027, \u0027079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447\u0027]);\\nlet SigNames = dynamic([\\\"Backdoor:Script/ComebackerCompile.A!dha\\\", \\\"Trojan:Win64/Comebacker.A!dha\\\", \\\"Trojan:Win64/Comebacker.A.gen!dha\\\", \\\"Trojan:Win64/Comebacker.B.gen!dha\\\", \\\"Trojan:Win32/Comebacker.C.gen!dha\\\", \\\"Trojan:Win32/Klackring.A!dha\\\", \\\"Trojan:Win32/Klackring.B!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\\n),\\n(_Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend Type = \\\"imDns\\\", IPAddress = SrcIpAddr, Computer=Dvc\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(VMConnection\\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where SHA256 in~ (SHA256Hash) \\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| project Type, TimeGenerated, Computer, Account, FileHash\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hash)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hash)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \\n| project Type, TimeGenerated, Computer\\n),\\n(DeviceProcessEvents\\n| where FileName =~ \\\"powershell.exe\\\" or FileName =~ \\\"rundll32.exe\\\"\\n| where (ProcessCommandLine has \\\"is64bitoperatingsystem\\\" and ProcessCommandLine has \\\"Debug\\\\\\\\Browse\\\") or (ProcessCommandLine has_any (tokens))\\n| extend Computer = DeviceName, Account = AccountName, CommandLine = 
ProcessCommandLine\\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\\n),\\n(SecurityEvent\\n| where EventID == 4688\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n( WindowsEvent\\n| where EventID == 4688\\n| where EventData has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\") and EventData has_any (tokens, \\\"Debug\\\\\\\\Browse\\\",\\\"is64bitoperatingsystem\\\" ) \\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has_any (\\\"powershell.exe\\\", \\\"rundll32.exe\\\")\\n| extend CommandLine = tostring(EventData.CommandLine) \\n| where (CommandLine has \\\"is64bitoperatingsystem\\\" and CommandLine has \\\"Debug\\\\\\\\Browse\\\") or (CommandLine has_any (tokens))\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Execution\"],\"displayName\":\"Known ZINC Comebacker and Klackring malware hashes\",\"description\":\"ZINC attacks against security researcher campaign malware hashes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-01-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connect
orId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"name\":\"4ce177b3-56b1-4f0e-b83e-27eed4cb0b16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\n// exclude allowed users from query such as the ADO service\\nlet allowed_users = dynamic([\\\"Azure DevOps Service\\\"]);\\nunion\\n// Look for agents being added to a pool of a OS type not seen with that pool before\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])\\n| project AgentPoolName, OsDescription\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| where isnotempty(OsDescription)\\n| extend OsDescription = tostring(split(OsDescription, \\\"#\\\", 0)[0])) on AgentPoolName, OsDescription),\\n// Look for users addeing agents 
to a pool that they have not added agents to before.\\n(AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| where ActorUPN !in (allowed_users)\\n| project AgentPoolName, ActorUPN\\n| join kind=rightanti (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName == \\\"Library.AgentAdded\\\"\\n| where ActorUPN !in (allowed_users)\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n) on AgentPoolName, ActorUPN)\\n| extend AgentName = tostring(Data.AgentName)\\n| extend OsDescription = tostring(Data.OsDescription)\\n| extend SystemDetails = Data.SystemCapabilities\\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New Agent Added to Pool by New User or Added to a New OS Type.\",\"description\":\"As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \\nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. 
This detection has potential for false positives so has a \\nconfigurable allow list to allow for certain users to be excluded from the logic.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"name\":\"05b4bccd-dd12-423d-8de4-5a6fb526bb4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let known_processes = (\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | summarize by Process);\\n SecurityEvent\\n // If adjusting Query Period or Frequency update these\\n | where TimeGenerated \u003e ago(1d)\\n | where EventID == 4688\\n | where NewProcessName has_any (\\\"Policies\\\\\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\\", \\\"Policies\\\\\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\")\\n | where Process !in (known_processes)\\n // This will likely apply to multiple hosts so summarize these data\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, NewProcessName, CommandLine, Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Execution\",\"LateralMovement\"],\"displayName\":\"New EXE deployed via 
Default Domain or Default Domain Controller Policies\",\"description\":\"This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\\nA threat actor may use these policies to deploy files or scripts to all hosts in a domain.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"name\":\"c61ad0ac-ad68-4ebb-b41a-74296d3e0044\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, 
Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppCert DLL Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. \\nDynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec.\\nRef: https://attack.mitre.org/techniques/T1546/009/\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"name\":\"8ee967a2-a645-4832-85f4-72b635bcb3a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit the environment\\nlet signin_threshold = 5;\\n//Make a list of all IPs with failed signins to AAD above our threshold\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins 
=\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress !in (\u0027127.0.0.1\u0027, \u0027::1\u0027)\\n| summarize count() by IPAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_set(IPAddress);\\n//See if any of these IPs have sucessfully logged into *nix hosts\\nlet linux_logons =\\nSyslog\\n| where Facility contains \\\"auth\\\" and ProcessName != \\\"sudo\\\"\\n| where SyslogMessage has \\\"Accepted\\\"\\n| extend SourceIP = extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\\n//See if any of these IPs have sucessfully logged into Windows hosts\\nlet win_logons = (union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4624\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason\\n),\\n(WindowsEvent\\n| where EventID == 4624 and has_any_ipv4(EventData, toscalar(suspicious_signins))\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| where IpAddress in (suspicious_signins)\\n| extend Reason = \\\"Multiple failed AAD logins from IP address\\\"\\n| extend Activity = \\\"4624 - An account was successfully logged on.\\\"\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend AccountType =case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, TargetUserSid, Reason\\n)\\n);\\nunion isfuzzy=true linux_logons,win_logons\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed AzureAD logons but success logon to host\",\"description\":\"Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\\nUses that list to identify any successful remote logons to hosts from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/46ac55ae-47b8-414a-8f94-89ccd1962178\",\"name\":\"46ac55ae-47b8-414a-8f94-89ccd1962178\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"let queryperiod = 1d;\\nlet mode = \u0027Blocked\u0027;\\nlet successCode = dynamic([\u0027200\u0027, \u0027101\u0027,\u0027204\u0027, \u0027400\u0027,\u0027504\u0027,\u0027304\u0027,\u0027401\u0027,\u0027500\u0027]);\\nlet sessionBin = 30m;\\nAzureDiagnostics\\n| where TimeGenerated \u003e ago(queryperiod)\\n| where Category == \u0027ApplicationGatewayFirewallLog\u0027 and action_s == mode\\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\\n| extend SessionBlockedStarted = row_window_session(TimeGenerated, queryperiod, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\\n| summarize SessionBlockedEnded = max(TimeGenerated), SessionBlockedCount = count() by hostname_s, clientIp_s, SessionBlockedStarted\\n| extend TimeKey = 
range(bin(SessionBlockedStarted, sessionBin), bin(SessionBlockedEnded, sessionBin), sessionBin)\\n| mv-expand TimeKey to typeof(datetime)\\n| join kind = inner(\\n AzureDiagnostics\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where Category == \u0027ApplicationGatewayAccessLog\u0027 and (isempty(httpStatus_d) or httpStatus_d in (successCode))\\n | extend TimeKey = bin(TimeGenerated, sessionBin)\\n) on TimeKey, $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s\\n| where TimeGenerated between (SessionBlockedStarted..SessionBlockedEnded)\\n| extend\\n originalRequestUriWithArgs_s = column_ifexists(\\\"originalRequestUriWithArgs_s\\\", \\\"\\\"),\\n serverStatus_s = column_ifexists(\\\"serverStatus_s\\\", \\\"\\\")\\n| summarize\\n SuccessfulAccessCount = count(),\\n UserAgents = make_set(userAgent_s, 250),\\n RequestURIs = make_set(requestUri_s, 250),\\n OriginalRequestURIs = make_set(originalRequestUriWithArgs_s, 250),\\n SuccessCodes = make_set(httpStatus_d, 250),\\n SuccessCodes_BackendServer = make_set(serverStatus_s, 250),\\n take_any(SessionBlockedEnded, SessionBlockedCount)\\n by hostname_s, clientIp_s, SessionBlockedStarted\\n| where SessionBlockedCount \u003e SuccessfulAccessCount\\n| extend timestamp = SessionBlockedStarted, IPCustomEntity = clientIp_s\\n| extend BlockvsSuccessRatio = SessionBlockedCount/toreal(SuccessfulAccessCount)\\n| sort by BlockvsSuccessRatio desc, timestamp asc\\n| project-reorder SessionBlockedStarted, SessionBlockedEnded, hostname_s, clientIp_s, SessionBlockedCount, SuccessfulAccessCount, BlockvsSuccessRatio, SuccessCodes, RequestURIs, OriginalRequestURIs, UserAgents\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"A potentially malicious web request was executed against a web server\",\"description\":\"Detects unobstructed Web Application Firewall (WAF) activity in 
sessions where the WAF blocked incoming requests by computing the \\nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \\na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \\nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \\nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d173248-439b-4741-8b37-f63ad0c896ae\",\"name\":\"4d173248-439b-4741-8b37-f63ad0c896ae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet process = (iocs | where Type =~ \\\"process\\\" | project IoC);\\n//This query uses sysmon data, sections that have - | where Source == \\\"Microsoft-Windows-Sysmon\\\" - may need to be updated with latest\\nWindowsEvent\\n| where EventID == \u00274688\u0027 and EventData has_any (process)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| where NewProcessName has_any (process)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n , Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n , NewProcessId = tostring(EventData.NewProcessId)\\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027, -1)[-1]), AlertDetail = \u0027Chia crypto IOC detected\u0027\\n| extend FilePath = replace_string(NewProcessName, File, \u0027\u0027)\\n| project TimeGenerated, timestamp, File, AlertDetail, FilePath,Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"FileCustomEntity\"},{\"identifier\":\"Directory\",\"columnName\":\"FilePathCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021\",\"description\":\"Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting 
activity.\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"name\":\"7b907bf7-77d4-41d0-a208-5643ff75bf9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where Operation =~ \\\"New-InboxRule\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef88eb96-861c-43a0-ab16-f3835a97c928\",\"name\":\"ef88eb96-861c-43a0-ab16-f3835a97c928\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let regexEmpire = 
@\\\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRu
les|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-Shar
eFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker\\\\(\\\\$Volume\\\\){\\\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\\\(\\\\$sSource,|ind-Fruit|New-IPv4Range
|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\\\";\\n(union isfuzzy=true\\n (SecurityEvent\\n| where EventID == 4688\\n//consider filtering on filename if perf issues occur\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4688 \\n| where EventData has_any (\\\"-encodedCommand\\\", \\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| where not(EventData has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n//consider filtering on filename if perf issues occur\\n//extend NewProcessName = tostring(EventData.NewProcessName)\\n//extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n//FileName = 
Process\\n//where FileName in~ (\\\"powershell.exe\\\",\\\"powershell_ise.exe\\\",\\\"pwsh.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where not(ParentProcessName has_any (\u0027gc_worker.exe\u0027, \u0027gc_service.exe\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has \\\"-encodedCommand\\\"\\n| parse kind=regex flags=i CommandLine with * \\\"-EncodedCommand \\\" encodedCommand\\n| extend encodedCommand = iff(encodedCommand has \\\" \\\", tostring(split(encodedCommand, \\\" \\\")[0]), encodedCommand)\\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\\n| extend decodedCommand = translate(\u0027\\\\0\u0027,\u0027\u0027, base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand)\\n| extend EfectiveCommand = iff(isnotempty(encodedCommand), decodedCommand, CommandLine)\\n| where EfectiveCommand matches regex regexEmpire\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, EfectiveCommand, decodedCommand, encodedCommand, CommandLine, ParentProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"Powershell Empire cmdlets seen in command 
line\",\"description\":\"Identifies instances of PowerShell Empire cmdlets in powershell process command line data.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"name\":\"cda5928c-2c1e-4575-9dfa-07568bc27a4f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let lookback = 7d; \\nlet timeframe = 1h; \\nlet GlobalAdminsRemoved = AuditLogs \\n| where TimeGenerated \u003e ago(timeframe) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Unassign\\\", \\\"RemoveEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Remove member from role\\\", \\\"Remove eligible member from role\\\") \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.oldValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = 
tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize RemovedGlobalAdminTime = max(TimeGenerated), TargetAdmins = make_set(Target) by OperationName, RoleName, Initiator, Result; \\nlet GlobalAdminsAdded = AuditLogs \\n| where TimeGenerated \u003e ago(lookback) \\n| where Category =~ \\\"RoleManagement\\\" \\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\") \\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\") and Result == \\\"success\\\" \\n| mv-expand TargetResources \\n| mv-expand TargetResources.modifiedProperties \\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) \\n| where displayName_ =~ \\\"Role.DisplayName\\\" \\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue))) \\n| where RoleName == \\\"Global Administrator\\\" // Add other Privileged role if applicable \\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) \\n| where Initiator != \\\"MS-PIM\\\" // Filtering PIM events \\n| extend Target = tostring(TargetResources.userPrincipalName) \\n| summarize AddedGlobalAdminTime = max(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result \\n| extend AccountCustomEntity = Target; \\nGlobalAdminsAdded \\n| join kind= inner GlobalAdminsRemoved on $left.Target == $right.Initiator \\n| where AddedGlobalAdminTime \u003c RemovedGlobalAdminTime \\n| extend NoofAdminsRemoved = array_length(TargetAdmins) \\n| where NoofAdminsRemoved \u003e 1\\n| project 
AddedGlobalAdminTime, Initiator, Target, AccountCustomEntity, RemovedGlobalAdminTime, TargetAdmins, NoofAdminsRemoved\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Multiple admin membership removals from newly created admin.\",\"description\":\"This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. \\n Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2022-03-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"name\":\"be52662c-3b23-435a-a6fa-f39bdfc849e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| where Detections_s.Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\\n| where count_ \u003e= threshold\\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = 
IPAddress\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"High Number of Urgent Vulnerabilities Detected\",\"description\":\"This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/45b903c5-6f56-4969-af10-ae62ac709718\",\"name\":\"45b903c5-6f56-4969-af10-ae62ac709718\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n// use left anti to exclude anything from the previous 14 days that is not rare\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = tostring(EventData.LogonType)\\n| where 
LogonType == 10 \\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count()\\nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n))\\n| join kind=leftanti (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| where EventID == 4624\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n),\\n( WindowsEvent\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where EventID == 4624\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\\n))\\n) on Account, Computer\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount)\\nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Rare RDP Connections\",\"description\":\"Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-01-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1080fc1-13d1-479b-8340-255f0290d96c\",\"name\":\"a1080fc1-13d1-479b-8340-255f0290d96c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application Redirect URL Update\",\"description\":\"Detects the redirect URL of an app being changed.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e42e889a-caaf-4dbb-aec6-371b37d64298\",\"name\":\"e42e889a-caaf-4dbb-aec6-371b37d64298\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\")\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set != \\\"[]\\\"\\n| extend diff = set_difference(new_value_set, old_value_set)\\n| where isnotempty(diff)\\n| parse diff with * \\\"KeyIdentifier=\\\" keyIdentifier:string \\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == 
\\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away diff, new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT New access credential added to Application or Service Principal\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further 
information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b79f6190-d104-4691-b7db-823e05980895\",\"name\":\"b79f6190-d104-4691-b7db-823e05980895\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let Keywords = dynamic([\\\"helpdesk\\\", \\\" alert\\\", \\\" suspicious\\\", \\\"fake\\\", \\\"malicious\\\", \\\"phishing\\\", \\\"spam\\\", \\\"do not click\\\", \\\"do not open\\\", \\\"hijacked\\\", \\\"Fatal\\\"]);\\nOfficeActivity\\n| where OfficeWorkload =~ \\\"Exchange\\\"\\n| where Parameters has \\\"Deleted Items\\\" or Parameters has \\\"Junk Email\\\" or Parameters has \\\"DeleteMessage\\\"\\n| extend Events=todynamic(Parameters)\\n| parse Events with * \\\"SubjectContainsWords\\\" SubjectContainsWords \u0027}\u0027*\\n| parse Events with * \\\"BodyContainsWords\\\" BodyContainsWords \u0027}\u0027*\\n| parse Events with * \\\"SubjectOrBodyContainsWords\\\" SubjectOrBodyContainsWords \u0027}\u0027*\\n| where SubjectContainsWords has_any (Keywords)\\n or BodyContainsWords has_any (Keywords)\\n or SubjectOrBodyContainsWords has_any (Keywords)\\n| extend ClientIPAddress = case( ClientIP has \\\".\\\", tostring(split(ClientIP,\\\":\\\")[0]), ClientIP has \\\"[\\\", tostring(trim_start(@\u0027[[]\u0027,tostring(split(ClientIP,\\\"]\\\")[0]))), ClientIP )\\n| extend Keyword = iff(isnotempty(SubjectContainsWords), 
SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\\n| extend RuleDetail = case(OfficeObjectId contains \u0027/\u0027 , tostring(split(OfficeObjectId, \u0027/\u0027)[-1]) , tostring(split(OfficeObjectId, \u0027\\\\\\\\\u0027)[-1]))\\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserId\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"OriginatingServer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIPAddress\"}]}],\"tactics\":[\"Persistence\",\"DefenseEvasion\"],\"displayName\":\"NRT Malicious Inbox Rule\",\"description\":\"Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\\n This is done so as to limit ability to warn compromised users that they\u0027ve been compromised. 
Below is a sample query that tries to detect this.\\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/\",\"lastUpdatedDateUTC\":\"2022-03-07T00:00:00Z\",\"createdDateUTC\":\"2020-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"name\":\"9fb2ee72-959f-4c2b-bc38-483affc539e4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where Category == \\\"ApplicationManagement\\\"\\n | where OperationName has_any (\\\"Update Application\\\", \\\"Update Service principal\\\")\\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend UpdatedBy = iif(isnotempty(appName), appName, UPN)\\n | extend mod_props = TargetResources[0].modifiedProperties\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand mod_props\\n | where mod_props.displayName has \\\"AppIdentifierUri\\\"\\n | extend OldURI = tostring(mod_props.oldValue)\\n | extend NewURI = tostring(mod_props.newValue)\\n | project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, 
UpdatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UpdatedBy\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"NewURI\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Application ID URI Changed\",\"description\":\"Detects changes to an Application ID URI.\\n Monitor these changes to make sure that they were authorized.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"name\":\"faf1a6ff-53b5-4f92-8c55-4b20e9957594\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n// Look for specific Directory Service Changes and parse data\\n| where EventID == 5136\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion = array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\\n// Where changes relate to Exchange OAB\\n| extend 
ObjectClass = column_ifexists(\\\"ObjectClass\\\", \\\"\\\")\\n| where ObjectClass =~ \\\"msExchOABVirtualDirectory\\\"\\n// Look for InternalHostName or ExternalHostName properties being changed\\n| extend AttributeLDAPDisplayName = column_ifexists(\\\"AttributeLDAPDisplayName\\\", \\\"\\\")\\n| where AttributeLDAPDisplayName in (\\\"msExchExternalHostName\\\", \\\"msExchInternalHostName\\\")\\n// Look for suspected webshell activity\\n| extend AttributeValue = column_ifexists(\\\"AttributeValue\\\", \\\"\\\")\\n| where AttributeValue has \\\"script\\\"\\n| project-rename LastSeen = TimeGenerated\\n| extend ObjectDN = column_ifexists(\\\"ObjectDN\\\", \\\"\\\")\\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange OAB Virtual Directory Attribute Containing Potential Webshell\",\"description\":\"This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\\nwhere the new objects contain potential webshell objects. 
Ref: https://aka.ms/ExchangeVulns\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"name\":\"b3cfc7c0-092c-481c-a55b-34a3979758cb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Cloud App Security\",\"displayName\":\"Create incidents based on Microsoft Cloud App Security alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud Apps\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert (MCAS)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"name\":\"eb68b129-5f17-4f56-bf6d-dde48d5e615a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == 
\u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedMimeType = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where attachedMimeType == \u0027application/zip\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Binary file in attachment\",\"description\":\"Detects when email received with binary file as attachment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"name\":\"c0e84221-f240-4dd7-ab1e-37e034ea2a4e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"union isfuzzy=true\\n(DeviceFileEvents\\n| where FolderPath endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has \\\"vmware-vmdmp.log\\\"\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName 
endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\\n(imFileEvent\\n| where TargetFileName endswith \\\"vmware-vmdmp.log\\\"\\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\\n)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT log file creation\",\"description\":\"This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5b6ae038-f66e-4f74-9315-df52fd492be4\",\"name\":\"5b6ae038-f66e-4f74-9315-df52fd492be4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"imProcess\\n | where CommandLine has_all (\\\"accepteula\\\", \\\"-s\\\", 
\\\"-r\\\", \\\"-q\\\")\\n | where Process !endswith \\\"sdelete.exe\\\"\\n | where CommandLine !has \\\"sdelete\\\"\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage (ASIM Version)\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\\nThis detection uses the ASIM imProcess parser, this will need to be deployed before use - https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"name\":\"8c8de3fa-6425-4623-9cd9-45de1dd0569a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lookBack = 14d;\\nlet timeframe = 1d;\\nlet user_agents_list = Cisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(lookBack) and TimeGenerated \u003c ago(timeframe)\\n| 
summarize count() by HttpUserAgentOriginal\\n| summarize make_list(HttpUserAgentOriginal);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal !in (user_agents_list)\\n| extend Message = \\\"Rare User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Rare User Agent Detected\",\"description\":\"Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"name\":\"02ef8d7e-fc3a-4d86-a457-650fa571d8d2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let logonDiff = 10m;\\nlet aadFunc = (tableName:string){\\ntable(tableName) \\n| where ResultType == \\\"0\\\" \\n| where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n| 
project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \\\".\\\")[0], \\\".\\\", split(IPAddress, \\\".\\\")[1]), Type\\n| join kind= inner (\\n table(tableName)\\n | where ResultType !in (\\\"0\\\", \\\"50140\\\") \\n | where ResultDescription !~ \\\"Other\\\" \\n | where AppDisplayName !in (\\\"Office 365 Exchange Online\\\", \\\"Skype for Business Online\\\")\\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\\n) on UserPrincipalName, AppDisplayName \\n| where SuccessLogonTime \u003c FailedLogonTime and FailedLogonTime - SuccessLogonTime \u003c= logonDiff and FailedIPAddress !startswith SuccessIPBlock\\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\\n| extend timestamp = SuccessLogonTime\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SuccessIPAddress\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"FailedIPAddress\"}]}],\"tactics\":[\"CredentialAccess\",\"InitialAccess\"],\"displayName\":\"Successful logon from IP and failure from a different IP\",\"description\":\"Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\\nThis may indicate a malicious attempt at password guessing based on knowledge of the users 
account.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"name\":\"9736e5f1-7b6e-4bfb-a708-e53ff1d182c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let tokens = dynamic([\\\"416\\\",\\\"208\\\",\\\"128\\\",\\\"120\\\",\\\"96\\\",\\\"80\\\",\\\"72\\\",\\\"64\\\",\\\"48\\\",\\\"44\\\",\\\"40\\\",\\\"g5\\\",\\\"gs5\\\",\\\"g4\\\",\\\"gs4\\\",\\\"nc12\\\",\\\"nc24\\\",\\\"nv12\\\"]);\\nlet operationList = dynamic([\\\"microsoft.compute/virtualmachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nAzureActivity\\n| where tolower(OperationNameValue) in (operationList)\\n| where ActivityStatusValue == \\\"Accepted\\\" \\n| where isnotempty(Properties)\\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\\n| where isnotempty(vmSize)\\n| where vmSize has_any (tokens) \\n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\\n| project TimeGenerated, OperationNameValue, 
ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Creation of expensive computes in Azure\",\"description\":\"Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\\nAdversary may create new or update existing virtual machines sizes to evade defenses \\nor use it for cryptomining purposes.\\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \\nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78422ef2-62bf-48ca-9bab-72c69818a425\",\"name\":\"78422ef2-62bf-48ca-9bab-72c69818a425\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Low\",\"query\":\"let endtime = 1d;\\nlet starttime = 8d;\\nlet threshold = 2.0;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize StartTimeUtc 
= min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(endtime)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 10\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(Account endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| extend Activity=\\\"4624 - An account was successfully logged on.\\\"\\n| extend LogonTypeName=\\\"10 - RemoteInteractive\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName)\\nby Account, IpAddress, AccountType, Activity, LogonTypeName)\\n)\\n| join kind=inner (\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and LogonType == 10\\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\\n),\\n( WindowsEvent\\n| where TimeGenerated \u003e= ago(starttime) and TimeGenerated \u003c ago(endtime)\\n| where EventID == 4624 and EventData has (\\\"10\\\")\\n| extend LogonType = toint(EventData.LogonType)\\n| where LogonType == 10\\n| extend Account = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| summarize 
ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress)\\n)\\n) on Account, IpAddress\\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\\n// Where the ratio of today to previous 7 days is more than double.\\n| where Ratio \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Multiple RDP connections from Single System\",\"description\":\"Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days.\\nConnections from the same system with the same account within the same day.\\nRDP connections are indicated by the EventID 4624 with LogonType = 
10\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-10-21T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"name\":\"4d94d4a9-dc96-450a-9dea-4d4d4594199b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-38647\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to OMIGOD CVE-2021-38647\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \\n helps users manage configurations across remote and local environments. 
The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d3980830-dd9d-40a5-911f-76b44dfdce16\",\"name\":\"d3980830-dd9d-40a5-911f-76b44dfdce16\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppDisplayName == \\\"GitHub.com\\\"\\n| where ResultType == 0\\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\\n| where CountOfLocations \u003e 1\\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"GitHub Signin Burst from Multiple Locations\",\"description\":\"This alerts when 
there Signin burst from multiple locations in GitHub (AAD SSO).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/25a7f951-54b7-4cf5-9862-ebc04306c590\",\"name\":\"25a7f951-54b7-4cf5-9862-ebc04306c590\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_users = (AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | summarize by userPrincipalName);\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName has \\\"conditional access policy\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CAPolicyName = tostring(TargetResources[0].displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where userPrincipalName !in (known_users)\\n | extend NewPolicyValues = TargetResources[0].modifiedProperties[0].newValue\\n | extend OldPolicyValues = TargetResources[0].modifiedProperties[0].oldValue\\n | project-reorder TimeGenerated, OperationName, CAPolicyName, 
userPrincipalName, ipAddress, NewPolicyValues, OldPolicyValues\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Conditional Access Policy Modified by New User\",\"description\":\"Detects a Conditional Access Policy being modified by a user who has not modified a policy in the last 14 days.\\n A threat actor may try to modify policies to weaken the security controls in place.\\n Investigate any change to ensure they are approved.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"name\":\"70b12a3b-4896-42cb-910c-5ffaf8d7987d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"seoulhobi.biz\\\", \\\"reader.cash\\\", \\\"pieceview.club\\\", \\\"app-wallet.com\\\", \\\"bigwnet.com\\\", \\\"bitwoll.com\\\", \\\"cexrout.com\\\", \\\"change-pw.com\\\", \\\"checkprofie.com\\\", \\\"cloudwebappservice.com\\\", \\\"ctquast.com\\\", \\\"dataviewering.com\\\", \\\"day-post.com\\\", \\\"dialy-post.com\\\", 
\\\"documentviewingcom.com\\\", \\\"dovvn-mail.com\\\", \\\"down-error.com\\\", \\\"drivecheckingcom.com\\\", \\\"drog-service.com\\\", \\\"encodingmail.com\\\", \\\"filinvestment.com\\\", \\\"foldershareing.com\\\", \\\"golangapis.com\\\", \\\"hotrnall.com\\\", \\\"lh-logins.com\\\", \\\"login-use.com\\\", \\\"mail-down.com\\\", \\\"matmiho.com\\\", \\\"mihomat.com\\\", \\\"natwpersonal-online.com\\\", \\\"nidlogin.com\\\", \\\"nid-login.com\\\", \\\"nidlogon.com\\\", \\\"pw-change.com\\\", \\\"rnaii.com\\\", \\\"rnailm.com\\\", \\\"sec-live.com\\\", \\\"secrityprocessing.com\\\", \\\"securitedmode.com\\\", \\\"securytingmail.com\\\", \\\"set-login.com\\\", \\\"usrchecking.com\\\", \\\"com-serviceround.info\\\", \\\"mai1.info\\\", \\\"reviewer.mobi\\\", \\\"files-download.net\\\", \\\"fixcool.net\\\", \\\"hanrnaii.net\\\", \\\"office356-us.org\\\", \\\"smtper.org\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost \\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"THALLIUM domains included in DCU takedown\",\"description\":\"THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \\n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ 
\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2020-01-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"name\":\"4d94d4a9-dc96-410a-8dea-4d4d4584188b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = 
parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId, \\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not 
available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/50574fac-f8d1-4395-81c7-78a463ff0c52\",\"name\":\"50574fac-f8d1-4395-81c7-78a463ff0c52\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where AppId =~ \\\"1b730954-1685-4b74-9bfd-dac224a7b894\\\" // AppDisplayName IS Azure Active Directory PowerShell\\n| where TokenIssuerType =~ \\\"AzureAD\\\"\\n| where ResourceIdentity !in (\\\"00000002-0000-0000-c000-000000000000\\\", \\\"00000003-0000-0000-c000-000000000000\\\") // 
ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\\n| extend Status = todynamic(Status)\\n| where Status.errorCode == 0 // Success\\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\\n| order by TimeGenerated desc\\n// New entity mapping\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Azure Active Directory PowerShell accessing non-AAD resources\",\"description\":\"This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\\nFor further information on Azure Active Directory Signin activity reports, see: 
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"name\":\"cca3b4d9-ac39-4109-8b93-65bb284003e6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AzureActivity | where TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(Caller)\\n | extend Caller = tolower(Caller)\\n | where Caller matches regex emailregex\\n | extend AzureActivity_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.Caller\\n| where AzureActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize 
AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \\nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \\nResourceGroup, SubscriptionId\\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to AzureActivity\",\"description\":\"Identifies a match in AzureActivity table from any Email IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"name\":\"9122a9cb-916b-4d98-a199-1b7b0af8d598\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"beesweiserdog.com\\\", \\n \\\"bluehostfit.com\\\", \\n \\\"business-toys.com\\\", \\n \\\"cleanskycloud.com\\\", \\n \\\"cumberbat.com\\\", \\n \\\"czreadsecurity.com\\\", \\n \\\"dgtresorgouv.com\\\", \\n \\\"dimediamikedask.com\\\", \\n \\\"diresitioscon.com\\\", \\n \\\"elcolectador.com\\\", \\n \\\"elperuanos.org\\\", \\n \\\"eprotectioneu.com\\\", \\n \\\"fheacor.com\\\", \\n \\\"followthewaterdata.com\\\", \\n \\\"francevrteepress.com\\\", \\n \\\"futtuhy.com\\\", \\n \\\"gardienweb.com\\\", \\n \\\"heimflugaustr.com\\\", \\n \\\"ivpsers.com\\\", \\n \\\"jkeducation.org\\\", \\n \\\"micrlmb.com\\\", \\n \\\"muthesck.com\\\", \\n \\\"netscalertech.com\\\", \\n \\\"newgoldbalmap.com\\\", \\n \\\"news-laestrella.com\\\", \\n \\\"noticialif.com\\\", \\n \\\"opentanzanfoundation.com\\\", \\n \\\"optonlinepress.com\\\", \\n \\\"palazzochigi.com\\\", \\n \\\"pandemicacre.com\\\", \\n \\\"papa-ser.com\\\", \\n \\\"pekematclouds.com\\\", \\n 
\\\"pipcake.com\\\", \\n \\\"popularservicenter.com\\\", \\n \\\"projectsyndic.com\\\", \\n \\\"qsadtv.com\\\", \\n \\\"sankreal.com\\\", \\n \\\"scielope.com\\\", \\n \\\"seoamdcopywriting.com\\\", \\n \\\"slidenshare.com\\\", \\n \\\"somoswake.com\\\", \\n \\\"squarespacenow.com\\\", \\n \\\"subapostilla.com\\\", \\n \\\"suzukicycles.net\\\", \\n \\\"tatanotakeeps.com\\\", \\n \\\"tijuanazxc.com\\\", \\n \\\"transactioninfo.net\\\", \\n \\\"eurolabspro.com\\\", \\n \\\"adelluminate.com\\\", \\n \\\"headhunterblue.com\\\", \\n \\\"primenuesty.com\\\" \\n ]);\\nlet SHA256Hashes = dynamic ([\\\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\\\", \\n \\\"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\\\", \\n \\\"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\\\", \\n \\\"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\\\", \\n \\\"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\\\", \\n \\\"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\\\", \\n \\\"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\\\", \\n \\\"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\\\", \\n \\\"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\\\", \\n \\\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\\\", \\n \\\"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\\\", \\n \\\"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\\\", \\n \\\"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\\\", \\n \\\"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\\\", \\n \\\"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\\\", \\n \\\"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\\\", \\n \\\"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\\\", \\n \\\"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\\\", 
\\n \\\"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\\\", \\n \\\"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\\\", \\n \\\"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\\\", \\n \\\"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\\\", \\n \\\"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\\\", \\n \\\"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\\\", \\n \\\"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\\\", \\n \\\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\\\", \\n \\\"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\\\", \\n \\\"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\\\", \\n \\\"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\\\", \\n \\\"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\\\"\\n ]);\\nlet SigNames = dynamic([\\\"Backdoor:Win32/Leeson\\\", \\\"Trojan:Win32/Kechang\\\", \\\"Backdoor:Win32/Nightimp!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"TrojanSpy:Win32/KeyLogger\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n(_Im_Dns(domain_has_any = DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(_Im_WebSession(url_has_any = DomainNames)\\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes 
with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA256Hashes) \\n| extend Account = UserName\\n),\\n(DeviceFileEvents\\n| where SHA256 in~ (SHA256Hashes)\\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(imFileEvent\\n| where TargetFileSHA256 in~ (SHA256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(DeviceNetworkEvents\\n| where RemoteUrl in~ (DomainNames)\\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known NICKEL domains and hashes\",\"description\":\"IOC domains and hash values for tools and malware used by NICKEL. \\n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/720d12c6-a08c-44c4-b18f-2236412d59b0\",\"name\":\"720d12c6-a08c-44c4-b18f-2236412d59b0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process !~ \\\"sdelete.exe\\\"\\n | where CommandLine has_all 
(\\\"accepteula\\\", \\\"-r\\\", \\\"-s\\\", \\\"-q\\\", \\\"c:/\\\")\\n | where CommandLine !has (\\\"sdelete\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\",\"Impact\"],\"displayName\":\"Potential re-named sdelete usage\",\"description\":\"This detection looks for command line parameters associated with the use of Sysinternals sdelete (https://docs.microsoft.com/sysinternals/downloads/sdelete) to delete multiple files on a host\u0027s C drive.\\nA threat actor may re-name the tool to avoid detection and then use it for destructive attacks on a host.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"name\":\"009b9bae-23dd-43c4-bcb9-11c4ba7c784a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has \\\"Consent to application\\\"\\n | where Result =~ \\\"failure\\\"\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend userAgent = iif(AdditionalDetails[0].key == \\\"User-Agent\\\", 
tostring(AdditionalDetails[0].value), tostring(AdditionalDetails[1].value))\\n | where isnotempty(TargetResources)\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"MethodExecutionResult.\\\"\\n | extend FailureReason = tostring(parse_json(tostring(TargetResources_0_modifiedProperties.newValue)))\\n | where FailureReason contains \\\"Risky\\\"\\n | project-reorder TimeGenerated, OperationName, Result, AppName, FailureReason, userPrincipalName, userAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"End-user consent stopped due to risk-based consent\",\"description\":\"Detects a user\u0027s consent to an OAuth application being blocked due to it being too risky.\\n These events should be investigated to understand why the user attempted to consent to the applicaiton and what other applicaitons they may have consented to.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"name\":\"e70fa6e0-796a-4e85-9420-98b17b0bb749\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"DeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join (SecurityAlert\\n| where ProviderName =~ \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName has \\\"Solorigate\\\"\\n| extend HostCustomEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.HostCustomEntity\\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Solorigate Defender Detections\",\"description\":\"Surfaces any Defender Alert for Solorigate Events. 
In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \\n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.\",\"lastUpdatedDateUTC\":\"2021-11-10T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert (MDATP)\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceInfo\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"name\":\"9176b18f-a946-42c6-a2f6-0f6d17cd6a8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet querystarttime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the cisco umbrella top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n | extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n | extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n | mvexpand Trigram=AllTriGrams to typeof(string)\\n | summarize triCount=count() by Trigram\\n | sort by triCount desc\\n | where triCount \u003e triThreshold\\n | distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = _Im_WebSession \\n| where isnotempty(Url) \\n| extend Name = tolower(tostring(parse_url(Url)[\\\"Host\\\"]))\\n| summarize NameCount=count() by Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | distinct 
DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n _Im_WebSession\\n | where isnotempty(Url)\\n | extend Url = tolower(Url)\\n | summarize arg_max(TimeGenerated, EventVendor, SrcIpAddr) by Url\\n | extend Name=tostring(parse_url(Url)[\\\"Host\\\"])\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SrcIpAddr, Url\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SrcIpAddr, Url, NameCount\",\"customDetails\":{\"DGAPattern\":\"DGADomain\",\"NameCount\":\"NameCount\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential communication from {{SrcIpAddr} with a Domain Generation Algorithm (DGA) based host {{Name}}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} communicated with host {{Name}} that have a domain name that might have been generated by a Domain Generation Algorithm (DGA), identified by the pattern {{DGADomain}}. DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the top 1 million domain names to build a model of what normal domains look like and uses the model to identify domains that may have been randomly generated by an algorithm.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential communication with a Domain Generation Algorithm (DGA) based hostname (ASIM Web Session schema)\",\"description\":\"This rule identifies communication with hosts that have a domain name that might have been generated by a Domain Generation Algorithm (DGA). DGAs are used by malware to generate rendezvous points that are difficult to predict in advance. 
This detection uses the top 1 million domain names to build a model of what normal domains look like nad uses the model to identify domains that may have been randomly generated by an algorithm. You can modify the triThreshold and dgaLengthThreshold query parameters to change Analytic Rule sensitivity. The higher the numbers, the less noisy the rule is. \u003cbr\u003e\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f819c592-c5f9-4d5c-a79f-1e6819863533\",\"name\":\"f819c592-c5f9-4d5c-a79f-1e6819863533\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"// ADHealth Monitoring Agent Registry Key\\nlet aadHealthMonAgentRegKey = \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Microsoft Online\\\\\\\\Reporting\\\\\\\\MonitoringAgent\\\";\\n// Filter out known processes\\nlet aadConnectHealthProcs = dynamic ([\\n \u0027Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.InsightsService.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.Health.Adfs.PshSurrogate.exe\u0027,\\n 
\u0027Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe\u0027,\\n \u0027Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe\u0027,\\n \u0027Microsoft.Identity.AadConnect.Health.AadSync.Host.exe\u0027,\\n \u0027Microsoft.Azure.ActiveDirectory.Synchronization.Upgrader.exe\u0027,\\n \u0027miiserver.exe\u0027\\n]);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == \u00274656\u0027\\n| where EventData has aadHealthMonAgentRegKey\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\\n| extend ObjectName = column_ifexists(\\\"ObjectName\\\", \\\"\\\"),\\n ObjectType = column_ifexists(\\\"ObjectType\\\", \\\"\\\")\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend SubjectUserName = column_ifexists(\\\"SubjectUserName\\\", \\\"\\\"),\\n SubjectDomainName = column_ifexists(\\\"SubjectDomainName\\\", \\\"\\\"),\\n ProcessName = column_ifexists(\\\"ProcessName\\\", \\\"\\\")\\n| extend Process = split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1],\\n Account = strcat(SubjectDomainName, \\\"\\\\\\\\\\\", SubjectUserName)\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00274656\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend 
Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00274663\u0027\\n| where ObjectType == \u0027Key\u0027\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027, -1)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n),\\n (\\nWindowsEvent\\n| where EventID == \u00274663\u0027 and EventData has aadHealthMonAgentRegKey\\n| extend ObjectType = tostring(EventData.ObjectType)\\n| where ObjectType == \u0027Key\u0027\\n| extend ObjectName = tostring(EventData.ObjectName)\\n| where ObjectName == aadHealthMonAgentRegKey\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| extend Process = tostring(split(ProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process !in (aadConnectHealthProcs)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by EventID, Account, Computer, Process, SubjectUserName, SubjectDomainName, ObjectName, ObjectType, ProcessName\\n)\\n)\\n// You can filter out 
potential machine accounts\\n//| where AccountType != \u0027Machine\u0027\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Azure AD Health Monitoring Agent Registry Keys Access\",\"description\":\"This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent.\\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\\n\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-08-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"name\":\"066395ac-ef91-4993-8bf6-25c61ab0ca5a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severi
ty\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\"| project IoC);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet file_path1 = (iocs | where Type =~ \\\"filepath1\\\" | project IoC);\\nlet file_path2 = (iocs | where Type =~ \\\"filepath2\\\" | project IoC);\\nlet file_path3 = (iocs | where Type =~ \\\"filepath3\\\" | project IoC);\\nlet reg_key = (iocs | where Type =~ \\\"regkey\\\" | project IoC);\\nWindowsEvent\\n| where EventID == 4688 and (EventData has_any (file_path1) or EventData has_any (file_path2) or EventData has_any (file_path3) or EventData has_any (\u0027reg add\u0027) or EventData has_any (reg_key) )\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where (CommandLine has_any (file_path1)) or\\n (CommandLine has_any (file_path3)) or\\n (CommandLine has \u0027reg add\u0027 and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or \\n (NewProcessName has_any (file_path1)) or\\n (NewProcessName has_any (file_path3)) or\\n (ParentProcessName has_any (file_path1)) or \\n (ParentProcessName has_any (file_path3)) \\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessId = tostring(EventData.NewProcessId)\\n| extend IPCustomEntity = tostring(EventData.IpAddress)\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, IPCustomEntity\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = \u0027SOURGUM IOC 
detected\u0027\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SOURGUM Actor IOC - July 2021\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as SOURGUM\",\"lastUpdatedDateUTC\":\"2022-05-19T00:00:00Z\",\"createdDateUTC\":\"2022-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6116dc19-475a-4148-84b2-efe89c073e27\",\"name\":\"6116dc19-475a-4148-84b2-efe89c073e27\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetectionV2_CL\\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), 
dcount(NetBios_s) by tostring(QID_s)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple hosts\",\"lastUpdatedDateUTC\":\"2021-12-08T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"name\":\"90d3f6ec-80fb-48e0-9937-2c70c9df9bad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", \\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| 
extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage), \\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage), \\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage), \\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \\\"200\\\"\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Squid proxy events for ToR proxies\",\"description\":\"Check for Squid proxy events associated with common ToR proxies. 
This query presumes the default squid log format is being used.\\nhttp://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"name\":\"70fc7201-f28e-4ba7-b9ea-c04b96701f13\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let OperationList = dynamic([\\\"Add member to role\\\",\\\"Add member to role in PIM requested (permanent)\\\"]);\\nlet PrivilegedGroups = dynamic([\\\"UserAccountAdmins\\\",\\\"PrivilegedRoleAdmins\\\",\\\"TenantAdmins\\\"]);\\nAuditLogs\\n//| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"RoleManagement\\\"\\n| where OperationName in~ (OperationList)\\n| mv-expand TargetResources\\n| extend modProps = parse_json(TargetResources).modifiedProperties\\n| mv-expand bagexpansion=array modProps\\n| evaluate bag_unpack(modProps)\\n| extend displayName = column_ifexists(\\\"displayName\\\", \\\"NotAvailable\\\"), newValue = column_ifexists(\\\"newValue\\\", \\\"NotAvailable\\\")\\n| where displayName =~ \\\"Role.WellKnownObjectName\\\"\\n| extend DisplayName = displayName, GroupName = replace(\u0027\\\"\u0027,\u0027\u0027,newValue)\\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\\n| extend AppId = initByApp.appId,\\nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \\\"not 
available\\\"),\\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\\nUserId = initByUser.id,\\nUserIPAddress = initByUser.ipAddress,\\nUserRoles = initByUser.roles,\\nUserPrincipalName = tostring(initByUser.userPrincipalName),\\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\\n| where GroupName in~ (PrivilegedGroups)\\n// If you don\u0027t want to alert for operations from PIM, remove below filtering for MS-PIM.\\n//| where InitiatedByDisplayName != \\\"MS-PIM\\\"\\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\\n| extend AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \\\"not available\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserPrincipalName\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"NRT User added to Azure Active Directory Privileged Groups\",\"description\":\"This will alert when a user is added to any of the Privileged Groups.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\\nFor Administrator role permissions in Azure Active Directory please see 
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles\",\"lastUpdatedDateUTC\":\"2022-03-24T00:00:00Z\",\"createdDateUTC\":\"2020-07-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5239248b-abfb-4c6a-8177-b104ade5db56\",\"name\":\"5239248b-abfb-4c6a-8177-b104ade5db56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Medium\",\"query\":\"let RunCommandData = materialize ( AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, 
EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n| join kind=leftouter (\\n DeviceFileEvents\\n | where InitiatingProcessFileName == \\\"RunCommandExtension.exe\\\"\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\\n) on VirtualMachineName\\n// We need to filter by time sadly, this is the only way to link events\\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\\n| join kind=inner(\\n DeviceEvents\\n | extend VirtualMachineName = tostring(split(DeviceName, \\\".\\\")[0])\\n | where InitiatingProcessCommandLine has \\\"-File\\\"\\n // Extract the script name based on the structure used by the RunCommand extension\\n | extend PowershellFileName = extract(@\\\"\\\\-File\\\\s(script[0-9]{1,9}\\\\.ps1)\\\", 1, InitiatingProcessCommandLine)\\n // Discard results that didn\u0027t successfully extract, these are not run command related\\n | where isnotempty(PowershellFileName)\\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\\n | where PSCommand != PowershellFileName \\n // Now we normalise the cmdlets, we\u0027re aiming to hash them to find scripts using rare combinations\\n | extend PSCommand = toupper(PSCommand)\\n | order by PSCommand asc\\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, 
InitiatingProcessCommandLine\\n) on $left.FileName == $right.PowershellFileName\\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\\n| order by StartTime asc \\n// We generate the hash based on the cmdlets called and the size of the powershell script\\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\\nlet totals = toscalar (RunCommandData\\n| summarize count());\\nlet hashTotals = RunCommandData\\n| summarize HashCount=count() by ScriptFingerprintHash;\\nRunCommandData\\n| join kind=leftouter (\\nhashTotals\\n) on ScriptFingerprintHash\\n// Calculate prevalence, while we don\u0027t need this, it may be useful for responders to know how rare this script is in relation to normal activity\\n| extend Prevalence = toreal(HashCount) / toreal(totals) * 100\\n// Where the hash was only ever seen once.\\n| where HashCount == 1\\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"Execution\"],\"displayName\":\"Azure VM Run Command 
operations executing a unique PowerShell script\",\"description\":\"Identifies when Azure Run command is used to execute a PowerShell script on a VM that is unique.\\nThe uniqueness of the PowerShell script is determined by taking a combined hash of the cmdLets it imports\\nand the file size of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\\nin your environment.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"name\":\"f15370f4-c6fa-42c5-9be4-1d308f40284e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC 
match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n OfficeActivity\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(ClientIP)\\n | extend ClientIPValues = extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]%]+)(%\\\\d+)?\\\\]?([-:](?P\u003cPort\u003e\\\\d+))?\u0027, dynamic([\\\"IPAddress\\\", \\\"Port\\\"]), ClientIP)[0]\\n | extend IPAddress = tostring(ClientIPValues[0])\\n // renaming time column so it is clear the log this came from\\n | extend OfficeActivity_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPAddress\\n| where OfficeActivity_TimeGenerated \u003c ExpirationDateTime\\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = TI_ipEntity, AccountCustomEntity = UserId, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to OfficeActivity\",\"description\":\"Identifies a match in OfficeActivity from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"name\":\"a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Extracts plaintext IPv4 addresses\\nlet ipv4_plaintext_extraction_regex = @\\\"((?:(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(?:\\\\.)){3}(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]){1,3})\\\";\\n// Identified base64 encoded IPv4 addresses\\nlet ipv4_encoded_identification_regex = 
@\\\"\\\\=([a-zA-Z0-9\\\\/\\\\+]*(?:(?:MC|Au|wL|MS|Eu|xL|Mi|Iu|yL|My|Mu|zL|NC|Qu|0L|NS|Uu|1L|Ni|Yu|2L|Ny|cu|3L|OC|gu|4L|OS|ku|5L){1}[a-zA-Z0-9\\\\/\\\\+]{2,4}){3}[a-zA-Z0-9\\\\/\\\\+\\\\=]*)\\\";\\n// Extractes IPv4 addresses as hex values\\nlet ipv4_decoded_hex_extract = @\\\"((?:(?:61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|2f|2b|3d),){7,15})\\\";\\nCommonSecurityLog\\n| where isnotempty(RequestURL)\\n// Identify requests with encoded IPv4 addresses\\n| where RequestURL matches regex ipv4_encoded_identification_regex\\n| project TimeGenerated, RequestURL\\n// Extract IP candidates in their base64 encoded format, significantly reducing the dataset\\n| extend extracted_encoded_ip_candidate = extract_all(ipv4_encoded_identification_regex, RequestURL)\\n// We could have more than one candidate, expand them out\\n| mv-expand extracted_encoded_ip_candidate to typeof(string)\\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), make_set(RequestURL) by extracted_encoded_ip_candidate\\n// Pad if we need to\\n| extend extracted_encoded_ip_candidate = iff(strlen(extracted_encoded_ip_candidate) % 2 == 0, extracted_encoded_ip_candidate, strcat(extracted_encoded_ip_candidate, \\\"=\\\"))\\n// Now decode the candidate to a long array, we cannot go straight to string as it cannot handle non-UTF8, we need to strip that first\\n| extend extracted_encoded_ip_candidate = tostring(base64_decode_toarray(extracted_encoded_ip_candidate))\\n// Extract the IP candidates from the array\\n| extend hex_extracted = extract_all(ipv4_decoded_hex_extract, extracted_encoded_ip_candidate)\\n// Expand, it\u0027s still possible that we might have more than 1 IP\\n| mv-expand hex_extracted\\n// Now we should have a clean string. 
We need to put it back into a dynamic array to convert back to a string.\\n| extend hex_extracted = trim_end(\\\",\\\", tostring(hex_extracted))\\n| extend hex_extracted = strcat(\\\"[\\\",hex_extracted,\\\"]\\\")\\n| extend hex_extracted = todynamic(hex_extracted)\\n| extend extracted_encoded_ip_candidate = todynamic(extracted_encoded_ip_candidate)\\n// Convert the array back into a string\\n| extend decoded_ip_candidate = make_string(hex_extracted)\\n| summarize by decoded_ip_candidate, tostring(set_RequestURL), Start, End\\n// Now the IP candidates will be in plaintext, extract the IPs using a regex\\n| extend ipmatch = extract_all(ipv4_plaintext_extraction_regex, decoded_ip_candidate)\\n// If it\u0027s not an IP, throw it out\\n| where isnotnull(ipmatch)\\n| mv-expand ipmatch to typeof(string)\\n// Join with DeviceNetworkEvents to find instances where an IP of a machine in our MDE estate sent it\u0027s IP in a base64 encoded string\\n| join (\\n DeviceNetworkEvents\\n | summarize make_set(DeviceId), make_set(DeviceName) by RemoteIP\\n) on $left.ipmatch == $right.RemoteIP\\n| project Start, End, IPmatch=ipmatch, RequestURL=set_RequestURL, DeviceNames=set_DeviceName, DeviceIds=set_DeviceId, RemoteIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPmatch\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"DeviceNames\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"IP address of Windows host encoded in web request\",\"description\":\"This detection will identify network requests in HTTP proxy data that contains Base64 encoded IP addresses. After identifying candidates the query\\njoins with DeviceNetworkEvents to idnetify any machine within the network using that IP address. 
Alerts indicate that the IP address of a machine\\nwithin your network was seen with it\u0027s IP address base64 encoded in an outbounf web request. This method of egressing the IP was seen used in POLONIUM\u0027s\\nRunningRAT tool, however the detection is generic.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"name\":\"cbf6ad48-fa5c-4bf7-b205-28dbadb91255\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let procList = externaldata(Process:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Microsoft_Lolbas_Execution_Binaries.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==1\\n| parse EventData with * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" * \u0027OriginalFileName\\\"\u003e\u0027 OriginalFileName \\\"\u003c\\\" *\\n| where OriginalFileName has_any (procList) and not (Image has_any (procList))\\n| parse EventData with * 
\u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Description\\\"\u003e\u0027 Description \\\"\u003c\\\" * \u0027CommandLine\\\"\u003e\u0027 CommandLine \\\"\u003c\\\" * \u0027CurrentDirectory\\\"\u003e\u0027 CurrentDirectory \\\"\u003c\\\" * \u0027User\\\"\u003e\u0027 User \\\"\u003c\\\" * \u0027LogonGuid\\\"\u003e\u0027 LogonGuid \\\"\u003c\\\" * \u0027Hashes\\\"\u003e\u0027 Hashes \\\"\u003c\\\" * \u0027ParentProcessGuid\\\"\u003e\u0027 ParentProcessGuid \\\"\u003c\\\" * \u0027ParentImage\\\"\u003e\u0027 ParentImage \\\"\u003c\\\" * \u0027ParentCommandLine\\\"\u003e\u0027 ParentCommandLine \\\"\u003c\\\" * \u0027ParentUser\\\"\u003e\u0027 ParentUser \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes\",\"entityMappings\":[{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Windows Binaries Lolbins Renamed\",\"description\":\"This query detects the execution of renamed Windows binaries (Lolbins). This is a common technique used by adversaries to evade detection. 
\\nRef: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/execution-of-renamed-lolbin.html\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"name\":\"3a9d5ede-2b9d-43a2-acc4-d272321ff77c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 50;\\nlet aadFunc = (tableName:string){\\n // Failed Signins attempts with reasoning related to conditional access policies.\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultDescription has_any (\\\"conditional access\\\", \\\"CA\\\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\nallSignins\\n| make-series DailyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1d by UserPrincipalName\\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(DailyCount, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand DailyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n// Filtering low count events per baselinethreshold\\n| where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n| extend AnomalyHour = TimeGenerated\\n| project UserPrincipalName, AnomalyHour, TimeGenerated, DailyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = DailyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User Accounts - Sign in Failure due to CA Spikes\",\"description\":\" Identifies spike in failed sign-ins 
from user accounts due to conditional access policied.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"name\":\"b6d03b88-4d27-49a2-9c1c-29f1ad2842dc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let oneDriveCalls = dynamic([\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\u0027,\u0027graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\u0027]);\\nlet oneDriveCallsRegex = dynamic([@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Uploaded\\\\/.*\\\\:\\\\/content\u0027,@\u0027graph\\\\.microsoft\\\\.com\\\\/v1\\\\.0\\\\/me\\\\/drive\\\\/root\\\\:\\\\/Downloaded\\\\/.*\\\\:\\\\/content\u0027]);\\nCommonSecurityLog\\n| where RequestURL has_any (oneDriveCalls) or RequestURL matches regex tostring(oneDriveCallsRegex[0]) or RequestURL matches regex tostring(oneDriveCallsRegex[1])\\n| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, DestinationDnsDomain, DestinationIP, 
RequestURL, SourceIP, SourceHostName, RequestClientApplication\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"SourceHostName\"}]}],\"tactics\":[\"Exfiltration\",\"CommandAndControl\"],\"displayName\":\"CreepyDrive URLs\",\"description\":\"CreepyDrive uses OneDrive for command and control. This detection identifies URLs specific to CreepyDrive.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2022-05-31T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/011c84d8-85f0-4370-b864-24c13455aa94\",\"name\":\"011c84d8-85f0-4370-b864-24c13455aa94\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityAlert\\n| extend Extprop = parse_json(ExtendedProperties)\\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\\\"Compromised Host\\\"]))), toupper(tostring(Extprop[\\\"Compromised Host\\\"])), tostring(parse_json(Entities)[0].HostName))\\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\\\"User Name\\\"]))), tolower(tostring(Extprop[\\\"User Name\\\"])), tolower(tostring(Extprop[\\\"user name\\\"])))\\n| extend 
IpAddress = tostring(parse_json(ExtendedProperties).[\\\"IpAddress\\\"]) \\n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\\n| join kind=inner\\n(\\nCoreAzureBackup\\n| where State =~ \\\"Deleted\\\"\\n| where OperationName =~ \\\"BackupItem\\\"\\n| extend data = split(BackupItemUniqueId, \\\";\\\")\\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\\n)\\non MachineName\\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"CoreBackUp Deletion in correlation with other related security alerts\",\"description\":\"This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. 
\\nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.\",\"lastUpdatedDateUTC\":\"2021-11-05T00:00:00Z\",\"createdDateUTC\":\"2021-11-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1218175f-c534-421c-8070-5dcaabf28067\",\"name\":\"1218175f-c534-421c-8070-5dcaabf28067\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 3; \\nZoomLogs \\n| where Event =~ \\\"chat_message.sent\\\" \\n| extend Channel = tostring(parse_json(ChatEvents).Channel) \\n| extend Message = tostring(parse_json(ChatEvents).Message) \\n| where Message matches regex \\\"http(s?):\\\\\\\\/\\\\\\\\/\\\" \\n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\\n| extend ChannelCount = arraylength(Channels) \\n| where ChannelCount \u003e threshold\\n| extend timestamp = StartTime, AccountCustomEntity = User\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Suspicious link sharing pattern\",\"description\":\"Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. 
\\nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-24T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"name\":\"0d76e9cf-788d-4a69-ac7d-f234826b5bed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", 
\\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"name\":\"95a15f39-d9cc-4667-8cdd-58f3113691c9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 
14d;\\nlet timeframe = 1d;\\n(union isfuzzy=true\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| join kind=rightanti (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| where EventID == 4688) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| join kind=rightanti (\\nWindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4688 and EventData has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has_any (\\\"umworkerprocess.exe\\\", \\\"UMService.exe\\\")\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM New UM Service Child Process\",\"description\":\"This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f845881e-2500-44dc-8ed7-b372af3e1e25\",\"name\":\"f845881e-2500-44dc-8ed7-b372af3e1e25\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let short_uaLength = 5;\\nlet long_uaLength = 1000;\\nlet c_threshold = 100;\\nW3CIISLog \\n// Exclude local IPs as these create noise\\n| where cIP !startswith \\\"192.168.\\\" and cIP != \\\"::1\\\"\\n| where 
isnotempty(csUserAgent) and csUserAgent !in~ (\\\"-\\\", \\\"MSRPC\\\") and (string_size(csUserAgent) \u003c= short_uaLength or string_size(csUserAgent) \u003e= long_uaLength)\\n| extend csUserAgent_size = string_size(csUserAgent)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\\n| where ConnectionCount \u003c c_threshold\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Anomalous User Agent connection attempt\",\"description\":\"Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection 
attempts.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"name\":\"a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n SecurityAlert \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MSTI = case(AlertName has \\\"TI map\\\" and VendorName == \\\"Microsoft\\\" and ProductName == \u0027Azure Sentinel\u0027, true, false)\\n | where MSTI == false\\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\\n // Parsing relevant entity column to filter type account and creating new column by combining account and 
UPNSuffix\\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\\n | where Entitytype =~ \\\"account\\\"\\n | extend EntityEmail = tolower(strcat(EntityName, \\\"@\\\", EntityUPNSuffix))\\n | where EntityEmail matches regex emailregex\\n | extend Alert_TimeGenerated = TimeGenerated\\n)\\non $left.EmailSenderAddress == $right.EntityEmail\\n| where Alert_TimeGenerated \u003c ExpirationDateTime\\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\\nAlertSeverity, Entities, ProviderName, VendorName\\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityAlert\",\"description\":\"Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many 
others\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"name\":\"c9b6d281-b96b-4763-b728-9a04b9fe1246\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlCategory has_any (\u0027Dynamic and Residential\u0027, \u0027Personal VPN\u0027)\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Cisco Umbrella - Connection to non-corporate private network\",\"description\":\"IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home 
computer.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/631d02df-ab51-46c1-8d72-32d0cfec0720\",\"name\":\"631d02df-ab51-46c1-8d72-32d0cfec0720\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let excludeProcs = dynamic([@\\\"\\\\SolarWinds\\\\Orion\\\\APM\\\\APMServiceControl.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\ExportToPDFCmd.Exe\\\", @\\\"\\\\SolarWinds.Credentials\\\\SolarWinds.Credentials.Orion.WebApi.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Topology\\\\SolarWinds.Orion.Topology.Calculator.exe\\\", @\\\"\\\\SolarWinds\\\\Orion\\\\Database-Maint.exe\\\", @\\\"\\\\SolarWinds.Orion.ApiPoller.Service\\\\SolarWinds.Orion.ApiPoller.Service.exe\\\", @\\\"\\\\Windows\\\\SysWOW64\\\\WerFault.exe\\\"]);\\nimProcessCreate\\n| where Process hassuffix \u0027solarwinds.businesslayerhost.exe\u0027\\n| where not(Process has_any (excludeProcs))\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = ActorUsername,\\n HostCustomEntity = User,\\n AlgorithmCustomEntity = \\\"MD5\\\",\\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once 
implemented\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\"],\"displayName\":\"SUNBURST suspicious SolarWinds child processes (Normalized Process Events)\",\"description\":\"Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0bd65651-1404-438b-8f63-eecddcec87b4\",\"name\":\"0bd65651-1404-438b-8f63-eecddcec87b4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = ( union 
isfuzzy=true\\n( Event\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and EventData has \\\"0x3e4\\\" and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n| distinct Computer);\\n(union isfuzzy=true\\n(\\nSecurityEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 and LogonType == 3\\n| where Account !endswith \\\"$\\\"\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nWindowsEvent\\n| where EventID == 4688\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where EventData has \u0027wmiprvse.exe\u0027 and EventData has_any (\u0027rundll32\u0027) \\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| where ParentProcessName has \u0027wmiprvse.exe\u0027\\n// Looking for rundll32.exe is based on intel from the blog linked in the description\\n// This can be commented out or altered to filter out known internal uses\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_any (\u0027rundll32\u0027) \\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n// Search for recent logons to identify lateral movement\\n| join kind= inner\\n(WindowsEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where EventID == 4624 \\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType == 3\\n| extend Account = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| where Account !endswith \\\"$\\\"\\n| extend TargetLogonId = tostring(EventData.TargetLogonId)\\n| project TargetLogonId\\n) on TargetLogonId\\n),\\n(\\nEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n// Check for WMI Events\\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| project TimeGenerated, EventType, Image, Computer, UserName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via Remote WMI Execution\",\"description\":\"This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\n Failed to resolve scalar expression named \\\"[@Name]\\\"\\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. 
See them for more details.\\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-02-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3d71fc38-f249-454e-8479-0a358382ef9a\",\"name\":\"3d71fc38-f249-454e-8479-0a358382ef9a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"SecurityNestedRecommendation\\n| where RemediationDescription has \u0027CVE-2021-44228\u0027\\n| parse ResourceDetails with * \u0027virtualMachines/\u0027 VirtualMAchine \u0027\\\"\u0027 *\\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Execution\"],\"displayName\":\"Vulnerable Machines related to log4j 
CVE-2021-44228\",\"description\":\"This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \\n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-09-17T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"name\":\"a2e0eb51-1f11-461a-999b-cd0ebe5c7a72\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center for IoT\",\"displayName\":\"Create incidents based on Microsoft Defender for IOT alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for IOT\",\"lastUpdatedDateUTC\":\"2019-12-24T00:00:00Z\",\"createdDateUTC\":\"2019-12-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"IoT\",\"dataTypes\":[\"SecurityAlert (ASC for 
IoT)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d2e8fd50-8d66-11ec-b909-0242ac120002\",\"name\":\"d2e8fd50-8d66-11ec-b909-0242ac120002\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID in (4624,4625) and LogonType in (10) and IpAddress in (\\\"::1\\\",\\\"127.0.0.1\\\")\\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, TargetUserName, TargetLogonId, LogonType, IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IpAddress\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential Remote Desktop Tunneling\",\"description\":\"This query detects remote desktop authentication attempts with a localhost source address which can indicate a tunneled login.\\nRef: 
https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2022-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c37711a4-5f44-4472-8afc-0679bc0ef966\",\"name\":\"c37711a4-5f44-4472-8afc-0679bc0ef966\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type == \\\"sha256\\\" | project IoC);\\nlet FilePaths = (iocs | where Type =~ \\\"FilePath\\\" | project IoC);\\nlet POST_URI = (iocs | where Type =~ \\\"URI1\\\" | project IoC);\\nlet GET_URI = (iocs | where Type =~ \\\"URI2\\\" | project IoC);\\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\\nlet ADFS_Servers1 = datatable(Computer:string)\\n[ \\\"\u003cADFS01\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\",\\n\\\"\u003cADFS02\u003e.\u003cDOMAIN\u003e.\u003cCOM\u003e\\\"\\n];\\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \\\"Microsoft.IdentityServer.ServiceHost.exe\\\".\\nlet ADFS_Servers2 = \\n(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where ProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n),\\n( WindowsEvent\\n| where EventID == 4688 and EventData has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\" and EventData has \\\"0x3e4\\\"\\n| extend ProcessName = tostring(EventData.ProcessName)\\n| where ProcessName == \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| extend SubjectLogonId = tostring(EventData.SubjectLogonId)\\n| where SubjectLogonId != \\\"0x3e4\\\"\\n| distinct Computer\\n),\\n(DeviceProcessEvents\\n| where InitiatingProcessFileName == \u0027Microsoft.IdentityServer.ServiceHost.exe\u0027\\n| extend Computer = DeviceName\\n| distinct Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key=tostring([\u0027@Name\u0027]), Value=[\u0027#text\u0027]\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n)\\n);\\nlet ADFS_Servers =\\nADFS_Servers1\\n| union (ADFS_Servers2 | distinct Computer);\\n(union 
isfuzzy=true\\n(DeviceNetworkEvents\\n| where DeviceName in (ADFS_Servers)\\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\" and EventID == \u00277\u0027\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend ImageLoaded = EventDetail.[5].[\\\"#text\\\"], Hashes = EventDetail.[11].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\\n| extend Type = strcat(Type,\\\":\\\",EventID, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceEvents\\n| where DeviceName in (ADFS_Servers)\\n| extend FilePath = strcat(FolderPath, 
\u0027\\\\\\\\\u0027, FileName)\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceFileEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(DeviceImageLoadEvents\\n| where DeviceName in (ADFS_Servers)\\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, 
InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in (ADFS_Servers)\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| parse EventDetail with * \u0027SHA256=\u0027 SHA256 \u0027\\\",\u0027 *\\n| where EventDetail has_any (sha256Hashes) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\\\"#text\\\"] \\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = FileHash\\n),\\n(W3CIISLog \\n| where ( csMethod == \u0027GET\u0027 and csUriStem has_any (GET_URI)) or (csMethod == \u0027POST\u0027 and csUriStem has_any (POST_URI))\\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \\nby cIP, cIP_MethodCountType = \\\"Count of repeated entries, this is to reduce rowsets returned\\\", csMethod, \\ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\\n),\\n(imFileEvent\\n| where DvcHostname in (ADFS_Servers)\\n| where TargetFileSHA256 has_any (sha256Hashes) 
or FilePath has_any (FilePaths)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"NOBELIUM IOCs related to FoggyWeb backdoor\",\"description\":\"Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\\n Reference: 
https://aka.ms/nobelium-foggy-web\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\",\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/61988db3-0565-49b5-b8e3-747195baac6e\",\"name\":\"61988db3-0565-49b5-b8e3-747195baac6e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let procList = dynamic([\\\"cmd.exe\\\",\\\"ftp.exe\\\",\\\"schtasks.exe\\\",\\\"powershell.exe\\\",\\\"rundll32.exe\\\",\\\"regsvr32.exe\\\",\\\"msiexec.exe\\\"]); \\nimProcessCreate\\n| where CommandLine has \\\"recycler\\\"\\n| where Process has_any (procList)\\n| 
extend FileName = tostring(split(Process, \u0027\\\\\\\\\u0027)[-1])\\n| where FileName in~ (procList)\\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Malware in the recycle bin (Normalized Process Events)\",\"description\":\"Identifies malware that has been hidden in the recycle bin.\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)\",\"lastUpdatedDateUTC\":\"2022-02-23T00:00:00Z\",\"createdDateUTC\":\"2021-06-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"name\":\"ec491363-5fe7-4eff-b68e-f42dcb76fcf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where OperationNameValue =~ \u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| project-away 
claimsJson\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIpAddress\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"NRT Azure Active Directory Hybrid Health AD FS New Server\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"name\":\"32ffb19e-8ed8-40ed-87a0-1adb4746b7c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"// Enter a reference list of malicious file artifacts\\nlet MaliciousFileArtifacts = dynamic 
([\\\"lsass.dmp\\\",\\\"test.pwd\\\",\\\"lsremora.dll\\\",\\\"lsremora64.dll\\\",\\\"fgexec.exe\\\",\\\"pwdump\\\",\\\"kirbi\\\",\\\"wce_ccache\\\",\\\"wce_krbtkts\\\",\\\"wceaux.dll\\\",\\\"PwHashes\\\",\\\"SAM.out\\\",\\\"SECURITY.out\\\",\\\"SYSTEM.out\\\",\\\"NTDS.out\\\" \\\"DumpExt.dll\\\",\\\"DumpSvc.exe\\\",\\\"cachedump64.exe\\\",\\\"cachedump.exe\\\",\\\"pstgdump.exe\\\",\\\"servpw64.exe\\\",\\\"servpw.exe\\\",\\\"pwdump.exe\\\",\\\"fgdump-log\\\"]);\\nEvent\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID==11\\n| parse EventData with * \u0027TargetFilename\\\"\u003e\u0027 TargetFilename \\\"\u003c\\\" *\\n| where TargetFilename has_any (MaliciousFileArtifacts)\\n| parse EventData with * \u0027ProcessGuid\\\"\u003e\u0027 ProcessGuid \\\"\u003c\\\" * \u0027Image\\\"\u003e\u0027 Image \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, Image, ProcessGuid, TargetFilename\",\"entityMappings\":[{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"TargetFilename\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"CommandLine\",\"columnName\":\"Image\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential Dumping Tools - File Artifacts\",\"description\":\"This query detects the creation of credential dumping tools files. 
Several credential dumping tools export files with hardcoded file names.\\nRef: https://jpcertcc.github.io/ToolAnalysisResultSheet/\",\"lastUpdatedDateUTC\":\"2022-04-22T00:00:00Z\",\"createdDateUTC\":\"2022-02-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"Event\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/983a6922-894d-413c-9f04-d7add0ecc307\",\"name\":\"983a6922-894d-413c-9f04-d7add0ecc307\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let referencestarttime = 10d;\\nlet referenceendtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \\n {_Im_Dns(responsecodename=\u0027NXDOMAIN\u0027, starttime=stime, endtime=etime)\\n | where DnsQueryTypeName in (\\\"A\\\", \\\"AAAA\\\")\\n | where ipv4_is_match(\\\"127.0.0.1\\\", SrcIpAddr) == False\\n | where DnsQuery !contains \\\"/\\\" and DnsQuery contains \\\".\\\"};\\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold\\n // Filter out previously seen IPs\\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\\n | extend sld = tostring(split(DnsQuery, \\\".\\\")[-2])\\n | summarize dcount(sld) by SrcIpAddr\\n | where dcount_sld \u003e threshold ) on SrcIpAddr\\n// Pull out sample NXDomain responses for those remaining 
potentially infected IPs\\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected (ASIM DNS Schema)\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2021-09-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/18dbdc22-b69f-4109-9e39-723d9465f45f\",\"name\":\"18dbdc22-b69f-4109-9e39-723d9465f45f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ActiniumIOC.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet AVHits = (iocs | where Type =~ \\\"AVDetection\\\"| project IoC);\\nSecurityAlert\\n| where ProviderName == \u0027MDATP\u0027\\n| extend ThreatName_ = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where ThreatName_ has_any (AVHits)\\n| extend Directory = tostring(parse_json(Entities)[0].Directory), SHA256 = tostring(parse_json(tostring(parse_json(Entities)[0].FileHashes))[2].Value), FileName = 
tostring(parse_json(Entities)[0].Name), Hostname = tostring(parse_json(Entities)[6].FQDN)| extend AccountName = tostring(parse_json(tostring(parse_json(Entities)[6].LoggedOnUsers))[0].AccountName)\\n| project TimeGenerated, AlertName, ThreatName_, ProviderName, AlertSeverity, Description, RemediationSteps, ExtendedProperties, Entities, FileName,SHA256, Directory, Hostname, AccountName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"ACTINIUM AV hits - Feb 2022\",\"description\":\"Identifies a match in the Security Alert table for MDATP hits related to the ACTINIUM actor\",\"lastUpdatedDateUTC\":\"2022-02-04T00:00:00Z\",\"createdDateUTC\":\"2022-02-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"name\":\"f6a51e2c-2d6a-4f92-a090-cfb002ca611f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nlet disallowed_ext = dynamic([\u0027ps1\u0027, \u0027exe\u0027, \u0027vbs\u0027, \u0027js\u0027, \u0027scr\u0027]);\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| extend attachedExt = todynamic(MsgParts)[0][\u0027detectedExt\u0027]\\n| where attachedExt in (disallowed_ext)\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = DstUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Suspicious attachment\",\"description\":\"Detects when email contains suspicious attachment (file 
type).\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/707494a5-8e44-486b-90f8-155d1797a8eb\",\"name\":\"707494a5-8e44-486b-90f8-155d1797a8eb\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let auditLookbackStart = 2d;\\nlet auditLookbackEnd = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackStart)\\n| where OperationName =~ \\\"Consent to application\\\" \\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetResourceType = tostring(target.type)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend isAdminConsent = targetModifiedProp[0].newValue\\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\\n| extend Consent_Permissions = targetModifiedProp[4].newValue\\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| join ( \\nAuditLogs\\n| where TimeGenerated \u003e= ago(auditLookbackEnd)\\n| where OperationName =~ \\\"Add service 
principal credentials\\\"\\n| where Result =~ \\\"success\\\"\\n| mv-expand target = TargetResources\\n| extend targetResourceName = tostring(target.displayName)\\n| extend targetResourceID = tostring(target.id)\\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\\n| extend UpdatedProperties = targetModifiedProp[1].newValue\\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n) on targetResourceName, targetResourceID\\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\\n| where TimeConsent \u003e TimeCred \\n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Credential added after admin consented to Application\",\"description\":\"This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another 
user.\\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-12T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11bda520-a965-4654-9a45-d09f372f71aa\",\"name\":\"11bda520-a965-4654-9a45-d09f372f71aa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.5\",\"severity\":\"High\",\"query\":\"AzureActivity\\n// Isolate run command actions\\n| where OperationNameValue == \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n// Confirm that the operation impacted a virtual machine\\n| where Authorization has \\\"virtualMachines\\\"\\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\\n// Limit to Run Command executions 
that Succeeded\\n| where list_ActivityStatusValue has \\\"Success\\\"\\n// Extract data from the Authorization field\\n| extend Authorization_d = parse_json(Authorization)\\n| extend Scope = Authorization_d.scope\\n| extend Scope_s = split(Scope, \\\"/\\\")\\n| extend Subscription = tostring(Scope_s[2])\\n| extend VirtualMachineName = tostring(Scope_s[-1])\\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\\n// Create a join key using the Caller (UPN)\\n| extend joinkey = tolower(Caller)\\n// Join the Run Command actions to UEBA data\\n| join kind = inner (\\n BehaviorAnalytics\\n // We are specifically interested in unusual logins\\n | where EventSource == \\\"Azure AD\\\" and ActivityInsights.ActionUncommonlyPerformedByUser == \\\"True\\\"\\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\\n | extend joinkey = tolower(UserPrincipalName)\\n) on joinkey\\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"LateralMovement\",\"CredentialAccess\"],\"displayName\":\"Azure VM Run Command operation executed during suspicious login window\",\"description\":\"Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \\nthat has resulted in a recent user entity behaviour alert.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3fe3c520-04f1-44b8-8398-782ed21435f8\",\"name\":\"3fe3c520-04f1-44b8-8398-782ed21435f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let torProxies=dynamic([\\\"tor2web.org\\\", \\\"tor2web.com\\\", \\\"torlink.co\\\", \\\"onion.to\\\", \\\"onion.ink\\\", \\\"onion.cab\\\", \\\"onion.nu\\\", \\\"onion.link\\\", \\n\\\"onion.it\\\", \\\"onion.city\\\", \\\"onion.direct\\\", \\\"onion.top\\\", \\\"onion.casa\\\", \\\"onion.plus\\\", 
\\\"onion.rip\\\", \\\"onion.dog\\\", \\\"tor2web.fi\\\", \\n\\\"tor2web.blutmagie.de\\\", \\\"onion.sh\\\", \\\"onion.lu\\\", \\\"onion.pet\\\", \\\"t2w.pw\\\", \\\"tor2web.ae.org\\\", \\\"tor2web.io\\\", \\\"tor2web.xyz\\\", \\\"onion.lt\\\", \\n\\\"s1.tor-gateways.de\\\", \\\"s2.tor-gateways.de\\\", \\\"s3.tor-gateways.de\\\", \\\"s4.tor-gateways.de\\\", \\\"s5.tor-gateways.de\\\", \\\"hiddenservice.net\\\"]);\\n_Im_Dns(domain_has_any=torProxies)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"DNS events related to ToR proxies (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses performing DNS lookups associated with common ToR proxies.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"name\":\"d9938c3b-16f9-444d-bc22-ea9a9110e0fd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\\nlet appList = dynamic([\u0027cf6d7e68-f018-4e0a-a7b3-126e053fb88d\u0027,\u0027cb1056e2-e479-49de-ae31-7812af012ed8\u0027]);\\nlet operationNamesList = dynamic([\u0027Microsoft.ADHybridHealthService/services/servicemembers/action\u0027,\u0027Microsoft.ADHybridHealthService/services/delete\u0027]);\\nAzureActivity\\n| where CategoryValue == \u0027Administrative\u0027\\n| where ResourceProviderValue =~ \u0027Microsoft.ADHybridHealthService\u0027\\n| where _ResourceId contains \u0027AdFederationService\u0027\\n| where 
OperationNameValue in~ (operationNamesList)\\n| extend claimsJson = parse_json(Claims)\\n| extend AppId = tostring(claimsJson.appid)\\n| extend AccountName = tostring(claimsJson.name)\\n| where AppId !in (appList)\\n| project-away claimsJson\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"DefenseEvasion\"],\"displayName\":\"Azure Active Directory Hybrid Health AD FS Suspicious Application\",\"description\":\"This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-08-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"name\":\"9d0295ee-cb75-4f2c-9952-e5acfbb67036\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"let timeframe = ago(1d);\\nAppServiceAntivirusScanAuditLogs\\n| where 
NumberOfInfectedFiles \u003e 0\\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"displayName\":\"AppServices AV Scan with Infected Files\",\"description\":\"Identifies if an AV scan finds infected files in Azure App Services.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b2199398-8942-4b8c-91a9-b0a707c5d147\",\"name\":\"b2199398-8942-4b8c-91a9-b0a707c5d147\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/HiveRansomwareJuly2022.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, 
FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, 
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Hive Ransomware IOC - July 2022\",\"description\":\"Identifies a hash match related to Hive Ransomware across various data 
sources.\",\"lastUpdatedDateUTC\":\"2022-07-05T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ff56009-db01-4615-8211-d4fda21da02d\",\"name\":\"1ff56009-db01-4615-8211-d4fda21da02d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ has_any (\\\"AppRole.Value\\\",\\\"DelegatedPermissionGrant.Scope\\\")\\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where Permission has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = iif(displayName_ =~ \u0027DelegatedPermissionGrant.Scope\u0027,\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Target\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure AD Role Management Permission Grant\",\"description\":\"Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company\u0027s directory.\\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\\nRef : 
https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"name\":\"71d374e0-1cf8-4e50-aecd-ab6c519795c2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"AzureDevOpsAuditing\\n| where OperationName =~ \\\"Pipelines.PipelineRetentionSettingChanged\\\"\\n| where Data.SettingName in (\\\"PurgeArtifacts\\\", \\\"PurgeRuns\\\")\\n| where Data.NewValue == 1 or Data.NewValue \u003c Data.OldValue/2\\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Retention Reduced\",\"description\":\"AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. 
An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.\",\"lastUpdatedDateUTC\":\"2021-11-02T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"name\":\"979c42dd-533e-4ede-b18b-31a84ba8b3d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has (\\\"HKLM\\\\\\\\System\\\\\\\\CurrentControlSet\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\DsrmAdminLogonBehavior\\\") and Details == \\\"DWORD (0x00000002)\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"DSRM Account Abuse\",\"description\":\"This query detects an abuse of the DSRM account in order to maintain persistence and access to the organization\u0027s Active Directory.\\nRef: 
https://adsecurity.org/?p=1785\",\"lastUpdatedDateUTC\":\"2022-03-11T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82eb796-d1eb-43c8-a813-325ce3417cef\",\"name\":\"d82eb796-d1eb-43c8-a813-325ce3417cef\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(DeviceFileEvents\\n| where ActionType == \\\"FileCreated\\\"\\n| where FileName endswith \\\".h0lyenc\\\" or FolderPath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), HostCustomEntity = DeviceName, Type, InitiatingProcessId, FileName, FolderPath, EventType = ActionType, Commandline = InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA256, FileHashCustomEntity = SHA256\\n),\\n(imFileEvent\\n| where EventType == \\\"FileCreated\\\" \\n| where TargetFilePath endswith \\\".h0lyenc\\\" or TargetFilePath == \\\"C:\\\\\\\\FOR_DECRYPT.html\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname, DvcId, Type, EventType, FileHashCustomEntity = TargetFileSHA256, Hash, TargetFilePath, Commandline = 
ActingProcessCommandLine\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Dev-0530 File Extension Rename\",\"description\":\"Dev-0530 actors are known to encrypt the contents of the victims device as well as renaming the file extensions. This query looks for the creation of files with .h0lyenc extension or presence of ransom note.\",\"lastUpdatedDateUTC\":\"2022-07-14T00:00:00Z\",\"createdDateUTC\":\"2022-07-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba144bf8-75b8-406f-9420-ed74397f9479\",\"name\":\"ba144bf8-75b8-406f-9420-ed74397f9479\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\\nlet signin_threshold = 5; \\n//Make a list of IPs with AAD signin failures above our threshold.\\nlet aadFunc = (tableName:string){\\nlet suspicious_signins = \\n table(tableName)\\n //Looking for logon failure results\\n | where ResultType !in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n //Exclude localhost addresses to reduce the chance of FPs\\n | where IPAddress !in (\\\"127.0.0.1\\\", \\\"::1\\\")\\n | summarize count() by IPAddress\\n | where count_ \u003e signin_threshold\\n | summarize make_set(IPAddress);\\n suspicious_signins\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet suspicious_signins = \\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize make_set(set_IPAddress);\\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\\nCommonSecurityLog\\n //Select only PA VPN sucessful logons\\n | where DeviceVendor == \\\"Palo Alto Networks\\\" and DeviceEventClassID == \\\"globalprotect\\\"\\n | where Message has \\\"GlobalProtect gateway user authentication succeeded\\\"\\n //Parse out the logon source IP from the Message field to match on\\n | extend SourceIP = extract(\\\"Login from: ([^,]+)\\\", 1, Message) \\n | where SourceIP in (suspicious_signins)\\n | extend Reason = \\\"Multiple failed AAD logins from SourceIP\\\"\\n //Parse out other useful information from Message field\\n | extend User = extract(\u0027User name: ([^,]+)\u0027, 1, Message) \\n | extend ClientOS = extract(\u0027Client OS version: ([^,\\\\\\\"]+)\u0027, 1, Message)\\n | extend Location = extract(\u0027Source region: ([^,]{2})\u0027,1, Message)\\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = 
DeviceName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN\",\"description\":\"This query creates a list of IP addresses with a number failed login attempts to AAD \\nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\\nof these IPs within the same timeframe.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-09-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/32555639-b639-4c2b-afda-c0ae0abefa55\",\"name\":\"32555639-b639-4c2b-afda-c0ae0abefa55\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AWSCloudTrail\\n| where EventName =~ \\\"GetCallerIdentity\\\" and UserIdentityType =~ \\\"AssumedRole\\\" \\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, 
UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \\nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\\n| sort by EndTime desc nulls last\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Monitor AWS Credential abuse or hijacking\",\"description\":\"Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \\nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html 
\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/53e936c6-6c30-4d12-8343-b8a0456e8429\",\"name\":\"53e936c6-6c30-4d12-8343-b8a0456e8429\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let SUNSPOT_Hashes = dynamic([\\\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\\\", \\\"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\\\"]);\\nunion isfuzzy=true(\\nDeviceEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\\n(DeviceImageLoadEvents\\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"SUNSPOT malware hashes\",\"description\":\"This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\\nMore details: \\n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \\n - 
https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceImageLoadEvents\",\"DeviceEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"name\":\"fcb9d75c-c3c1-4910-8697-f136bfef2363\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P2D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let querystarttime = 2d;\\nlet queryendtime = 1d;\\nlet TimeDeltaThreshold = 10;\\nlet TotalEventsThreshold = 15;\\nlet PercentBeaconThreshold = 80;\\n_Im_NetworkSession(starttime=querystarttime, endtime=queryendtime)\\n| where not(ipv4_is_private(DstIpAddr))\\n| project TimeGenerated, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| sort by SrcIpAddr asc,TimeGenerated asc, DstIpAddr asc, DstPortNumber asc\\n| serialize\\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSrcIpAddr = next(SrcIpAddr, 1)\\n| extend TimeDeltainSeconds = datetime_diff(\u0027second\u0027,nextTimeGenerated,TimeGenerated)\\n| where SrcIpAddr == nextSrcIpAddr\\n//Whitelisting criteria/ threshold criteria\\n| where TimeDeltainSeconds \u003e TimeDeltaThreshold \\n| project TimeGenerated, TimeDeltainSeconds, SrcIpAddr, SrcPortNumber, DstIpAddr, DstPortNumber, DstBytes, SrcBytes\\n| summarize count(), sum(DstBytes), sum(SrcBytes), make_list(TimeDeltainSeconds) \\nby TimeDeltainSeconds, 
bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSrcBytes = sum(sum_SrcBytes), TotalDstBytes = sum(sum_DstBytes) \\nby bin(TimeGenerated, 1h), SrcIpAddr, DstIpAddr, DstPortNumber\\n| where TotalEvents \u003e TotalEventsThreshold \\n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\\n| where BeaconPercent \u003e PercentBeaconThreshold\",\"customDetails\":{\"DstPortNumber\":\"DstPortNumber\",\"FrequencyCount\":\"TotalSrcBytes\",\"FrequencyTime\":\"MostFrequentTimeDeltaCount\",\"TotalDstBytes\":\"TotalDstBytes\"},\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DstIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}} over port {{DstPortNumber}}\",\"alertDescriptionFormat\":\"Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). 
The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential beaconing activity (ASIM Network Session schema)\",\"description\":\"This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/).\\\\\u003cbr\u003e\u003cbr\u003e\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession 
schema\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"name\":\"b8b8ba09-1e89-45a1-8bd7-691cd23bfa32\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let query_frequency = 15m;\\nlet missing_period = 1h;\\n//Enter a reference list of hostnames for your DC servers\\nlet DCServersList = dynamic ([\\\"DC01.simulandlabs.com\\\",\\\"DC02.simulandlabs.com\\\"]);\\n//Alternatively, a Watchlist can be used\\n//let DCServersList = _GetWatchlist(\u0027HostName-DomainControllers\u0027) | project HostName;\\nHeartbeat\\n| summarize arg_max(TimeGenerated, *) by Computer\\n| where Computer in (DCServersList)\\n//You may specify the OS type of your Domain Controllers\\n//| where OSType == \u0027Windows\u0027\\n| where TimeGenerated between (ago(query_frequency + missing_period) .. 
ago(missing_period))\\n| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions\\n| sort by TimeGenerated asc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\",\"DefenseEvasion\"],\"displayName\":\"Missing Domain Controller Heartbeat\",\"description\":\"This detection will go over the heartbeats received from the agents of Domain Controllers over the last hour, and will create alerts if the last heartbeats were received an hour ago.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-11-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"name\":\"737a2ce1-70a3-4968-9e90-3e6aca836abf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous RDP Login Detections\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\t\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2020-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"name\":\"85aca4d1-5d15-4001-abd9-acb86ca1786a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | where isnotempty(Name)\\n | extend parts = split(Name, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.Name\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-02-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"name\":\"5e45930c-09b1-4430-b2d1-cc75ada0dc0f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.2\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n//Exclude local addresses, using the ipv4_is_private operator\\n| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \\\"fe80\\\" and TI_ipEntity !startswith \\\"::\\\" and TI_ipEntity !startswith \\\"127.\\\"\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n W3CIISLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(cIP)\\n //Exclude local addresses, using the ipv4_is_private operator\\n | where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n // renaming time column so it is clear the log this came from\\n | extend W3CIISLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.cIP\\n| where W3CIISLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to W3CIISLog\",\"description\":\"Identifies a match in W3CIISLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-04-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d564ff12-8f53-41b8-8649-44f76b37b99f\",\"name\":\"d564ff12-8f53-41b8-8649-44f76b37b99f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// How many greater than Service Connections you want to view per build/release\\nlet ServiceConnectionThreshold = 4;\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", 
\\\"ProjectB\\\"\\n];\\nAzureDevOpsAuditing\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iif(\\n Type == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\n strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Abuse\",\"description\":\"Flags builds/releases that use a large number of service connections if they aren\u0027t manually in the allow list.\\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \\nor dump credentials from service 
connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"name\":\"01e8ffff-dc0c-43fe-aa22-d459c4204553\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let discord=dynamic([\\\"cdn.discordapp.com\\\", \\\"media.discordapp.com\\\"]);\\n _Im_WebSession(url_has_any=discord, eventresult=\u0027Success\u0027)\\n | where Url has \\\"attachments\\\"\\n | extend DiscordServerId = extract(@\\\"\\\\/attachments\\\\/([0-9]+)\\\\/\\\", 1, Url)\\n | summarize dcount(Url), make_set(SrcUsername), make_set(SrcIpAddr), make_set(Url), min(TimeGenerated), max(TimeGenerated), make_set(EventResult) by DiscordServerId\\n | mv-expand set_SrcUsername to typeof(string), set_Url to typeof(string), set_EventResult to typeof(string), set_SrcIpAddr to typeof(string)\\n | summarize by DiscordServerId, dcount_Url, set_SrcUsername, min_TimeGenerated, max_TimeGenerated, set_EventResult, set_SrcIpAddr, set_Url\\n | project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, Result=set_EventResult, SourceUser=set_SrcUsername, SourceIP=set_SrcIpAddr, RequestURL=set_Url\\n | where RequestURL has_any 
(\\\".bin\\\",\\\".exe\\\",\\\".dll\\\",\\\".bin\\\",\\\".msi\\\")\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SourceUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"RequestURL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Discord CDN Risky File Download (ASIM Web Session Schema)\",\"description\":\"Identifies callouts to Discord CDN addresses for risky file extensions. This detection will trigger when a callout for a risky file is made to a discord server that has only been seen once in your environment. Unique discord servers are identified using the server ID that is included in the request URL (DiscordServerId in query). Discord CDN has been used in multiple campaigns to download additional payloads.\\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession 
Schema)\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"name\":\"4e5914a4-2ccd-429d-a845-fa597f0bd8c5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let Hive_threats = dynamic([\\\"Ransom:Win64/Hive\\\", \\\"Ransom:Win32/Hive\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (Hive_threats) or ThreatFamilyName in~ (Hive_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections 
related to Hive Ransomware\",\"description\":\"This query looks for Microsoft Defender AV detections related to Hive Ransomware . In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device,\\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\",\"lastUpdatedDateUTC\":\"2022-07-11T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"name\":\"361dd1e3-1c11-491e-82a3-bb2e44ac36ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let szOperationNames = dynamic([\\\"microsoft.compute/virtualMachines/write\\\", \\\"microsoft.resources/deployments/write\\\"]);\\nlet starttime = 7d;\\nlet endtime = 1d;\\nAzureActivity\\n| where TimeGenerated between (startofday(ago(starttime)) .. 
startofday(ago(endtime)))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2\\n| join kind=leftsemi (\\n// Last day\u0027s activity is anomalous\\nAzureActivity\\n| where TimeGenerated \u003e= startofday(ago(endtime))\\n| where OperationNameValue in~ (szOperationNames)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \\nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\\n| mvexpand CallerIpAddress\\n| where isnotempty(CallerIpAddress)\\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \\nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\\n| extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\\n| where Slope \u003e 0.2 \\n) on Caller, CallerIpAddress \\n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Suspicious number of resource creation or deployment activities\",\"description\":\"Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\\nThe start of the day is considered 12am UTC time.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"name\":\"050b9b3d-53d0-4364-a3da-1b678b8211ec\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", 
\\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where RoleName contains \\\"Admin\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n// Uncomment below to not alert for PIM activations\\n//| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\\n| extend AccountCustomEntity = Target\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Initiator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Assigned Privileged Role\",\"description\":\"Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. 
If the assignment is unexpected or into a role that isn\u0027t the responsibility of the account holder, investigate.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/48607a29-a26a-4abf-8078-a06dbdd174a4\",\"name\":\"48607a29-a26a-4abf-8078-a06dbdd174a4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let timeRange = 3d;\\nlet lookBack = 7d;\\nlet authenticationWindow = 20m;\\nlet authenticationThreshold = 5;\\nlet isGUID = \\\"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\\\";\\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\\n// Lookup up resolved identities from last 7 days\\nlet aadFunc = (tableName:string){\\nlet identityLookup = table(tableName)\\n| where TimeGenerated \u003e= ago(lookBack)\\n| where not(Identity matches regex isGUID)\\n| where isnotempty(UserId)\\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\\n// collect window threshold breaches\\ntable(tableName)\\n| where TimeGenerated \u003e 
ago(timeRange)\\n| where ResultType in(failureCodes)\\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\\n| where FailedPrincipalCount \u003e= authenticationThreshold\\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\\n| join kind= inner (\\n// where we breached a threshold, join the details back on all failure data\\ntable(tableName)\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(failureCodes)\\n| extend LocationDetails = todynamic(LocationDetails)\\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\\n// lookup any unresolved identities\\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \\\"\\\")\\n| join kind= leftouter (\\n identityLookup \\n) on $left.UnresolvedUserId==$right.UserId\\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\\n) on IPAddress\\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, 
WindowThresholdBreaches, Type\\n| join kind= inner (\\ntable(tableName) // get data on success vs. failure history for each IP\\n| where TimeGenerated \u003e ago(timeRange)\\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\\n| where GlobalFailPrincipalCount \u003e GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\\n) on IPAddress\\n| project-away IPAddress1\\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against Azure AD application\",\"description\":\"Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\\nare bought into the result. 
Details on whether there were successful authentications by the IP address within the time window are also included.\\nThis can be an indicator that an attack was successful.\\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-02-16T00:00:00Z\",\"createdDateUTC\":\"2020-03-26T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"name\":\"7ee72a9e-2e54-459c-bc8a-8c08a6532a63\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let IPList = dynamic([\\\"154.223.45.38\\\",\\\"185.141.207.140\\\",\\\"185.234.73.19\\\",\\\"216.245.210.106\\\",\\\"51.91.48.210\\\",\\\"46.255.230.229\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"Message\\\") \\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\") \\n),\\n(OfficeActivity\\n|extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\\n),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host, AccountCustomEntity=User\\n),\\n(_Im_WebSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (srcipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(_Im_NetworkSession (dstipaddr_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DstIpAddr, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\\n),\\n(SigninLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(AADNonInteractiveUserSignInLogs\\n| where isnotempty(IPAddress)\\n| where IPAddress in (IPList)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\\n),\\n(W3CIISLog \\n| where isnotempty(cIP)\\n| where cIP in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, 
AccountCustomEntity = csUserName\\n),\\n(AzureActivity \\n| where isnotempty(CallerIpAddress)\\n| where CallerIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(SourceIpAddress)\\n| where SourceIpAddress in (IPList)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\\n),\\n(\\nAzureDiagnostics\\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (IPList) \\n| extend DestinationIP = DestinationHost \\n| extend IPCustomEntity = SourceHost\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (IPList) or DestinationIP in (IPList) \\n| extend IPMatch = case( SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, 
\\\"None\\\")\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known IRIDIUM IP\",\"description\":\"IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2019-12-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureFir
ewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"name\":\"d7424fd9-abb3-4ded-a723-eebe023aaa0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Administrative roles to look for, default is all admin roles\\nlet roles = dynamic([\\\"Administrator\\\", \\\"Admin\\\"]);\\n// The maximum distances between and invite and acceptance\\nlet maxTimeBetweenInviteAccept = 30min;\\n// The delta (minutes) between the invite being sent and the account being escalated\\nlet deltaBetweenInviteEscalation = 60;\\n// Collect external user invitations\\nlet invite = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Invite external user\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"userPrincipalName\\\"])\\n| extend InviteInitiator = tostring(InitiatedBy.[\\\"user\\\"].[\\\"userPrincipalName\\\"])\\n| where isnotempty(InviteInitiator);\\n// Collect redeem events\\nlet redeem = AuditLogs\\n| where Category =~ \\\"UserManagement\\\"\\n| where OperationName =~ \\\"Redeem external user invite\\\"\\n| where Result 
=~ \\\"success\\\"\\n| extend Target = tostring(TargetResources[0].[\\\"displayName\\\"]) | extend Target = tostring(extract(@\\\"UPN\\\\:\\\\s(.+)\\\\,\\\\sEmail\\\",1,Target))\\n| where isnotempty(Target);\\n// Union the inivtation and redeem data then run the sequence_detect kusto plugin\\ninvite\\n| union redeem\\n| order by TimeGenerated\\n| project TimeGenerated, Target, InviteInitiator, OperationName, TenantId\\n| evaluate sequence_detect(TimeGenerated, maxTimeBetweenInviteAccept, maxTimeBetweenInviteAccept, invite=(OperationName has \\\"Invite external user\\\"), redeem=(OperationName has \\\"Redeem external user invite\\\"), Target)\\n| join (\\nAuditLogs\\n| where Category =~ \\\"RoleManagement\\\"\\n| where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n| where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n| mv-expand TargetResources\\n// Limit to external accounts\\n| where TargetResources.userPrincipalName has \\\"EXT\\\"\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"Role.DisplayName\\\"\\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n// Perform check for admin roles\\n| where RoleName has_any(roles)\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| where Initiator != \\\"MS-PIM\\\"\\n| extend Target = tostring(TargetResources.userPrincipalName)\\n| summarize by TimeGenerated, OperationName, RoleName, Target, Initiator, Result\\n) on Target\\n// Calculate delta between the invite and the account escalation\\n| extend delta = datetime_diff(\\\"minute\\\", TimeGenerated, invite_TimeGenerated)\\n| where delta \u003c= 
deltaBetweenInviteEscalation\\n| project InvitationTime=invite_TimeGenerated, RedeemTime=redeem_TimeGenerated, GrantTime=TimeGenerated, ExternalUser=Target, RoleGranted=RoleName, AdminInitiator=Initiator, MinsBetweenInviteAndEscalation=delta\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ExternalUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AdminInitiator\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"New External User Granted Admin\",\"description\":\"This query will detect instances where a newly invited external user is granted an administrative role. By default this query\\nwill alert on any granted administrative role, however this can be modified using the roles variable if false positives occur\\nin your environment. The maximum delta between invite and escalation to admin is 60 minues, this can be configured using the \\ndeltaBetweenInviteEscalation variable.\",\"lastUpdatedDateUTC\":\"2022-06-16T00:00:00Z\",\"createdDateUTC\":\"2022-06-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"name\":\"d6bf1931-b1eb-448d-90b2-de118559c7ce\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ 
\u0027Allowed\u0027\\n| where UrlCategory contains \u0027Adult Themes\u0027 or\\n UrlCategory contains \u0027Adware\u0027 or\\n UrlCategory contains \u0027Alcohol\u0027 or\\n UrlCategory contains \u0027Illegal Downloads\u0027 or\\n UrlCategory contains \u0027Drugs\u0027 or\\n UrlCategory contains \u0027Child Abuse Content\u0027 or\\n UrlCategory contains \u0027Hate/Discrimination\u0027 or\\n UrlCategory contains \u0027Nudity\u0027 or\\n UrlCategory contains \u0027Pornography\u0027 or\\n UrlCategory contains \u0027Proxy/Anonymizer\u0027 or\\n UrlCategory contains \u0027Sexuality\u0027 or\\n UrlCategory contains \u0027Tasteless\u0027 or\\n UrlCategory contains \u0027Terrorism\u0027 or\\n UrlCategory contains \u0027Web Spam\u0027 or\\n UrlCategory contains \u0027German Youth Protection\u0027 or\\n UrlCategory contains \u0027Illegal Activities\u0027 or\\n UrlCategory contains \u0027Lingerie/Bikini\u0027 or\\n UrlCategory contains \u0027Weapons\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request Allowed to harmful/malicious URI category\",\"description\":\"It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious 
content..\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"name\":\"ee55dc85-d2da-48c1-a6c0-3eaee62a8d56\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"// Add the environments expected username format regex below before deploying\\n let user_regex = \\\"\\\";\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where Result =~ \\\"success\\\"\\n | extend userAgent = tostring(AdditionalDetails[0].value)\\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\\n | where AddedUser matches regex user_regex\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User Account Created Using Incorrect Naming Format\",\"description\":\"This query looks for accounts being created where the name does not match 
a defined pattern.\\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"name\":\"0777f138-e5d8-4eab-bec1-e11ddfbc2be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let threshold = 20;\\nlet ReasontoSubStatus = datatable(SubStatus:string,Reason:string) [\\n\\\"0xC000005E\\\", \\\"There are currently no logon servers available to service the logon request.\\\",\\n\\\"0xC0000064\\\", \\\"User logon with misspelled or bad user account\\\", \\n\\\"0xC000006A\\\", \\\"User logon with misspelled or bad password\\\",\\n\\\"0xC000006D\\\", \\\"Bad user name or password\\\",\\n\\\"0xC000006E\\\", \\\"Unknown user name or bad password\\\",\\n\\\"0xC000006F\\\", \\\"User logon outside authorized hours\\\",\\n\\\"0xC0000070\\\", \\\"User logon from unauthorized 
workstation\\\",\\n\\\"0xC0000071\\\", \\\"User logon with expired password\\\",\\n\\\"0xC0000072\\\", \\\"User logon to account disabled by administrator\\\",\\n\\\"0xC00000DC\\\", \\\"Indicates the Sam Server was in the wrong state to perform the desired operation\\\",\\n\\\"0xC0000133\\\", \\\"Clocks between DC and other computer too far out of sync\\\",\\n\\\"0xC000015B\\\", \\\"The user has not been granted the requested logon type (aka logon right) at this machine\\\",\\n\\\"0xC000018C\\\", \\\"The logon request failed because the trust relationship between the primary domain and the trusted domain failed\\\",\\n\\\"0xC0000192\\\", \\\"An attempt was made to logon, but the Netlogon service was not started\\\",\\n\\\"0xC0000193\\\", \\\"User logon with expired account\\\",\\n\\\"0xC0000224\\\", \\\"User is required to change password at next logon\\\",\\n\\\"0xC0000225\\\", \\\"Evidently a bug in Windows and not a risk\\\",\\n\\\"0xC0000234\\\", \\\"User logon with account locked\\\",\\n\\\"0xC00002EE\\\", \\\"Failure Reason: An Error occurred during Logon\\\",\\n\\\"0xC0000413\\\", \\\"Logon Failure: The machine you are logging onto is protected by an authentication firewall. 
The specified account is not allowed to authenticate to the machine\\\"\\n];\\n(union isfuzzy=true\\n(SecurityEvent \\n| where EventID == 4625\\n| where AccountType =~ \\\"User\\\"\\n| where SubStatus !=\u00270xc0000064\u0027 and Account !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", SourceComputerId)\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\\n),\\n(\\n(WindowsEvent \\n| where EventID == 4625 and not(EventData has \u00270xc0000064\u0027)\\n| extend TargetAccount = strcat(tostring(EventData.TargetDomainName),\\\"\\\\\\\\\\\", tostring(EventData.TargetUserName))\\n| extend TargetUserSid = tostring(EventData.TargetUserSid)\\n| extend AccountType=case(EventData.TargetUserName endswith \\\"$\\\" or TargetUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(TargetUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType =~ \\\"User\\\"\\n| extend SubStatus = tostring(EventData.SubStatus)\\n| where SubStatus !=\u00270xc0000064\u0027 and TargetAccount !in (\u0027\\\\\\\\\u0027, \u0027-\\\\\\\\-\u0027)\\n// SubStatus \u00270xc0000064\u0027 signifies \u0027Account name does not exist\u0027\\n| extend ResourceId = 
column_ifexists(\\\"_ResourceId\\\", _ResourceId), SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"\\\")\\n| lookup ReasontoSubStatus on SubStatus\\n| extend coalesce(Reason, strcat(\u0027Unknown reason substatus: \u0027, SubStatus))\\n| extend Activity=\\\"4625 - An account failed to log on.\\\"\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend TargetDomainName = tostring(EventData.TargetDomainName)\\n| extend LogonType = tostring(EventData.LogonType)\\n| extend Status= tostring(EventData.Status)\\n| extend LogonProcessName = tostring(EventData.LogonProcessName)\\n| extend WorkstationName = tostring(EventData.WorkstationName)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| extend LogonTypeName=case(LogonType==2,\\\"2 - Interactive\\\", LogonType==3,\\\"3 - Network\\\", LogonType==4, \\\"4 - Batch\\\",LogonType==5, \\\"5 - Service\\\", LogonType==7, \\\"7 - Unlock\\\", LogonType==8, \\\"8 - NetworkCleartext\\\", LogonType==9, \\\"9 - NewCredentials\\\", LogonType==10, \\\"10 - RemoteInteractive\\\", LogonType==11, \\\"11 - CachedInteractive\\\",tostring(LogonType))\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \\nActivity, Computer, TargetAccount, TargetUserName, TargetDomainName, \\nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\\n| where FailedLogonCount \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer, IPCustomEntity = 
IpAddress\\n)))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Failed logon attempts by valid accounts within 10 mins\",\"description\":\"Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2019-02-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"name\":\"3b9a44d7-c651-45ed-816c-eae583a6f2f1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let lookback = 14d;\\nlet timeframe = 1d;\\nlet historical_data =\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback) and TimeGenerated \u003c ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend variables = Data.Variables\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = 
strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| project UserKey;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Library.VariableGroupModified\\\"\\n| extend VariableGroupName = tostring(Data.VariableGroupName)\\n| extend VariableGroupId = tostring(Data.VariableGroupId)\\n| extend UserKey = strcat(VariableGroupId, \\\"-\\\", ActorUserId)\\n| where UserKey !in (historical_data)\\n| project-away UserKey\\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Build Variable Modified by New User.\",\"description\":\"Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \\nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \\njust detecting these changes would have a high false positive rate. 
This detection looks for modifications to variable groups where that user has not been observed \\nmodifying them before.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f8127962-7739-4211-a4a9-390a7a00e91f\",\"name\":\"f8127962-7739-4211-a4a9-390a7a00e91f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT30M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let lbtime = 30m;\\nlet lbperiod = 14d;\\nlet knownrecipients = ProofpointPOD\\n| where TimeGenerated \u003e ago(lbperiod)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| where SrcUserUpn != \u0027\u0027\\n| where array_length(todynamic(DstUserUpn)) == 1\\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\\n| extend commcol = SrcUserUpn;\\nProofpointPOD\\n| where TimeGenerated between (ago(lbtime) .. 
now())\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027outbound\u0027\\n| extend isProtected = todynamic(MsgParts)[0][\u0027isProtected\u0027]\\n| extend mimePgp = todynamic(MsgParts)[0][\u0027detectedMime\u0027]\\n| where isProtected == \u0027true\u0027 or mimePgp == \u0027application/pgp-encrypted\u0027\\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\\n| join knownrecipients on commcol\\n| where recipients !contains DstUserMail\\n| project SrcUserUpn, DstUserMail\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"ProofpointPOD - Multiple protected emails to unknown recipient\",\"description\":\"Detects when multiple protected messages where sent to early not seen recipient.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"name\":\"ee1818ec-5f65-4991-b711-bcf2ab7e36c3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| where UrlOriginal 
matches regex @\u0027\\\\Ahttp:\\\\/\\\\/\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}.*\u0027\\n| project TimeGenerated, SrcIpAddr, Identities\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - URI contains IP address\",\"description\":\"Malware can use IP address to communicate with C2.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23005e87-2d3a-482b-b03d-edbebd1ae151\",\"name\":\"23005e87-2d3a-482b-b03d-edbebd1ae151\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let exchange_servers = (\\nW3CIISLog\\n| where TimeGenerated \u003e ago(14d)\\n| where sSiteName =~ \\\"Exchange Back End\\\"\\n| summarize by Computer);\\nW3CIISLog\\n| where TimeGenerated \u003e ago(1d)\\n| where Computer in (exchange_servers)\\n| where csUriQuery startswith \\\"t=\\\"\\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, 
IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious Exchange Request\",\"description\":\"This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac9e233e-44d4-45eb-b522-6e47445f6582\",\"name\":\"ac9e233e-44d4-45eb-b522-6e47445f6582\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"Medium\",\"query\":\"imRegistry\\n | where EventType in (\\\"RegistryValueSet\\\", \\\"RegistryKeyCreated\\\")\\n | where RegistryKey has \\\"Software\\\\\\\\Classes\\\\\\\\ms-settings\\\\\\\\shell\\\\\\\\open\\\\\\\\command\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)\\n | join (imProcess\\n | where Process endswith \\\"fodhelper.exe\\\"\\n | where ParentProcessName endswith \\\"cmd.exe\\\" or 
ParentProcessName endswith \\\"powershell.exe\\\" or ParentProcessName endswith \\\"powershell_ise.exe\\\"\\n | extend TimeKey = bin(TimeGenerated, 1h)) on TimeKey, Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DvcHostname\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Potential Fodhelper UAC Bypass (ASIM Version)\",\"description\":\"This detection looks for the steps required to conduct a UAC bypass using Fodhelper.exe. By default this detection looks for the setting of the required registry keys and the invoking of the process within 1 hour - this can be tweaked as required.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-02-25T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"name\":\"ee1d718b-9ed9-4a71-90cd-a483a4f008df\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Office 365 Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Office 365 alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Office 365\",\"lastUpdatedDateUTC\":\"2020-09-01T00:00:00Z\",\"createdDateUTC\":\"2020-04-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"OfficeATP\",\"dataTypes\":[\"SecurityAlert 
(OATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"name\":\"a333d8bf-22a3-4c55-a1e9-5f0a135c0253\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let mde_threats = dynamic([\\\"Behavior:Win32/SuspAzureRequest.A\\\", \\\"Behavior:Win32/SuspAzureRequest.B\\\", \\\"Behavior:Win32/SuspAzureRequest.C\\\", \\\"Behavior:Win32/LaunchingSuspCMD.B\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory\",\"description\":\"This query looks for Microsoft Defender for Endpoint 
detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \\nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \\nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \\nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \\nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5db427b2-f406-4274-b413-e9fcb29412f8\",\"name\":\"5db427b2-f406-4274-b413-e9fcb29412f8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend IPCustomEntity = 
tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NRT PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"name\":\"03e04c97-8cae-48b3-9d2f-4ab262e4ffff\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let scriptExtensions = dynamic([\\\".php\\\", \\\".jsp\\\", \\\".js\\\", \\\".aspx\\\", \\\".asmx\\\", \\\".asax\\\", \\\".cfm\\\", \\\".shtml\\\"]);\\nhttp_proxy_oab_CL\\n| where RawData contains \\\"Download failed and temporary file\\\"\\n| extend File = extract(\\\"([^\\\\\\\\\\\\\\\\]*)(\\\\\\\\\\\\\\\\[^\u0027]*)\\\",2,RawData)\\n| extend Extension = 
strcat(\\\".\\\",split(File, \\\".\\\")[-1])\\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \\\"Yes\\\", \\\"No\\\")\\n// Uncomment the following line to alert only on interactive file download type\\n//| where InteractiveFile =~ \\\"Yes\\\"\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"HAFNIUM Suspicious File Downloads.\",\"description\":\"This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-03-02T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"name\":\"d5b32cd4-2328-43da-ab47-cd289c1f5efc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"DnsEvents\\n| where Name contains \\\".\\\"\\n| where Name has_any (\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\",\\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\",\\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", 
\\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\",\\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\",\\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", \\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\",\\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\",\\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\",\\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\",\\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\")\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT DNS events related to mining pools\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining 
pools.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/de58ee9e-b229-4252-8537-41a4c2f4045e\",\"name\":\"de58ee9e-b229-4252-8537-41a4c2f4045e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let file_ext_blocklist = dynamic([\u0027.ps1\u0027, \u0027.vbs\u0027, \u0027.bat\u0027, \u0027.scr\u0027]);\\nlet lbtime = 10m;\\nCisco_Umbrella\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027proxylogs\u0027\\n| where DvcAction =~ \u0027Allowed\u0027\\n| extend file_ext = extract(@\u0027.*(\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| extend Filename = extract(@\u0027.*\\\\/*\\\\/(.*\\\\.\\\\w+)$\u0027, 1, UrlOriginal)\\n| where file_ext in (file_ext_blocklist)\\n| project TimeGenerated, SrcIpAddr, Identities, Filename\\n| extend IPCustomEntity = SrcIpAddr\\n| extend AccountCustomEntity = Identities\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Cisco Umbrella - Request to blocklisted file type\",\"description\":\"Detects request to potentially harmful file types (.ps1, .bat, .vbs, 
etc.).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"name\":\"97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let LearningPeriod = 7d; \\nlet BinTime = 1h; \\nlet RunTime = 1h; \\nlet StartTime = 1h; \\nlet NumberOfStds = 3; \\nlet MinThreshold = 10.0; \\nlet EndRunTime = StartTime - RunTime; \\nlet EndLearningTime = StartTime + LearningPeriod;\\nlet aadFunc = (tableName:string){\\nlet GitHubFailedSSOLogins = (table(tableName) \\n| where AppDisplayName == \\\"GitHub.com\\\" \\n| where ResultType != 0); \\nGitHubFailedSSOLogins \\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \\n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \\n| join kind=innerunique ( \\n GitHubFailedSSOLogins \\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \\n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\\n) on UserPrincipalName \\n| where FailedLoginsCountInRunTime \u003e LearningThreshold\\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute Force Attack against GitHub Account\",\"description\":\"Attackers who are trying to guess your users\u0027 passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/12dcea64-bec2-41c9-9df2-9f28461b1295\",\"name\":\"12dcea64-bec2-41c9-9df2-9f28461b1295\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 1d;\\n// 
Adjust for a longer timeframe for identifying ADFS Servers\\nlet lookback = 6d;\\n// Identify ADFS Servers\\nlet ADFS_Servers = (\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where EventID == 4688 and SubjectLogonId != \\\"0x3e4\\\"\\n| where NewProcessName has \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| distinct Computer\\n);\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Computer in~ (ADFS_Servers)\\n| where Account !endswith \\\"$\\\"\\n// Check for scheduled task events\\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\\n| extend EventDataParsed = parse_xml(EventData)\\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\\\"#text\\\"])\\n// Check specifically for access to IPC$ share and PIPE\\\\svcctl and PIPE\\\\atsvc for Service Control Services and Schedule Control Services\\n| union (\\n SecurityEvent\\n | where TimeGenerated \u003e ago(timeframe)\\n | where Computer in~ (ADFS_Servers)\\n | where Account !endswith \\\"$\\\"\\n | where EventID == 5145\\n | where RelativeTargetName =~ \\\"svcctl\\\" or RelativeTargetName =~ \\\"atsvc\\\"\\n)\\n// Check for lateral movement\\n| join kind=inner\\n(SecurityEvent\\n| where TimeGenerated \u003e ago(timeframe)\\n| where Account !endswith \\\"$\\\"\\n| where EventID == 4624 and LogonType == 3\\n) on $left.SubjectLogonId == $right.TargetLogonId\\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"LateralMovement\"],\"displayName\":\"Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task\",\"description\":\"This query detects 
instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.\",\"lastUpdatedDateUTC\":\"2022-01-30T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/155f40c6-610d-497d-85fc-3cf06ec13256\",\"name\":\"155f40c6-610d-497d-85fc-3cf06ec13256\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"yahoo-verification.org\\\",\\\"support-servics.com\\\",\\\"verification-live.com\\\",\\\"com-mailbox.com\\\",\\\"com-myaccuants.com\\\",\\\"notification-accountservice.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\\"verify-linkedin.net\\\", 
\\n\\\"yahoo-verification.net\\\",\\\"yahoo-verify.net\\\",\\\"outlook-verify.net\\\",\\\"com-users.net\\\",\\\"verifiy-account.net\\\",\\\"te1egram.net\\\",\\\"account-verifiy.net\\\",\\\"myaccount-services.net\\\",\\n\\\"com-identifier-servicelog.name\\\",\\\"microsoft-update.bid\\\",\\\"outlook-livecom.bid\\\",\\\"update-microsoft.bid\\\",\\\"documentsfilesharing.cloud\\\",\\\"com-microsoftonline.club\\\",\\n\\\"confirm-session-identifier.info\\\",\\\"session-management.info\\\",\\\"confirmation-service.info\\\",\\\"document-share.info\\\",\\\"broadcast-news.info\\\",\\\"customize-identity.info\\\",\\\"webemail.info\\\",\\n\\\"com-identifier-servicelog.info\\\",\\\"documentsharing.info\\\",\\\"notification-accountservice.info\\\",\\\"identifier-activities.info\\\",\\\"documentofficupdate.info\\\",\\\"recoveryusercustomer.info\\\",\\n\\\"serverbroadcast.info\\\",\\\"account-profile-users.info\\\",\\\"account-service-management.info\\\",\\\"accounts-manager.info\\\",\\\"activity-confirmation-service.info\\\",\\\"com-accountidentifier.info\\\",\\n\\\"com-privacy-help.info\\\",\\\"com-sessionidentifier.info\\\",\\\"com-useraccount.info\\\",\\\"confirmation-users-service.info\\\",\\\"confirm-identity.info\\\",\\\"confirm-session-identification.info\\\",\\n\\\"continue-session-identifier.info\\\",\\\"customer-recovery.info\\\",\\\"customers-activities.info\\\",\\\"elitemaildelivery.info\\\",\\\"email-delivery.info\\\",\\\"identify-user-session.info\\\",\\n\\\"message-serviceprovider.info\\\",\\\"notificationapp.info\\\",\\\"notification-manager.info\\\",\\\"recognized-activity.info\\\",\\\"recover-customers-service.info\\\",\\\"recovery-session-change.info\\\",\\n\\\"service-recovery-session.info\\\",\\\"service-session-continue.info\\\",\\\"session-mail-customers.info\\\",\\\"session-managment.info\\\",\\\"session-verify-user.info\\\",\\\"shop-sellwear.info\\\",\\n\\\"supportmailservice.info\\\",\\\"terms-service-notification.info\\\",\\\"user-activity-issues.info\\\"
,\\\"useridentity-confirm.info\\\",\\\"users-issue-services.info\\\",\\\"verify-user-session.info\\\",\\n\\\"login-gov.info\\\",\\\"notification-signal-agnecy.info\\\",\\\"notifications-center.info\\\",\\\"identifier-services-sessions.info\\\",\\\"customers-manager.info\\\",\\\"session-manager.info\\\",\\n\\\"customer-managers.info\\\",\\\"confirmation-recovery-options.info\\\",\\\"service-session-confirm.info\\\",\\\"session-recovery-options.info\\\",\\\"services-session-confirmation.info\\\",\\n\\\"notification-managers.info\\\",\\\"activities-services-notification.info\\\",\\\"activities-recovery-options.info\\\",\\\"activity-session-recovery.info\\\",\\\"customers-services.info\\\",\\n\\\"sessions-notification.info\\\",\\\"download-teamspeak.info\\\",\\\"services-issue-notification.info\\\",\\\"microsoft-upgrade.mobi\\\",\\\"broadcastnews.pro\\\",\\\"mobile-messengerplus.network\\\"]);\\nlet IPList = dynamic([\\\"51.91.200.147\\\"]);\\nlet IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| extend MessageIP = extract(IPRegex, 0, Message)\\n| extend RequestURLIP = extract(IPRegex, 0, Message)\\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \\nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \\nor (isnotempty(Message) and MessageIP in (IPList))\\n| extend IPMatch = case(SourceIP in (IPList), \\\"SourceIP\\\", DestinationIP in (IPList), \\\"DestinationIP\\\", MessageIP in (IPList), \\\"Message\\\", RequestURLIP in (IPList), \\\"RequestUrl\\\", \\\"NoMatch\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == 
\\\"DestinationIP\\\", DestinationIP,IPMatch == \\\"Message\\\", MessageIP,\\nIPMatch == \\\"RequestUrl\\\", RequestURLIP,\\\"NoMatch\\\"), Account = SourceUserID, Host = DeviceName\\n),\\n(_Im_Dns (domain_has_any=DomainNames)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_Dns (response_has_any_prefix=IPList)\\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(_Im_WebSession(url_has_any=DomainNames)\\n| extend DestinationIPAddress = DstIpAddr, DNSName = tostring(parse_url(Url)[\\\"Host\\\"]), Host = Dvc\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\\n| extend IPMatch = case( SourceIp in (IPList), \\\"SourceIP\\\", DestinationIp in (IPList), \\\"DestinationIP\\\", \\\"None\\\") \\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIp, IPMatch == \\\"DestinationIP\\\", DestinationIp, \\\"None\\\"), Host = Computer),\\n(OfficeActivity\\n| extend SourceIPAddress = ClientIP, Account = UserId\\n| where SourceIPAddress in (IPList)\\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPCustomEntity = SourceHost \\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known Phosphorus group domains/IP\",\"description\":\"Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-20T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCr
eatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"name\":\"a1bddaf8-982b-4089-ba9e-6590dfcf80ea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let error403_count_threshold=200;\\n_Im_WebSession(eventresultdetails_in=\\\"403\\\")\\n| extend ParsedUrl=parse_url(Url)\\n| extend UrlHost=tostring(ParsedUrl[\\\"Host\\\"]), UrlSchema=tostring(ParsedUrl[\\\"Schema\\\"])\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\\n| where NumberOfErrors \u003e error403_count_threshold\\n| sort by NumberOfErrors desc\\n| extend Url=tostring(Urls[0])\",\"customDetails\":{\"NumberOfErrors\":\"NumberOfErrors\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"Excessive number of HTTP authentication failures from {{SrcIpAddr}\",\"alertDescriptionFormat\":\"A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. 
This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"Persistence\",\"CredentialAccess\"],\"displayName\":\"Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)\",\"description\":\"This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\u003cbr\u003e\u003cbr\u003e\\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM. \",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2022-03-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"name\":\"2a09f8cb-deb7-4c40-b08b-9137667f1c0b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"AuditLogs\\n | where OperationName in (\\\"Add eligible member (permanent)\\\", \\\"Add eligible member (eligible)\\\")\\n | extend Role = tostring(TargetResources[0].displayName)\\n | where Role contains \\\"admin\\\"\\n | extend 
AddedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedUser = tostring(TargetResources[2].userPrincipalName)\\n | project-reorder TimeGenerated, AddedUser, Role, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedUser\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"User Added to Admin Role\",\"description\":\"Detects a user being added to a new privileged role. Monitor these additions to ensure the users are made eligible for these roles are intended to have these levels of access.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"name\":\"dc99e38c-f4e9-4837-94d7-353ac0b01a77\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let threshold = 10;\\n let default_ad_attributes = dynamic([\\\"LastDirSyncTime\\\", \\\"StsRefreshTokensValidFrom\\\", \\\"Included Updated Properties\\\", \\\"AccountEnabled\\\", \\\"Action Client Name\\\", \\\"SourceAnchor\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add user\\\"\\n | where 
Result =~ \\\"success\\\"\\n | extend properties = TargetResources[0].modifiedProperties\\n | mv-expand properties\\n | evaluate bag_unpack(properties)\\n | summarize count() by displayName, TenantId\\n | where displayName !in (default_ad_attributes)\\n | top threshold by count_ desc\\n | summarize make_set(displayName) by TenantId\\n | join kind=inner (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | extend AccountProperties = TargetResources[0].modifiedProperties\\n | mv-expand AccountProperties\\n | extend PropName = tostring(AccountProperties.displayName)) on TenantId\\n | summarize makeset(PropName) by TimeGenerated, CorrelationId, CreatedUserPrincipalName, CreatingUserPrincipalName, tostring(set_displayName)\\n | extend missing_props = set_difference(todynamic(set_displayName), set_PropName)\\n | where array_length(missing_props) \u003e 0\\n | join kind=innerunique (AuditLogs\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \\\"Add user\\\"\\n | extend CreatedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)) on CorrelationId, CreatedUserPrincipalName\\n | extend ExpectedProperties = set_displayName\\n | project-away set_displayName, set_PropName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatingUserPrincipalName\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CreatedUserPrincipalName\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"User account created without expected attributes defined\",\"description\":\"This query looks for accounts being created that do not have attributes populated that are commonly populated in the tenant.\\n Attackers may attempt to add 
accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"name\":\"aa1eff90-29d4-49dc-a3ea-b65199f516db\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Low\",\"query\":\"(union isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4720\\n| where AccountType == \\\"User\\\"\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n),\\n(WindowsEvent\\n| where EventID == 4720\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend 
SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4720 - A user account was created.\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \\nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\\n))\\n| join ((union isfuzzy=true\\n(SecurityEvent \\n| where AccountType == \\\"User\\\"\\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732\\n// TargetSid is the builin Admins group: S-1-5-32-544\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\\n),\\n( WindowsEvent \\n// 4732 - A member was added to a security-enabled local group\\n| where EventID == 4732 and EventData has \\\"S-1-5-32-544\\\"\\n//TargetSid is the builin Admins group: S-1-5-32-544\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend AccountType=case(EventData.SubjectUserName endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| where AccountType == \\\"User\\\"\\n| extend TargetSid = tostring(EventData.TargetSid)\\n| where TargetSid == \\\"S-1-5-32-544\\\"\\n| extend SubjectAccount = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend TargetAccount = 
strcat(EventData.TargetDomainName,\\\"\\\\\\\\\\\", EventData.TargetUserName)\\n| extend Activity=\\\"4732 - A member was added to a security-enabled local group.\\\"\\n| extend MemberSid = tostring(EventData.MemberSid)\\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \\nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid)\\n))\\non CreatedUserSid\\n//Create User first, then the add to the group.\\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \\nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \\n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"},{\"identifier\":\"Sid\",\"columnName\":\"CreatedUserSid\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"New user created and added to the built-in administrators group\",\"description\":\"Identifies when a user account was created and then added to the builtin Administrators group in the same day.\\nThis should be monitored closely and all additions 
reviewed.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"name\":\"d23ed927-5be3-4902-a9c1-85f841eb4fa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n DuoSecurityAuthentication_CL\\n | where TimeGenerated \u003e= 
ago(dt_lookBack)\\n | where isnotempty(access_device_ip_s)\\n // renaming time column so it is clear the log this came from\\n | extend Duo_TimeGenerated = isotimestamp_t\\n)\\non $left.TI_ipEntity == $right.access_device_ip_s\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to Duo Security\",\"description\":\"Identifies a match in DuoSecurity from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"name\":\"2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4656\\n| extend EventData = parse_xml(EventData).EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\\n| extend ObjectServer = column_ifexists(\u0027ObjectServer\u0027, \\\"\\\"), ObjectType = column_ifexists(\u0027ObjectType\u0027, \\\"\\\"), ObjectName = column_ifexists(\u0027ObjectName\u0027, \\\"\\\")\\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\\n| where ObjectServer =~ \\\"SC Manager\\\" and ObjectType =~ \\\"SERVICE OBJECT\\\" and ObjectName =~ \\\"HealthService\\\"\\n// Comment out the join below if the SACL only audits users that 
are part of the Network logon users, i.e. with user/group target pointing to \\\"NU.\\\"\\n| join kind=leftouter (\\n SecurityEvent\\n | where EventID == 4624\\n) on TargetLogonId\\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Starting or Stopping HealthService to Avoid Detection\",\"description\":\"This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\\n The query requires a SACL to audit for access request to the 
service.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-03-15T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"name\":\"bff093b2-500e-4ae5-bb49-a5b1423cbd5b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberAdded\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\\n| join (\\n OfficeActivity\\n| where OfficeWorkload =~ \\\"MicrosoftTeams\\\"\\n| where Operation =~ \\\"MemberRemoved\\\"\\n| extend UPN = tostring(parse_json(Members)[0].UPN)\\n| where UPN contains (\\\"#EXT#\\\")\\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\\n) on UPN\\n| where TimeDeleted \u003e TimeAdded\\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"External user added and removed in short timeframe\",\"description\":\"This detection flags the occurances of 
external user accounts that are added to a Team and then removed within\\none hour.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity (Teams)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9367dff0-941d-44e2-8875-cb48570c7add\",\"name\":\"9367dff0-941d-44e2-8875-cb48570c7add\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"Event\\n| where EventLog == \\\"Microsoft-Windows-Sysmon/Operational\\\" and EventID in (13)\\n| parse EventData with * \u0027TargetObject\\\"\u003e\u0027 TargetObject \\\"\u003c\\\" * \u0027Details\\\"\u003e\u0027 Details \\\"\u003c\\\" * \\n| where TargetObject has \\\"\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_DLLs\\\"\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventID, Computer, TargetObject, Details\",\"entityMappings\":[{\"entityType\":\"RegistryKey\",\"fieldMappings\":[{\"identifier\":\"Key\",\"columnName\":\"TargetObject\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Registry Persistence via AppInit DLLs Modification\",\"description\":\"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. 
\\nDynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows or HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library.\\nRef: https://attack.mitre.org/techniques/T1546/010/\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2022-03-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8d537f3c-094f-430c-a588-8a87da36ee3a\",\"name\":\"8d537f3c-094f-430c-a588-8a87da36ee3a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nlet user_agents=dynamic([\\n \u0027(hydra)\u0027,\\n \u0027 arachni/\u0027,\\n \u0027 BFAC \u0027,\\n \u0027 brutus \u0027,\\n \u0027 cgichk \u0027,\\n \u0027core-project/1.0\u0027,\\n \u0027 crimscanner/\u0027,\\n \u0027datacha0s\u0027,\\n \u0027dirbuster\u0027,\\n \u0027domino hunter\u0027,\\n \u0027dotdotpwn\u0027,\\n \u0027FHScan Core\u0027,\\n \u0027floodgate\u0027,\\n \u0027get-minimal\u0027,\\n \u0027gootkit auto-rooter scanner\u0027,\\n \u0027grendel-scan\u0027,\\n \u0027 inspath \u0027,\\n \u0027internet ninja\u0027,\\n \u0027jaascois\u0027,\\n \u0027 zmeu \u0027,\\n \u0027masscan\u0027,\\n \u0027 metis \u0027,\\n \u0027morfeus 
fucking scanner\u0027,\\n \u0027n-stealth\u0027,\\n \u0027nsauditor\u0027,\\n \u0027pmafind\u0027,\\n \u0027security scan\u0027,\\n \u0027springenwerk\u0027,\\n \u0027teh forest lobster\u0027,\\n \u0027toata dragostea\u0027,\\n \u0027 vega/\u0027,\\n \u0027voideye\u0027,\\n \u0027webshag\u0027,\\n \u0027webvulnscan\u0027,\\n \u0027 whcc/\u0027,\\n \u0027 Havij\u0027,\\n \u0027absinthe\u0027,\\n \u0027bsqlbf\u0027,\\n \u0027mysqloit\u0027,\\n \u0027pangolin\u0027,\\n \u0027sql power injector\u0027,\\n \u0027sqlmap\u0027,\\n \u0027sqlninja\u0027,\\n \u0027uil2pn\u0027,\\n \u0027ruler\u0027,\\n \u0027Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\u0027\\n ]);\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal has_any (user_agents)\\n| extend Message = \\\"Hack Tool User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Hack Tool User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by known hack 
tools\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"name\":\"30c8b802-ace1-4408-bc29-4c5c5afb49e1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process endswith \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, ActingProcessId, Dvc\\n | join kind=inner (imProcess\\n | where EventType =~ \\\"ProcessCreated\\\"\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ActingProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.ActingProcessId == $right.ParentProcessId, timekey, Dvc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ActorUsername\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DvcIpAddr\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Dvc\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively (ASIM Version)\",\"description\":\"This query looks for 
the Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\\n This query uses the Advanced Security Information Model. Parsers will need to be deployed before use: https://docs.microsoft.com/azure/sentinel/normalization\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"name\":\"84cccc86-5c11-4b3a-aca6-7c8f738ed0f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where OperationName has_all (\\\"member to role\\\", \\\"add\\\")\\n | where Result =~ \\\"Success\\\"\\n | extend type_ = tostring(TargetResources[0].type)\\n | where type_ =~ \\\"ServicePrincipal\\\"\\n | where isnotempty(TargetResources)\\n | extend ServicePrincipal = tostring(TargetResources[0].displayName)\\n | extend SPID = tostring(TargetResources[0].id)\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"Role.DisplayName\\\"\\n | extend TargetRole = parse_json(tostring(TargetResources_0_modifiedProperties.newValue))\\n | where TargetRole contains \\\"admin\\\"\\n | extend AddedByApp = iif(\\n 
isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)),\\n tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName),\\n tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n )\\n | extend AddedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddedBy = iif(isnotempty(AddedByApp), AddedByApp, AddedByUser)\\n | extend IpAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | project-reorder TimeGenerated, ServicePrincipal, SPID, TargetRole, AddedBy, IpAddress\\n | project-away AddedByApp, AddedByUser\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned Privileged Role\",\"description\":\"Detects a privileged role being added to a Service Principal.\\n Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"name\":\"8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5M\",\"queryPeriod\":\"PT5M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = ago(5m);\\nDuoSecurityTrustMonitor_CL\\n| where TimeGenerated \u003e= timeframe\\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Trust Monitor Event\",\"description\":\"This query identifies when a new trust monitor event is 
detected.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-13T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"name\":\"dcdf9bfc-c239-4764-a9f9-3612e6dff49c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 6d;\\n// Adjust this to adjust the key export detection timeframe\\n//let timeframe = 1d;\\n// Start be identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer);\\n// Look for ADFS servers where Named Pipes event are present\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| 
where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"),\\n TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"),\\n TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\"),\\n Image = column_ifexists(\\\"Image\\\", \\\"\\\"),\\n PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\"),\\n EventType = column_ifexists(\\\"EventType\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n// Look for Pipe related to querying the WID\\n| where PipeName == \\\"\\\\\\\\MICROSOFT##WID\\\\\\\\tsql\\\\\\\\query\\\"\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Exclude expected processes\\n| where process !in (\\\"Microsoft.IdentityServer.ServiceHost.exe\\\", \\\"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\\\", \\\"AzureADConnect.exe\\\", \\\"Microsoft.Tri.Sensor.exe\\\", \\\"wsmprovhost.exe\\\",\\\"mmc.exe\\\", \\\"sqlservr.exe\\\")\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = 
UserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"ADFS Database Named Pipe Connection\",\"description\":\"This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\\nFailed to resolve scalar expression named \\\"[@Name]\",\"lastUpdatedDateUTC\":\"2021-11-23T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"name\":\"3617d76d-b15e-4c6f-985e-a1dac73c592d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SigninLogs\\n| where ResultType == 500121\\n| extend additionalDetails_ = tostring(Status.additionalDetails)\\n| where additionalDetails_ =~ \\\"MFA denied; user declined the 
authentication\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"NRT MFA Rejected by User\",\"description\":\"Identifies occurrences where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5436f471-b03d-41cb-b333-65891f887c43\",\"name\":\"5436f471-b03d-41cb-b333-65891f887c43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Informational\",\"query\":\"GitHubRepo\\n| where Action == \\\"vulnerabilityAlert\\\"\\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\",\"entityMappings\":[],\"displayName\":\"GitHub Security Vulnerability in Repository\",\"description\":\"This alerts when there is a new security vulnerability in a GitHub 
repository.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-10T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"name\":\"d82e1987-4356-4a7b-bc5e-064f29b143c0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true \\n(SecurityEvent\\n| where EventID == 4688\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where EventID == 4688 and EventData has \u0027rundll32.exe\u0027 and EventData has_any (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| where Process =~ \u0027rundll32.exe\u0027 \\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has_all (\u0027Execute\u0027,\u0027RegRead\u0027,\u0027window.close\u0027)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = 
TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n) )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"NOBELIUM - suspicious rundll32.exe execution of vbscript\",\"description\":\"This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/961b6a81-5c53-40b6-9800-4f661a8faea7\",\"name\":\"961b6a81-5c53-40b6-9800-4f661a8faea7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0586.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where 
Type =~ \\\"sha256\\\" | project IoC);\\nlet Command_Line = (iocs | where Type =~ \\\"CommandLine\\\" | project IoC);\\n(union isfuzzy=true\\n(DeviceProcessEvents\\n| where InitiatingProcessSHA256 in (sha256Hashes) or SHA256 in (sha256Hashes) or ( InitiatingProcessCommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and InitiatingProcessCommandLine has_any (Command_Line))\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, AccountName, SHA256\\n| extend Account = AccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = case(InitiatingProcessSHA256 in (sha256Hashes), \\\"InitiatingProcessSHA256\\\", SHA256 in (sha256Hashes), \\\"SHA256\\\", \\\"No Match\\\")\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, FileHashCustomEntity = case(FileHash == \\\"InitiatingProcessSHA256\\\", InitiatingProcessSHA256, FileHash == \\\"SHA256\\\", SHA256, \\\"No Match\\\")\\n),\\n( SecurityEvent\\n| where EventID == 4688\\n| where ( CommandLine has (@\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line))\\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, EventID\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\\n),\\n( CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n( imFileEvent\\n| where Hash in~ (sha256Hashes) or ( ActingProcessCommandLine has 
(\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and ActingProcessCommandLine has_any (Command_Line))\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) or ( CommandLine has (\u0027127.0.0.1\\\\\\\\ADMIN$\u0027) and CommandLine has_any (Command_Line)) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = 
Hashes\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashAlgo\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DEV-0586 Actor IOC - January 2022\",\"description\":\"Identifies a match across IOC\u0027s related to an actor tracked by Microsoft as DEV-0586\\n Refrence: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"name\":\"66c81ae2-1f89-4433-be00-2fbbd9ba5ebe\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium
\",\"query\":\"let IPRegex = \u0027[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\\\\\\\\.[0-9]{1,3}\u0027;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | extend MessageIP = extract(IPRegex, 0, Message)\\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.CS_ipEntity\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\\n| project CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, 
DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to CommonSecurityLog\",\"description\":\"Identifies a match in CommonSecurityLog from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"name\":\"17f23fbe-bb73-4324-8ecf-a18545a5dc26\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P3D\",\"queryPeriod\":\"P3D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 3d;\\n// Get Release Pipeline Creation Events and group by day\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineCreated\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some columns to make output clearer\\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = 
IpAddress\\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(timeframe)\\n| where OperationName =~ \\\"Release.ReleasePipelineDeleted\\\"\\n// Group by day\\n| extend timekey = bin(TimeGenerated, 1d)\\n| extend PipelineId = tostring(Data.PipelineId)\\n| extend PipelineName = tostring(Data.PipelineName)\\n// Rename some things to make the output clearer\\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"DeletingUser\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"DeletingIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Azure DevOps Pipeline Created and Deleted on the Same Day\",\"description\":\"An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \\nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \\nAn attacker would also likely want to cover their tracks once conducting such activity. 
This query looks for Pipelines \\ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"name\":\"83ba3057-9ea3-4759-bf6a-933f2e5bc7ee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":3,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let current = 1d;\\nlet auditLookback = 7d;\\n// Setting threshold to 3 as a default, change as needed. \\n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\\nlet threshold = 3;\\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\\nlet AuditTrail = AuditLogs | where TimeGenerated \u003e= ago(auditLookback) and TimeGenerated \u003c ago(current)\\n// 2 other operations that can be part of malicious activity in this situation are \\n// \\\"Add OAuth2PermissionGrant\\\" and \\\"Add service principal\\\", extend the filter below to capture these too\\n| where OperationName has \\\"Consent to application\\\"\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| summarize max(TimeGenerated), OperationCount = 
count() by OperationName, InitiatedBy, TargetResourceName\\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\\n| where OperationCount \u003e threshold\\n;\\n// Gather current period of audit data\\nlet RecentConsent = AuditLogs | where TimeGenerated \u003e= ago(current)\\n| where OperationName has \\\"Consent to application\\\"\\n| extend IpAddress = case(\\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \\nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != \u0027null\u0027, tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\\n\u0027Not Available\u0027)\\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \\ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\\n| parse TargetResources.[0].modifiedProperties with * \\\"ConsentType: \\\" ConsentType \\\"]\\\" *\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\\n// Exclude previously seen audit activity for \\\"Consent to application\\\" that was seen in the lookback period\\n// First for rare InitiatedBy\\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \\n| extend Reason = \\\"Previously unseen user consenting\\\";\\n// Second for rare TargetResourceName\\nlet 
RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\\n| extend Reason = \\\"Previously unseen app granted consent\\\";\\nRareConsentBy | union RareConsentApp\\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Rare application consent\",\"description\":\"This will alert when the \\\"Consent to application\\\" operation occurs by a user that has not done this operation before or rarely does this.\\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \\nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-07-04T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87\",\"name\":\"69b7723c-2889-469f-8b55-a2d355ed9c87\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.3\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend 
TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n DnsEvents\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\n | mv-expand SingleIP = split(IPAddresses, \\\", \\\") to typeof(string)\\n // renaming time column so it is clear the log this came from\\n | extend DNS_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.SingleIP\\n| where DNS_TimeGenerated \u003c ExpirationDateTime\\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to DnsEvents\",\"description\":\"Identifies a match in DnsEvents from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-06-27T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"name\":\"c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let args = dynamic([\\\"objectcategory\\\",\\\"domainlist\\\",\\\"dcmodes\\\",\\\"adinfo\\\",\\\"trustdmp\\\",\\\"computers_pwdnotreqd\\\",\\\"Domain Admins\\\", \\\"objectcategory=person\\\", \\\"objectcategory=computer\\\", \\\"objectcategory=*\\\",\\\"dclist\\\"]);\\nlet parentProcesses = dynamic([\\\"pwsh.exe\\\",\\\"powershell.exe\\\",\\\"cmd.exe\\\"]);\\nDeviceProcessEvents\\n//looks for execution from a shell\\n| where InitiatingProcessFileName in (parentProcesses)\\n// main filter\\n| where FileName =~ \\\"AdFind.exe\\\" or SHA256 == \\\"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\\\"\\n // AdFind common Flags to check for from various threat actor TTPs\\n or ProcessCommandLine has_any (args)\\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = 
SHA256\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLineCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Probable AdFind Recon Tool Usage\",\"description\":\"Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\",\"lastUpdatedDateUTC\":\"2021-11-30T00:00:00Z\",\"createdDateUTC\":\"2021-04-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"name\":\"b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| 
where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract URL from the Syslog message but only take messages that include URLs\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\\\", 1,SyslogMessage)\\n | where isnotempty(Url)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on Url\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to Syslog data\",\"description\":\"Identifies a match in Syslog data from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/af435ca1-fb70-4de1-92c1-7435c48482a9\",\"name\":\"af435ca1-fb70-4de1-92c1-7435c48482a9\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let admin_users = (IdentityInfo\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | where AssignedRoles contains \\\"admin\\\"\\n | summarize by tolower(AccountUPN));\\n let admin_asn = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by AutonomousSystemNumber);\\n let admin_locations = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | summarize by Location);\\n let admin_devices = (SigninLogs\\n | where TimeGenerated between (ago(7d)..ago(1d))\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where isnotempty(deviceId)\\n | summarize by deviceId);\\n SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType == 0\\n | where tolower(UserPrincipalName) in (admin_users)\\n | extend deviceId = tostring(DeviceDetail.deviceId)\\n | where 
AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentications of Privileged Accounts Outside of Expected Controls\",\"description\":\"Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"BehaviorAnalytics\",\"dataTypes\":[\"BehaviorAnalytics\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a357535e-f722-4afe-b375-cff362b2b376\",\"name\":\"a357535e-f722-4afe-b375-cff362b2b376\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"(union isfuzzy=true\\n(OfficeActivity | where UserAgent != \\\"\\\"),\\n(OfficeActivity\\n| 
where RecordType in (\\\"AzureActiveDirectory\\\", \\\"AzureActiveDirectoryStsLogon\\\")\\n| extend OperationName = Operation\\n| parse ExtendedProperties with * \u0027User-Agent\\\\\\\\\\\":\\\\\\\\\\\"\u0027 UserAgent2 \u0027\\\\\\\\\u0027 *\\n| parse ExtendedProperties with * \u0027UserAgent\\\", \\\"Value\\\": \\\"\u0027 UserAgent1 \u0027\\\"\u0027 *\\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\\n| extend UserAgent = iff( RecordType == \u0027AzureActiveDirectoryStsLogon\u0027, UserAgent1, UserAgent2)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\\n),\\n(AzureDiagnostics\\n| where ResourceType =~ \\\"APPLICATIONGATEWAYS\\\" \\n| where OperationName =~ \\\"ApplicationGatewayAccess\\\" \\n| extend ClientIP = columnifexists(\\\"clientIP_s\\\", \\\"None\\\"), UserAgent = columnifexists(\\\"userAgent_s\\\", \\\"None\\\")\\n| where UserAgent != \u0027-\u0027\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\\n),\\n(\\nW3CIISLog\\n| where isnotempty(csUserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\\n),\\n(\\nAWSCloudTrail\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\\n),\\n(SigninLogs\\n| where isnotempty(UserAgent)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n),\\n(AADNonInteractiveUserSignInLogs \\n| where isnotempty(UserAgent)\\n| 
summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\\n)\\n)\\n// Likely artefact of hardcoding\\n| where UserAgent startswith \\\"User\\\" or UserAgent startswith \u0027\\\\\\\"\u0027\\n// Incorrect casing\\nor (UserAgent startswith \\\"Mozilla\\\" and not(UserAgent containscs \\\"Mozilla\\\"))\\n// Incorrect casing\\nor UserAgent containscs \\\"(Compatible;\\\"\\n// Missing MSIE version\\nor UserAgent matches regex @\\\"MSIE\\\\s?;\\\"\\n// Incorrect spacing around MSIE version\\nor UserAgent matches regex @\\\"MSIE(?:\\\\d|.{1,5}?\\\\d\\\\s;)\\\"\\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CommandAndControl\",\"Execution\"],\"displayName\":\"Malformed user agent\",\"description\":\"Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\\nMalformed user agents can be an indication of such 
malware.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-01-25T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WAF\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"name\":\"4acd3a04-2fad-4efc-8a4b-51476594cec4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let triThreshold = 500;\\nlet startTime = 6h;\\nlet dgaLengthThreshold = 8;\\n// fetch the alexa top 1M domains\\nlet top1M = (externaldata (Position:int, Domain:string) [@\\\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\\\"] with (format=\\\"csv\\\", zipPattern=\\\"*.csv\\\"));\\n// extract tri grams that are above our threshold - i.e. 
are common\\nlet triBaseline = top1M\\n| extend Domain = tolower(extract(\\\"([^.]*).{0,7}$\\\", 1, Domain))\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", Domain), extract_all(\\\"(...)\\\", substring(Domain, 1)), extract_all(\\\"(...)\\\", substring(Domain, 2)))\\n| mvexpand Trigram=AllTriGrams\\n| summarize triCount=count() by tostring(Trigram)\\n| sort by triCount desc\\n| where triCount \u003e triThreshold\\n| distinct Trigram;\\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\\nlet allDataSummarized = CommonSecurityLog\\n| where TimeGenerated \u003e ago(startTime)\\n| where isnotempty(DestinationHostName)\\n| extend Name = tolower(DestinationHostName)\\n| distinct Name\\n| where Name has \\\".\\\"\\n| where Name !endswith \\\".home\\\" and Name !endswith \\\".lan\\\"\\n// extract DGA candidate\\n| extend DGADomain = extract(\\\"([^.]*).{0,7}$\\\", 1, Name)\\n| where strlen(DGADomain) \u003e dgaLengthThreshold\\n// throw out domains with number in them\\n| where DGADomain matches regex \\\"^[A-Za-z]{0,}$\\\"\\n// extract the tri grams from summarized data\\n| extend AllTriGrams = array_concat(extract_all(\\\"(...)\\\", DGADomain), extract_all(\\\"(...)\\\", substring(DGADomain, 1)), extract_all(\\\"(...)\\\", substring(DGADomain, 2)));\\n// throw out domains that have repeating tri\u0027s and/or \u003e=3 repeating letters\\nlet nonRepeatingTris = allDataSummarized\\n| join kind=leftanti\\n(\\n allDataSummarized\\n | mvexpand AllTriGrams\\n | summarize count() by tostring(AllTriGrams), DGADomain\\n | where count_ \u003e 1\\n | distinct DGADomain\\n)\\non DGADomain;\\n// find domains that do not have a common tri in the baseline\\nlet dataWithRareTris = nonRepeatingTris\\n| join kind=leftanti\\n(\\n nonRepeatingTris\\n | mvexpand AllTriGrams\\n | extend Trigram = tostring(AllTriGrams)\\n | distinct Trigram, DGADomain\\n | join kind=inner\\n (\\n triBaseline\\n )\\n on Trigram\\n | 
distinct DGADomain\\n)\\non DGADomain;\\ndataWithRareTris\\n// join DGAs back on connection data\\n| join kind=inner\\n(\\n CommonSecurityLog\\n | where TimeGenerated \u003e ago(startTime)\\n | where isnotempty(DestinationHostName)\\n | extend DestinationHostName = tolower(DestinationHostName)\\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\\n)\\non Name\\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"Name\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Possible contact with a domain generated by a DGA\",\"description\":\"Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-03-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Barracuda\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/aac495a9-feb1-446d-b08e-a1164a539452\",\"name\":\"aac495a9-feb1-446d-b08e-a1164a539452\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"ThreatIntelligenceIndicator\\n| where Action == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// Taking the first non-empty value 
based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| join (\\n GitHubAudit\\n | extend GitHubAudit_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.IPaddress\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to GitHub_CL\",\"description\":\"Identifies a match in GitHub_CL table from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"name\":\"2cfc3c6e-f424-4b88-9cc9-c89f482d016a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName has_any (\\\"Add service principal\\\", \\\"Certificates and secrets management\\\") // captures \\\"Add service principal\\\", \\\"Add service principal credentials\\\", and \\\"Update application - Certificates and secrets management\\\" events\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\\n| extend targetId = tostring(TargetResources[0].id)\\n| extend targetType = tostring(TargetResources[0].type)\\n| extend keyEvents = TargetResources[0].modifiedProperties\\n| mv-expand keyEvents\\n| where keyEvents.displayName =~ \\\"KeyDescription\\\"\\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\\n| where old_value_set == \\\"[]\\\"\\n| mv-expand new_value_set\\n| parse new_value_set with * \\\"KeyIdentifier=\\\" keyIdentifier:string 
\\\",KeyType=\\\" keyType:string \\\",KeyUsage=\\\" keyUsage:string \\\",DisplayName=\\\" keyDisplayName:string \\\"]\\\" *\\n| where keyUsage == \\\"Verify\\\" or keyUsage == \\\"\\\"\\n| extend UserAgent = iff(AdditionalDetails[0].key == \\\"User-Agent\\\",tostring(AdditionalDetails[0].value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\\n//| where targetType =~ \\\"Application\\\" // or targetType =~ \\\"ServicePrincipal\\\"\\n| project-away new_value_set, old_value_set\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"First access credential added to Application or Service Principal where no credential was present\",\"description\":\"This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material 
triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-11T00:00:00Z\",\"createdDateUTC\":\"2020-11-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"name\":\"0dd422ee-e6af-4204-b219-f59ac172e4c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"ThreatIntelligence\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"Persistence\",\"LateralMovement\"],\"displayName\":\"(Preview) Microsoft Threat Intelligence Analytics\",\"description\":\"This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. 
The alerts are very high fidelity.\\n\\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts.\",\"lastUpdatedDateUTC\":\"2021-07-28T00:00:00Z\",\"createdDateUTC\":\"2020-06-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/074ce265-f684-41cd-af07-613c5f3e6d0d\",\"name\":\"074ce265-f684-41cd-af07-613c5f3e6d0d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"irf.services\\\",\\\"microsoft-onthehub.com\\\",\\\"msofficelab.com\\\",\\\"com-mailbox.com\\\",\\\"my-sharefile.com\\\",\\\"my-sharepoints.com\\\",\\n\\\"accounts-web-mail.com\\\",\\\"customer-certificate.com\\\",\\\"session-users-activities.com\\\",\\\"user-profile-credentials.com\\\",\\\"verify-linke.com\\\",\\\"support-servics.net\\\",\\n\\\"onedrive-sharedfile.com\\\",\\\"onedrv-live.com\\\",\\\"transparencyinternational-my-sharepoint.com\\\",\\\"transparencyinternational-my-sharepoints.com\\\",\\\"soros-my-sharepoint.com\\\"]);\\n(union isfuzzy=true\\n (CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP\\n ),\\n (_Im_Dns(domain_has_any=DomainNames)\\n | extend IPAddress = SrcIpAddr, DNSName 
= DnsQuery, Host = Dvc),\\n (VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | extend IPAddress = RemoteIp, Host = Computer\\n ),\\n (AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | extend DNSName = DestinationHost \\n | extend IPAddress = SourceHost\\n ),\\n (\\n _Im_WebSession(url_has_any=DomainNames)\\n | extend IPCustomEntity=IpAddr, HostCustomEntity=Hostname, AccoutCustomEntity=User\\n )\\n)\\n| where isnotempty(DNSName)\\n| where DNSName has_any (DomainNames)\\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Known STRONTIUM group domains - July 2019\",\"description\":\"Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"name\":\"a50766a7-0674-4ccb-8845-15dc55a80ba1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where 
isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n WireData | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(RemoteIP)\\n // renaming time column so it is clear the log this came from\\n | extend WireData_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIP\\n| where WireData_TimeGenerated \u003c ExpirationDateTime\\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to WireData\",\"description\":\"Identifies a match in WireData from any IP IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"name\":\"6d7214d9-4a28-44df-aafb-0910b9e6ae3e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Low\",\"query\":\"let match_window = 3m;\\nAzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\") \\n| where ActivityStatusValue == \\\"Success\\\"\\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\\n| join kind = inner\\n(AzureActivity\\n| where ResourceGroup has \\\"cloud-shell\\\"\\n| where (OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/write\\\") \\n| extend 
TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\\n) on Caller, TimeKey\\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, \u0027 , \u0027, OperationNameValue1)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Caller\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"UserIP\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"New CloudShell User\",\"description\":\"Identifies when a user creates an Azure CloudShell for the first time.\\nMonitor this activity to ensure only expected user are using CloudShell\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5170c3c4-b8c9-485c-910d-a21d965ee181\",\"name\":\"5170c3c4-b8c9-485c-910d-a21d965ee181\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT30M\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let queryfrequency = 30m;\\nlet accountthreshold = 10;\\nlet successCodes = dynamic([0, 50144]);\\nADFSSignInLogs\\n| extend IngestionTime = ingestion_time()\\n| where IngestionTime \u003e ago(queryfrequency)\\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \\\"Integrated Windows Authentication\\\")\\n| summarize\\n DistinctFailureCount = 
dcountif(UserPrincipalName, ResultType !in (successCodes)),\\n DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\\n SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\\n arg_min(TimeGenerated, *)\\n by IPAddress\\n| where DistinctFailureCount \u003e DistinctSuccessCount and DistinctFailureCount \u003e= accountthreshold\\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\\\"null\\\"]))\\n//| mv-expand SuccessAccounts\\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Password spray attack against ADFSSignInLogs\",\"description\":\"Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\\nReference: 
https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference\",\"lastUpdatedDateUTC\":\"2022-05-04T00:00:00Z\",\"createdDateUTC\":\"2022-03-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"ADFSSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"name\":\"6d63efa6-7c25-4bd4-a486-aa6bf50fde8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"// Add non-approved user principal names to the list below to search for their account creation/deletion activity\\n// ex: dynamic([\\\"UPN1\\\", \\\"upn123\\\"])\\nlet nonapproved_users = dynamic([]);\\nAuditLogs\\n| where OperationName == \\\"Add user\\\" or OperationName == \\\"Delete user\\\"\\n| where Result == \\\"success\\\"\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| where InitiatingUser has_any (nonapproved_users)\\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account created or deleted by non-approved user\",\"description\":\"Identifies accounts 
that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee\",\"name\":\"11b4c19d-2a79-4da3-af38-b067e1273dee\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID in (17,18)\\n| where EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend PipeName = column_ifexists(\\\"PipeName\\\", \\\"\\\")\\n| extend Account = UserName\\n),\\n(\\nSecurityEvent\\n| where EventID == \u00275145\u0027\\n// %%4418 looks for presence of CreatePipeInstance value \\n| where AccessList has \u0027%%4418\u0027 \\n| where RelativeTargetName has 
\u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n),\\n(\\nWindowsEvent\\n| where EventID == \u00275145\u0027 and EventData has \u0027%%4418\u0027 and EventData has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027 \\n// %%4418 looks for presence of CreatePipeInstance value \\n| extend AccessList= tostring(EventData.AccessList)\\n| where AccessList has \u0027%%4418\u0027 \\n| extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\n| where RelativeTargetName has \u0027583da945-62af-10e8-4902-a8f205c72b2e\u0027\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\",\"PrivilegeEscalation\"],\"displayName\":\"Solorigate Named Pipe\",\"description\":\"Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\\n Reference: 
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095\",\"lastUpdatedDateUTC\":\"2022-03-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"name\":\"532f62c1-fba6-4baa-bbb6-4a32a4ef32fa\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation\\nlet list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e ago(ioc_lookBack)\\n| where isnotempty(DomainName)\\n| extend parts = split(DomainName, \u0027.\u0027)\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(DomainName)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join 
kind=innerunique (\\n Syslog\\n | where TimeGenerated \u003e ago(dt_lookBack)\\n //Extract domain patterns from syslog message\\n | extend domain = extract(\\\"(([a-z0-9]+(-[a-z0-9]+)*\\\\\\\\.)+[a-z]{2,})\\\",1, tolower(SyslogMessage))\\n | where isnotempty(domain)\\n | extend parts = split(domain, \u0027.\u0027)\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend Syslog_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.domain\\n| where Syslog_TimeGenerated \u003c ExpirationDateTime\\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to Syslog\",\"description\":\"Identifies a match in Syslog table from any Domain IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/19e01883-15d8-4eb6-a7a5-3276cd668388\",\"name\":\"19e01883-15d8-4eb6-a7a5-3276cd668388\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let timeBin = 1m;\\nlet failedThreshold = 20;\\nW3CIISLog\\n| where scStatus in (\\\"401\\\",\\\"403\\\")\\n| where csUserName != \\\"-\\\"\\n| extend scStatusFull = strcat(scStatus, \\\".\\\",scSubStatus) \\n// Map common IIS codes\\n| extend scStatusFull_Friendly = case(\\nscStatusFull == \\\"401.0\\\", \\\"Access denied.\\\",\\nscStatusFull == \\\"401.1\\\", \\\"Logon failed.\\\",\\nscStatusFull == \\\"401.2\\\", \\\"Logon failed due to server configuration.\\\",\\nscStatusFull == \\\"401.3\\\", \\\"Unauthorized due to ACL on resource.\\\",\\nscStatusFull == \\\"401.4\\\", \\\"Authorization failed by filter.\\\",\\nscStatusFull == \\\"401.5\\\", \\\"Authorization failed by ISAPI/CGI application.\\\",\\nscStatusFull == \\\"403.0\\\", \\\"Forbidden.\\\",\\nscStatusFull == \\\"403.4\\\", \\\"SSL required.\\\",\\n\\\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\\")\\n// Mapping to Hex so can be mapped using website in comments 
above\\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \\n// Map common win32 codes\\n| extend scWin32Status_Friendly = case(\\nscWin32Status_Hex =~ \\\"775\\\", \\\"The referenced account is currently locked out and cannot be logged on to.\\\",\\nscWin32Status_Hex =~ \\\"52e\\\", \\\"Logon failure: Unknown user name or bad password.\\\",\\nscWin32Status_Hex =~ \\\"532\\\", \\\"Logon failure: The specified account password has expired.\\\",\\nscWin32Status_Hex =~ \\\"533\\\", \\\"Logon failure: Account currently disabled.\\\", \\nscWin32Status_Hex =~ \\\"2ee2\\\", \\\"The request has timed out.\\\", \\nscWin32Status_Hex =~ \\\"0\\\", \\\"The operation completed successfully.\\\", \\nscWin32Status_Hex =~ \\\"1\\\", \\\"Incorrect function.\\\", \\nscWin32Status_Hex =~ \\\"2\\\", \\\"The system cannot find the file specified.\\\", \\nscWin32Status_Hex =~ \\\"3\\\", \\\"The system cannot find the path specified.\\\", \\nscWin32Status_Hex =~ \\\"4\\\", \\\"The system cannot open the file.\\\", \\nscWin32Status_Hex =~ \\\"5\\\", \\\"Access is denied.\\\", \\nscWin32Status_Hex =~ \\\"8009030e\\\", \\\"SEC_E_NO_CREDENTIALS\\\", \\nscWin32Status_Hex =~ \\\"8009030C\\\", \\\"SEC_E_LOGON_DENIED\\\", \\n\\\"See - https://msdn.microsoft.com/library/cc231199.aspx\\\")\\n// decode URI when available\\n| extend decodedUriQuery = url_decode(csUriQuery)\\n// Count of failed attempts from same client IP\\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\\n| where FailedConnectionsCount \u003e= failedThreshold\\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, 
set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\\n| order by FailedConnectionsCount\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"High count of failed attempts from same client IP\",\"description\":\"Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \\npotentially block these connections at the edge device.\\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \\nthat is associated with the client IP.\\nReferences:\\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\\nWin32 Status code mapping: 
https://msdn.microsoft.com/library/cc231199.aspx\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-03-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd78a122-d377-415a-afe9-f22e08d2112c\",\"name\":\"dd78a122-d377-415a-afe9-f22e08d2112c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Add other permissions to this list as needed\\n let permissions = dynamic([\\\"Mail.Read\\\", \\\"offline_access\\\", \\\"Files.Read\\\", \\\"Notes.Read\\\", \\\"ChannelMessage.Read\\\", \\\"Chat.Read\\\", \\\"TeamsActivity.Read\\\",\\n \\\"Group.Read\\\", \\\"EWS.AccessAsUser.All\\\", \\\"EAS.AccessAsUser.All\\\"]);\\n AuditLogs\\n | where OperationName =~ \\\"Add app role assignment to service principal\\\"\\n | mv-expand TargetResources[0].modifiedProperties\\n | extend TargetResources_0_modifiedProperties = columnifexists(\\\"TargetResources_0_modifiedProperties\\\", \u0027\u0027)\\n | where isnotempty(TargetResources_0_modifiedProperties)\\n | where TargetResources_0_modifiedProperties.displayName =~ \\\"AppRole.Value\\\" or TargetResources_0_modifiedProperties.displayName =~ \\\"DelegatedPermissionGrant.Scope\\\"\\n | extend Permissions = split((parse_json(tostring(TargetResources_0_modifiedProperties.newValue))), \\\" \\\")\\n | where Permissions has_any (permissions)\\n | summarize AddedPermissions=make_set(Permissions) by CorrelationId\\n | join kind=inner (AuditLogs\\n | where OperationName =~ 
\\\"Add app role assignment to service principal\\\") on CorrelationId\\n | extend InitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\\n | extend ServicePrincipal = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[4].newValue)))\\n | extend SPID = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue)))\\n | extend InitiatedBy = pack(\\\"User\\\", InitiatedBy, \\\"UA\\\", UserAgent, \\\"IPAddress\\\", IpAddress)\\n | mv-expand kind=array AddedPermissions\\n | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(InitiatedBy), make_set(AddedPermissions) by SPID, ServicePrincipal\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"AadUserId\",\"columnName\":\"SPID\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Service Principal Assigned App Role With Sensitive Access\",\"description\":\"Detects a Service Principal being assigned an app role that has sensitive access such as Mail.Read.\\n A threat actor who compromises a Service Principal may assign it an app role to allow it to access sensitive data, or to perform other actions.\\n Ensure that any assignment to a Service Principal is valid and appropriate.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\",\"lastUpdatedDateUTC\":\"2022-07-09T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"name\":\"d9f28fdf-abc8-4f1a-a7e7-1aaec87a2fc5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"svchost.exe\\\"\\n | where CommandLine has \\\"-k GPSvcGroup\\\" or CommandLine has \\\"-s gpsvc\\\"\\n | extend timekey = bin(TimeGenerated, 1m)\\n | project timekey, NewProcessId, Computer\\n | join kind=inner (SecurityEvent\\n | where EventID == 4688\\n | where Process =~ \\\"sdelete.exe\\\" or CommandLine has \\\"sdelete\\\"\\n | where ParentProcessName endswith \\\"svchost.exe\\\"\\n | where CommandLine has_all (\\\"-s\\\", \\\"-r\\\")\\n | extend newProcess = Process\\n | extend timekey = bin(TimeGenerated, 1m)\\n ) on $left.NewProcessId == $right.ProcessId, timekey, Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Account\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"Sdelete deployed via GPO and run recursively\",\"description\":\"This query looks for the 
Sdelete process being run recursively after being deployed to a host via GPO. Attackers could use this technique to deploy Sdelete to multiple host and delete data on them.\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"name\":\"5dd76a87-9f87-4576-bab3-268b0e2b338b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 5;\\nlet szSharePointFileOperation = \\\"SharePointFileOperation\\\";\\nlet szOperations = dynamic([\\\"FileDownloaded\\\", \\\"FileUploaded\\\"]);\\nlet starttime = 14d;\\nlet endtime = 1d;\\nlet historicalActivity =\\nOfficeActivity\\n| where TimeGenerated between(ago(starttime)..ago(endtime))\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\\nlet recentActivity = OfficeActivity\\n| where RecordType =~ szSharePointFileOperation\\n| where Operation in~ (szOperations)\\n| where TimeGenerated \u003e ago(endtime)\\n| where isnotempty(UserAgent)\\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\\n| order by recentCount desc, UserAgent\\n// More than 5 downloads/uploads from 
a new user agent today\\n| where recentCount \u003e threshold;\\nOfficeActivity \\n| where TimeGenerated \u003e ago(endtime) \\n| where RecordType =~ szSharePointFileOperation \\n| where Operation in~ (szOperations)\\n| where isnotempty(UserAgent)\\n| join kind= inner (RareUserAgent)\\non UserAgent, RecordType, Operation \\n| where Start_Time between(min_Start_Time .. max_Start_Time)\\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Exfiltration\"],\"displayName\":\"SharePointFileOperation via devices with previously unseen user agents\",\"description\":\"Identifies if the number of documents uploaded or downloaded from device(s) associated\\nwith a previously unseen user agent exceeds a threshold (default is 
5).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"name\":\"f80d951a-eddc-4171-b9d0-d616bb83efdc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where LoggedByService =~ \\\"Core Directory\\\"\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where AADOperationType =~ \\\"Assign\\\"\\n| where ActivityDisplayName =~ \\\"Add app role assignment to service principal\\\"\\n| mv-expand TargetResources\\n| mv-expand TargetResources.modifiedProperties\\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n| where displayName_ =~ \\\"AppRole.Value\\\"\\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n| where AppRole has \\\"RoleManagement.ReadWrite.Directory\\\"\\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\\n| join kind=innerunique (\\n AuditLogs\\n | where 
LoggedByService =~ \\\"Core Directory\\\"\\n | where Category =~ \\\"RoleManagement\\\"\\n | where AADOperationType in (\\\"Assign\\\", \\\"AssignEligibleRole\\\")\\n | where ActivityDisplayName has_any (\\\"Add eligible member to role\\\", \\\"Add member to role\\\")\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\\n | where displayName_ =~ \\\"Role.DisplayName\\\"\\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\\n | where RoleName contains \\\"Admin\\\"\\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\\n | extend TargetType = tostring(TargetResources.type)\\n | extend TargetId = tostring(TargetResources.id)\\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\\n) on $left.TargetId == $right.InitiatorId\\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\\n| where TimeRoleMgGrant \u003c TimeAdminPromo\\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ServicePrincipal\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetObject\"}]}],\"tactics\":[\"PrivilegeEscalation\",\"Persistence\"],\"displayName\":\"Admin promotion after 
Role Management Application Permission Grant\",\"description\":\"This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0\u0026tabs=http\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-11-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"name\":\"79f29feb-6a9d-4cdf-baaa-2daf480a5da1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeframe = 1h;\\nlet last1h = CommonSecurityLog \\n| where TimeGenerated \u003e= ago(timeframe)\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = 
tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlet prev6h = CommonSecurityLog \\n| where TimeGenerated between (ago(6h) .. 
ago(1h))\\n| where isempty(CommunicationDirection) \\n| where DeviceEventClassID == \\\"733100\\\"\\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \\\"]\\\")[0]),\\\"[ \\\")[1])\\n| extend splitMessage = split(Message, \\\".\\\")\\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\\\"] \\\")[1])\\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[0]),\\\"is \\\")\\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[1]),\\\"is \\\")\\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\\\" \\\")[0])\\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\\\" \\\")[2]),\\\"is \\\")[1])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \\nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\\nlast1h | join (\\n prev6h \\n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\\n| where last1hCumTotal \u003e 2*prev6hAvgCumTotal or last1hAvgRatePerSec \u003e 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec \u003e 2*prev6hAvgBurstRatePerSec\\n| extend timestamp = 
StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\",\"Impact\"],\"displayName\":\"Cisco ASA - average attack detection rate increase\",\"description\":\"This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"name\":\"826bb2f8-7894-4785-9a6b-a8a855d8366f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let EventNameList = dynamic([\\\"AttachUserPolicy\\\",\\\"AttachRolePolicy\\\",\\\"AttachGroupPolicy\\\"]);\\nlet createPolicy = \\\"CreatePolicy\\\";\\nlet timeframe = 1d;\\nlet lookback = 14d;\\n// Creating Master table with all the events to use with materialize for better 
performance\\nlet EventInfo = AWSCloudTrail\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName in (EventNameList) or EventName == createPolicy;\\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\\nlet FullAdminPolicyEvents = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(lookback)\\n| where EventName == createPolicy\\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\\n| mvexpand Statement\\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\\n| mvexpand Action\\n| extend Action = tostring(Action)\\n| where Effect =~ \\\"Allow\\\" and Action == \\\"*\\\" and Resource == \\\"*\\\"\\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1]))\\n| project-rename StartTime = TimeGenerated );\\nlet PolicyAttach = materialize( EventInfo\\n| where TimeGenerated \u003e= ago(timeframe)\\n| where EventName in (EventNameList)\\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\\\"/\\\")[1])\\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,\u0027/\u0027)[-1])), PolicyName\\n| extend AttachEvent = pack(\\\"StartTime\\\", StartTime, \\\"EndTime\\\", EndTime, \\\"EventName\\\", EventName, \\\"UserIdentityType\\\", UserIdentityType, \\\"UserIdentityArn\\\", UserIdentityArn, \\\"SourceIpAddress\\\", SourceIpAddress, 
\\\"UserIdentityUserName\\\", UserIdentityUserName)\\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\\n);\\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\\nFullAdminPolicyEvents\\n| join kind=leftouter\\n(\\n PolicyAttach\\n)\\non PolicyName\\n| project-away PolicyName1\\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"PrivilegeEscalation\"],\"displayName\":\"Full Admin policy created and then attached to Roles, Users or Groups\",\"description\":\"Identity and Access Management (IAM) securely manages access to AWS services and resources. \\nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
\\nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWS\",\"dataTypes\":[\"AWSCloudTrail\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"name\":\"34c5aff9-a8c2-4601-9654-c7e46342d03b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let starttime = 14d;\\nlet timeframe = 1d;\\nlet scorethreshold = 3;\\nlet baselinethreshold = 5;\\nlet aadFunc = (tableName:string){\\n IdentityInfo\\n | where TimeGenerated \u003e ago(starttime)\\n | summarize arg_max(TimeGenerated, *) by AccountUPN\\n | mv-expand AssignedRoles\\n | where AssignedRoles matches regex \u0027Admin\u0027\\n | summarize Roles = make_list(AssignedRoles) by AccountUPN = tolower(AccountUPN)\\n | join kind=inner (\\n table(tableName)\\n | where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\\n | where ResultType != 0\\n | extend UserPrincipalName = tolower(UserPrincipalName)\\n ) on $left.AccountUPN == $right.UserPrincipalName\\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, Roles = tostring(Roles)\\n};\\nlet aadSignin = 
aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt;\\nlet TimeSeriesAlerts = \\n allSignins\\n | make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step 1h by UserPrincipalName, Roles\\n | extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, \u0027linefit\u0027)\\n | mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n // Filtering low count events per baselinethreshold\\n | where anomalies \u003e 0 and baseline \u003e baselinethreshold\\n | extend AnomalyHour = TimeGenerated\\n | project UserPrincipalName, Roles, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\\n// Filter the alerts for specified timeframe\\nTimeSeriesAlerts\\n| where TimeGenerated \u003e startofday(ago(timeframe))\\n| join kind=inner ( \\n allSignins\\n | where TimeGenerated \u003e startofday(ago(timeframe))\\n // create a new column and round to hour\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | summarize PartialFailedSignins = count(), LatestAnomalyTime = arg_max(TimeGenerated, *) by bin(TimeGenerated, 1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, Roles, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\\n) on UserPrincipalName, $left.AnomalyHour == $right.DateHour\\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, Roles = todynamic(Roles), UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, PartialFailedSignins, TotalFailedSignins = HourlyCount, baseline, anomalies, score\\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, 
AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Privileged Accounts - Sign in Failure Spikes\",\"description\":\" Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\\nSpike is determined based on Time series anomaly which will look at historical baseline values.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\",\"lastUpdatedDateUTC\":\"2022-01-25T00:00:00Z\",\"createdDateUTC\":\"2021-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/106813db-679e-4382-a51b-1bfc463befc3\",\"name\":\"106813db-679e-4382-a51b-1bfc463befc3\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only 
IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n // Select on Palo Alto logs\\n | where DeviceVendor =~ \\\"Palo Alto Networks\\\"\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Select logs where URL data is populated\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url), extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | where isnotempty(PA_Url)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n) on $left.Url == $right.PA_Url\\n| where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = 
PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to PaloAlto data\",\"description\":\"Identifies a match in PaloAlto data from any URL IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"name\":\"884ead54-cb3f-4676-a1eb-b26532d6cbfd\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let SensitiveOperationList = dynamic(\\n[\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\nAzureDiagnostics\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = 
columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in~ (SensitiveOperationList)\\n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"CallerIPMax\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"NRT Sensitive Azure Key Vault operations\",\"description\":\"Identifies when sensitive Azure Key Vault operations are used. 
This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup.\\nAny Backup operations should match with expected scheduled backup activity.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"name\":\"95dc4ae3-e0f2-48bd-b996-cdd22b90f9af\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"(union isfuzzy=true\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\\n| mv-expand AdditionalDetails\\n),\\n(\\nAuditLogs\\n| where OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| where NewDomainValue has 
\\\"Federated\\\"\\n)\\n)\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ac891683-53c3-4f86-86b4-c361708e2b2b\",\"name\":\"ac891683-53c3-4f86-86b4-c361708e2b2b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"// Allowlisted UPNs should likely stay empty\\nlet AllowlistedUpns = datatable(UPN:string)[\u0027foo@bar.com\u0027, \u0027test@foo.com\u0027];\\n// Operation Name parts that will alert\\nlet HasAnyBlocklist = datatable(OperationNamePart:string)[\u0027Security.\u0027,\u0027Project.\u0027,\u0027AuditLog.\u0027,\u0027Extension.\u0027];\\n// Distinct Operation Names that will flag\\nlet HasExactBlocklist = 
datatable(OperationName:string)[\u0027Group.UpdateGroupMembership.Add\u0027,\u0027Library.ServiceConnectionExecuted\u0027,\u0027Pipelines.PipelineModified\u0027,\\n\u0027Release.ReleasePipelineModified\u0027, \u0027Git.RefUpdatePoliciesBypassed\u0027];\\nAzureDevOpsAuditing\\n| where AuthenticationMechanism startswith \\\"PAT\\\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\\n and ActorUPN !in (AllowlistedUpns)\\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Impact\"],\"displayName\":\"Azure DevOps Personal Access Token (PAT) misuse\",\"description\":\"This Alert detects whenever a PAT is used in ways that PATs are not normally used. 
May require an allow list and baselining.\\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops\u0026tabs=preview-page\\nUse this query for baselining:\\nAzureDevOpsAuditing\\n| distinct OperationName\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-06-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"name\":\"acfdee3f-b794-404a-aeba-ef6a1fa08ad1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let lookback = 14d;\\nlet timewindow = 7d;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolCreated\\\"\\n| extend AgentCloudId = tostring(Data.AgentCloudId)\\n| extend PoolType = iif(isnotempty(AgentCloudId), \\\"Azure VMs\\\", \\\"Self Hosted\\\")\\n// Comment this line out to include cloud pools as well\\n| where PoolType == \\\"Self Hosted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend IsHosted = tostring(Data.IsHosted)\\n| extend IsLegacy = tostring(Data.IsLegacy)\\n| extend timekey = bin(TimeGenerated, timewindow)\\n// Join only with pools deleted in the same window\\n| join (AzureDevOpsAuditing\\n| where TimeGenerated \u003e ago(lookback)\\n| where OperationName =~ \\\"Library.AgentPoolDeleted\\\"\\n| extend AgentPoolName = tostring(Data.AgentPoolName)\\n| extend AgentPoolId = tostring(Data.AgentPoolId)\\n| extend timekey = 
bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Azure DevOps Agent Pool Created Then Deleted\",\"description\":\"As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \\ndetection focuses on the creation of new self-hosted pools. 
To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \\nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-02-05T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/26a3b261-b997-4374-94ea-6c37f67f4f39\",\"name\":\"26a3b261-b997-4374-94ea-6c37f67f4f39\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.5.1\",\"severity\":\"High\",\"query\":\"let DomainNames = dynamic([\\\"asyspy256.ddns.net\\\",\\\"hotkillmail9sddcc.ddns.net\\\",\\\"rosaf112.ddns.net\\\",\\\"cvdfhjh1231.myftp.biz\\\",\\\"sz2016rose.ddns.net\\\",\\\"dffwescwer4325.myftp.biz\\\",\\\"cvdfhjh1231.ddns.net\\\"]);\\nlet SHA1Hash = dynamic ([\\\"53a44c2396d15c3a03723fa5e5db54cafd527635\\\", \\\"9c5e496921e3bc882dc40694f1dcc3746a75db19\\\", \\\"aeb573accfd95758550cf30bf04f389a92922844\\\", \\\"79ef78a797403a4ed1a616c68e07fff868a8650a\\\", \\\"4f6f38b4cec35e895d91c052b1f5a83d665c2196\\\", \\\"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\\\", \\\"e841a63e47361a572db9a7334af459ddca11347a\\\", \\\"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\\\", \\\"2e94b305d6812a9f96e6781c888e48c7fb157b6b\\\", \\\"dd44133716b8a241957b912fa6a02efde3ce3025\\\", \\\"8793bf166cb89eb55f0593404e4e933ab605e803\\\", \\\"a39b57032dbb2335499a51e13470a7cd5d86b138\\\", \\\"41cc2b15c662bc001c0eb92f6cc222934f0beeea\\\", \\\"d209430d6af54792371174e70e27dd11d3def7a7\\\", \\\"1c6452026c56efd2c94cea7e0f671eb55515edb0\\\", 
\\\"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\\\", \\\"4923d460e22fbbf165bbbaba168e5a46b8157d9f\\\", \\\"f201504bd96e81d0d350c3a8332593ee1c9e09de\\\", \\\"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\\\"]);\\nlet SHA256Hash = dynamic ([\\\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\\\", \\\"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\\\", \\\"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\\\", \\\"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\\\", \\\"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\\\", \\\"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\\\", \\\"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\\\", \\\"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\\\", \\\"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\\\", \\\"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\\\", \\\"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\\\", \\\"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\\\", \\\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\\\", \\\"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\\\", \\\"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\\\", \\\"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\\\", \\\"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\\\", \\\"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\\\", \\\"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\\\"]);\\nlet SigNames = dynamic([\\\"TrojanDropper:Win32/BlackMould.A!dha\\\", \\\"Trojan:Win32/BlackMould.B!dha\\\", \\\"Trojan:Win32/QuarkBandit.A!dha\\\", \\\"Trojan:Win32/Sidelod.A!dha\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in 
(SHA256Hash) or DNSName in~ (DomainNames)\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n( _Im_Dns(domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery\\n| extend IPAddress = SrcIpAddr\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName in~ (DomainNames)\\n| extend IPAddress = RemoteIp\\n),\\n(Event\\n//This query uses sysmon data depending on table name used this may need updataing\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| parse Hashes with * \u0027SHA1=\u0027 SHA1 \u0027,\u0027 * \\n| where isnotempty(Hashes)\\n| where Hashes in (SHA1Hash) \\n| extend Account = UserName\\n),\\n(SecurityAlert\\n| where ProductName == \\\"Microsoft Defender Advanced Threat Protection\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| where isnotempty(ThreatName)\\n| where ThreatName has_any (SigNames)\\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. 
Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known GALLIUM domains and hashes\",\"description\":\"GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \\n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ 
\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2019-12-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/52aec824-96c1-4a03-8e44-bb70532e6cea\",\"name\":\"52aec824-96c1-4a03-8e44-bb70532e6cea\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"SecurityEvent\\n| where EventID == 5136 and EventData contains \\\"\u003cData Name=\\\\\\\"ObjectDN\\\\\\\"\u003eCN=AdminSDHolder,CN=System\\\"\\n| parse EventData with * \u0027ObjectDN\\\"\u003e\u0027 ObjectDN \\\"\u003c\\\" *\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, 
ObjectDN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectAccount\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"AdminSDHolder Modifications\",\"description\":\"This query detects modification in the AdminSDHolder in the Active Directory which could indicate an attempt for persistence. \\nAdminSDHolder Modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.\\nThis query searches for the event id 5136 where the Object DN is AdminSDHolder.\\nRef: https://attack.stealthbits.com/adminsdholder-modification-ad-persistence\",\"lastUpdatedDateUTC\":\"2022-01-20T00:00:00Z\",\"createdDateUTC\":\"2021-12-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"name\":\"8540c842-5bbc-4a24-9fb2-a836c0e55a51\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where OperationName =~ \\\"Set federation settings on domain\\\" or OperationName =~ \\\"Set domain authentication\\\"\\n//| where Result =~ \\\"success\\\" // commenting out, as it may be interesting to capture failed attempts\\n| mv-expand TargetResources\\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\\n| mv-expand modifiedProperties\\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), 
NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\\n| extend Federated = iif(OperationName =~ \\\"Set domain authentication\\\", iif(NewDomainValue has \\\"Federated\\\", True, False), True)\\n| where Federated == True\\n| mv-expand AdditionalDetails\\n| extend UserAgent = iff(AdditionalDetails.key == \\\"User-Agent\\\",tostring(AdditionalDetails.value),\\\"\\\")\\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUserOrApp\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"InitiatingIpAddress\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"NRT Modified domain federation trust settings\",\"description\":\"This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\",\"lastUpdatedDateUTC\":\"2022-02-07T00:00:00Z\",\"createdDateUTC\":\"2020-12-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/327cd4ed-ca42-454b-887c-54e1c91363c6\",\"name\":\"327cd4ed-ca42-454b-887c-54e1c91363c6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Microsoft Defender Advanced Threat Protection\",\"displayName\":\"Create incidents based on Microsoft Defender for Endpoint alerts\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Endpoint\",\"lastUpdatedDateUTC\":\"2019-10-24T00:00:00Z\",\"createdDateUTC\":\"2019-10-24T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftDefenderAdvancedThreatProtection\",\"dataTypes\":[\"SecurityAlert 
(MDATP)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"name\":\"0b9ae89d-8cad-461c-808f-0494f70ad5c4\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.1.1\",\"severity\":\"Low\",\"query\":\"let PerUserThreshold = 5;\\nlet TotalThreshold = 100;\\nlet action = dynamic([\\\"change\\\", \\\"changed\\\", \\\"reset\\\"]);\\nlet pWord = dynamic([\\\"password\\\", \\\"credentials\\\"]);\\nlet PasswordResetMultiDataSource =\\n(union isfuzzy=true\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nSecurityEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Password reset events\\n//4723: An attempt was made to change an account\u0027s password\\n//4724: An attempt was made to reset an accounts password\\nWindowsEvent\\n| where EventID in (\\\"4723\\\",\\\"4724\\\")\\n| extend SubjectUserSid = tostring(EventData.SubjectUserSid)\\n| extend TargetUserName = tostring(EventData.TargetUserName)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend AccountType=case(Account endswith \\\"$\\\" or SubjectUserSid in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"), \\\"Machine\\\", isempty(SubjectUserSid), \\\"\\\", \\\"User\\\")\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\\n(//Azure Active Directory Password reset events\\nAuditLogs\\n| where 
OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \\\"success\\\"\\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \\nTargetUserName = tolower(tostring(TargetResources[0].displayName))\\n| project TimeGenerated, AccountType, Account, Computer = \\\"\\\", Type),\\n(//OfficeActive ActiveDirectory Password reset events\\nOfficeActivity\\n| where OfficeWorkload == \\\"AzureActiveDirectory\\\" \\n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\\n| extend AccountType = UserType, Account = OfficeObjectId \\n| project TimeGenerated, AccountType, Account, Type, Computer = \\\"\\\"),\\n(// Unix syslog password reset events\\nSyslog\\n| where Facility in (\\\"auth\\\",\\\"authpriv\\\")\\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\\n| extend AccountType = iif(SyslogMessage contains \\\"root\\\", \\\"Root\\\", \\\"Non-Root\\\")\\n| where SyslogMessage matches regex \\\".*password changed for.*\\\"\\n| parse SyslogMessage with * \\\"password changed for\\\" Account\\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\\n);\\nlet pwrmd = PasswordResetMultiDataSource\\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\\n(union isfuzzy=true \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\\n| where Total \u003e PerUserThreshold\\n| extend ResetPivot = \\\"PerUserReset\\\"), \\n(pwrmd\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = 
make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\\n| where Total \u003e TotalThreshold\\n| extend ResetPivot = \\\"TotalUserReset\\\")\\n)\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"TargetUserName\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Multiple Password Reset by user\",\"description\":\"This query will determine multiple password resets by user across multiple data sources. 
\\nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \\nand certain permission levels within an environment.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-09-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d804b39c-03a4-417c-a949-bdbf21fa3305\",\"name\":\"d804b39c-03a4-417c-a949-bdbf21fa3305\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.7.2\",\"severity\":\"Medium\",\"query\":\"let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\\n[@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet file_paths = (iocs | where Type =~ \\\"filepath\\\" | project IoC);\\nlet sha256s = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\nlet ips = (iocs | where Type =~ \\\"ip\\\" | project IoC);\\nlet domains = (iocs | where Type =~ \\\"domainname\\\" | project IoC);\\nlet dyndomains = todynamic(toscalar((domains | summarize 
make_set(IoC))));\\nunion isfuzzy=true\\n(SecurityEvent\\n| where EventID == 4663\\n| where ObjectName in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(WindowsEvent\\n| where EventID == 4663 and EventData has_any (file_paths)\\n| extend ObjectName = tostring(EventData.ObjectName) \\n| where ObjectName in (file_paths)\\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(imFileEvent\\n| where TargetFileName in (file_paths)\\n or\\n TargetFileSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\\n),\\n(DeviceFileEvents\\n| where FolderPath in (file_paths)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 in (sha256s)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\\n),\\n (CommonSecurityLog\\n| where FileHash in (sha256s)\\n| extend timestamp = TimeGenerated\\n),\\n(Event // File iocs\\n//This query uses sysmon data depending on table name used this may need updating\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Hashes = EventDetail.[16].[\\\"#text\\\"]\\n| where isnotempty(Hashes)\\n| parse Hashes with * \u0027SHA256=\u0027 SHA256 \u0027,\u0027 *\\n| where SHA256 in~ (sha256s)\\n| extend Type = strcat(Type, \\\": \\\", Source), Account = UserName, FileHash = Hashes\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\\n),\\n(CommonSecurityLog\\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\\n| 
where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\\n| extend IPMatch = case(SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"Message\\\")\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"IP in Message Field\\\")\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 3\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend SourceIP = EventDetail.[9].[\\\"#text\\\"], DestinationIP = EventDetail.[14].[\\\"#text\\\"]\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \\\"SourceIP\\\", SourceIP, IPMatch == \\\"DestinationIP\\\", DestinationIP, \\\"None\\\")\\n),\\n(WireData\\n| where isnotempty(RemoteIP)\\n| where RemoteIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\\n),\\n(W3CIISLog\\n| where isnotempty(cIP)\\n| where cIP in (ips)\\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\\n),\\n(\\nWindowsFirewall\\n| where SourceIP in (ips) or DestinationIP in (ips)\\n| extend IPMatch = case( SourceIP in (ips), \\\"SourceIP\\\", DestinationIP in (ips), \\\"DestinationIP\\\", \\\"None\\\")\\n),\\n(\\n _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = SrcIpAddr, 
AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n (\\n _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \\n | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\\n),\\n(_Im_Dns(domain_has_any=dyndomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\\n)\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Exchange Server Vulnerabilities Disclosed March 2021 IoC Match\",\"description\":\"This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. 
This query can also be customized with additional data sources that may include these elements.\\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2021-03-06T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSVPCFlow\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"AzureMonitor(IIS)\",\"dataTypes\":[\"W3CIISLog\"]},{\"connectorId\":\"AzureMonitor(WireData)\",\"dataTypes\":[\"WireData\"]},{\"connectorId\":\"CheckPoint\",\"dataTypes\":[\"CommonSecurityLog (CheckPoint)\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog (Cisco)\"]},{\"connectorId\":\"CEF\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"F5\",\"dataTypes\":[\"CommonSecurityLog (F5)\"]},{\"connectorId\":\"Fortinet\",\"dataTypes\":[\"CommonSecurityLog (Fortinet)\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog 
(PaloAlto)\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsFirewall\",\"dataTypes\":[\"WindowsFirewall\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"MicrosoftSysmonForLinux\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"name\":\"09ec8fa2-b25f-4696-bfae-05a7b85d7b9e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT3H\",\"queryPeriod\":\"PT3H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let timeframe = ago(3h);\\nlet threshold = 2;\\nimAuthentication\\n| where TimeGenerated \u003e timeframe\\n| where EventType==\u0027Logon\u0027 and EventResult==\u0027Success\u0027\\n| where isnotempty(SrcGeoCountry)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\\n , NumOfCountries = dcount(SrcGeoCountry)\\n by TargetUserId, TargetUsername, TargetUserType\\n| where NumOfCountries \u003e= threshold\\n| extend timestamp = StartTime, AccountCustomEntity = 
TargetUsername\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"User login from different countries within 3 hours (Uses Authentication Normalization)\",\"description\":\"This query searches for successful user logins from different countries within 3 hours.\\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)\",\"lastUpdatedDateUTC\":\"2022-02-14T00:00:00Z\",\"createdDateUTC\":\"2021-06-14T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/67775878-7f8b-4380-ac54-115e1e828901\",\"name\":\"67775878-7f8b-4380-ac54-115e1e828901\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let HAS_ANY_MAX=10000;\\nlet dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet IP_TI = (ThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\\\"\\\")\\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true);\\nlet TI_IP_List=IP_TI | summarize NIPs=dcount(TI_ipEntity), IP_List=make_set( TI_ipEntity) \\n| project IP_List=iff(NIPs \u003e HAS_ANY_MAX, dynamic([]), IP_List);\\n_Im_Dns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\\n | extend tilist = toscalar(TI_IP_List)\\n | mv-expand tilist\\n | extend SingleIP=tostring(tilist)\\n | project-away tilist\\n | where has_ipv4(DnsResponseName, SingleIP)\\n | extend DNS_TimeGenerated = TimeGenerated\\n| join IP_TI\\n on $left.SingleIP == $right.TI_ipEntity\\n| where DNS_TimeGenerated \u003e= TimeGenerated and DNS_TimeGenerated \u003c ExpirationDateTime\\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\\nTI_ipEntity, Dvc, EventSubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\",\"customDetails\":{\"LatestIndicatorTime\":\"LatestIndicatorTime\",\"Description\":\"Description\",\"ActivityGroupNames\":\"ActivityGroupNames\",\"IndicatorId\":\"IndicatorId\",\"ThreatType\":\"ThreatType\",\"ExpirationDateTime\":\"ExpirationDateTime\",\"ConfidenceScore\":\"ConfidenceScore\",\"DNSRequestTime\":\"DNS_TimeGenerated\",\"SourceIPAddress\":\"SrcIpAddr\",\"SubType\":\"EventSubType\",\"DnsQuery\":\"DnsQuery\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"(Preview) TI map IP entity to Dns Events (ASIM 
DNS Schema)\",\"description\":\"Identifies a match in DNS events from any IP IOC from TI\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema\",\"lastUpdatedDateUTC\":\"2022-04-27T00:00:00Z\",\"createdDateUTC\":\"2021-09-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"name\":\"ca67c83e-7fff-4127-a3e3-1af66d6d4cad\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let ProcessCreationEvents=() {\\nlet processEvents=(union isfuzzy=true\\n(SecurityEvent\\n| where EventID==4688\\n| where isnotempty(CommandLine)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = 
SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName\\n),\\n(WindowsEvent\\n| where EventID==4688\\n| where EventData has \\\"TVqQAAMAAAAEAAA\\\"\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where isnotempty(CommandLine)\\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\\n| extend NewProcessName = tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend SubjectUserName = tostring(EventData.SubjectUserName)\\n| extend SubjectDomainName = tostring(EventData.SubjectDomainName)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\\nFileName = Process, CommandLine, ParentProcessName));\\nprocessEvents};\\nProcessCreationEvents\\n| where CommandLine contains \\\"TVqQAAMAAAAEAAA\\\"\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\",\"DefenseEvasion\"],\"displayName\":\"Base64 encoded Windows process command-lines\",\"description\":\"Identifies instances of a base64 encoded PE file header seen in the process command line 
parameter.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2018-09-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"name\":\"90586451-7ba8-4c1e-9904-7d1b7c3cc4d6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Security Center\",\"severitiesFilter\":[\"Low\",\"Medium\",\"High\"],\"displayName\":\"Create incidents based on Microsoft Defender for Cloud\",\"description\":\"Create incidents based on all alerts generated in Microsoft Defender for Cloud\",\"lastUpdatedDateUTC\":\"2021-07-25T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureSecurityCenter\",\"dataTypes\":[\"SecurityAlert 
(ASC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"name\":\"d57c33a9-76b9-40e0-9dfa-ff0404546410\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// Adjust this to use a longer timeframe to identify ADFS servers\\n//let lookback = 0d;\\n// Adjust this to adjust detection timeframe\\n//let timeframe = 1d;\\n// Filter out other servers in the AD FS farm\\nlet ADFSServersList = dynamic([\\\"ADFS02.domain.com\\\",\\\"ADFS03.domain.com\\\"]);\\n// Start by identifying ADFS servers to reduce FP chance\\nlet ADFS_Servers = (\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe+lookback)\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 18\\n| where Computer !in (ADFSServersList)\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\\n| extend Image = column_ifexists(\\\"Image\\\", \\\"\\\")\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n| where process =~ \\\"Microsoft.IdentityServer.ServiceHost.exe\\\"\\n| summarize by Computer\\n);\\n// Look for ADFS servers receiving connections over port 80\\nEvent\\n//| where TimeGenerated \u003e ago(timeframe)\\n| where Source == 
\\\"Microsoft-Windows-Sysmon\\\"\\n| where Computer in~ (ADFS_Servers)\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\\n| mv-expand bagexpansion=array EventData\\n| evaluate bag_unpack(EventData)\\n| extend Key = tostring(column_ifexists(\u0027@Name\u0027, \\\"\\\")), Value = column_ifexists(\u0027#text\u0027, \\\"\\\")\\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\\n| extend RuleName = column_ifexists(\\\"RuleName\\\", \\\"\\\"), TechniqueId = column_ifexists(\\\"TechniqueId\\\", \\\"\\\"), TechniqueName = column_ifexists(\\\"TechniqueName\\\", \\\"\\\")\\n| parse RuleName with * \u0027technique_id=\u0027 TechniqueId \u0027,\u0027 * \u0027technique_name=\u0027 TechniqueName\\n| where EventID == 3\\n// Look for endpoints connecting to the AD FS server over port 80\\n| extend DestinationPort = column_ifexists(\\\"DestinationPort\\\", \\\"\\\"), Image = column_ifexists(\\\"Image\\\", \\\"\\\"), Initiated = column_ifexists(\\\"Initiated\\\", \\\"\\\"), SourceIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\"), DestinationIp = column_ifexists(\\\"DestinationIp\\\", \\\"\\\")\\n| where DestinationPort == 80\\n| extend process = split(Image, \u0027\\\\\\\\\u0027, -1)[-1]\\n// Look for the System process receiving connections\\n| where process == \u0027System\u0027 and Initiated == \u0027false\u0027\\n| where DestinationIp !in (\u0027::1\u0027,\u00270:0:0:0:0:0:0:1\u0027)\\n| extend Operation = RenderedDescription\\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = 
SourceIp\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"AD FS Remote HTTP Network Connection\",\"description\":\"This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\\n\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1faf5e8-6958-11ec-90d6-0242ac120003\",\"name\":\"c1faf5e8-6958-11ec-90d6-0242ac120003\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"SecurityEvent\\n| where EventID == 4720 and TargetUserName endswith \\\"$\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectUserName, SubjectUserSid, SubjectLogonId, 
TargetUserName, TargetSid\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SubjectUserName\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"Computer\"}]}],\"tactics\":[\"DefenseEvasion\"],\"displayName\":\"Fake computer account created\",\"description\":\"This query detects domain user accounts creation (event ID 4720) where the username ends with $. \\nAccounts that end with $ are normally domain computer accounts and when they are created the event ID 4741 is generated instead.\\nRef: https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights.html\",\"lastUpdatedDateUTC\":\"2022-01-19T00:00:00Z\",\"createdDateUTC\":\"2021-12-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/04384937-e927-4595-8f3c-89ff58ed231f\",\"name\":\"04384937-e927-4595-8f3c-89ff58ed231f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P7D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let IPs = dynamic ([\\\"199.249.230.\\\",\\\"185.220.101.\\\",\\\"23.129.64.\\\",\\\"109.70.100.\\\",\\\"185.220.102.\\\"]);\\nOfficeActivity\\n| where RecordType in (\\\"AzureActiveDirectoryAccountLogon\\\", \\\"AzureActiveDirectoryStsLogon\\\") \\n| where Operation != \u0027UserLoggedIn\u0027\\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \\\"UserAgent\\\", extractjson(\\\"$[0].Value\\\", ExtendedProperties, typeof(string)),\\\"\\\")\\n| mv-expand 
parse_json(ExtendedProperties)\\n| where ExtendedProperties.Name =~ \\\"RequestType\\\"\\n| extend RequestType = ExtendedProperties.Value\\n| where ClientIP has_any (IPs)\\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\\n| where authAttempts \u003e 2500\\n| extend timestamp = firstAttempt\\n| sort by uniqueAccounts\",\"entityMappings\":[],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Possible STRONTIUM attempted credential harvesting - Sept 2020\",\"description\":\"Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-09-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"name\":\"7d7e20f8-3384-4b71-811c-f5e950e8306c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT2H\",\"queryPeriod\":\"PT2H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"AuditLogs\\n| where ActivityDisplayName =~\u0027Add member to role completed (PIM activation)\u0027\\n| where Result == \\\"failure\\\"\\n| extend Role = tostring(TargetResources[3].displayName)\\n| extend User = tostring(TargetResources[2].displayName)\\n| project-reorder TimeGenerated, 
User, Role, OperationName, Result, ResultDescription\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"InitiatingUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"PIM Elevation Request Rejected\",\"description\":\"Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"name\":\"6852d9da-8015-4b95-8ecf-d9572ee0395d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Low\",\"query\":\"let queryfrequency = 1h;\\nlet wait_for_deletion = 10m;\\nlet account_created =\\n AuditLogs \\n | where ActivityDisplayName == \\\"Add service principal\\\"\\n | 
where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend creationTime = ActivityDateTime\\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_activity =\\n AADServicePrincipalSignInLogs\\n | extend Activities = pack(\\\"ActivityTime\\\", TimeGenerated ,\\\"IpAddress\\\", IPAddress, \\\"ResourceDisplayName\\\", ResourceDisplayName)\\n | extend AppID = AppId\\n | summarize make_list(Activities) by AppID;\\nlet account_deleted =\\n AuditLogs \\n | where OperationName == \\\"Remove service principal\\\"\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend deletionTime = ActivityDateTime\\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\\nlet account_credentials =\\n AuditLogs\\n | where OperationName has_all (\\\"Update application\\\", \\\"Certificates and secrets management\\\")\\n | where Result == \\\"success\\\"\\n | extend AppID = tostring(AdditionalDetails[1].value)\\n | extend credentialCreationTime = ActivityDateTime;\\nlet roles_assigned =\\n AuditLogs\\n | where ActivityDisplayName == \\\"Add app role assignment to service principal\\\"\\n | extend AppID = tostring(TargetResources[1].displayName)\\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\\\"AppRole.Value\\\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\\\"\\\")\\n | extend AssignedRoles = pack(\\\"Role\\\", AssignedRole)\\n | summarize make_list(AssignedRoles) by AppID;\\naccount_created\\n| where TimeGenerated between 
(ago(wait_for_deletion+queryfrequency)..ago(wait_for_deletion))\\n| join kind= inner (account_activity) on AppID\\n| join kind= inner (account_deleted) on AppID\\n| join kind= inner (account_credentials) on AppID\\n| join kind= inner (roles_assigned) on AppID\\n| where deletionTime - creationTime between (time(0s)..wait_for_deletion)\\n| extend AliveTime = deletionTime - creationTime\\n| project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities, list_AssignedRoles, AliveTime\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_creator\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"userPrincipalName_deleter\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_creator\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress_deleter\"}]}],\"tactics\":[\"CredentialAccess\",\"PrivilegeEscalation\",\"InitialAccess\"],\"displayName\":\"Suspicious Service Principal creation activity\",\"description\":\"This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 
minutes)\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-11-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\",\"AADServicePrincipalSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ec21493c-2684-4acd-9bc2-696dbad72426\",\"name\":\"ec21493c-2684-4acd-9bc2-696dbad72426\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\n//Create a list of TLDs in our threat feed for later validation of extracted domains\\nlet list_tlds = ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e ago(ioc_lookBack)\\n | where isnotempty(DomainName)\\n | extend DomainName = tolower(DomainName)\\n | extend parts = split(DomainName, \u0027.\u0027)\\n | extend tld = parts[(array_length(parts)-1)]\\n | summarize count() by tostring(tld)\\n | summarize make_list(tld);\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n // Picking up only IOC\u0027s that contain the entities we want\\n | where isnotempty(DomainName)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique (\\n CommonSecurityLog\\n | extend IngestionTime = ingestion_time()\\n | where IngestionTime \u003e ago(dt_lookBack)\\n | where 
DeviceVendor =~ \u0027Palo Alto Networks\u0027\\n | where DeviceEventClassID =~ \u0027url\u0027\\n //Uncomment the line below to only alert on allowed connections\\n //| where DeviceAction !~ \\\"block-url\\\"\\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\\n | extend PA_Url = columnifexists(\\\"RequestURL\\\", \\\"None\\\")\\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \\\"PanOS\\\", extract(\\\"([^\\\\\\\"]+)\\\", 1, tolower(AdditionalExtensions)), trim(\u0027\\\"\u0027, PA_Url))\\n | extend PA_Url = iif(PA_Url !startswith \\\"http://\\\" and ApplicationProtocol !~ \\\"ssl\\\", strcat(\u0027http://\u0027, PA_Url), iif(PA_Url !startswith \\\"https://\\\" and ApplicationProtocol =~ \\\"ssl\\\", strcat(\u0027https://\u0027, PA_Url), PA_Url))\\n | extend Domain = trim(@\\\"\\\"\\\"\\\",tostring(parse_url(PA_Url).Host))\\n | where isnotempty(Domain)\\n | extend Domain = tolower(Domain)\\n | extend parts = split(Domain, \u0027.\u0027)\\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\\n | where tld in~ (list_tlds)\\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\\n ) on $left.DomainName==$right.Domain\\n | where CommonSecurityLog_TimeGenerated \u003c ExpirationDateTime\\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \\n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = 
DeviceName, URLCustomEntity = PA_Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Domain entity to PaloAlto\",\"description\":\"Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"name\":\"caf78b95-d886-4ac3-957a-a7a3691ff4ed\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT12H\",\"queryPeriod\":\"PT12H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Tarrask.csv\\\"] with (format=\\\"csv\\\", ignoreFirstRecord=True);\\nlet sha256Hashes = (iocs | where Type =~ \\\"sha256\\\" | project IoC);\\n(union isfuzzy=true\\n(CommonSecurityLog\\n| where FileHash in (sha256Hashes)\\n| project 
TimeGenerated, Message, SourceUserID, FileHash, Type\\n| extend timestamp = TimeGenerated, FileHashCustomEntity = \u0027SHA256\u0027, Account = SourceUserID\\n),\\n(imFileEvent\\n| where TargetFileSHA256 has_any (sha256Hashes)\\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\\n),\\n(Event\\n| where Source == \\\"Microsoft-Windows-Sysmon\\\"\\n| where EventID == 1\\n| extend EvData = parse_xml(EventData)\\n| extend EventDetail = EvData.DataItem.EventData.Data\\n| extend Image = EventDetail.[4].[\\\"#text\\\"], CommandLine = EventDetail.[10].[\\\"#text\\\"], Hashes = tostring(EventDetail.[17].[\\\"#text\\\"])\\n| extend Hashes = extract_all(@\\\"(?P\u003ckey\u003e\\\\w+)=(?P\u003cvalue\u003e[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), Hashes)\\n| extend Hashes = column_ifexists(\\\"Hashes\\\", \\\"\\\"), CommandLine = column_ifexists(\\\"CommandLine\\\", \\\"\\\")\\n| where (Hashes has_any (sha256Hashes) ) \\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, Hashes, CommandLine, Image\\n| extend Type = strcat(Type, \\\": \\\", Source)\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, \u0027\\\\\\\\\u0027, -1)[-1]), FileHashCustomEntity = Hashes\\n),\\n(DeviceEvents\\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = 
InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceFileEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = InitiatingProcessFolderPath\\n),\\n(DeviceImageLoadEvents\\n| where SHA256 has_any (sha256Hashes)\\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \\\"SHA256\\\", FileHashCustomEntity = InitiatingProcessSHA256, CommandLine = InitiatingProcessCommandLine,Image = 
InitiatingProcessFolderPath\\n)\\n)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"ProcessCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Tarrask malware IOC - April 2022\",\"description\":\"Identifies a hash match related to Tarrask malware across various data sources.\\n Reference: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\",\"lastUpdatedDateUTC\":\"2022-04-12T00:00:00Z\",\"createdDateUTC\":\"2022-01-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceFileEvents\",\"DeviceEvents\",\"DeviceImageLoadEvents\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2560515c-07d1-434e-87fb-ebe3af267760\",\"name\":\"2560515c-07d1-434e-87fb-ebe3af267760\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\"
:\"AuditLogs\\n| where Category =~ \\\"ApplicationManagement\\\"\\n| where ActivityDisplayName has_any (\\\"Add delegated permission grant\\\",\\\"Add app role assignment to service principal\\\")\\n| where Result =~ \\\"success\\\"\\n| where tostring(InitiatedBy.user.userPrincipalName) has \\\"@\\\" or tostring(InitiatedBy.app.displayName) has \\\"@\\\"\\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\\n| mv-expand props\\n| extend UserAgent = tostring(AdditionalDetails[0].value)\\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n| extend DisplayName = tostring(props.displayName)\\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\\n| where Permissions has_any (\\\"Mail.Read\\\", \\\"Mail.ReadWrite\\\")\\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\\n| extend Type = tostring(TargetResources[0].type)\\n| project-away props\\n| join kind=leftouter(\\n AuditLogs\\n | where ActivityDisplayName has \\\"Consent to application\\\"\\n | extend AppName = tostring(TargetResources[0].displayName)\\n | extend AppId = tostring(TargetResources[0].id)\\n | project AppName, AppId, CorrelationId) on CorrelationId\\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Mail.Read Permissions Granted to Application\",\"description\":\"This query look for applications that have been 
granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"name\":\"532c1811-79ee-4d9f-8d4d-6304c840daa1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MicrosoftSecurityIncidentCreation\",\"properties\":{\"productFilter\":\"Azure Active Directory Identity Protection\",\"displayName\":\"Create incidents based on Azure Active Directory Identity Protection alerts\",\"description\":\"Create incidents based on all alerts generated in Azure Active Directory Identity Protection\",\"lastUpdatedDateUTC\":\"2019-07-16T00:00:00Z\",\"createdDateUTC\":\"2019-07-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectoryIdentityProtection\",\"dataTypes\":[\"SecurityAlert 
(IPC)\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"name\":\"bb616d82-108f-47d3-9dec-9652ea0d3bf6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"High\",\"query\":\"let queryfrequency = 1h;\\nlet queryperiod = 1d;\\nAuditLogs\\n| where TimeGenerated \u003e ago(queryfrequency)\\n| where OperationName =~ \\\"Delete user\\\"\\n//extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n| extend UserPrincipalName = extract(@\u0027([a-f0-9]{32})?(.*)\u0027, 2, tostring(TargetResources[0].userPrincipalName))\\n| extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend DeletedByApp = tostring(InitiatedBy.app.displayName)\\n| project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources\\n| join kind=inner (\\n AuditLogs\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where OperationName =~ \\\"Add user\\\"\\n | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)\\n | project-rename Creation_TimeGenerated = TimeGenerated\\n) on UserPrincipalName\\n| extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated\\n| where TimeDelta between (time(0s) .. 
queryperiod)\\n| extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)\\n| extend CreatedByApp = tostring(InitiatedBy.app.displayName)\\n| project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources\\n| extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CustomAccountEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Account Created and Deleted in Short Timeframe\",\"description\":\"Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. 
Attackers may create an account for their use, and then remove the account when no longer needed.\\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account\",\"lastUpdatedDateUTC\":\"2022-01-17T00:00:00Z\",\"createdDateUTC\":\"2021-10-28T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"name\":\"a0907abe-6925-4d90-af2b-c7e89dc201a6\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P10D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 10d;\\nlet endtime = 1d;\\nlet threshold = 100;\\nlet nxDomainDnsEvents = DnsEvents \\n| where ResultCode == 3 \\n| where QueryType in (\\\"A\\\", \\\"AAAA\\\")\\n| where ipv4_is_match(\\\"127.0.0.1\\\", ClientIP) == False\\n| where Name !contains \\\"/\\\"\\n| where Name contains \\\".\\\";\\nnxDomainDnsEvents\\n| where TimeGenerated \u003e ago(endtime)\\n| extend sld = tostring(split(Name, \\\".\\\")[-2])\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\\n| where dcount_sld \u003e threshold\\n// Filter out previously seen IPs\\n| join kind=leftanti (nxDomainDnsEvents\\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | extend sld = tostring(split(Name, \\\".\\\")[-2])\\n | summarize dcount(sld) by ClientIP\\n | where dcount_sld \u003e threshold ) on ClientIP\\n// Pull out sample NXDomain responses for those remaining potentially infected 
IPs\\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Potential DGA detected\",\"description\":\"Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \\nNXDomain records in prior 10-day baseline period).\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"name\":\"ef895ada-e8e8-4cf0-9313-b1ab67fab69f\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let known_locations =\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where ResultType == 0\\n | summarize by Location;\\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where ResultType != 50126\\n | where Location !in 
(known_locations)\\n | extend LocationDetails_dynamic = column_ifexists(\\\"LocationDetails_dynamic\\\", \\\"\\\")\\n | extend DeviceDetail_dynamic = column_ifexists(\\\"DeviceDetail_dynamic\\\", \\\"\\\")\\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\\n | extend City = tostring(LocationDetails.city)\\n | extend State = tostring(LocationDetails.state)\\n | extend Place = strcat(City, \\\" - \\\", State)\\n | extend DeviceId = tostring(DeviceDetail.deviceId)\\n | extend Result = strcat(tostring(ResultType), \\\" - \\\", ResultDescription)\\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserPrincipalName\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"Authentication Attempt from New Country\",\"description\":\"Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/9713e3c0-1410-468d-b79e-383448434b2d\",\"name\":\"9713e3c0-1410-468d-b79e-383448434b2d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\\n// Taking the first non-empty value based on potential IOC match availability\\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, 
TI_ipEntity)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n VMConnection\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // renaming time column so it is clear the log this came from\\n | extend VMConnection_TimeGenerated = TimeGenerated\\n)\\non $left.TI_ipEntity == $right.RemoteIp\\n| where VMConnection_TimeGenerated \u003c ExpirationDateTime\\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map IP entity to VMConnection\",\"description\":\"Identifies a match in VMConnection from any IP IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/017e095a-94d8-430c-a047-e51a11fb737b\",\"name\":\"017e095a-94d8-430c-a047-e51a11fb737b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains =\\n SigninLogs\\n | where ResultType == 0\\n | extend domain = split(UserPrincipalName, \\\"@\\\")[1]\\n | extend domain = tostring(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tolower(tostring(domain));\\n AuditLogs\\n | where Category =~ \\\"ApplicationManagement\\\"\\n | where Result =~ \\\"success\\\"\\n | where OperationName =~ \u0027Update Application\u0027\\n | mv-expand TargetResources\\n | mv-expand TargetResources.modifiedProperties\\n | where TargetResources_modifiedProperties.displayName =~ \\\"AppAddress\\\"\\n | extend Key = tostring(TargetResources_modifiedProperties.displayName)\\n | extend NewValue = TargetResources_modifiedProperties.newValue\\n | extend OldValue = TargetResources_modifiedProperties.oldValue\\n | where isnotempty(Key) and isnotempty(NewValue)\\n | project-reorder Key, NewValue, OldValue\\n | extend NewUrls = extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(NewValue))\\n | extend OldUrls = 
extract_all(\u0027\\\"Address\\\":([^,]*)\u0027, tostring(OldValue))\\n | extend AddedUrls = set_difference(NewUrls, OldUrls)\\n | where array_length(AddedUrls) \u003e 0\\n | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == \\\"User-Agent\\\", tostring(AdditionalDetails[0].value), \\\"\\\")\\n | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), \\\"\\\")\\n | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), \\\"\\\")\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)\\n | project-away AddingApp, AddingUser\\n | extend AppDisplayName = tostring(TargetResources.displayName)\\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\\n | where isnotempty(AddedUrls)\\n | mv-expand AddedUrls\\n | extend Domain = extract(\\\"^(?:https?:\\\\\\\\/\\\\\\\\/)?(?:[^@\\\\\\\\/\\\\\\\\n]+@)?(?:www\\\\\\\\.)?([^:\\\\\\\\/?\\\\\\\\n]+)/\\\", 1, replace_string(tolower(tostring(AddedUrls)), \u0027\\\"\u0027, \\\"\\\"))\\n | where isnotempty(Domain)\\n | extend Domain = strcat(split(Domain, \\\".\\\")[-2], \\\".\\\", split(Domain, \\\".\\\")[-1])\\n | where Domain !in (domains)\\n | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"AddedUrls\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ipAddress\"}]}],\"tactics\":[\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"URL Added to Application from Unknown Domain\",\"description\":\"Detects a URL being added to an application where the 
domain is not one that is associated with the tenant.\\n The query uses domains seen in sign in logs to determine if the domain is associated with the tenant.\\n Applications associated with URLs not controlled by the organization can pose a security risk.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"name\":\"b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"//Collect the alert events\\nlet alertData = SecurityAlert \\n| where DisplayName has \\\"Potential malware uploaded to\\\" \\n| extend Entities = parse_json(Entities) \\n| mv-expand Entities;\\n//Parse the IP address data\\nlet ipData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"ip\\\" \\n| extend AttackerIP = tostring(Entities[\u0027Address\u0027]), AttackerCountry = tostring(Entities[\u0027Location\u0027][\u0027CountryName\u0027]);\\n//Parse the file data\\nlet FileData = alertData \\n| where Entities[\u0027Type\u0027] =~ \\\"file\\\" \\n| extend MaliciousFileDirectory = tostring(Entities[\u0027Directory\u0027]), MaliciousFileName = tostring(Entities[\u0027Name\u0027]), MaliciousFileHashes = tostring(Entities[\u0027FileHashes\u0027]);\\n//Combine 
the File and IP data together\\nipData \\n| join (FileData) on VendorOriginalId \\n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\\n//Create a type column so we can track if it was a File storage or blobl storage upload \\n| extend type = iff(DisplayName has \\\"file\\\", \\\"File\\\", \\\"Blob\\\") \\n| join (\\n union\\n StorageFileLogs, \\n StorageBlobLogs \\n //File upload operations \\n | where OperationName =~ \\\"PutBlob\\\" or OperationName =~ \\\"PutRange\\\"\\n //Parse out the uploader IP \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0])\\n //Extract the filename from the Uri \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri)\\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don\u0027t work\\n //We can work around this by making it an array then converting it to hex from an int \\n | extend base64Char = base64_decode_toarray(ResponseMd5) \\n | mv-expand base64Char \\n | extend hexChar = tohex(toint(base64Char))\\n | extend hexChar = iff(strlen(hexChar) \u003c 2, strcat(\\\"0\\\", hexChar), hexChar) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \\n | extend Md5Hash = strcat_array(list_hexChar, \\\"\\\")\\n //Pack the file information the summarise into a ClientIP row \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"FileSize\\\", RequestBodySize, \\\"Md5Hash\\\", Md5Hash, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \\n | join kind=leftouter (\\n union\\n StorageFileLogs,\\n StorageBlobLogs \\n | where OperationName =~ \\\"DeleteFile\\\" or 
OperationName =~ \\\"DeleteBlob\\\" \\n | extend ClientIP = tostring(split(CallerIpAddress, \\\":\\\", 0)[0]) \\n | extend FileName = extract(@\\\"\\\\/([\\\\w\\\\-. ]+)\\\\?\\\", 1, Uri) \\n | extend SourceTable = iff(OperationName has \\\"range\\\", \\\"StorageFileLogs\\\", \\\"StorageBlobLogs\\\") \\n | extend p = pack(\\\"FileName\\\", FileName, \\\"Time\\\", TimeGenerated, \\\"SourceTable\\\", SourceTable) \\n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\\n ) on ClientIP\\n ) on $left.AttackerIP == $right.ClientIP \\n| mvexpand UploadedFileInfo \\n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \\n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \\n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \\n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \\\"MD5\\\", IPCustomEntity = AttackerIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"HashAlgorithm\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"Exfiltration\"],\"displayName\":\"Linked Malicious Storage Artifacts\",\"description\":\"An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional 
files.\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2021-02-22T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftCloudAppSecurity\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"name\":\"c7cd6073-6d2c-4284-a5c8-da27605bdfde\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT10M\",\"queryPeriod\":\"PT10M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Low\",\"query\":\"let lbtime = 10m;\\nProofpointPOD\\n| where TimeGenerated \u003e ago(lbtime)\\n| where EventType == \u0027message\u0027\\n| where NetworkDirection == \u0027inbound\u0027\\n| where FilterDisposition !in (\u0027reject\u0027, \u0027discard\u0027)\\n| where FilterModulesSpamScoresOverall == \u0027100\u0027\\n| project SrcUserUpn, DstUserUpn\\n| extend AccountCustomEntity = SrcUserUpn\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"ProofpointPOD - High risk message not discarded\",\"description\":\"Detects when email with high risk score was not rejected or discarded by 
filters.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_message_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"name\":\"c87fb346-ea3a-4c64-ba92-3dd383e0f0b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"High\",\"query\":\"let DomainNames = \\\"miniodaum.ml\\\";\\nlet SHA256Hash = dynamic ([\\\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\\\", \\\"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n| parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n| where isnotempty(FileHash)\\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\\n),\\n (_Im_Dns (domain_has_any=DomainNames)\\n| extend DNSName = DnsQuery \\n| extend IPAddress = SrcIpAddr, Computer = Dvc\\n), \\n(_Im_WebSession(url_has_any=DomainNames) \\n| extend DNSName = tostring(parse_url(Url)[\\\"Host\\\"])\\n| extend IPAddress = SrcIpAddr, Account=User\\n),\\n(VMConnection \\n| parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n| where isnotempty(DNSName)\\n| where DNSName =~ DomainNames\\n| extend IPAddress = RemoteIp\\n),\\n(AzureDiagnostics \\n| where ResourceType == \\\"AZUREFIREWALLS\\\"\\n| where Category == \\\"AzureFirewallApplicationRule\\\"\\n| parse msg_s with Protocol 
\u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n| where isnotempty(DestinationHost)\\n| where DestinationHost has_any (DomainNames) \\n| extend DNSName = DestinationHost \\n| extend IPAddress = SourceHost\\n)\\n)\\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\",\"CredentialAccess\"],\"displayName\":\"Known CERIUM domains and hashes\",\"description\":\"CERIUM malicious webserver and hash values for maldocs and malware. \\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection 
dataTypes.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-29T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"name\":\"712fab52-2a7d-401e-a08c-ff939cc7c25e\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.2.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// Picking up only IOC\u0027s that contain the entities we want\\n| where isnotempty(Url)\\n// using 
innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n AuditLogs\\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n // Extract the URL that is contained within the JSON data\\n | extend Url = extract(\\\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.\u0026+]|[!*\\\\\\\\(\\\\\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\\\", 1,tostring(TargetResources))\\n | where isnotempty(Url)\\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\\n | extend Audit_TimeGenerated = TimeGenerated\\n) on Url\\n| where Audit_TimeGenerated \u003c ExpirationDateTime\\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map URL entity to AuditLogs\",\"description\":\"Identifies a match in AuditLogs from any URL IOC from 
TI\",\"lastUpdatedDateUTC\":\"2021-11-29T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ab4b6944-a20d-42ab-8b63-238426525801\",\"name\":\"ab4b6944-a20d-42ab-8b63-238426525801\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\nlet timeframe = 1h;\\nlet connections = VMConnection \\n | where TimeGenerated \u003e= ago(timeframe)\\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\\n | mv-expand DNSName\\n | where isnotempty(DNSName)\\n | where DNSName has_any (domains)\\n | extend IPCustomEntity = RemoteIp\\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\\nlet processes = VMProcess\\n | where 
TimeGenerated \u003e= ago(timeframe)\\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\\n | extend exePathArr = split(ExecutablePath, \\\"\\\\\\\\\\\")\\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \\\"\\\\\\\\\\\")\\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \\\"\\\\\\\\\\\")\\n | project-away exePathArr;\\nlet computers = VMComputer\\n | where TimeGenerated \u003e= ago(timeframe)\\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\\nconnections | join kind = inner (processes) on AgentId, Machine, Process\\n | join kind = inner (computers) on AgentId, Machine\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]},{\"entityType\":\"Process\",\"fieldMappings\":[{\"identifier\":\"ProcessId\",\"columnName\":\"FirstPid\"},{\"identifier\":\"CommandLine\",\"columnName\":\"CommandLine\"}]},{\"entityType\":\"File\",\"fieldMappings\":[{\"identifier\":\"Directory\",\"columnName\":\"DirectoryName\"},{\"identifier\":\"Name\",\"columnName\":\"Filename\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Domains Found in VM Insights\",\"description\":\"Identifies connections to Solorigate-related DNS records based on VM insights 
data\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMProcess\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMComputer\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"name\":\"1ce5e766-26ab-4616-b7c8-3b33ae321e80\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"//Adjust this threshold to fit environment\\nlet signin_threshold = 5; \\n//Make a list of IPs with failed Windows host logins above threshold\\nlet win_fails = \\nSecurityEvent\\n| where EventID == 4625\\n| where LogonType in (10, 7, 3)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\nlet wef_fails =\\nWindowsEvent\\n| where EventID == 4625\\n| extend LogonType = tostring(EventData.LogonType)\\n| where LogonType in (10, 7, 3)\\n| extend IpAddress = tostring(EventData.IpAddress)\\n| where IpAddress != \\\"-\\\"\\n| summarize count() by IpAddress\\n| where count_ \u003e signin_threshold\\n| summarize make_list(IpAddress);\\n//Make a list of IPs with failed *nix host logins above threshold\\nlet nix_fails = \\nSyslog\\n| where Facility contains \u0027auth\u0027 and ProcessName != \u0027sudo\u0027\\n| extend SourceIP = 
extract(\\\"(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.(([0-9]{1,3})))\\\",1,SyslogMessage)\\n| where SourceIP != \\\"\\\" and SourceIP != \\\"127.0.0.1\\\"\\n| summarize count() by SourceIP\\n| where count_ \u003e signin_threshold\\n| summarize make_list(SourceIP);\\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\\nlet aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType !in (\\\"0\\\", \\\"50125\\\", \\\"50140\\\")\\n| where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)\\n| extend Reason= \\\"Multiple failed host logins from IP address with successful Azure AD login\\\"\\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"CredentialAccess\"],\"displayName\":\"Failed host logons but success logon to AzureAD\",\"description\":\"Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same 
timeframe.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"name\":\"28b42356-45af-40a6-a0b4-a554cdfd5d8a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"2.0.0\",\"severity\":\"Medium\",\"query\":\"let timeRange = 24h;\\nlet failureCountThreshold = 5;\\nlet authenticationWindow = 20m;\\nlet aadFunc = (tableName:string){\\n table(tableName)\\n| where AppDisplayName has \\\"Azure Portal\\\"\\n| extend\\n DeviceDetail = todynamic(DeviceDetail),\\n //Status = todynamic(Status),\\n LocationDetails = todynamic(LocationDetails)\\n| extend\\n OS = tostring(DeviceDetail.operatingSystem),\\n Browser = tostring(DeviceDetail.browser),\\n //StatusCode = tostring(Status.errorCode),\\n //StatusDetails = tostring(Status.additionalDetails),\\n State = tostring(LocationDetails.state),\\n City = tostring(LocationDetails.city),\\n Region = tostring(LocationDetails.countryOrRegion)\\n// Split out failure versus non-failure types\\n| extend FailureOrSuccess = iff(ResultType in 
(\\\"0\\\", \\\"50125\\\", \\\"50140\\\", \\\"70043\\\", \\\"70044\\\"), \\\"Success\\\", \\\"Failure\\\") \\n// bin outcomes based on authenticationWindow\\n| summarize take_anyif(UserPrincipalName, not(UserPrincipalName matches regex @\\\"[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\\-[a-f\\\\d]+\\\")),\\n take_anyif(UserDisplayName, isnotempty(UserDisplayName)), FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType\\n// sort for sessionizing - by UserPrincipalName and time of the authentication outcome\\n| sort by UserPrincipalName asc, TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress), make_set(Browser), make_set(City), make_set(State), make_set(Region), make_set(ResultType) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") != 0\\n| where array_index_of(list_FailureOrSuccess, \\\"Success\\\") == array_length(list_FailureOrSuccess) - 1\\n| project-away SessionStartedUtc, list_FailureOrSuccess\\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= failureCountThreshold \\n// expand out ip for entity assignment\\n| mv-expand IPAddress\\n| 
extend IPAddress = tostring(IPAddress)\\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \\n};\\n let aadSignin = aadFunc(\\\"SigninLogs\\\");\\n let aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\n union isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Brute force attack against Azure Portal\",\"description\":\"Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \\nand by a successful authentication within a given time window. \\nDefault Failure count is 5 and default Time Window is 20 minutes.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2019-04-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/23de46ea-c425-4a77-b456-511ae4855d69\",\"name\":\"23de46ea-c425-4a77-b456-511ae4855d69\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Low\",\"query\":\"let starttime = 14d;\\nlet endtime = 
1d;\\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\\nlet alertOperationThreshold = 5;\\nlet SensitiveOperationList = dynamic([\\\"microsoft.compute/snapshots/write\\\", \\\"microsoft.network/networksecuritygroups/write\\\", \\\"microsoft.storage/storageaccounts/listkeys/action\\\"]);\\nlet SensitiveActivity = AzureActivity\\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \\\"listkeys/action\\\"\\n| where ActivityStatusValue =~ \\\"Success\\\";\\nSensitiveActivity\\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\\n| where count_ \u003e= alertOperationThreshold\\n| join kind = rightanti ( \\nSensitiveActivity\\n| where TimeGenerated \u003e= ago(endtime)\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \\nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \\nby CallerIpAddress, Caller, OperationNameValue\\n) on CallerIpAddress, Caller, OperationNameValue\\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\",\"Persistence\"],\"displayName\":\"Rare subscription-level operations in Azure\",\"description\":\"This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\\n For example this monitors for the operation name \u0027Create or Update Snapshot\u0027 which is used for creating backups but could be misused by attackers \\n to dump hashes or extract sensitive information from the disk.\",\"lastUpdatedDateUTC\":\"2022-03-15T00:00:00Z\",\"createdDateUTC\":\"2019-08-23T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActivity\",\"dataTypes\":[\"AzureActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/84cf1d59-f620-4fee-b569-68daf7008b7b\",\"name\":\"84cf1d59-f620-4fee-b569-68daf7008b7b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let threshold = 10;\\nQualysHostDetection_CL\\n| mv-expand todynamic(Detections_s)\\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\\n| where Status =~ \\\"New\\\" and Severity == \\\"5\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\\n| where dcount_NetBios_s \u003e= threshold\\n| extend timestamp = StartTime\",\"entityMappings\":[],\"tactics\":[\"InitialAccess\"],\"displayName\":\"New High Severity Vulnerability Detected Across Multiple Hosts\",\"description\":\"This creates an incident when a new high severity vulnerability is detected across multilple 
hosts\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-06-19T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"QualysVulnerabilityManagement\",\"dataTypes\":[\"QualysHostDetection_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"name\":\"bc5ffe2a-84d6-48fe-bc7b-1055100469bc\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.4\",\"severity\":\"High\",\"query\":\"let SunburstMD5=dynamic([\\\"b91ce2fa41029f6955bff20079468448\\\",\\\"02af7cec58b9a5da1c542b5a32151ba1\\\",\\\"2c4a910a1299cdae2a4e55988a2f102e\\\",\\\"846e27a652a5e1bfbd0ddd38a16dc865\\\",\\\"4f2eb62fa529c0283b28d05ddd311fae\\\"]);\\nlet SupernovaMD5=\\\"56ceb6d0011d87b6e4d7023d7ef85676\\\";\\nimFileEvent\\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\\n| extend\\n timestamp = TimeGenerated,\\n AccountCustomEntity = User, \\n HostCustomEntity = DvcHostname,\\n FileHashCustomEntity = TargetFileMD5,\\n AlgorithmCustomEntity = \\\"MD5\\\"\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Algorithm\",\"columnName\":\"AlgorithmCustomEntity\"},{\"identifier\":\"Value\",\"columnName\":\"FileHashCustomEntity\"}]}],\"tactics\":[\"Execution\",\"Persistence\",\"InitialAccess\"],\"displayName\":\"SUNBURST and SUPERNOVA backdoor hashes (Normalized 
File Events)\",\"description\":\"Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\\nReferences:\\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2020-12-15T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"name\":\"8cbc3215-fa58-4bd6-aaaa-f0029c351730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"AlertPerResult\"},\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let threatCategory=\\\"Cryptominer\\\";\\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\\n [ @\\\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\\\"] \\n with(format=\\\"csv\\\", ignoreFirstRecord=True));\\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet customUserAgents=toscalar(_GetWatchlist(\\\"UnusualUserAgents\\\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\\\"UserAgent\\\",\\\"\\\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\\nlet fullUAList = 
array_concat(knownUserAgents,customUserAgents);\\n_Im_WebSession(httpuseragent_has_any=fullUAList)\\n| summarize N_Events=count() by SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\",\"customDetails\":{\"UserAgent\":\"HttpUserAgent\"},\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"Url\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SrcIpAddr\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"SrcUsername\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"The host {{SrcIpAddr}} is potentially running a crypto miner\",\"alertDescriptionFormat\":\"The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by crypto miners and indicates crypto mining activity on the client.\",\"alertTacticsColumnName\":null,\"alertSeverityColumnName\":null},\"tactics\":[\"CommandAndControl\"],\"displayName\":\"A host is potentially running a crypto miner (ASIM Web Session schema)\",\"description\":\"This rule identifies a web request with a user agent header known to belong to a crypto miner. 
This indicates a crypto miner may have infected the client machine.\u003cbr\u003eYou can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).\u003cbr\u003e\u003cbr\u003e This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)\",\"lastUpdatedDateUTC\":\"2022-03-14T00:00:00Z\",\"createdDateUTC\":\"2021-12-02T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SquidProxy\",\"dataTypes\":[\"SquidProxy_CL\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"name\":\"24f8c234-d1ff-40ec-8b73-96b17a3a9c1c\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"let EventCountThreshold = 25;\\n// To avoid any False Positives, filtering using AppId is recommended.\\n// For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\\nlet Allowedappid = 
dynamic([\\\"509e4652-da8d-478d-a730-e9d4a1996ca4\\\",\\\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\\\"]);\\nlet OperationList = dynamic(\\n[\\\"SecretGet\\\", \\\"KeyGet\\\", \\\"VaultGet\\\"]);\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where ResourceType =~ \\\"VAULTS\\\" and ResultType =~ \\\"Success\\\"\\n| where OperationName in (OperationList) \\n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\\n| where count_ \u003e EventCountThreshold \\n| join (\\nAzureDiagnostics\\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == \u0027VaultGet\u0027)\\n| extend ResultType = columnifexists(\\\"ResultType\\\", \\\"NoResultType\\\")\\n| extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n| extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n| where ResultType !~ \\\"None\\\" and isnotempty(ResultType)\\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and 
isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n| where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n| where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n| where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n| where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n| where OperationName in~ (OperationList) \\n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \\n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Mass secret retrieval from Azure Key Vault\",\"description\":\"Identifies mass secret retrieval from Azure Key Vault observed by a single user. \\nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. 
\\nYou can tweak the EventCountThreshold based on average count seen in your environment \\nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise\",\"lastUpdatedDateUTC\":\"2022-07-04T00:00:00Z\",\"createdDateUTC\":\"2019-07-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureKeyVault\",\"dataTypes\":[\"KeyVaultData\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"name\":\"b619d1f1-7f39-4c7e-bf9e-afbb46457997\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal contains \\\"XMRig\\\" or HttpUserAgentOriginal contains \\\"ccminer\\\"\\n| extend Message = \\\"Crypto Miner User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Crypto Miner User-Agent Detected\",\"description\":\"Detects suspicious user agent strings used by crypto miners in proxy 
logs.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"name\":\"dd03057e-4347-4853-bf1e-2b2d21eb4e59\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"NRT\",\"properties\":{\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let DomainList = dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\\"xmrget.com\\\",\\n\\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\\"supportxmr.com\\\",\\n\\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\\"gntl.co.uk\\\", \\\"semipool.com\\\",\\n\\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\",\\n\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\\"extrmepool.org\\\", \\\"webcoin.me\\\",\\n\\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\\"dwarfpool.com\\\", 
\\\"hash-to-coins.com\\\",\\n\\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\",\\n\\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\",\\n\\\"shscrypto.net\\\"]);\\nSyslog\\n| where ProcessName contains \\\"squid\\\"\\n| extend URL = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :]*)\\\",3,SyslogMessage),\\n SourceIP = extract(\\\"([0-9]+ )(([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3})\\\\\\\\.([0-9]{1,3}))\\\",2,SyslogMessage),\\n Status = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\\\",1,SyslogMessage),\\n HTTP_Status_Code = extract(\\\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\\\",8,SyslogMessage),\\n User = extract(\\\"(CONNECT |GET )([^ ]* )([^ ]+)\\\",3,SyslogMessage),\\n RemotePort = extract(\\\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\\\",4,SyslogMessage),\\n Domain = extract(\\\"(([A-Z]+ [a-z]{4,5}:\\\\\\\\/\\\\\\\\/)|[A-Z]+ )([^ :\\\\\\\\/]*)\\\",3,SyslogMessage),\\n Bytes = toint(extract(\\\"([A-Z]+\\\\\\\\/[0-9]{3} )([0-9]+)\\\",2,SyslogMessage)),\\n contentType = extract(\\\"([a-z/]+$)\\\",1,SyslogMessage)\\n| extend TLD = extract(\\\"\\\\\\\\.[a-z]*$\\\",0,Domain)\\n| where HTTP_Status_Code == \u0027200\u0027\\n| where Domain contains \\\".\\\"\\n| where Domain has_any (DomainList)\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"User\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"SourceIP\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URL\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"NRT 
Squid proxy events related to mining pools\",\"description\":\"Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used.\\n http://www.squid-cache.org/Doc/config/access_log/\",\"lastUpdatedDateUTC\":\"2022-05-31T00:00:00Z\",\"createdDateUTC\":\"2019-07-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b701288-b428-4fb8-805e-e4372c574786\",\"name\":\"2b701288-b428-4fb8-805e-e4372c574786\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\\n//The minimum number of countries that the account has been accessed from [default: 2]\\nlet minimumCountries = 2;\\n//The delta (%) between the largest in-use IP and the smallest [default: 95]\\nlet deltaThreshold = 95;\\n//The maximum (%) threshold that the country appears in login data [default: 10]\\nlet countryPrevalenceThreshold = 10;\\n//The time to project forward after the last login activity [default: 60min]\\nlet projectedEndTime = 60m;\\nlet queryfrequency = 1d;\\nlet queryperiod = 14d;\\nlet aadFunc = (tableName: string) {\\n // Get successful signins to Teams\\n let signinData =\\n table(tableName)\\n | where TimeGenerated \u003e ago(queryperiod)\\n | where AppDisplayName has \\\"Teams\\\" and ConditionalAccessStatus =~ \\\"success\\\"\\n | extend Country = 
tostring(todynamic(LocationDetails)[\u0027countryOrRegion\u0027])\\n | where isnotempty(Country) and isnotempty(IPAddress);\\n // Calculate prevalence of countries\\n let countryPrevalence =\\n signinData\\n | summarize CountCountrySignin = count() by Country\\n | extend TotalSignin = toscalar(signinData | summarize count())\\n | extend CountryPrevalence = toreal(CountCountrySignin) / toreal(TotalSignin) * 100;\\n // Count signins by user and IP address\\n let userIpSignin =\\n signinData\\n | summarize CountIPSignin = count(), Country = any(Country), ListSigninTimeGenerated = make_list(TimeGenerated) by IPAddress, UserPrincipalName;\\n // Calculate delta between the IP addresses with the most and minimum activity by user\\n let userIpDelta =\\n userIpSignin\\n | summarize MaxIPSignin = max(CountIPSignin), MinIPSignin = min(CountIPSignin), DistinctCountries = dcount(Country), make_set(Country) by UserPrincipalName\\n | extend UserIPDelta = toreal(MaxIPSignin - MinIPSignin) / toreal(MaxIPSignin) * 100;\\n // Collect Team operations the user account has performed within a time range of the suspicious signins\\n OfficeActivity\\n | where TimeGenerated \u003e ago(queryfrequency)\\n | where Operation in~ (\\\"TeamsAdminAction\\\", \\\"MemberAdded\\\", \\\"MemberRemoved\\\", \\\"MemberRoleChanged\\\", \\\"AppInstalled\\\", \\\"BotAddedToTeam\\\")\\n | project OperationTimeGenerated = TimeGenerated, UserId = tolower(UserId), Operation\\n | join kind = inner(\\n userIpDelta\\n // Check users with activity from distinct countries\\n | where DistinctCountries \u003e= minimumCountries\\n // Check users with high IP delta\\n | where UserIPDelta \u003e= deltaThreshold\\n // Add information about signins and countries\\n | join kind = leftouter userIpSignin on UserPrincipalName\\n | join kind = leftouter countryPrevalence on Country\\n // Check activity that comes from nonprevalent countries\\n | where CountryPrevalence \u003c countryPrevalenceThreshold\\n | project\\n 
UserPrincipalName,\\n SuspiciousIP = IPAddress,\\n UserIPDelta,\\n SuspiciousSigninCountry = Country,\\n SuspiciousCountryPrevalence = CountryPrevalence,\\n EventTimes = ListSigninTimeGenerated\\n ) on $left.UserId == $right.UserPrincipalName\\n // Check the signins occured 60 min before the Teams operations\\n | mv-expand SigninTimeGenerated = EventTimes\\n | extend SigninTimeGenerated = todatetime(SigninTimeGenerated)\\n | where OperationTimeGenerated between (SigninTimeGenerated .. (SigninTimeGenerated + projectedEndTime))\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\\n| summarize arg_max(SigninTimeGenerated, *) by UserPrincipalName, SuspiciousIP, OperationTimeGenerated\\n| summarize\\n ActivitySummary = make_bag(pack(tostring(SigninTimeGenerated), pack(\\\"Operation\\\", tostring(Operation), \\\"OperationTime\\\", OperationTimeGenerated)))\\n by UserPrincipalName, SuspiciousIP, SuspiciousSigninCountry, SuspiciousCountryPrevalence\\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\",\"Persistence\"],\"displayName\":\"Anomalous login followed by Teams action\",\"description\":\"Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\\nQuery calculates IP usage Delta for each user account and selects accounts where a delta \u003e= 90% is observed between the most and least used IP.\\nTo further reduce results the query performs a prevalence check on the lowest used IP\u0027s country, only keeping IP\u0027s where the country is unusual for the tenant (dynamic ranges)\\nFinally the user 
accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.\",\"lastUpdatedDateUTC\":\"2022-03-21T00:00:00Z\",\"createdDateUTC\":\"2020-06-30T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"name\":\"fa118b98-de46-4e94-87f9-8e6d5060b60b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"MLBehaviorAnalytics\",\"properties\":{\"severity\":\"Medium\",\"tactics\":[\"InitialAccess\"],\"displayName\":\"(Preview) Anomalous SSH Login Detection\",\"description\":\"This detection uses machine learning (ML) to identify anomalous Secure Shell (SSH) login activity, based on syslog data. Scenarios include:\\n\\n*\\tUnusual IP - This IP address has not or has rarely been seen in last 30 days.\\n*\\tUnusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.\\n*\\tNew user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.\\n\\nAllow 7 days after this alert is enabled for Microsoft Sentinel to build a profile of normal activity for your environment.\\n\\nThis detection requires a specific configuration of the data source. 
[Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog#configure-the-syslog-connector-for-anomalous-ssh-login-detection)\\n\\nBy enabling this rule, you give Microsoft permission to copy ingested data outside of your Microsoft Sentinel workspace\u0027s geography as necessary for processing by the machine learning engine.\",\"lastUpdatedDateUTC\":\"2021-03-26T00:00:00Z\",\"createdDateUTC\":\"2019-08-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Syslog\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c094384d-7ea7-4091-83be-18706ecca981\",\"name\":\"c094384d-7ea7-4091-83be-18706ecca981\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Low\",\"query\":\"let minersDomains=dynamic([\\\"monerohash.com\\\", \\\"do-dear.com\\\", \\\"xmrminerpro.com\\\", \\\"secumine.net\\\", \\\"xmrpool.com\\\", \\\"minexmr.org\\\", \\\"hashanywhere.com\\\", \\n\\\"xmrget.com\\\", \\\"mininglottery.eu\\\", \\\"minergate.com\\\", \\\"moriaxmr.com\\\", \\\"multipooler.com\\\", \\\"moneropools.com\\\", \\\"xmrpool.eu\\\", \\\"coolmining.club\\\", \\n\\\"supportxmr.com\\\", \\\"minexmr.com\\\", \\\"hashvault.pro\\\", \\\"xmrpool.net\\\", \\\"crypto-pool.fr\\\", \\\"xmr.pt\\\", \\\"miner.rocks\\\", \\\"walpool.com\\\", \\\"herominers.com\\\", \\n\\\"gntl.co.uk\\\", \\\"semipool.com\\\", \\\"coinfoundry.org\\\", \\\"cryptoknight.cc\\\", \\\"fairhash.org\\\", \\\"baikalmine.com\\\", \\\"tubepool.xyz\\\", \\\"fairpool.xyz\\\", \\\"asiapool.io\\\", \\n\\\"coinpoolit.webhop.me\\\", \\\"nanopool.org\\\", 
\\\"moneropool.com\\\", \\\"miner.center\\\", \\\"prohash.net\\\", \\\"poolto.be\\\", \\\"cryptoescrow.eu\\\", \\\"monerominers.net\\\", \\\"cryptonotepool.org\\\", \\n\\\"extrmepool.org\\\", \\\"webcoin.me\\\", \\\"kippo.eu\\\", \\\"hashinvest.ws\\\", \\\"monero.farm\\\", \\\"supportxmr.com\\\", \\\"xmrpool.eu\\\", \\\"linux-repository-updates.com\\\", \\\"1gh.com\\\", \\n\\\"dwarfpool.com\\\", \\\"hash-to-coins.com\\\", \\\"hashvault.pro\\\", \\\"pool-proxy.com\\\", \\\"hashfor.cash\\\", \\\"fairpool.cloud\\\", \\\"litecoinpool.org\\\", \\\"mineshaft.ml\\\", \\\"abcxyz.stream\\\", \\n\\\"moneropool.ru\\\", \\\"cryptonotepool.org.uk\\\", \\\"extremepool.org\\\", \\\"extremehash.com\\\", \\\"hashinvest.net\\\", \\\"unipool.pro\\\", \\\"crypto-pools.org\\\", \\\"monero.net\\\", \\n\\\"backup-pool.com\\\", \\\"mooo.com\\\", \\\"freeyy.me\\\", \\\"cryptonight.net\\\", \\\"shscrypto.net\\\"]);\\n_Im_Dns(domain_has_any=minersDomains)\\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"DNS events related to mining pools (ASIM DNS Schema)\",\"description\":\"Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS 
schema\",\"lastUpdatedDateUTC\":\"2022-04-10T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"name\":\"99d589fa-7337-40d7-91a0-c96d0c4fa437\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P7D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let core_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where ResultType == 0\\n | extend domain = tolower(split(UserPrincipalName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n let alternative_domains = (SigninLogs\\n | where TimeGenerated \u003e ago(7d)\\n | where isnotempty(AlternateSignInName)\\n | where ResultType == 0\\n | extend domain = tolower(split(AlternateSignInName, \\\"@\\\")[1])\\n | summarize by tostring(domain));\\n AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add User\\\"\\n | extend AddingUser = 
tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | extend AddingSPN = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)\\n | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingSPN)\\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\\n | extend Domain = tolower(split(UserAdded, \\\"@\\\")[1])\\n | where Domain !in (core_domains) and Domain !in (alternative_domains)\\n | project-away AddingUser\\n | project-reorder TimeGenerated, UserAdded, Domain, AddedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AddedBy\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"UserAdded\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account created from non-approved sources\",\"description\":\"This query looks for account being created from a domain that is not regularly seen in a tenant.\\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\\n Created accounts should be investigated to ensure they were legitimated created.\\n Ref: 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\",\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"name\":\"15ae38a2-2e29-48f7-883f-863fb25a5a06\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P8D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 8d;\\nlet endtime = 1d;\\nlet threshold = 10;\\nDnsEvents \\n| where TimeGenerated \u003e ago(endtime)\\n| where Name contains \\\"in-addr.arpa\\\" \\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\\n| where dcount_Name \u003e threshold\\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \\n| join kind=leftanti (DnsEvents \\n | where TimeGenerated between(ago(starttime)..ago(endtime))\\n | where Name contains \\\"in-addr.arpa\\\" \\n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\\n | where dcount_Name \u003e threshold\\n | project ClientIP , dcount_Name \\n) on ClientIP\\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Discovery\"],\"displayName\":\"Rare client observed with high reverse DNS lookup count\",\"description\":\"Identifies clients with a high reverse DNS 
counts which could be carrying out reconnaissance or discovery activity.\\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2019-02-07T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"name\":\"a7427ed7-04b4-4e3b-b323-08b981b9b4bf\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.0\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\n let ioc_lookBack = 14d;\\n ThreatIntelligenceIndicator\\n | where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n | where Active == true\\n | where isnotempty(FileHashValue)\\n | extend FileHashValue = toupper(FileHashValue)\\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n | join kind=innerunique ( union isfuzzy=true \\n (SecurityEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where isnotempty(FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(FileHash)\\n ),\\n (WindowsEvent | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where EventID in (\\\"8003\\\",\\\"8002\\\",\\\"8005\\\")\\n | where 
isnotempty(EventData.FileHash)\\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID, FileHash = toupper(EventData.FileHash)\\n )\\n )\\n on $left.FileHashValue == $right.FileHash\\n | where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n | summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\\n | project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\n Process, FileHash, Computer, Account, Event, FileHashValue, FileHashType\\n | extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]},{\"entityType\":\"FileHash\",\"fieldMappings\":[{\"identifier\":\"Value\",\"columnName\":\"FileHashValue\"},{\"identifier\":\"Algorithm\",\"columnName\":\"FileHashType\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map File Hash to Security Event\",\"description\":\"Identifies a match in Security Event data from any File Hash IOC from 
TI\",\"lastUpdatedDateUTC\":\"2022-07-07T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]},{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"name\":\"1bf6e165-5e32-420e-ab4f-0da8558a8be2\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"// How far back to look for events from\\nlet timeframe = 1d;\\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\\nlet time_window = 5m;\\n// Edit this to include build processes used\\nlet build_processes = dynamic([\\\"MSBuild.exe\\\", \\\"dotnet.exe\\\", \\\"VBCSCompiler.exe\\\"]);\\n// Include any processes that you want to allow to edit files during/around the build process\\nlet allow_list = dynamic([]);\\nDeviceProcessEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n// Look for build process starts\\n| where FileName has_any (build_processes)\\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), 
BuildProcessTime=TimeGenerated\\n| join kind=inner(\\nDeviceFileEvents\\n| where TimeGenerated \u003e ago(timeframe)\\n| where InitiatingProcessFileName !in (allow_list)\\n| where ActionType == \\\"FileCreated\\\" or ActionType == \\\"FileModified\\\"\\n// Look for code files, edit this to include file extensions used in build.\\n| where FileName endswith \\\".cs\\\" or FileName endswith \\\".cpp\\\"\\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\\n// join where build processes and file modifications seen at same time on same host\\non timekey, DeviceName\\n// Limit to only where the file edit happens after the build process starts\\n| where BuildProcessTime \u003c= FileEditTime\\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\\n| extend HostCustomEntity=DeviceName, timestamp=timekey\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Potential Build Process Compromise - MDE\",\"description\":\"The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. 
This query uses Microsoft Defender for Endpoint telemetry.\\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2021-02-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceProcessEvents\",\"DeviceFileEvents\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/957cb240-f45d-4491-9ba5-93430a3c08be\",\"name\":\"957cb240-f45d-4491-9ba5-93430a3c08be\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.3\",\"severity\":\"Low\",\"query\":\"OfficeActivity\\n| where Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Add-MailboxFolderPermission\\\", \\\"Set-Mailbox\\\", \\\"New-ManagementRoleAssignment\\\", \\\"New-InboxRule\\\", \\\"Set-InboxRule\\\", \\\"Set-TransportRule\\\")\\nand not(UserId has_any (\u0027NT AUTHORITY\\\\\\\\SYSTEM (Microsoft.Exchange.ServiceHost)\u0027, \u0027NT AUTHORITY\\\\\\\\SYSTEM (w3wp)\u0027, \u0027devilfish-applicationaccount\u0027) and Operation in~ ( \\\"Add-MailboxPermission\\\", \\\"Set-Mailbox\\\"))\\n| extend ClientIPOnly = tostring(extract_all(@\u0027\\\\[?(::ffff:)?(?P\u003cIPAddress\u003e(\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+)|[^\\\\]]+)\\\\]?\u0027, dynamic([\\\"IPAddress\\\"]), ClientIP)[0][0])\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = 
ClientIPOnly\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Collection\"],\"displayName\":\"Rare and potentially high-risk Office operations\",\"description\":\"Identifies Office operations that are typically rare and can provide capabilities useful to attackers.\",\"lastUpdatedDateUTC\":\"2022-05-24T00:00:00Z\",\"createdDateUTC\":\"2019-02-13T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2fc5d810-c9cc-491a-b564-841427ae0e50\",\"name\":\"2fc5d810-c9cc-491a-b564-841427ae0e50\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.3.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nlet emailregex = @\u0027^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\\\.[a-zA-Z0-9-.]+$\u0027;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n//Filtering the table for Email related IOCs\\n| where isnotempty(EmailSenderAddress)\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique ( \\n(union isfuzzy=true\\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(dt_lookBack) and isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(dt_lookBack) \\n| extend TargetUserName = tostring(EventData.TargetUserName) \\n| where isnotempty(TargetUserName)\\n//Normalizing the column to lower case for exact match with EmailSenderAddress column\\n| extend TargetUserName = tolower(TargetUserName)\\n// renaming timestamp column so it is clear the log this came from SecurityEvent table\\n| extend SecurityEvent_TimeGenerated = TimeGenerated\\n))\\n)\\non $left.EmailSenderAddress == $right.TargetUserName\\n| where SecurityEvent_TimeGenerated \u003c ExpirationDateTime\\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\\nLogonTypeName, LogonProcessName, Status, SubStatus\\n| extend\\ntimestamp = SecurityEvent_TimeGenerated,\\nAccountCustomEntity = TargetUserName,\\nIPCustomEntity = IpAddress,\\nHostCustomEntity = Computer,\\nURLCustomEntity = 
Url\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"TI map Email entity to SecurityEvent\",\"description\":\"Identifies a match in SecurityEvent table from any Email IOC from TI\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-08-27T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"name\":\"01f64465-b1ef-41ea-a7f5-31553a11ad43\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let endpointData = \\n(union isfuzzy=true\\n(SecurityEvent\\n | where EventID == 4688\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n ),\\n 
(WindowsEvent\\n | where EventID == 4688\\n | extend NewProcessName = tostring(EventData.NewProcessName)\\n | extend shortFileName = tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n | extend TargetUserName = tostring(EventData.TargetUserName)\\n ));\\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\\nCommonSecurityLog\\n| where DeviceVendor =~ \\\"Trend Micro\\\"\\n| where Activity =~ \\\"Deny List updated\\\" \\n| where RequestURL endswith \\\".exe\\\"\\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\\n| extend suspectExeName = tolower(tostring(split(RequestURL, \u0027/\u0027)[-1]))\\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"Network endpoint to host executable correlation\",\"description\":\"Correlates blocked URLs hosting [malicious] executables with host endpoint data\\nto identify potential instances of executables of the same name having been recently 
run.\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2019-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"TrendMicro\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/5efb0cfd-063d-417a-803b-562eae5b0301\",\"name\":\"5efb0cfd-063d-417a-803b-562eae5b0301\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 6h;\\n// Ignore Build/Releases with less/equal this number\\nlet ServiceConnectionThreshold = 3;\\n// New Connections need to exhibit execution of more \\\"new\\\" connections than this number.\\nlet NewConnectionThreshold = 1;\\n// List of Builds/Releases to ignore in your space\\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\\n[\\n//\\\"103\\\", \\\"Release\\\", \\\"ProjectA\\\",\\n//\\\"42\\\", \\\"Release\\\", \\\"ProjectB\\\",\\n//\\\"122\\\", \\\"Build\\\", \\\"ProjectB\\\"\\n];\\nlet HistoricDefs = AzureDevOpsAuditing\\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \\n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\\nAzureDevOpsAuditing\\n| where TimeGenerated \u003e= ago(endtime)\\n| where OperationName == \\\"Library.ServiceConnectionExecuted\\\" \\n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\\n| parse ScopeDisplayName with OrganizationName \u0027 (Organization)\u0027\\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \\n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\\n| where CurrentCount \u003e ServiceConnectionThreshold\\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\\n| extend link = iff(\\nType == \\\"Build\\\", strcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_build?definitionId=\u0027, DefId),\\nstrcat(\u0027https://dev.azure.com/\u0027, OrganizationName, \u0027/\u0027, ProjectName, \u0027/_release?_a=releases\u0026view=mine\u0026definitionId=\u0027, DefId))\\n| where CurrentCount \u003e= HistoricCount + NewConnectionThreshold\\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \\n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\\n| extend timestamp = 
StartTime, AccountCustomEntity = ActorUPN\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Persistence\",\"Impact\"],\"displayName\":\"Azure DevOps Service Connection Addition/Abuse - Historic allow list\",\"description\":\"This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \\nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.\",\"lastUpdatedDateUTC\":\"2021-10-20T00:00:00Z\",\"createdDateUTC\":\"2020-06-04T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"name\":\"3bd33158-3f0b-47e3-a50f-7c20a1b88038\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"High\",\"query\":\"let SpringShell_threats = dynamic([\\\"Trojan:Python/SpringShellExpl\\\", \\\"Exploit:Python/SpringShell\\\", \\\"Backdoor:PHP/Remoteshell.V\\\", \\\"SpringShell\\\"]);\\nDeviceInfo\\n| extend DeviceName = tolower(DeviceName)\\n| join kind=inner ( SecurityAlert\\n| where ProviderName == \\\"MDATP\\\"\\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n| where ThreatName in~ 
(SpringShell_threats) or ThreatFamilyName in~ (SpringShell_threats)\\n| extend CompromisedEntity = tolower(CompromisedEntity)\\n) on $left.DeviceName == $right.CompromisedEntity\\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"PublicIP\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"AV detections related to SpringShell Vulnerability\",\"description\":\"This query looks for Microsoft Defender AV detections related to SpringShell Vulnerability. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, \\n this query joins the DeviceInfo table to clearly connect other information such as Device group, ip, logged on users etc. 
This would allow the Microsoft Sentinel analyst to have more context related to the alert, if available.\\n Reference: https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/\",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-04-05T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"name\":\"b4ceb583-4c44-4555-8ecf-39f572e827ba\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"let starttime = 14d;\\nlet endtime = 1d;\\nlet timeframe = 1h;\\nlet scorethreshold = 1.5;\\nlet percentthreshold = 50;\\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\\nlet TimeSeriesData =\\nOfficeActivity\\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\\n| where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n| project TimeGenerated, Operation, MailboxOwnerUPN\\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\\nlet TimeSeriesAlerts = TimeSeriesData\\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, \u0027linefit\u0027)\\n| mv-expand Total to 
typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\\n| where anomalies \u003e 0\\n| project TimeGenerated, Total, baseline, anomalies, score;\\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\\nTimeSeriesAlerts | where TimeGenerated \u003e ago(2d)\\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\\n| join (\\n OfficeActivity\\n | where TimeGenerated \u003e ago(2d)\\n | extend DateHour = bin(TimeGenerated, 1h)\\n | where OfficeWorkload=~ \\\"Exchange\\\" and Operation =~ \\\"MailItemsAccessed\\\" and ResultStatus =~ \\\"Succeeded\\\"\\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \\n | where HourlyCount \u003e 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\\n | order by HourlyCount desc \\n) on TimeGenerated\\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \\n| where PercentofTotal \u003e percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\\n| order by PercentofTotal desc \\n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\\n| extend timestamp = TimeGenerated, AccountCustomEntity = 
UserId\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]}],\"tactics\":[\"Collection\"],\"displayName\":\"Exchange workflow MailItemsAccessed operation anomaly\",\"description\":\"Identifies anomalous increases in Exchange mail items accessed operations.\\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-12-10T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"Office365\",\"dataTypes\":[\"OfficeActivity\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"name\":\"00cb180c-08a8-4e55-a276-63fb1442d5b5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let cmdTokens0 = dynamic([\u0027vbscript\u0027,\u0027jscript\u0027]);\\nlet cmdTokens1 = dynamic([\u0027mshtml\u0027,\u0027RunHTMLApplication\u0027]);\\nlet cmdTokens2 = dynamic([\u0027Execute\u0027,\u0027CreateObject\u0027,\u0027RegRead\u0027,\u0027window.close\u0027]);\\n(union isfuzzy=true \\n(SecurityEvent\\n| where 
TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\\n),\\n(WindowsEvent\\n| where TimeGenerated \u003e= ago(14d)\\n| where EventID == 4688 and EventData has_all(cmdTokens2) and EventData has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(EventData has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n| extend CommandLine = tostring(EventData.CommandLine)\\n| where CommandLine has @\u0027\\\\Microsoft\\\\Windows\\\\CurrentVersion\u0027\\n| where not(CommandLine has_any (@\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\u0027, @\u0027\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\u0027))\\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\\n//| where CommandLine has_any (cmdTokens0)\\n//| where CommandLine has_all (cmdTokens1)\\n| where CommandLine has_all (cmdTokens2)\\n| extend Account = strcat(EventData.SubjectDomainName,\\\"\\\\\\\\\\\", EventData.SubjectUserName)\\n| extend NewProcessName = 
tostring(EventData.NewProcessName)\\n| extend Process=tostring(split(NewProcessName, \u0027\\\\\\\\\u0027)[-1])\\n| extend ParentProcessName = tostring(EventData.ParentProcessName) \\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account))\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]}],\"tactics\":[\"Execution\"],\"displayName\":\"NOBELIUM - Script payload stored in Registry\",\"description\":\"This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\",\"lastUpdatedDateUTC\":\"2022-03-10T00:00:00Z\",\"createdDateUTC\":\"2021-03-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvents\"]},{\"connectorId\":\"WindowsForwardedEvents\",\"dataTypes\":[\"WindowsEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"name\":\"3cc5ccd8-b416-4141-bb2d-4eba370e37a5\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"Grea
terThan\",\"triggerThreshold\":0,\"version\":\"1.1.2\",\"severity\":\"Medium\",\"query\":\"let OMIVulnerabilityPatchVersion = \\\"OMIVulnerabilityPatchVersion:1.13.40-0\\\";\\nHeartbeat\\n| where Category == \\\"Direct Agent\\\"\\n| summarize arg_max(TimeGenerated,*) by Computer\\n| parse strcat(\\\"Version:\\\" , Version) with * \\\"Version:\\\" Major:long \\\".\\\"\\nMinor:long \\\".\\\" Patch:long \\\"-\\\" *\\n| parse OMIVulnerabilityPatchVersion with * \\\"OMIVulnerabilityPatchVersion:\\\"\\nOMIVersionMajor:long \\\".\\\" OMIVersionMinor:long \\\".\\\" OMIVersionPatch:long \\\"-\\\" *\\n| where Major \u003cOMIVersionMajor or (Major==OMIVersionMajor and Minor\\n\u003cOMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\\nPatch\u003cOMIVersionPatch) \\n| project Version, Major,Minor,Patch,\\nComputer,ComputerIP,OSType,OSName,ResourceId\",\"customDetails\":{\"HostIp\":\"ComputerIP\",\"OSType\":\"OSType\",\"OSName\":\"OSName\"},\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"HostName\",\"columnName\":\"Computer\"}]},{\"entityType\":\"AzureResource\",\"fieldMappings\":[{\"identifier\":\"ResourceId\",\"columnName\":\"ResourceId\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"OMI Vulnerability Exploitation\",\"description\":\"Following the September 14th, 2021 release of three Elevation of Privilege\\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\\nthe Open Management Infrastructure (OMI) Framework.\\nThis detection validates that any OMS-agent that is reporting to the Microsoft\\nSentinel workspace is updated with the patch. 
The detection will go over the\\nheartbeats received from all agents over the last day and will create alert\\nfor those agents who are not updated.\",\"lastUpdatedDateUTC\":\"2022-06-22T00:00:00Z\",\"createdDateUTC\":\"2021-09-23T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"name\":\"c1c66f0b-5531-4a3e-a619-9d2f770ef730\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Medium\",\"query\":\"AuditLogs\\n | where TimeGenerated between(ago(14d)..ago(1d))\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | join kind = rightanti (AuditLogs\\n | where TimeGenerated \u003e ago(1d)\\n | where OperationName =~ \\\"Add member to role completed (PIM activation)\\\"\\n | where Result =~ \\\"success\\\"\\n | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)\\n | extend displayName = tostring(TargetResources[0].displayName)\\n | extend displayName2 = tostring(TargetResources[3].displayName)\\n | extend ElevatedRole = iif(displayName =~ \\\"Member\\\", displayName2, displayName)\\n | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser\\n | project-reorder 
ElevatedUser, ElevatedRole, ResultReason,ElevatedBy\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedUser\"}]},{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"ElevatedBy\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Account Elevated to New Role\",\"description\":\"Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.\\n Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.\\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\",\"lastUpdatedDateUTC\":\"2022-07-08T00:00:00Z\",\"createdDateUTC\":\"2022-07-08T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AuditLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"name\":\"d0c82b7f-40b2-4180-a4d6-7aa0541b7599\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"PT1H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"High\",\"query\":\"let threshold = 3;\\nPulseConnectSecure\\n| where Messages contains \\\"Unauthenticated request url /dana-na/\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Source_IP\\n| where count_ \u003e threshold\\n| extend timestamp = StartTime, IPCustomEntity = 
Source_IP\",\"entityMappings\":[{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"InitialAccess\"],\"displayName\":\"PulseConnectSecure - CVE-2021-22893 Possible Pulse Connect Secure RCE Vulnerability Attack\",\"description\":\"This query identifies exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) to the VPN server\",\"lastUpdatedDateUTC\":\"2022-05-11T00:00:00Z\",\"createdDateUTC\":\"2022-05-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"PulseConnectSecure\",\"dataTypes\":[\"Syslog\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"name\":\"bf0cde21-0c41-48f6-a40c-6b5bd71fa106\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT5H\",\"queryPeriod\":\"PT5H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.2\",\"severity\":\"Medium\",\"query\":\"AWSGuardDuty | extend tokens = split(ActivityType,\\\":\\\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\\\"/\\\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\\\"High\\\",iff(Severity between (4.0..6.9), \\\"Medium\\\", iff(Severity between 
(1.0..3.9),\\\"Low\\\",\\\"Unknown\\\")))\",\"customDetails\":{\"ThreatPurpose\":\"ThreatPurpose\",\"ResourceTypeAffected\":\"ResourceTypeAffected\",\"UniqueFindingId\":\"UniqueFindingId\"},\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"Name\",\"columnName\":\"Arn\"},{\"identifier\":\"ObjectGuid\",\"columnName\":\"AWSAcoundId\"}]}],\"alertDetailsOverride\":{\"alertDisplayNameFormat\":\"{{Title}}\",\"alertDescriptionFormat\":\"{{Description}}\",\"alertTacticsColumnName\":\"ThreatPurpose\",\"alertSeverityColumnName\":\"Severity\"},\"displayName\":\"AWS Guard Duty Alert\",\"description\":\"Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.\",\"lastUpdatedDateUTC\":\"2022-02-08T00:00:00Z\",\"createdDateUTC\":\"2021-11-16T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AWSS3\",\"dataTypes\":[\"AWSGuardDuty\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"name\":\"b6685757-3ed1-4b05-a5bd-2cacadc86c2a\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"High\",\"query\":\"let UA_threats = dynamic([\\\"FoxBlade\\\", \\\"WhisperGate\\\", \\\"Lasainraw\\\", \\\"SonicVote\\\"]);\\n SecurityAlert\\n | where ProviderName == \\\"MDATP\\\"\\n | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\\n | where ThreatFamilyName in 
(UA_threats)\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"CompromisedEntity\"}]}],\"tactics\":[\"Impact\"],\"displayName\":\"AV detections related to Ukraine threats\",\"description\":\"This query looks for Microsoft Defender AV detections for malware observed in relation to the war in Ukraine.\\n Ref: https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ \",\"lastUpdatedDateUTC\":\"2022-07-06T00:00:00Z\",\"createdDateUTC\":\"2022-03-01T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"SecurityAlert\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cf3ede88-a429-493b-9108-3e46d3c741f7\",\"name\":\"cf3ede88-a429-493b-9108-3e46d3c741f7\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"let timeRange = 6h;\\nlet authenticationWindow = 1h;\\nlet authenticationThreshold = 5;\\nSecurityEvent\\n| where TimeGenerated \u003e ago(timeRange)\\n| where EventID == 4624 or EventID == 4625\\n| where IpAddress != \\\"-\\\" and isnotempty(Account)\\n| extend Outcome = iff(EventID == 4624, \\\"Success\\\", \\\"Failure\\\")\\n// bin outcomes into 5 minute windows to reduce the volume of data\\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\\n// sort ready for sessionizing - by account and time of the authentication outcome\\n| sort by Account asc, 
TimeGenerated asc\\n| serialize \\n// sessionize into failure groupings until either the account changes or there is a success\\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \\\"Success\\\")\\n// count the failures in each session\\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \\\"Failure\\\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\\n// the session must not start with a success, and must end with one\\n| where array_index_of(list_Outcome, \\\"Success\\\") != 0\\n| where array_index_of(list_Outcome, \\\"Success\\\") == array_length(list_Outcome) - 1\\n| project-away SessionStartedUtc, list_Outcome \\n// where the number of failures before the success is above the threshold \\n| where FailureCountBeforeSuccess \u003e= authenticationThreshold\\n// expand out ip and computer for customer entity assignment\\n| mvexpand set_IpAddress, set_Computer\\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"SecurityEvent - Multiple authentication failures followed by a success\",\"description\":\"Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\\npossible mis-configuration of a service account within an environment.\\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\\nof 5 failures followed by a success for an account within 1 hour to surface an alert.\",\"lastUpdatedDateUTC\":\"2021-10-19T00:00:00Z\",\"createdDateUTC\":\"2020-04-03T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"SecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]},{\"connectorId\":\"WindowsSecurityEvents\",\"dataTypes\":[\"SecurityEvent\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"name\":\"cecdbd4c-4902-403c-8d4b-32eb1efe460b\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT6H\",\"queryPeriod\":\"PT6H\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.4.1\",\"severity\":\"High\",\"query\":\"let domains = dynamic([\\\"incomeupdate.com\\\",\\\"zupertech.com\\\",\\\"databasegalore.com\\\",\\\"panhardware.com\\\",\\\"avsvmcloud.com\\\",\\\"digitalcollege.org\\\",\\\"freescanonline.com\\\",\\\"deftsecurity.com\\\",\\\"thedoccloud.com\\\",\\\"virtualdataserver.com\\\",\\\"lcomputers.com\\\",\\\"webcodez.com\\\",\\\"globalnetworkissues.com\\\",\\\"kubecloud.com\\\",\\\"seobundlekit.com\\\",\\\"solartrackingsystem.net\\\",\\\"virtualwebdata.com\\\"]);\\n(union isfuzzy=true\\n(CommonSecurityLog \\n | parse Message with * \u0027(\u0027 DNSName \u0027)\u0027 * \\n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\\n | extend AccountCustomEntity = 
SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\\n ),\\n(_Im_Dns (domain_has_any=domains)\\n | extend DNSName = DnsQuery\\n | extend IPCustomEntity = SrcIpAddr\\n ),\\n(VMConnection \\n | parse RemoteDnsCanonicalNames with * \u0027[\\\"\u0027 DNSName \u0027\\\"]\u0027 *\\n | where isnotempty(DNSName)\\n | where DNSName in~ (domains)\\n | extend IPCustomEntity = RemoteIp\\n ),\\n(DeviceNetworkEvents \\n | where isnotempty(RemoteUrl) \\n | where RemoteUrl has_any (domains) \\n | extend DNSName = RemoteUrl\\n | extend IPCustomEntity = RemoteIP \\n | extend HostCustomEntity = DeviceName \\n ),\\n(AzureDiagnostics \\n | where ResourceType == \\\"AZUREFIREWALLS\\\"\\n | where Category == \\\"AzureFirewallApplicationRule\\\"\\n | parse msg_s with Protocol \u0027request from \u0027 SourceHost \u0027:\u0027 SourcePort \u0027to \u0027 DestinationHost \u0027:\u0027 DestinationPort \u0027. Action:\u0027 Action\\n | where isnotempty(DestinationHost)\\n | where DestinationHost has_any (domains) \\n | extend DNSName = DestinationHost \\n | extend IPCustomEntity = SourceHost\\n ) \\n )\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"DNS\",\"fieldMappings\":[{\"identifier\":\"DomainName\",\"columnName\":\"DNSName\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Solorigate Network Beacon\",\"description\":\"Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \\n 
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-12-17T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"DNS\",\"dataTypes\":[\"DnsEvents\"]},{\"connectorId\":\"AzureMonitor(VMInsights)\",\"dataTypes\":[\"VMConnection\"]},{\"connectorId\":\"CiscoASA\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"PaloAltoNetworks\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"MicrosoftThreatProtection\",\"dataTypes\":[\"DeviceNetworkEvents\"]},{\"connectorId\":\"AzureFirewall\",\"dataTypes\":[\"AzureDiagnostics\"]},{\"connectorId\":\"Zscaler\",\"dataTypes\":[\"CommonSecurityLog\"]},{\"connectorId\":\"InfobloxNIOS\",\"dataTypes\":[\"Syslog\"]},{\"connectorId\":\"GCPDNSDataConnector\",\"dataTypes\":[\"GCP_DNS_CL\"]},{\"connectorId\":\"NXLogDnsLogs\",\"dataTypes\":[\"NXLog_DNS_Server_CL\"]},{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_dns_CL\"]},{\"connectorId\":\"Corelight\",\"dataTypes\":[\"Corelight_CL\"]}],\"alertRulesCreatedByTemplateCount\":1}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2790795b-7dba-483e-853f-44aa0bc9c985\",\"name\":\"2790795b-7dba-483e-853f-44aa0bc9c985\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.0\",\"severity\":\"Low\",\"query\":\"CommonSecurityLog\\n| where DeviceProduct =~ \\\"Wazuh\\\"\\n| where Activity has \\\"Web server 400 error code.\\\"\\n| where Message has \\\"403\\\"\\n| extend 
HostName=substring(split(DeviceCustomString1,\\\")\\\")[0],1)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\\n| where NumberOfErrors \u003e 400\\n| sort by NumberOfErrors desc\\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\",\"entityMappings\":[{\"entityType\":\"Host\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"HostCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"Persistence\"],\"displayName\":\"Wazuh - Large Number of Web errors from an IP\",\"description\":\"Identifies instances where Wazuh logged over 400 \u0027403\u0027 Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst\",\"lastUpdatedDateUTC\":\"2022-01-16T00:00:00Z\",\"createdDateUTC\":\"2020-04-21T00:00:00Z\",\"status\":\"Available\",\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0\",\"name\":\"78979d32-e63f-4740-b206-cfb300c735e0\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P14D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.1\",\"severity\":\"Medium\",\"query\":\"let dt_lookBack = 1h;\\nlet ioc_lookBack = 14d;\\nThreatIntelligenceIndicator\\n| where TimeGenerated \u003e= ago(ioc_lookBack) and ExpirationDateTime \u003e now()\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity 
= iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\\n| where Active == true\\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\\n| join kind=innerunique (\\n ProofpointPOD \\n | where TimeGenerated \u003e= ago(dt_lookBack)\\n | where isnotempty(SrcIpAddr)\\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\\n )\\non $left.TI_ipEntity == $right.ClientIP\\n| where ProofpointPOD_TimeGenerated \u003c ExpirationDateTime\\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\\nTI_ipEntity, ClientIP\\n| extend timestamp = ProofpointPOD_TimeGenerated\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"SrcUserUpn\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"ClientIP\"}]}],\"tactics\":[\"Exfiltration\",\"InitialAccess\"],\"displayName\":\"ProofpointPOD - Email sender IP in TI list\",\"description\":\"Email sender IP in TI 
list.\",\"lastUpdatedDateUTC\":\"2022-06-30T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"ThreatIntelligence\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ThreatIntelligenceTaxii\",\"dataTypes\":[\"ThreatIntelligenceIndicator\"]},{\"connectorId\":\"ProofpointPOD\",\"dataTypes\":[\"ProofpointPOD_maillog_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/2b328487-162d-4034-b472-59f1d53684a1\",\"name\":\"2b328487-162d-4034-b472-59f1d53684a1\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"PT15M\",\"queryPeriod\":\"PT15M\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.1.0\",\"severity\":\"Medium\",\"query\":\"let timeframe = 15m;\\nCisco_Umbrella\\n| where EventType == \\\"proxylogs\\\"\\n| where TimeGenerated \u003e ago(timeframe)\\n| where HttpUserAgentOriginal == \u0027\u0027\\n| extend Message = \\\"Empty User Agent\\\"\\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\",\"entityMappings\":[{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"UrlCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]}],\"tactics\":[\"CommandAndControl\"],\"displayName\":\"Cisco Umbrella - Empty User Agent Detected\",\"description\":\"Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web 
browser.\",\"lastUpdatedDateUTC\":\"2022-01-03T00:00:00Z\",\"createdDateUTC\":\"2021-01-11T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"CiscoUmbrellaDataConnector\",\"dataTypes\":[\"Cisco_Umbrella_proxy_CL\"]}],\"alertRulesCreatedByTemplateCount\":0}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"name\":\"a22740ec-fc1e-4c91-8de6-c29c6450ad00\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Scheduled\",\"properties\":{\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"version\":\"1.0.1\",\"severity\":\"Medium\",\"query\":\"let aadFunc = (tableName:string){\\ntable(tableName)\\n| where ResultType == 500121\\n| where Status has \\\"MFA Denied; user declined the authentication\\\" or Status has \\\"MFA denied; Phone App Reported Fraud\\\"\\n| extend Type = Type\\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\\n};\\nlet aadSignin = aadFunc(\\\"SigninLogs\\\");\\nlet aadNonInt = aadFunc(\\\"AADNonInteractiveUserSignInLogs\\\");\\nunion isfuzzy=true aadSignin, aadNonInt\",\"entityMappings\":[{\"entityType\":\"Account\",\"fieldMappings\":[{\"identifier\":\"FullName\",\"columnName\":\"AccountCustomEntity\"}]},{\"entityType\":\"IP\",\"fieldMappings\":[{\"identifier\":\"Address\",\"columnName\":\"IPCustomEntity\"}]},{\"entityType\":\"URL\",\"fieldMappings\":[{\"identifier\":\"Url\",\"columnName\":\"URLCustomEntity\"}]}],\"tactics\":[\"CredentialAccess\"],\"displayName\":\"Explicit MFA Deny\",\"description\":\"User explicitly denies MFA push, indicating that login was not expected and the account\u0027s password may be 
compromised.\",\"lastUpdatedDateUTC\":\"2022-04-04T00:00:00Z\",\"createdDateUTC\":\"2020-10-14T00:00:00Z\",\"status\":\"Available\",\"requiredDataConnectors\":[{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"SigninLogs\"]},{\"connectorId\":\"AzureActiveDirectory\",\"dataTypes\":[\"AADNonInteractiveUserSignInLogs\"]}],\"alertRulesCreatedByTemplateCount\":0}}]}", "isContentBase64": false } }, - "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAlertRuleTemplate+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "171" ], - "x-ms-client-request-id": [ "7292037b-c81e-4636-b914-ae3bfa13f78f" ], + "x-ms-unique-id": [ 
"169" ], + "x-ms-client-request-id": [ "20109495-8ebf-42a5-ad49-66ec6d5ba426" ], "CommandName": [ "Get-AzSentinelAlertRuleTemplate" ], "FullCommandName": [ "Get-AzSentinelAlertRuleTemplate_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11988" ], - "x-ms-request-id": [ "3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], - "x-ms-correlation-request-id": [ "3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183115Z:3c561ab7-c065-4b7f-a4f1-4a3b07cc84dc" ], + "x-ms-request-id": [ "55d09391-80ea-4771-ac13-33afa8f5f9aa" ], + "x-ms-correlation-request-id": [ "55d09391-80ea-4771-ac13-33afa8f5f9aa" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160657Z:55d09391-80ea-4771-ac13-33afa8f5f9aa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:15 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:57 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2408" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. 
On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. 
Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AlertRuleTemplates/f71aba3d-28fb-450b-b192-4e76a83015c8\",\"name\":\"f71aba3d-28fb-450b-b192-4e76a83015c8\",\"type\":\"Microsoft.SecurityInsights/AlertRuleTemplates\",\"kind\":\"Fusion\",\"properties\":{\"severity\":\"High\",\"tactics\":[\"Collection\",\"CommandAndControl\",\"CredentialAccess\",\"DefenseEvasion\",\"Discovery\",\"Execution\",\"Exfiltration\",\"Impact\",\"InitialAccess\",\"LateralMovement\",\"Persistence\",\"PrivilegeEscalation\"],\"displayName\":\"Advanced Multistage Attack Detection\",\"description\":\"Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\\n\\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. 
This rule covers the following detections:\\n- Fusion for emerging threats\\n- Fusion for ransomware\\n- Scenario-based Fusion detections (122 scenarios)\\n\\nTo enable these detections, we recommend you configure the following data connectors for best results:\\n- Out-of-the-box anomaly detections\\n- Azure Active Directory Identity Protection\\n- Azure Defender\\n- Azure Defender for IoT\\n- Microsoft 365 Defender\\n- Microsoft Cloud App Security \\n- Microsoft Defender for Endpoint\\n- Microsoft Defender for Identity\\n- Microsoft Defender for Office 365\\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\\n\\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.\",\"lastUpdatedDateUTC\":\"2021-06-09T00:00:00Z\",\"createdDateUTC\":\"2019-07-25T00:00:00Z\",\"status\":\"Installed\",\"alertRulesCreatedByTemplateCount\":1}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json index 43ff3e74f9dd..377d2e1c52ab 100644 --- a/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelAutomationRule.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "172" ], - "x-ms-client-request-id": [ "a82481c7-3284-48c3-81c3-78e40efd704b" ], + "x-ms-unique-id": [ "170" ], + "x-ms-client-request-id": [ "dc3ac4b0-f074-4faa-9d8e-bca5902409b5" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "af94b9af-c24c-4bed-87a3-008616e11d79" ], - "x-ms-correlation-request-id": [ "af94b9af-c24c-4bed-87a3-008616e11d79" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:af94b9af-c24c-4bed-87a3-008616e11d79" ], + "x-ms-request-id": [ "180d1e29-97ce-44fa-8a6d-b47ab9835792" ], + "x-ms-correlation-request-id": [ "180d1e29-97ce-44fa-8a6d-b47ab9835792" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:180d1e29-97ce-44fa-8a6d-b47ab9835792" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:16 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "6468" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedB
y\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/632f22f0-6b77-433b-bc93-6e56ae21a844\",\"name\":\"632f22f0-6b77-433b-bc93-6e56ae21a844\",\"etag\":\"\\\"030052b1-0000-0100-0000-62e422020000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRuletdnlpa\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:02Z\",\"createdTimeUtc\":\"2022-07-29T18:08:02Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"name\":\"c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"etag\":\"\\\"030056b1-0000-0100-0000-62e422200000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRuledlcn6a\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:32Z\",\"createdTimeUtc\":\"2022-07-29T18:08:32Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"030058b1-0000-0100-0000-62e422460000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:10Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/21451d32-deaf-4698-9f46-8fc02bc5e632\",\"name\":\"21451d32-deaf-4698-9f46-8fc02bc5e632\",\"etag\":\"\\\"03005fb1-0000-0100-0000-62e422690000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRules3o6wd\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:45Z\",\"createdTimeUtc\":\"2022-07-29T18:09:45Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/6e8b42ff-dab7-481f-b764-f853700cc536\",\"name\":\"6e8b42ff-dab7-481f-b764-f853700cc536\",\"etag\":\"\\\"25005be1-0000-0100-0000-62fbbbdf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveAutomationRule57nxry\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:39Z\",\"createdTimeUtc\":\"2022-08-16T15:46:39Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"name\":\"ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"etag\":\"\\\"250021e5-0000-0100-0000-62fbbbfe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule7s6m8t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:10Z\",\"createdTimeUtc\":\"2022-08-16T15:47:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"25003fe8-0000-0100-0000-62fbbc1e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:42Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/409ddeff-88f2-48de-8459-d9170cd1530b\",\"name\":\"409ddeff-88f2-48de-8459-d9170cd1530b\",\"etag\":\"\\\"25008deb-0000-0100-0000-62fbbc480000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateViaIdAutomationRulef8mk3y\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:48:24Z\",\"createdTimeUtc\":\"2022-08-16T15:48:24Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}", "isContentBase64": false } }, - "Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelAutomationRule+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "173" ], - "x-ms-client-request-id": [ "1c8e25e2-b597-49cc-bb3f-bb666affca08" ], + "x-ms-unique-id": [ "171" ], + "x-ms-client-request-id": [ "dc4b15ec-d225-4e94-92ef-fb2d0641bfc7" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "7b68d952-0c12-4bce-a4ab-d724e878add6" ], - "x-ms-correlation-request-id": [ "7b68d952-0c12-4bce-a4ab-d724e878add6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:7b68d952-0c12-4bce-a4ab-d724e878add6" ], + "x-ms-request-id": [ "e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], + "x-ms-correlation-request-id": [ "e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:e1424f45-4ab1-4a29-8723-1e391f1dc9fd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"objec
tId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+1": { + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "174" ], - "x-ms-client-request-id": [ "2c9eb621-d3fc-4173-982c-216113c027cc" ], + "x-ms-unique-id": [ "172" ], + "x-ms-client-request-id": [ "ac1cd412-7f15-4a1c-95e8-0f97acb6615d" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], - "x-ms-correlation-request-id": [ "e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183117Z:e0e5ebf6-a18a-4763-a9a9-480c37b13deb" ], + "x-ms-request-id": [ "c93d478e-c24d-4a3c-9157-e4527d2c476e" ], + "x-ms-correlation-request-id": [ "c93d478e-c24d-4a3c-9157-e4527d2c476e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160659Z:c93d478e-c24d-4a3c-9157-e4527d2c476e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"obj
ectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview+2": { + "Get-AzSentinelAutomationRule+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "175" ], - "x-ms-client-request-id": [ "f1438bec-49a4-47d6-a042-84ebe9e0e494" ], + "x-ms-unique-id": [ "173" ], + "x-ms-client-request-id": [ "543f96e3-02c1-41e3-b91f-a3c3ff380a23" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "271f5497-9234-4d3d-850a-bff63b2d00a3" ], - "x-ms-correlation-request-id": [ "271f5497-9234-4d3d-850a-bff63b2d00a3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183118Z:271f5497-9234-4d3d-850a-bff63b2d00a3" ], + "x-ms-request-id": [ "79d2c7b5-2a97-400d-9164-e541e7e02f30" ], + "x-ms-correlation-request-id": [ "79d2c7b5-2a97-400d-9164-e541e7e02f30" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160700Z:79d2c7b5-2a97-400d-9164-e541e7e02f30" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:06:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"name\":\"2f630cbc-756d-4cfc-a1e8-95ccdaf5253e\",\"etag\":\"\\\"030048b1-0000-0100-0000-62e4217f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulemisk67\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:05:51Z\",\"createdTimeUtc\":\"2022-07-29T18:05:51Z\",\"lastModifiedBy\":{\"obj
ectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"name\":\"83662309-d398-4ec5-b6e7-d70c75bb78ac\",\"etag\":\"\\\"250093dd-0000-0100-0000-62fbbbc20000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"GetAutomationRulewp8nv3\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:46:10Z\",\"createdTimeUtc\":\"2022-08-16T15:46:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json index 9a23bb6f8fab..804ce46ed545 100644 
--- a/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelBookmark.Recording.json @@ -1,13 +1,13 @@ { - "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "176" ], - "x-ms-client-request-id": [ "fa019330-1d79-4c09-9803-f02f8e9c2a23" ], + "x-ms-unique-id": [ "174" ], + "x-ms-client-request-id": [ "a5661d2e-bab0-4a03-8f01-b15406bf9c8f" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11987" ], - "x-ms-request-id": [ "68fd7679-c950-4056-a487-cffbdeb6962a" ], - "x-ms-correlation-request-id": [ "68fd7679-c950-4056-a487-cffbdeb6962a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:68fd7679-c950-4056-a487-cffbdeb6962a" ], + "x-ms-request-id": [ "123ed641-d054-405d-bf06-d674d5838eca" ], + "x-ms-correlation-request-id": [ "123ed641-d054-405d-bf06-d674d5838eca" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160700Z:123ed641-d054-405d-bf06-d674d5838eca" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:18 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:00 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "43830" ], + "Content-Length": [ "43838" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128\",\"name\":\"a8dfd8ae-256a-44fb-a72c-0fb43307c128\",\"etag\":\"\\\"01007093-0000-0100-0000-62e422a30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmarkbu2rns\",\"created\":\"2022-07-29T18:10:43.713377+00:00\",\"updated\":\"2022-07-29T18:10:43.713377+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5\",\"name\":\"1064e218-7849-4caf-993c-93373d0c6ce5\",\"etag\":\"\\\"01007193-0000-0100-0000-62e422c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkdr69tz\",\"created\":\"2022-07-29T18:11:15.4410362+00:00\",\"updated\":\"2022-07-29T18:11:15.4410362+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"01007393-0000-0100-0000-62e422e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkdytufp\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:11:48.096609+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/f73c7f57-f526-4119-9dc6-07c693c5309b\",\"name\":\"f73c7f57-f526-4119-9dc6-07c693c5309b\",\"etag\":\"\\\"01007493-0000-0100-0000-62e423030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkpulz5j\",\"created\":\"2022-07-29T18:12:19.6896524+00:00\",\"updated\":\"2022-07-29T18:12:19.6896524+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c\",\"name\":\"2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c\",\"etag\":\"\\\"01007793-0000-0100-0000-62e423240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarko9kf32\",\"created\":\"2022-07-29T18:12:52.2378424+00:00\",\"updated\":\"2022-07-29T18:12:52.2378424+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a\",\"name\":\"72c19fb6-dca6-4381-9175-229d52e8908a\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNameqen0ym\",\"created\":\"2022-07-29T18:13:22.0780891+00:00\",\"updated\":\"2022-07-29T18:13:22.0780891+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"relationName\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4\",\"name\":\"3e29d94a-e491-42d0-97d4-7a7f3e4725b4\",\"etag\":\"\\\"01008393-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamej8c2iu\",\"created\":\"2022-07-29T18:13:52.4505914+00:00\",\"updated\":\"2022-07-29T18:13:52.4505914+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"relationName\":\"edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c\",\"name\":\"a34d217c-2b9d-4b72-b7d9-5a3850f0f17c\",\"etag\":\"\\\"01008593-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNameu6v1fs\",\"created\":\"2022-07-29T18:14:24.4254193+00:00\",\"updated\":\"2022-07-29T18:14:24.4254193+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"relationName\":\"3416cbe9-ea30-4e98-aead-419270c45bf8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91\",\"name\":\"9b38dab1-2c2e-4c71-809d-95301194aa91\",\"etag\":\"\\\"01008793-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNameuxbzmh\",\"created\":\"2022-07-29T18:14:55.6456911+00:00\",\"updated\":\"2022-07-29T18:14:55.6456911+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"relationName\":\"382966e8-f4b2-444c-b4e8-514194ff8544\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec\",\"name\":\"04b58a5a-2a5e-47e2-9c22-3cd6229599ec\",\"etag\":\"\\\"01008993-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkNamelv8k2z\",\"created\":\"2022-07-29T18:15:27.205325+00:00\",\"updated\":\"2022-07-29T18:15:27.205325+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"relationName\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"name\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"etag\":\"\\\"0100b593-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkName0eyhda\",\"created\":\"2022-07-29T18:27:31.0896601+00:00\",\"updated\":\"2022-07-29T18:27:31.0896601+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"title\":\"GetincidentRelationIncidentNamentimyo\",\"relationName\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/5c0c39f4-96c8-4054-8b78-69edbf33a92f\",\"name\":\"5c0c39f4-96c8-4054-8b78-69edbf33a92f\",\"etag\":\"\\\"0100b893-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkNamem6df2w\",\"created\":\"2022-07-29T18:28:02.3972388+00:00\",\"updated\":\"2022-07-29T18:28:02.3972388+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"relationName\":\"33ce22e5-46d5-4249-9e1a-06495ad77a1a\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"name\":\"e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"etag\":\"\\\"0100c493-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkName32qtdl\",\"created\":\"2022-07-29T18:28:34.4037226+00:00\",\"updated\":\"2022-07-29T18:28:34.4037226+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"relationName\":\"fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/f2f5a5bb-f894-4441-b6c7-b7c9d95193d1\",\"name\":\"f2f5a5bb-f894-4441-b6c7-b7c9d95193d1\",\"etag\":\"\\\"0100c793-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkName0rvjph\",\"created\":\"2022-07-29T18:29:05.846489+00:00\",\"updated\":\"2022-07-29T18:29:05.846489+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"relationName\":\"986b271a-b0de-4c02-bb6a-f7df9e484025\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"name\":\"90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"etag\":\"\\\"0100c993-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkName0wac48\",\"created\":\"2022-07-29T18:29:37.1166016+00:00\",\"updated\":\"2022-07-29T18:29:37.1166016+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"relationName\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"severity\":\"Informational\"}}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure 
Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 
90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72\",\"name\":\"08b39573-4a73-4ac3-a733-8cd78a538c72\",\"etag\":\"\\\"3c00488a-0000-0100-0000-62fbbc870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Removebookmark2tw3fg\",\"created\":\"2022-08-16T15:49:27.7269514+00:00\",\"updated\":\"2022-08-16T15:49:27.7269514+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"name\":\"373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"etag\":\"\\\"3c004e8a-0000-0100-0000-62fbbca70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark1daqtg\",\"created\":\"2022-08-16T15:49:58.9862689+00:00\",\"updated\":\"2022-08-16T15:49:58.9862689+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c005b8a-0000-0100-0000-62fbbcc60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkd4t6g3\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T15:50:30.6003748+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/f568e39a-6323-41ca-ac8e-d240ea7d80f6\",\"name\":\"f568e39a-6323-41ca-ac8e-d240ea7d80f6\",\"etag\":\"\\\"3c00708a-0000-0100-0000-62fbbce50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkepkaci\",\"created\":\"2022-08-16T15:51:01.2534922+00:00\",\"updated\":\"2022-08-16T15:51:01.2534922+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/378719c3-1c49-43c4-b5c6-21b943f2139e\",\"name\":\"378719c3-1c49-43c4-b5c6-21b943f2139e\",\"etag\":\"\\\"3c009d8a-0000-0100-0000-62fbbd030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Expandbookmarkvclw27\",\"created\":\"2022-08-16T15:51:31.9243187+00:00\",\"updated\":\"2022-08-16T15:51:31.9243187+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473\",\"name\":\"a1dded2a-ff31-44d4-b554-c43992597473\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetbookmarkRelationBookmarkNamex1qm5r\",\"created\":\"2022-08-16T15:52:04.1929102+00:00\",\"updated\":\"2022-08-16T15:52:04.1929102+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"relationName\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/b3693620-4305-45cb-97f3-a6894f82288e\",\"name\":\"b3693620-4305-45cb-97f3-a6894f82288e\",\"etag\":\"\\\"3c00eb8a-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemovebookmarkRelationBookmarkNamedz07r4\",\"created\":\"2022-08-16T15:52:53.5670701+00:00\",\"updated\":\"2022-08-16T15:52:53.5670701+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"relationName\":\"ef983c5e-fe25-44b2-ad14-f37a30558d24\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9\",\"name\":\"72eeef12-d9c9-43e4-9f0c-8b117465ccb9\",\"etag\":\"\\\"3c00f68a-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkRelationBookmarkNamewn153e\",\"created\":\"2022-08-16T15:53:13.2108641+00:00\",\"updated\":\"2022-08-16T15:53:13.2108641+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"relationName\":\"c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e\",\"name\":\"a6be05a8-9ad5-44c4-89c5-a9df845dca7e\",\"etag\":\"\\\"3c00148b-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdatebookmarkRelationBookmarkNamedven41\",\"created\":\"2022-08-16T15:53:45.3603597+00:00\",\"updated\":\"2022-08-16T15:53:45.3603597+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"relationName\":\"17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7\",\"name\":\"327d3f42-a5d6-4bc8-99bc-93cf7b2942c7\",\"etag\":\"\\\"3c003a8b-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdbookmarkRelationBookmarkNameconrl0\",\"created\":\"2022-08-16T15:54:16.1711242+00:00\",\"updated\":\"2022-08-16T15:54:16.1711242+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"relationName\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"name\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"etag\":\"\\\"3c00618c-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameu4dakt\",\"created\":\"2022-08-16T16:03:18.3793809+00:00\",\"updated\":\"2022-08-16T16:03:18.3793809+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"relationName\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/47097af5-9e05-4584-9e64-99622ff06010\",\"name\":\"47097af5-9e05-4584-9e64-99622ff06010\",\"etag\":\"\\\"3c006e8c-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveincidentRelationBookmarkNamea597s0\",\"created\":\"2022-08-16T16:03:50.4826287+00:00\",\"updated\":\"2022-08-16T16:03:50.4826287+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"relationName\":\"f05d7fb2-c166-4ecb-aa6b-b97479976971\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"name\":\"8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"etag\":\"\\\"3c007c8c-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdincidentRelationBookmarkNamewtphg4\",\"created\":\"2022-08-16T16:04:22.2932502+00:00\",\"updated\":\"2022-08-16T16:04:22.2932502+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"relationName\":\"95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/16d92023-404a-4ccb-8e88-9c0522e53419\",\"name\":\"16d92023-404a-4ccb-8e88-9c0522e53419\",\"etag\":\"\\\"3c00808c-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateincidentRelationBookmarkName9ayfhe\",\"created\":\"2022-08-16T16:04:54.1199731+00:00\",\"updated\":\"2022-08-16T16:04:54.1199731+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"relationName\":\"f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"severity\":\"Informational\"}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/00406d21-02f5-485c-a859-19a592ab3f1b\",\"name\":\"00406d21-02f5-485c-a859-19a592ab3f1b\",\"etag\":\"\\\"3c00898c-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateViaIdincidentRelationBookmarkName635lxu\",\"created\":\"2022-08-16T16:05:24.7436939+00:00\",\"updated\":\"2022-08-16T16:05:24.7436939+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"queryStartTime\":\"2022-08-15T04:00:00+00:00\",\"queryEndTime\":\"2022-08-16T04:00:00+00:00\",\"incidentInfo\":{\"incidentId\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"relationName\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"severity\":\"Informational\"}}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "177" ], - "x-ms-client-request-id": [ "a044777f-5113-46ca-b173-a41f0fae1949" ], + "x-ms-unique-id": [ "175" ], + "x-ms-client-request-id": [ "15550d69-e1ae-414e-bbf9-c76c63113ec4" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11986" ], - "x-ms-request-id": [ "fed89bac-d640-4012-b30a-b8c0065bcbad" ], - "x-ms-correlation-request-id": [ "fed89bac-d640-4012-b30a-b8c0065bcbad" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:fed89bac-d640-4012-b30a-b8c0065bcbad" ], + "x-ms-request-id": [ "4e7e5b78-7d62-47aa-ae05-b1306f398784" ], + "x-ms-correlation-request-id": [ "4e7e5b78-7d62-47aa-ae05-b1306f398784" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:4e7e5b78-7d62-47aa-ae05-b1306f398784" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "178" ], - "x-ms-client-request-id": [ "7f17c942-dda4-41fd-a508-b8da604eb080" ], + "x-ms-unique-id": [ "176" ], + "x-ms-client-request-id": [ "fc9a3c26-e58e-4155-8f5c-472b52e1b331" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
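Review bot: The recorded response bodies on the new `"Content"` lines of this hunk commit an identifiable account (`createdBy`/`updatedBy` with a real-looking email, display name and objectId) together with live subscription, resource-group, workspace and tenant identifiers, so the fixture carries personal and environment-identifying data into the repository. The headers in the same hunk are already generic, but the JSON body is not, and the same fields recur in the neighbouring hunks (the one ending at L19494 and the one starting at L19505). If the recording framework's sanitizer can be applied, re-record through it; otherwise replace those values with constructed placeholders such as `"email":"user@example.com"` and an all-zero GUID for `objectId` before merge, since the tests only need the field to be present, not its real value.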
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11985" ], - "x-ms-request-id": [ "8840281d-4aac-447e-b560-b44205e245a7" ], - "x-ms-correlation-request-id": [ "8840281d-4aac-447e-b560-b44205e245a7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:8840281d-4aac-447e-b560-b44205e245a7" ], + "x-ms-request-id": [ "cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], + "x-ms-correlation-request-id": [ "cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:cf47f3cd-c9c8-4f61-8188-d74243ed15f7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmark+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "179" ], - "x-ms-client-request-id": [ "fa1debc2-995e-473d-9a24-8d943eff80cf" ], + "x-ms-unique-id": [ "177" ], + "x-ms-client-request-id": [ "e4985794-1f6c-486a-83f9-d1d5ac7892f3" ], "CommandName": [ "Get-AzSentinelbookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11984" ], - "x-ms-request-id": [ "b6a5069a-dac9-438a-8829-d574d1de3a82" ], - "x-ms-correlation-request-id": [ "b6a5069a-dac9-438a-8829-d574d1de3a82" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183119Z:b6a5069a-dac9-438a-8829-d574d1de3a82" ], + "x-ms-request-id": [ "e0aa37c3-eb91-4682-8158-950084e42e49" ], + "x-ms-correlation-request-id": [ "e0aa37c3-eb91-4682-8158-950084e42e49" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160701Z:e0aa37c3-eb91-4682-8158-950084e42e49" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "5288" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/cf23ef92-aa60-4e4a-9598-c30417b601db\",\"name\":\"cf23ef92-aa60-4e4a-9598-c30417b601db\",\"etag\":\"\\\"01006993-0000-0100-0000-62e422850000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarks1c0pz\",\"created\":\"2022-07-29T18:10:13.2097324+00:00\",\"updated\":\"2022-07-29T18:10:13.2097324+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"name\":\"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af\",\"etag\":\"\\\"3c00458a-0000-0100-0000-62fbbc670000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Getbookmarkzl3she\",\"created\":\"2022-08-16T15:48:55.7948149+00:00\",\"updated\":\"2022-08-16T15:48:55.7948149+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json index 117ffd3cc6fa..85a8c9b636f5 100644 --- a/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelBookmarkRelation.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "180" ], - "x-ms-client-request-id": [ "5bbdb4ac-027a-4224-af6a-0504b06b47d2" ], + "x-ms-unique-id": [ "178" ], + "x-ms-client-request-id": [ "23780903-ee14-4753-8f08-e230569be4e9" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11983" ], - "x-ms-request-id": [ "164cd14c-55a1-41a8-870b-a741ab0535ea" ], - "x-ms-correlation-request-id": [ "164cd14c-55a1-41a8-870b-a741ab0535ea" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183120Z:164cd14c-55a1-41a8-870b-a741ab0535ea" ], + "x-ms-request-id": [ "02963b6c-1e22-41ee-a714-0f59d8655492" ], + "x-ms-correlation-request-id": [ "02963b6c-1e22-41ee-a714-0f59d8655492" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:02963b6c-1e22-41ee-a714-0f59d8655492" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "181" ], - "x-ms-client-request-id": [ "30bead21-c0ce-4d9d-848f-1713ae4d6823" ], + "x-ms-unique-id": [ "179" ], + "x-ms-client-request-id": [ "5790594e-3c05-4cd1-b9c1-caa945ac1e01" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11982" ], - "x-ms-request-id": [ "5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], - "x-ms-correlation-request-id": [ "5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:5a11baea-3fc4-49e3-a5ad-f2bcbfe4a8cd" ], + "x-ms-request-id": [ "e11766e3-106c-4c92-b5ae-2cac460564d1" ], + "x-ms-correlation-request-id": [ "e11766e3-106c-4c92-b5ae-2cac460564d1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:e11766e3-106c-4c92-b5ae-2cac460564d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+1": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "182" ], - "x-ms-client-request-id": [ "05d5e748-190e-4048-ad11-44853e2f455d" ], + "x-ms-unique-id": [ "180" ], + "x-ms-client-request-id": [ "010424c0-2f8a-49b6-9a63-b0a1b291a0e4" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11981" ], - "x-ms-request-id": [ "26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], - "x-ms-correlation-request-id": [ "26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:26ea4362-d477-4cb2-a986-e9a8dd2ed2bf" ], + "x-ms-request-id": [ "31db6efa-501d-4865-b7ca-1e9022eb67c9" ], + "x-ms-correlation-request-id": [ "31db6efa-501d-4865-b7ca-1e9022eb67c9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:31db6efa-501d-4865-b7ca-1e9022eb67c9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:20 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview+2": { + "Get-AzSentinelBookmarkRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "183" ], - "x-ms-client-request-id": [ "0f30c4d5-7a40-4f24-b044-8f6a0baf278e" ], + "x-ms-unique-id": [ "181" ], + "x-ms-client-request-id": [ "b558dcee-1f3f-4700-b1a1-2cdb3e64941f" ], "CommandName": [ "Get-AzSentinelbookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11980" ], - "x-ms-request-id": [ "d8056e50-a564-4c3f-a370-acf5e04170c5" ], - "x-ms-correlation-request-id": [ "d8056e50-a564-4c3f-a370-acf5e04170c5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183121Z:d8056e50-a564-4c3f-a370-acf5e04170c5" ], + "x-ms-request-id": [ "d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], + "x-ms-correlation-request-id": [ "d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160702Z:d326d58d-454d-4f20-8e7b-e0ac4feb9cf9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:21 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/72c19fb6-dca6-4381-9175-229d52e8908a/relations/eacf9694-518d-404c-85a0-6703db574c22\",\"name\":\"eacf9694-518d-404c-85a0-6703db574c22\",\"etag\":\"\\\"01008093-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceName\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a1dded2a-ff31-44d4-b554-c43992597473/relations/01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"name\":\"01c3e510-2a6e-4d12-8289-7e039cd8af1e\",\"etag\":\"\\\"3c00d78a-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceName\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json index 7eaf3c67688d..b49b30893230 100644 --- a/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelDataConnector.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "184" ], - "x-ms-client-request-id": [ "bb46760f-7041-4532-ab46-b832679b1954" ], + "x-ms-unique-id": [ "182" ], + "x-ms-client-request-id": [ "f27d39e0-d37d-44ff-9663-1479b8cb7b18" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "016cb2a0-f878-4631-bc3e-b73fa09907a4" ], - "x-ms-correlation-request-id": [ "016cb2a0-f878-4631-bc3e-b73fa09907a4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:016cb2a0-f878-4631-bc3e-b73fa09907a4" ], + "x-ms-request-id": [ "986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], + "x-ms-correlation-request-id": [ "986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160703Z:986c6dd9-77c4-4410-84b3-2fe4bb2a4bd7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:21 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1122" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"e6fe5716-cd55-4449-8cfc-8949597baddd\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataType
s\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"7e7b29f8-4921-4f6a-ac9f-288d54eb8cd9\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"disabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelDataConnector+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "185" ], - "x-ms-client-request-id": [ "07599939-75b5-43df-9307-d400605393d6" ], + "x-ms-unique-id": [ "183" ], + "x-ms-client-request-id": [ "fbf10869-7f00-4cc0-8e29-e2e475dd2c38" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "768c429e-c74a-4ae2-9b24-deb0eedd196f" ], - "x-ms-correlation-request-id": [ "768c429e-c74a-4ae2-9b24-deb0eedd196f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:768c429e-c74a-4ae2-9b24-deb0eedd196f" ], + "x-ms-request-id": [ "3d032294-c79d-470d-b598-4c710aa21ae2" ], + "x-ms-correlation-request-id": [ "3d032294-c79d-470d-b598-4c710aa21ae2" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160703Z:3d032294-c79d-470d-b598-4c710aa21ae2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+1": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", "Content": 
null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "186" ], - "x-ms-client-request-id": [ "3eaedcab-eab5-4cb0-8921-42731fc4a901" ], + "x-ms-unique-id": [ "184" ], + "x-ms-client-request-id": [ "397ed35e-0679-4aa1-89cb-7ee3cb337ce6" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "1a04a512-d681-47a6-813e-d479fb807684" ], - "x-ms-correlation-request-id": [ "1a04a512-d681-47a6-813e-d479fb807684" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183122Z:1a04a512-d681-47a6-813e-d479fb807684" ], + "x-ms-request-id": [ "9152283c-36cf-48b1-8e18-88e04dcd987b" ], + "x-ms-correlation-request-id": [ "9152283c-36cf-48b1-8e18-88e04dcd987b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160704Z:9152283c-36cf-48b1-8e18-88e04dcd987b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } }, - "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview+2": { + "Get-AzSentinelDataConnector+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03?api-version=2021-09-01-preview", "Content": 
null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "187" ], - "x-ms-client-request-id": [ "0d7c4957-fbd4-47a1-8d64-6e82988463ee" ], + "x-ms-unique-id": [ "185" ], + "x-ms-client-request-id": [ "8cd3b815-b5ea-4147-97ff-d1f6b3cde271" ], "CommandName": [ "Get-AzSentineldataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], - "x-ms-correlation-request-id": [ "02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183123Z:02e27ddd-e5ee-4599-8500-f0fcb0a7d5b6" ], + "x-ms-request-id": [ "26d74272-4c67-4971-8cc5-793715d75559" ], + "x-ms-correlation-request-id": [ "26d74272-4c67-4971-8cc5-793715d75559" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160704Z:26d74272-4c67-4971-8cc5-793715d75559" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "530" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"name\":\"8fee2c52-7010-4d95-a6ce-eb73f2921e20\",\"etag\":\"21402add-7ae9-4da3-90ab-c0fd725e7818\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"name\":\"ef0ed2f1-dd75-4d02-afef-5fc84ded8e03\",\"etag\":\"343f5beb-3f53-4c32-adec-6d96dd1a719e\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"AzureSecurityCenter\",\"properties\":{\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"dataTypes\":{\"alerts\":{\"state\":\"enabled\"}}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json index 74c0cde9dad3..0dce03291357 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEnrichment.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_IP+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?api-version=2021-09-01-preview\u0026ipAddress=8.8.8.8", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "188" ], - "x-ms-client-request-id": [ "cdb526a4-224f-405e-9446-a30f480cbb5d" ], + "x-ms-unique-id": [ "186" ], + "x-ms-client-request-id": [ "6b6ded5e-93a2-4fb3-acb3-92d003883b60" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11979" ], - "x-ms-request-id": [ "dd4c8ada-84ec-45db-948e-673d38c35129" ], - "x-ms-correlation-request-id": [ "dd4c8ada-84ec-45db-948e-673d38c35129" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183123Z:dd4c8ada-84ec-45db-948e-673d38c35129" ], + "x-ms-request-id": [ "ed65f374-acca-48d4-94ea-aac9696bfbaf" ], + "x-ms-correlation-request-id": [ "ed65f374-acca-48d4-94ea-aac9696bfbaf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160705Z:ed65f374-acca-48d4-94ea-aac9696bfbaf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:23 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "363" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { + "Get-AzSentinelEnrichment+[NoContext]+Get_Domain+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.SecurityInsights/enrichment/domain/whois/?api-version=2021-09-01-preview\u0026domain=google.com", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "189" ], - "x-ms-client-request-id": [ "f2467200-22e1-4c1e-bb81-7f533b898379" ], + "x-ms-unique-id": [ "187" ], + "x-ms-client-request-id": [ "b08a6bc7-59c5-425a-9421-70cbac317927" ], "CommandName": [ "Get-AzSentinelEnrichment" ], "FullCommandName": [ "Get-AzSentinelEnrichment_Get1" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11978" ], - "x-ms-request-id": [ "a813e2c5-2550-4866-a948-92b0d717d8f3" ], - "x-ms-correlation-request-id": [ "a813e2c5-2550-4866-a948-92b0d717d8f3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183124Z:a813e2c5-2550-4866-a948-92b0d717d8f3" ], + "x-ms-request-id": [ "e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], + "x-ms-correlation-request-id": [ "e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160705Z:e60ecf7c-abb2-4a3c-aef4-bb17dd8703d8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:23 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1403" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00Z\",\"updated\":\"2019-09-09T00:00:00Z\",\"expires\":\"2028-09-14T00:00:00Z\",\"parsedWhois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuseContactPhone\":\"12086851750\",\"abuseContactEmail\":\"abusecomplaints@markmonitor.com\",\"ianaId\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whoisServer\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at 
https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"nameServers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", + "Content": "{\"domain\":\"google.com\",\"server\":\"whois.markmonitor.com\",\"created\":\"1997-09-15T00:00:00Z\",\"updated\":\"2019-09-09T00:00:00Z\",\"expires\":\"2028-09-14T00:00:00Z\",\"parsedWhois\":{\"registrar\":{\"name\":\"MarkMonitor, Inc.\",\"abuseContactPhone\":\"12083895770\",\"abuseContactEmail\":\"abusecomplaints@markmonitor.com\",\"ianaId\":\"292\",\"url\":\"http://www.markmonitor.com\",\"whoisServer\":\"whois.markmonitor.com\"},\"contacts\":{\"admin\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"registrant\":{\"name\":\"\",\"org\":\"Google LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"},\"billing\":{\"name\":\"\",\"org\":\"\",\"street\":[],\"city\":\"\",\"state\":\"\",\"postal\":\"\",\"country\":\"\",\"phone\":\"\",\"fax\":\"\",\"email\":\"\"},\"tech\":{\"name\":\"\",\"org\":\"Google 
LLC\",\"street\":[],\"city\":\"\",\"state\":\"CA\",\"postal\":\"\",\"country\":\"us\",\"phone\":\"\",\"fax\":\"\",\"email\":\"Select Request Email Form at https://domains.markmonitor.com/whois/google.com\"}},\"nameServers\":[\"ns1.google.com\",\"ns2.google.com\",\"ns3.google.com\",\"ns4.google.com\"],\"statuses\":[\"clientUpdateProhibited\",\"clientTransferProhibited\",\"clientDeleteProhibited\",\"serverUpdateProhibited\",\"serverTransferProhibited\",\"serverDeleteProhibited\"]}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json index 885c98a24435..35f9cbdd6797 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntity.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "190" ], - "x-ms-client-request-id": [ "484b44a2-7a87-4eeb-be91-e117c8c05e65" ], + "x-ms-unique-id": [ "188" ], + "x-ms-client-request-id": [ "cedbed8a-00cf-49e1-9e0c-7a9f877c2bec" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11977" ], - "x-ms-request-id": [ "d8862eed-373d-4d86-8e82-c0228549c30e" ], - "x-ms-correlation-request-id": [ "d8862eed-373d-4d86-8e82-c0228549c30e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183125Z:d8862eed-373d-4d86-8e82-c0228549c30e" ], + "x-ms-request-id": [ "e72192da-2eac-471f-a29d-825e10ee9789" ], + "x-ms-correlation-request-id": [ "e72192da-2eac-471f-a29d-825e10ee9789" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160706Z:e72192da-2eac-471f-a29d-825e10ee9789" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:25 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, 
- "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "191" ], - "x-ms-client-request-id": [ "5b12f79a-13e7-4e55-bf13-c57c555a3029" ], + "x-ms-unique-id": [ "189" ], + "x-ms-client-request-id": [ "2c8aa239-c329-4051-a5fe-6b630d2bbeed" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11976" ], - "x-ms-request-id": [ "409cbd21-a823-4ff3-afc1-c5d676b27496" ], - "x-ms-correlation-request-id": [ "409cbd21-a823-4ff3-afc1-c5d676b27496" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183125Z:409cbd21-a823-4ff3-afc1-c5d676b27496" ], + "x-ms-request-id": [ "c437a67b-1afd-4881-a87c-ca52af4ed020" ], + "x-ms-correlation-request-id": [ "c437a67b-1afd-4881-a87c-ca52af4ed020" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160706Z:c437a67b-1afd-4881-a87c-ca52af4ed020" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:25 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, 
- "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "192" ], - "x-ms-client-request-id": [ "48423662-7c77-4fec-9bea-e567a8df0432" ], + "x-ms-unique-id": [ "190" ], + "x-ms-client-request-id": [ "6696cfc8-f953-41f1-999d-7c8df44e9bef" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11975" ], - "x-ms-request-id": [ "17e0f0f0-34b8-4666-b216-40deb881e509" ], - "x-ms-correlation-request-id": [ "17e0f0f0-34b8-4666-b216-40deb881e509" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183126Z:17e0f0f0-34b8-4666-b216-40deb881e509" ], + "x-ms-request-id": [ "09105238-41f6-4511-a5d6-325a30c28ffc" ], + "x-ms-correlation-request-id": [ "09105238-41f6-4511-a5d6-325a30c28ffc" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:09105238-41f6-4511-a5d6-325a30c28ffc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:07 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "193" ], - "x-ms-client-request-id": [ "f876cb3e-bce4-490b-b25f-bf6d90c82030" ], + "x-ms-unique-id": [ "191" ], + "x-ms-client-request-id": [ "b8409c32-04fa-4331-b0c2-de9729f742ae" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,31 +147,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11974" ], - "x-ms-request-id": [ "645e5bd4-0485-47fc-a961-cfaa70723375" ], - "x-ms-correlation-request-id": [ "645e5bd4-0485-47fc-a961-cfaa70723375" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183126Z:645e5bd4-0485-47fc-a961-cfaa70723375" ], + "x-ms-request-id": [ "105d944b-e949-47a1-ab99-36782ac161b7" ], + "x-ms-correlation-request-id": [ "105d944b-e949-47a1-ab99-36782ac161b7" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:105d944b-e949-47a1-ab99-36782ac161b7" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } 
}, - "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "194" ], - "x-ms-client-request-id": [ "5a0d9eab-13c4-4113-a579-bd0ea3b6b08d" ], + "x-ms-unique-id": [ "192" ], + "x-ms-client-request-id": [ "41bab93e-87d5-4e74-88cd-2219a0f93337" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -188,31 +188,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11973" ], - "x-ms-request-id": [ "bfca1590-fe6d-43c6-adec-58eead231d44" ], - "x-ms-correlation-request-id": [ "bfca1590-fe6d-43c6-adec-58eead231d44" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183127Z:bfca1590-fe6d-43c6-adec-58eead231d44" ], + "x-ms-request-id": [ "192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], + "x-ms-correlation-request-id": [ "192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160708Z:192fa77e-ac6a-4239-aa2f-6dbd9c4cbe6e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { + "Get-AzSentinelEntity+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview+3": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "195" ], - "x-ms-client-request-id": [ "706d4b7a-d46e-4ef2-8c28-ce6fec044bc7" ], + "x-ms-unique-id": [ "193" ], + "x-ms-client-request-id": [ "a1ba90cb-118e-458c-994c-cb079c780958" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -229,19 +229,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11972" ], - "x-ms-request-id": [ "a32df2cc-93ab-4063-9521-4d262c7fb624" ], - "x-ms-correlation-request-id": [ "a32df2cc-93ab-4063-9521-4d262c7fb624" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183127Z:a32df2cc-93ab-4063-9521-4d262c7fb624" ], + "x-ms-request-id": [ "f0867a60-b546-4309-aec7-04c40ec441fc" ], + "x-ms-correlation-request-id": [ "f0867a60-b546-4309-aec7-04c40ec441fc" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160710Z:f0867a60-b546-4309-aec7-04c40ec441fc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:26 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:10 GMT" ] }, "ContentHeaders": { "Content-Length": [ "413" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json index 915887806150..544dd15e81c8 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityActivity.Recording.json @@ -1,13 +1,13 @@ { - "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "196" ], - "x-ms-client-request-id": [ "c14ef63e-2349-4660-91ad-28d0921af51e" ], + "x-ms-unique-id": [ "194" ], + "x-ms-client-request-id": [ "f11f310f-eb7d-4494-8cbf-a3b00a40d82e" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11971" ], - "x-ms-request-id": [ "a27023a0-6f7b-4ab4-b614-78ec88518182" ], - "x-ms-correlation-request-id": [ "a27023a0-6f7b-4ab4-b614-78ec88518182" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183128Z:a27023a0-6f7b-4ab4-b614-78ec88518182" ], + "x-ms-request-id": [ "c2ad44cd-756f-4644-bf04-e38bebf85c67" ], + "x-ms-correlation-request-id": [ "c2ad44cd-756f-4644-bf04-e38bebf85c67" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160711Z:c2ad44cd-756f-4644-bf04-e38bebf85c67" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:27 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:10 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, 
- "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { + "Get-AzSentinelEntityActivity+[NoContext]+Queries+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries?api-version=2021-09-01-preview\u0026kind=Insight", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "197" ], - "x-ms-client-request-id": [ "16990f62-534d-4d5b-8f31-faa95508f1f4" ], + "x-ms-unique-id": [ "195" ], + "x-ms-client-request-id": [ "bfeccd56-c4b4-428f-8585-2431d50ce612" ], "CommandName": [ "Get-AzSentinelEntityActivity" ], "FullCommandName": [ "Get-AzSentinelEntityActivity_Queries" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11970" ], - "x-ms-request-id": [ "e71c3158-f301-44c2-a8df-7ffeeb832c06" ], - "x-ms-correlation-request-id": [ "e71c3158-f301-44c2-a8df-7ffeeb832c06" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183131Z:e71c3158-f301-44c2-a8df-7ffeeb832c06" ], + "x-ms-request-id": [ "4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], + "x-ms-correlation-request-id": [ "4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160713Z:4603fdc7-eb0f-404f-bf45-a28a23f6e307" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:30 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:13 GMT" ] }, "ContentHeaders": { "Content-Length": [ "20801" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"name\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections\",\"description\":\"\u0027Provides the remote IP connection count information for outbound and inbound connections to an IP address. 
Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime 
= min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = 
strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n//| where DeviceAction has_any (\u0027allow\u0027, \u0027allowed\u0027, \u0027accept\u0027, \u0027built\u0027, \u0027start\u0027, \u0027connect\u0027, \u0027\u0027)\\n//| where not(DeviceAction has_any (\u0027built\u0027,\u0027deny\u0027, \u0027denied\u0027, \u0027rst\u0027, \u0027blocked\u0027, \u0027teardown\u0027))\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP/Count\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"Total\",\"outputType\":\"Number\",\"supportDeepLink\":true}],\"queriesDefinitions\":[{\"filter\":\"where InboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(InboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project 
Direction = \u0027Top In\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where OutboundCount \u003e 0\",\"summarize\":\"summarize Total = sum(OutboundCount) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"where UnknownDirection \u003e 0\",\"summarize\":\"summarize Total = sum(UnknownDirection) by IPAddress, RemoteIPAddress | top 1 by Total\",\"project\":\"project Direction = \u0027Top Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, InboundCount, OutboundCount, UnknownDirection\",\"summarize\":\"summarize Inbound = sum(InboundCount), Outbound = sum(OutboundCount), Unknown = sum(UnknownDirection), RemIPs = make_set(RemoteIPAddress) by IPAddress | extend Total = tolong(Inbound + Outbound + Unknown)\",\"project\":\"project Direction = \u0027All\u0027, IPAddress, RemoteIP = case(array_length(RemIPs) == 1, tostring(RemIPs[0]), array_length(RemIPs) \u003e 1 and array_length(RemIPs) \u003c= 100, 
strcat(tostring(array_length(RemIPs)),\u0027 IPs\u0027), array_length(RemIPs) \u003e= 101, \u0027\u003e 100 IPs\u0027 , \u0027None\u0027), Total\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"Total\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":null,\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"summarize StartTime = min(StartTime), EndTime = max(EndTime), InboundTotal = sum(InboundCount), OutboundTotal = sum(OutboundCount), ReceivedBytesTotal = sum(ReceivedBytes), SentBytesTotal = sum(SentBytes), UnknownDirectionBytesTotal = sum(UnknownDirection) by IPAddress, RemoteIPAddress, Type\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/340e5f6f-d218-4a11-8638-09e1af7847cc\",\"name\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"displayName\":\"IP address remote connections with TI match\",\"description\":\"\u0027Provides the threat intelligence related hits for the remote IP 
address. Note due to potential performance impact, data is limited to a 7 day max window.\u0027\\n\",\"baseQuery\":\"let GetIPStats = (Ip_Address:string){\\n//checking time span to lock to 7 days or less for Entity page usage\\nlet start = datetime(\u0027{{StartTimeISO}}\u0027);\\nlet end = datetime(\u0027{{EndTimeISO}}\u0027);\\nlet end_start = datetime_diff(\u0027day\u0027,end,start);\\nlet start_time = iff(end_start \u003e 7, end - 7d, start);\\nlet end_time = end;\\nlet IpStats = (union isfuzzy=true\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = SourceIp, Type, RemoteIPAddress = DestinationIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nVMConnection\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIp =~ Ip_Address\\n| where SourceIp != DestinationIp\\n| where Direction =~ \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = DestinationIp, Type, RemoteIPAddress = SourceIp, Direction, SentBytes = tolong(BytesSent), ReceivedBytes = tolong(BytesReceived)\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(Direction =~ \\\"outbound\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nWireData\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| where Direction =~ \\\"inbound\\\"\\n| summarize 
StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction =~ \\\"inbound\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where LocalIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"outbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), OutboundCount = countif(ActionType =~ \\\"ConnectionSuccess\\\") by IPAddress = LocalIP, Type, RemoteIPAddress = RemoteIP, Direction\\n),\\n(\\nDeviceNetworkEvents\\n| where TimeGenerated between (start_time..end_time)\\n| where RemoteIP =~ Ip_Address\\n| where LocalIP != RemoteIP\\n| extend Direction = \\\"inbound\\\"\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(ActionType =~ \\\"InboundConnectionAccepted\\\") by IPAddress = RemoteIP, Type, RemoteIPAddress = LocalIP, Direction\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where SourceIP =~ Ip_Address\\n| where SourceIP != DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = SourceIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = DestinationIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n),\\n(\\nCommonSecurityLog\\n| where TimeGenerated between (start_time..end_time)\\n| where DestinationIP =~ Ip_Address\\n| where SourceIP 
!= DestinationIP\\n| extend Direction = iff(CommunicationDirection !in~ (\u0027outbound\u0027,\u00270\u0027) or CommunicationDirection !in~ (\u0027inbound\u0027,\u00271\u0027), \u0027NotAvailable\u0027, CommunicationDirection)\\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), InboundCount = countif(Direction in~ (\u0027Inbound\u0027,\u00271\u0027)), OutboundCount = countif(Direction in~ (\u0027Outbound\u0027, \u00270\u0027)), UnknownDirection = countif(Direction =~ \u0027NotAvailable\u0027) by IPAddress = DestinationIP, Type = strcat(Type,\u0027:\u0027, DeviceVendor,\u0027-\u0027, DeviceProduct), RemoteIPAddress = SourceIP, Direction, SentBytes = tolong(SentBytes), ReceivedBytes = tolong(ReceivedBytes)\\n)\\n);\\nIpStats\\n| join kind=inner (ThreatIntelligenceIndicator | where TimeGenerated \u003c ago(1m)\\n| where Active = true\\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\\n| extend TI_ipEntity = case(\\nisnotempty(NetworkIP), NetworkIP,\\nisempty(NetworkIP) and isnotempty(NetworkSourceIP), NetworkSourceIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isnotempty(NetworkDestinationIP), NetworkDestinationIP,\\nisempty(NetworkIP) and isempty(NetworkSourceIP) and isempty(NetworkDestinationIP), EmailSourceIpAddress,\\n\\\"NotAvailable\\\"\\n)\\n| summarize arg_max(TimeGenerated, *) by ThreatIntelMatch = Description, ThreatType, TI_ipEntity) on $left.RemoteIPAddress == $right.TI_ipEntity\\n};\\nGetIPStats(\u0027175.45.176.99\u0027)\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Direction\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"IPAddress\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"RemoteIP\",\"outputType\":\"String\",\"supportDeepLink\":true},{\"header\":\"ThreatType\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\"project IPAddress, 
RemoteIPAddress, InboundCount, ThreatType\",\"summarize\":\"summarize Inbound = sum(InboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Inbound \u003e 0\",\"project\":\"project Direction = \u0027In\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, OutboundCount, ThreatType\",\"summarize\":\"summarize Outbound = sum(OutboundCount) by IPAddress, RemoteIPAddress, ThreatType | where Outbound \u003e 0\",\"project\":\"project Direction = \u0027Out\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]},{\"filter\":\"project IPAddress, RemoteIPAddress, UnknownDirection, ThreatType\",\"summarize\":\"summarize UnknownCount = sum(UnknownDirection) by IPAddress, RemoteIPAddress, ThreatType | where UnknownCount \u003e 0\",\"project\":\"project Direction = \u0027Unknown\u0027, IPAddress, RemoteIP = RemoteIPAddress, ThreatType\",\"linkColumnsDefinitions\":[{\"projectedName\":\"Direction\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"IPAddress\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"RemoteIP\",\"Query\":\"{{BaseQuery}} | \"},{\"projectedName\":\"ThreatType\",\"Query\":\"{{BaseQuery}} | \"}]}]},\"chartQuery\":{\"title\":\"Connection Count to IP in TI\",\"dataSets\":[{\"query\":\"summarize Count = max(InboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - In\u0027) | where 
isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(OutboundCount) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - Out\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"},{\"query\":\"summarize Count = max(UnknownDirection) by Time = bin(StartTime, 1d), RemoteIPAddress = strcat(RemoteIPAddress,\u0027 - UnknownDirection\u0027) | where isnotempty(Count) and Count \u003e 0\",\"xColumnName\":\"Time\",\"yColumnName\":\"Count\",\"legendColumnName\":\"RemoteIPAddress\"}],\"type\":\"BarChart\"},\"additionalQuery\":{\"text\":\"See All connections\",\"query\":\"project StartTime, EndTime, IPAddress, RemoteIPAddress, InboundCount, OutboundCount, ReceivedBytes, SentBytes, UnknownDirection, Type, ThreatType, ThreatIntelMatch\"},\"defaultTimeRange\":{\"beforeRange\":\"12h\",\"afterRange\":\"12h\"},\"referenceTimeRange\":null,\"dataTypes\":[{\"dataType\":\"Heartbeat\"},{\"dataType\":\"VMConnection\"},{\"dataType\":\"VMComputer\"},{\"dataType\":\"WireData\"},{\"dataType\":\"ProtectionStatus\"},{\"dataType\":\"DeviceNetworkInfo\"},{\"dataType\":\"DeviceNetworkEvents\"},{\"dataType\":\"DnsEvents\"},{\"dataType\":\"CommonSecurityLog\"},{\"dataType\":\"Event\"},{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"Ip_Address\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/queries/3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"name\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\",\"type\":\"Microsoft.SecurityInsights/entities/queries\",\"kind\":\"Insight\",\"properties\":{\"display
Name\":\"Watchlist Insights (Preview)\",\"description\":\"### Description\\n ___\\nThis insight aggregates data from the watchlists templates (Network Addresses) regarding the IP address.\",\"baseQuery\":\"let defaultValue = \u0027defaultValue\u0027; \\n let myIP = \u0027175.45.176.99\u0027; \\n let ips = _GetWatchlist(\u0027NetworkAddresses\u0027); \\n ips | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend FirstIP = split(IPSubnet , \u0027-\u0027).[0], SecondIP = split(IPSubnet, \u0027-\u0027).[1], checkIPv4 = parse_ipv4(myIP) | extend myIPnum = iff(isempty(checkIPv4), (parse_ipv6(myIP)), tostring(checkIPv4)) | extend firstIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(FirstIP)), tostring(parse_ipv4(tostring(FirstIP)))), secondIPparsed = iff(isempty(checkIPv4), parse_ipv6(tostring(SecondIP)), tostring(parse_ipv4(tostring(SecondIP)))) | extend results = iff((isnotempty(checkIPv4) and tolong(firstIPparsed) \u003c= tolong(myIPnum) and (tolong(myIPnum) \u003c= tolong(secondIPparsed)) or (ipv4_is_in_range(myIP, tostring(SecondIP)) or (ipv6_compare(myIP, tostring(FirstIP)) == 0) or (ipv6_compare(myIP, tostring(SecondIP))==0))), True, false) | where results == true | extend RangeName = column_ifexists(\u0027Range Name\u0027, defaultValue) | extend IPSubnet = column_ifexists(\u0027IP Subnet\u0027, defaultValue) | extend Tags = column_ifexists(\u0027Tags\u0027, defaultValue) | extend [\u0027Watchlist Insight\u0027] = \u0027IP Address is within a known range\u0027 | extend [\u0027Additional Data\u0027] = strcat(\u0027Range Name: \u0027, RangeName,\u0027, \u0027,\u0027IP Range: \u0027, IPSubnet) | project [\u0027Watchlist Insight\u0027],[\u0027Additional Data\u0027], Tags\",\"tableQuery\":{\"columnsDefinitions\":[{\"header\":\"Watchlist Insight\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Additional 
Data\",\"outputType\":\"String\",\"supportDeepLink\":false},{\"header\":\"Tags\",\"outputType\":\"String\",\"supportDeepLink\":false}],\"queriesDefinitions\":[{\"filter\":\" where 1 == 1\",\"summarize\":\" summarize count() by [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"project\":\" project [\u0027Watchlist Insight\u0027], [\u0027Additional Data\u0027], Tags\",\"linkColumnsDefinitions\":[]}]},\"chartQuery\":null,\"additionalQuery\":null,\"defaultTimeRange\":{\"beforeRange\":\"0d\",\"afterRange\":\"0d\"},\"referenceTimeRange\":{\"beforeRange\":\"0d\"},\"dataTypes\":[{\"dataType\":\"Watchlist templates\"}],\"inputEntityType\":\"Ip\",\"requiredInputFieldsSets\":[[\"IP_Address\"]],\"entitiesFilter\":{}}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json index c37c7f3c4d70..c2038891bcfe 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityInsight.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "198" ], - "x-ms-client-request-id": [ "224e476f-5445-42cb-a2bb-2d38e2428610" ], + "x-ms-unique-id": [ "196" ], + "x-ms-client-request-id": [ "4df3c847-e6b8-45da-b944-807a0520c1ed" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,27 +24,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11969" ], - "x-ms-request-id": [ "f532cced-8e20-4dac-a823-cd27456e421d" ], - "x-ms-correlation-request-id": [ "f532cced-8e20-4dac-a823-cd27456e421d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183131Z:f532cced-8e20-4dac-a823-cd27456e421d" ], + "x-ms-request-id": [ "c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], + "x-ms-correlation-request-id": [ "c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160714Z:c31f8f05-40c1-4ae6-bfc6-9fd835eee4c2" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:31 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:14 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, 
- "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityInsight+[NoContext]+GetExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", - "Content": "{\n \"startTime\": \"2022-07-28T06:00:00.0000000+00:00\",\n \"endTime\": \"2022-07-29T06:00:00.0000000+00:00\"\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getInsights?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2022-08-15T04:00:00.0000000+00:00\",\n \"endTime\": \"2022-08-16T04:00:00.0000000+00:00\"\n}", "isContentBase64": false, "Headers": { }, 
@@ -60,19 +60,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-reads": [ "11968" ], - "x-ms-request-id": [ "a983f815-234e-4a13-a0b9-b6be3f9e738c" ], - "x-ms-correlation-request-id": [ "a983f815-234e-4a13-a0b9-b6be3f9e738c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183138Z:a983f815-234e-4a13-a0b9-b6be3f9e738c" ], + "x-ms-request-id": [ "3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], + "x-ms-correlation-request-id": [ "3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160718Z:3e7d60ca-4911-4419-8092-c1a1a55a27a9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:37 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:18 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1719" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Ti
me\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-07-28T06:00:00+00:00\",\"endTime\":\"2022-07-29T06:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}", + "Content": "{\"value\":[{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"Total\",\"type\":\"long\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"b8e2df44-f98f-4c95-bcbe-f8210f3e0f23\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Direction\",\"type\":\"string\"},{\"name\":\"IPAddress\",\"type\":\"string\"},{\"name\":\"RemoteIP\",\"type\":\"string\"},{\"name\":\"ThreatType\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]
},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]},{\"columns\":[{\"name\":\"Time\",\"type\":\"datetime\"},{\"name\":\"RemoteIPAddress\",\"type\":\"string\"},{\"name\":\"Count\",\"type\":\"long\"}],\"rows\":[]}],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"340e5f6f-d218-4a11-8638-09e1af7847cc\"},{\"tableQueryResults\":{\"columns\":[{\"name\":\"Watchlist Insight\",\"type\":\"string\"},{\"name\":\"Additional Data\",\"type\":\"string\"},{\"name\":\"Tags\",\"type\":\"string\"},{\"name\":\"InternalOrder\",\"type\":\"long\"},{\"name\":\"Index\",\"type\":\"long\"}],\"rows\":[]},\"chartQueryResults\":[],\"queryTimeInterval\":{\"startTime\":\"2022-08-15T04:00:00+00:00\",\"endTime\":\"2022-08-16T04:00:00+00:00\"},\"queryId\":\"3834647e-ac3e-4fb4-a5f8-0dd50ba2b66c\"}],\"metaData\":{\"totalCount\":3,\"errors\":[]}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json index 9e86177cadfe..b6ad0ed3a9d6 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityQuery.Recording.json 
@@ -1,17 +1,17 @@ { - "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQuery+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "199" ], - "x-ms-client-request-id": [ "f9562eb3-7e8c-4c59-9683-f8d910ad9bb0" ], + "x-ms-unique-id": [ "198" ], + "x-ms-client-request-id": [ "139b8db9-9503-4161-976d-08d1ff534e15" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_List" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -23,36 +23,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], - "x-ms-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], - "x-ms-correlation-request-id": [ "76d36b59-9041-4922-a0dd-869b8636a8c5" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015745Z:76d36b59-9041-4922-a0dd-869b8636a8c5" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11967" ], + "x-ms-request-id": [ "1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], + "x-ms-correlation-request-id": [ "1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160719Z:1c231c1b-2b9f-49c5-9dde-50db33c5bfdf" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:57:44 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:19 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "163861" ], + "Content-Length": [ "156647" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\n SecurityAlert\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\n | project entities = todynamic(Entities)\\n | mv-expand entities\\n | project-rename entity=entities};\\n 
GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\n | project-away entity};\\n 
GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\n | project-away entity};\\n 
GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\n | project-away entity};\\n 
GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\n | project-away entity};\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where 
entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\n | project-away entity};\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\n | project-away entity};\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename 
entity=entities\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\n | project-away entity};\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\n | project-away entity};\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related 
bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\n | project-away entity};\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] =~ v_Process_ProcessId\\n | project-away 
entity};\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\n | project-away entity};\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\n | project-away entity};\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\n | project-away entity};\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetURLRelatedAlerts = (v_URL_Url:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\n | project-away entity};\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\n | project-away entity};\\n 
GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\n 
GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\n | project-away entity};\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == 
\u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\n | project-away entity};\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\n | project-away entity};\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\n SecurityAlert\\n | summarize arg_max(TimeGenerated, *) by 
SystemAlertId\\n | extend entities = todynamic(Entities) \\n | mv-expand entities\\n | project-rename entity=entities\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\n | project-away entity};\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet MostFailedLogins = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t and\\r\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)\\r\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_FailedLoginsCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = 
strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away Computer, Account, _ResourceId, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostFailedLogins(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, 
\u0027@\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\r\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\r\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\r\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| 
top 10 by percentOfActivity asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, 
FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn\\r\\n\\t\\t\\t\\t\\t\\t\\t or\\r\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by 
Host_UnstructuredName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), 
Process_Account_NTDomain = tostring(split(UserName, \u0027\\\\\\\\\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name,\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, 
\u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let GetAllIPbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPbyAccount 
(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, 
tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, 
\u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t{\\r\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and\\r\\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and\\r\\n\\t\\t\\t\\t\\t\\t\\t (\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\r\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\r\\n\\t\\t\\t\\t\\t\\t\\t )\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\r\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics\\r\\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\r\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\r\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, 
Rank\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\r\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\r\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities)\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Type) ==\\\"account\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parsejson(Entities).Name) has_any (PeerNames) or tostring(parsejson(Entities).AadUserId) has_any (PeerIds)\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count()\\r\\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parsejson(Entities).Name))\\r\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parsejson(Entities).UPNSuffix));\\r\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert\\r\\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\r\\n\\t\\t\\t\\t\\t\\t\\t Peers\\r\\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics 
SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, 
StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\r\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\r\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\r\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, 
\u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\r\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, 
Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), 
ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"name\":\"ec41f36e-3fbe-44e3-a09e-adf99bc87dcb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IoTDevice = (v_Host_HostName:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == 
\\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IoTDevice(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating 
the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", 
EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = 
floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or 
p_Host_DnsDomain=~Host_DnsDomain)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == SuccessfulLoginEventId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, 
\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, 
Process_ImageFile_FullPath=ProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, 
Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes 
running on Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains 
\u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = 
tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, 
StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\r\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, 
Description:string, FriendlyActivityName:string)\\r\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, 
Account_Sid\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = 
todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), 
Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/3d110544-328c-4c02-ad49-eabc2b69f26d\",\"name\":\"3d110544-328c-4c02-ad49-eabc2b69f26d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IoTDevice = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress 
== v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t | project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t | extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IoTDevice(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = 
todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = 
tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, 
Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated),\\r\\n\\t\\t\\t\\t\\t\\t\\t Count = count() by\\r\\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , 
Account_Aux_EndTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t };\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = 
(v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away 
rn\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\r\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts 
with this IP\",\"queryTemplate\":\"let GetAllAccountByIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize 
IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, 
Process_ImageFile_FullPath=ProcessName, Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), 
UserPrincipalName, AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\r\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tDnsEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where SubType == \u0027LookupQuery\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddresses has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_IPAddresses = split(IPAddresses,\u0027,\u0027), IP_Address=ClientIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=makeset(Name), IP_Aux_Count= count() by IP_Address, IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away IPAddresses\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_Count desc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename 
Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\r\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, 
AADTenantId, UserId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project 
File_Name=FileName\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ 
asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls 
last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tWireData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, 
RemoteIP\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027,\\r\\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string )\\r\\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\r\\n\\t\\t\\t\\t\\t\\t\\t)\\r\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\r\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name)\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| parse 
PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case(\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", 
SvcPreviousRunlevels),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == 
\\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\",\\r\\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\r\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc 
desc};\\r\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\r\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\r\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, 
Host_Aux_EndTime=max_TimeGenerated\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = 
tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), 
LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"name\":\"233eaf89-cbb0-461a-bc45-e0f873ad6b15\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IoT Devices communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = 
todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), IoTDevice_Aux_LastActivity = max(LastActivity), IoTDevice_Aux_Protocols = make_set(Protocol), IoTDevice_Aux_ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_DeviceName = DeviceName, IoTDevice_IpAddress = tostring(pack(\u0027Address\u0027,tostring(DeviceIp))), IoTDevice_DeviceType = tostring(DeviceType)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IoTDevice_Aux_TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IoTDevice_Aux_TotalBandwidth_MB = floor(todecimal(IoTDevice_Aux_TotalBandwidth_MB / 1000), 0.1), IoTDevice_IpAddress=todynamic(IoTDevice_IpAddress)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by 
IoTDevice_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IoTDevice(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IoTDevice\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\r\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", 
EventDetails)).isExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\r\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\r\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\r\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\r\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = 
tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\r\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, v_IoTDevice_IoTHub:string){\\r\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent\\r\\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\r\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\r\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\r\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\r\\n\\t\\t\\t\\t\\t\\t\\t};\\r\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"name\":\"98b974fd-cc64-48b8-9bd0-3a209f5b944b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"let GetAlertRelatedEntities = (v_SecurityAlert_SystemAlertId:string){\\r\\n SecurityAlert\\r\\n | where SystemAlertId == v_SecurityAlert_SystemAlertId\\r\\n | project entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities};\\r\\n 
GetAlertRelatedEntities(\u0027\u003csystemAlertId\u003e\u0027)\",\"inputFields\":[\"systemAlertId\"],\"outputEntityTypes\":[],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityAlert\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/27f76e63-c41b-480f-bb18-12ad2e011d49\",\"name\":\"27f76e63-c41b-480f-bb18-12ad2e011d49\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related entities\",\"queryTemplate\":\"\",\"inputFields\":[],\"outputEntityTypes\":[],\"dataSources\":[],\"inputEntityType\":\"HuntingBookmark\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/055a5692-555f-42bd-ac17-923a5a9994ed\",\"name\":\"055a5692-555f-42bd-ac17-923a5a9994ed\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetHostRelatedAlerts = (v_Host_HostName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027host\u0027 and entity[\u0027HostName\u0027] =~ v_Host_HostName\\r\\n | project-away entity};\\r\\n 
GetHostRelatedAlerts(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"name\":\"e36c2ceb-4caf-4919-8433-d61dbc3e294a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"name\":\"a77992f3-25e9-4d01-99a4-5ff606cc410a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAccountRelatedAlerts = (v_Account_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027account\u0027 and entity[\u0027Name\u0027] =~ v_Account_Name\\r\\n | project-away entity};\\r\\n 
GetAccountRelatedAlerts(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/504ea455-3bf7-47ef-8555-dc747b465f99\",\"name\":\"504ea455-3bf7-47ef-8555-dc747b465f99\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"name\":\"4a014a1b-c5a1-499f-9f54-3f7b99b0a675\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetAzureResourceRelatedAlerts = (v_AzureResource_ResourceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027azure-resource\u0027 and entity[\u0027ResourceId\u0027] =~ v_AzureResource_ResourceId\\r\\n | project-away entity};\\r\\n 
GetAzureResourceRelatedAlerts(\u0027\u003cresourceId\u003e\u0027)\",\"inputFields\":[\"resourceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"AzureResource\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f74ad13a-ae93-47b9-8782-b1142b95d046\",\"name\":\"f74ad13a-ae93-47b9-8782-b1142b95d046\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetCloudApplicationRelatedAlerts = (v_CloudApplication_AppId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027cloud-application\u0027 and entity[\u0027AppId\u0027] =~ v_CloudApplication_AppId\\r\\n | project-away entity};\\r\\n GetCloudApplicationRelatedAlerts(\u0027\u003cappId\u003e\u0027)\",\"inputFields\":[\"appId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"CloudApplication\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/80218599-45b4-4402-95cc-86f9929dd43d\",\"name\":\"80218599-45b4-4402-95cc-86f9929dd43d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetDNSRelatedAlerts = (v_DNS_DomainName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename 
entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027dns\u0027 and entity[\u0027DomainName\u0027] =~ v_DNS_DomainName\\r\\n | project-away entity};\\r\\n GetDNSRelatedAlerts(\u0027\u003cdomainName\u003e\u0027)\",\"inputFields\":[\"domainName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"DNS\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0f0bccef-4512-4530-a866-27056a39dcd6\",\"name\":\"0f0bccef-4512-4530-a866-27056a39dcd6\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileRelatedAlerts = (v_File_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027file\u0027 and entity[\u0027Name\u0027] =~ v_File_Name\\r\\n | project-away entity};\\r\\n GetFileRelatedAlerts(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"name\":\"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetFileHashRelatedAlerts = (v_FileHash_Value:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = 
todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027filehash\u0027 and entity[\u0027Value\u0027] =~ v_FileHash_Value\\r\\n | project-away entity};\\r\\n GetFileHashRelatedAlerts(\u0027\u003chashValue\u003e\u0027)\",\"inputFields\":[\"hashValue\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"FileHash\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/58c1516f-b78a-4d78-9e71-77c40849c27b\",\"name\":\"58c1516f-b78a-4d78-9e71-77c40849c27b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIPRelatedAlerts = (v_IP_Address:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027ip\u0027 and entity[\u0027Address\u0027] =~ v_IP_Address\\r\\n | project-away entity};\\r\\n GetIPRelatedAlerts(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"name\":\"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related 
bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"name\":\"b8407195-b9a3-4565-bf08-7b23e5c57e3a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMalwareRelatedAlerts = (v_Malware_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027malware\u0027 and entity[\u0027Name\u0027] =~ v_Malware_Name\\r\\n | project-away entity};\\r\\n GetMalwareRelatedAlerts(\u0027\u003cmalwareName\u003e\u0027)\",\"inputFields\":[\"malwareName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Malware\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"name\":\"63a4fa2f-f89d-4cf5-96a2-cb2479e49731\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetProcessRelatedAlerts = (v_Process_ProcessId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027process\u0027 and entity[\u0027ProcessId\u0027] 
=~ v_Process_ProcessId\\r\\n | project-away entity};\\r\\n GetProcessRelatedAlerts(\u0027\u003cprocessId\u003e\u0027)\",\"inputFields\":[\"processId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d788cd65-a7ef-448e-aa34-81185ac0e611\",\"name\":\"d788cd65-a7ef-448e-aa34-81185ac0e611\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryKeyRelatedAlerts = (v_RegistryKey_Key:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-key\u0027 and entity[\u0027Key\u0027] =~ v_RegistryKey_Key\\r\\n | project-away entity};\\r\\n GetRegistryKeyRelatedAlerts(\u0027\u003ckey\u003e\u0027)\",\"inputFields\":[\"key\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryKey\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"name\":\"3a45a7e3-80e0-4e05-84db-b97bd1ae452b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetRegistryValueRelatedAlerts = (v_RegistryValue_Name:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | 
project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027registry-value\u0027 and entity[\u0027Name\u0027] =~ v_RegistryValue_Name\\r\\n | project-away entity};\\r\\n GetRegistryValueRelatedAlerts(\u0027\u003cvalueName\u003e\u0027)\",\"inputFields\":[\"valueName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"RegistryValue\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/43c07636-6be0-4c62-8c62-9a6040a98821\",\"name\":\"43c07636-6be0-4c62-8c62-9a6040a98821\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSecurityGroupRelatedAlerts = (v_SecurityGroup_DistinguishedName:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027security-group\u0027 and entity[\u0027DistinguishedName\u0027] =~ v_SecurityGroup_DistinguishedName\\r\\n | project-away entity};\\r\\n GetSecurityGroupRelatedAlerts(\u0027\u003cdistinguishedName\u003e\u0027)\",\"inputFields\":[\"distinguishedName\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SecurityGroup\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"name\":\"7b61d5e2-4b66-40a7-bb0f-9145b445104e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let 
GetURLRelatedAlerts = (v_URL_Url:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027url\u0027 and entity[\u0027Url\u0027] =~ v_URL_Url\\r\\n | project-away entity};\\r\\n GetURLRelatedAlerts(\u0027\u003curl\u003e\u0027)\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"name\":\"855ea9fe-2fdd-4890-8daa-c895c136eef3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related bookmarks\",\"queryTemplate\":\"\",\"inputFields\":[\"url\"],\"outputEntityTypes\":[\"HuntingBookmark\"],\"dataSources\":[],\"inputEntityType\":\"URL\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"name\":\"4daeed0e-0e74-4f2d-990c-a958210e9dd7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetIoTDeviceRelatedAlerts = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027 and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project-away entity};\\r\\n 
GetIoTDeviceRelatedAlerts(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fb123681-fb7e-4684-86fd-3866df84ac2f\",\"name\":\"fb123681-fb7e-4684-86fd-3866df84ac2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Assigned IPs\",\"queryTemplate\":\"let GetIPsForHost = (v_Host_HostName:string){\\r\\n Heartbeat\\r\\n | where Computer =~ v_Host_HostName\\r\\n | summarize arg_max(TimeGenerated, *) by ComputerIP\\r\\n };\\r\\n GetIPsForHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"name\":\"fa16a940-53cc-4e45-9e6f-d8409cb42390\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Host assigned with IP\",\"queryTemplate\":\"let GetHostsForIp = (v_IP_Address:string){\\r\\n Heartbeat\\r\\n | where ComputerIP =~ v_IP_Address\\r\\n | summarize arg_max(TimeGenerated, *) by Computer\\r\\n };\\r\\n 
GetHostsForIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"name\":\"0a691e7d-a9bb-4a80-8591-2cc0b5094298\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailboxRelatedAlerts = (v_Mailbox_MailboxPrimaryAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailbox\u0027 and entity[\u0027MailboxPrimaryAddress\u0027] =~ v_Mailbox_MailboxPrimaryAddress\\r\\n | project-away entity};\\r\\n GetMailboxRelatedAlerts(\u0027\u003cmailboxPrimaryAddress\u003e\u0027)\",\"inputFields\":[\"mailboxPrimaryAddress\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"Mailbox\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"name\":\"cf68388a-a0db-41d5-969f-919f7a2e47bc\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailClusterRelatedAlerts = (v_MailCluster_Query:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where 
entity[\u0027Type\u0027] == \u0027mailCluster\u0027 and entity[\u0027Query\u0027] =~ v_MailCluster_Query\\r\\n | project-away entity};\\r\\n GetMailClusterRelatedAlerts(\u0027\u003cquery\u003e\u0027)\",\"inputFields\":[\"query\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailCluster\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"name\":\"33fbca35-93cf-45f8-864f-eb3d553d5bb8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetMailMessageRelatedAlerts = (v_MailMessage_NetworkMessageId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027mailMessage\u0027 and entity[\u0027NetworkMessageId\u0027] =~ v_MailMessage_NetworkMessageId\\r\\n | project-away entity};\\r\\n GetMailMessageRelatedAlerts(\u0027\u003cnetworkMessageId\u003e\u0027)\",\"inputFields\":[\"networkMessageId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"MailMessage\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d215b047-259d-40b4-843c-4d509b013525\",\"name\":\"d215b047-259d-40b4-843c-4d509b013525\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Related alerts\",\"queryTemplate\":\"let GetSubmissionMailRelatedAlerts = (v_SubmissionMail_SubmissionId:string){\\r\\n 
SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027SubmissionMail\u0027 and entity[\u0027SubmissionId\u0027] =~ v_SubmissionMail_SubmissionId\\r\\n | project-away entity};\\r\\n GetSubmissionMailRelatedAlerts(\u0027\u003csubmissionId\u003e\u0027)\",\"inputFields\":[\"submissionId\"],\"outputEntityTypes\":[\"SecurityAlert\"],\"dataSources\":[\"SecurityAlert\"],\"inputEntityType\":\"SubmissionMail\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6168f65c-448f-4732-8b6c-10e5693de946\",\"name\":\"6168f65c-448f-4732-8b6c-10e5693de946\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Nics\",\"queryTemplate\":\"let GetIoTDeviceRelatedNics = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] == \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project Nic = entity[\u0027Nics\u0027]\\r\\n | mv-expand Nic\\r\\n | where isnotempty(Nic)\\r\\n };\\r\\n 
GetIoTDeviceRelatedNics(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Nic\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"name\":\"887b5f82-f5a8-4735-bec9-1e563ced0f9f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IoTDevice related Azure Resources\",\"queryTemplate\":\"let GetIoTDeviceRelatedIoTHub = (v_IoTDevice_DeviceId:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027iotdevice\u0027\\r\\n and entity[\u0027DeviceId\u0027] =~ v_IoTDevice_DeviceId\\r\\n | project IoTHub = entity[\u0027IoTHub\u0027]\\r\\n | mv-expand IoTHub\\r\\n | where isnotempty(IoTHub)\\r\\n };\\r\\n GetIoTDeviceRelatedIoTHub(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"AzureResource\"],\"dataSources\":[],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f70e333a-fc67-445f-88db-e4665a3425e4\",\"name\":\"f70e333a-fc67-445f-88db-e4665a3425e4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Nic related Ip\",\"queryTemplate\":\"let GetNicRelatedIpAddress = (v_Nic_MacAddress:string){\\r\\n SecurityAlert\\r\\n | summarize arg_max(TimeGenerated, *) by SystemAlertId\\r\\n | extend entities = todynamic(Entities)\\r\\n | mv-expand 
entities\\r\\n | project-rename entity=entities\\r\\n | where entity[\u0027Type\u0027] =~ \u0027nic\u0027\\r\\n and entity[\u0027MacAddress\u0027] =~ v_Nic_MacAddress\\r\\n | project IpAddress = entity[\u0027IpAddress\u0027]\\r\\n | mv-expand IpAddress\\r\\n | where isnotempty(IpAddress)\\r\\n };\\r\\n GetNicRelatedIpAddress(\u0027\u003cMacAddress\u003e\u0027)\",\"inputFields\":[\"MacAddress\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[],\"inputEntityType\":\"Nic\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4c541df8-a680-4da5-96c9-74456927213f\",\"name\":\"4c541df8-a680-4da5-96c9-74456927213f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts the account failed to log in to the most\",\"queryTemplate\":\"let FailedLoginEventId = 4625;\\r\\n let SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) | join\\n\\t\\t\\t\\t\\t\\t\\t ( \\n\\t\\t\\t\\t\\t\\t\\t SecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t ) \\n\\t\\t\\t\\t\\t\\t\\t | extend Account_UPNSuffix = iff(Account has \u0027@\u0027, tostring(split(Account,\u0027@\u0027)[1]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_NTDomain = iff(Account has \u0027\\\\\\\\\u0027, tostring(split(Account,\u0027\\\\\\\\\u0027)[0]),\u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t | extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)@?\u0027,2,Account)\\n\\t\\t\\t\\t\\t\\t\\t | where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t and \\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )\\n\\t\\t\\t\\t\\t\\t\\t and\\n\\t\\t\\t\\t\\t\\t\\t iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventID==FailedLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(LogonType)\\n\\t\\t\\t\\t\\t\\t\\t by Computer, Account, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by 
Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse Computer with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_HostName = tostring(split(Computer,\u0027.\u0027)[0]), \\n\\t\\t\\t\\t\\t\\t\\t Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t | project-away Computer, Account, _ResourceId, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t let Normalized = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t (datatable(exists:int)[1] | where isimAuthenticationInstalled) | join \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(starttime=ago(24h),targetusername_has=v_Account_Name) \\n\\t\\t\\t\\t\\t\\t\\t | where isnotempty(TargetDvcHostname)\\n\\t\\t\\t\\t\\t\\t\\t //* postfiltering *\\n\\t\\t\\t\\t\\t\\t\\t | where TargetUsername has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t | summarize Host_Aux_SuccessfulLoginCount = countif(EventResult==\u0027Success\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_FailedLoginsCount\\t= countif(EventResult==\u0027Failure\u0027)\\n\\t\\t\\t\\t\\t\\t\\t , Host_Aux_LogonTypes=make_set(EventSubType)\\n\\t\\t\\t\\t\\t\\t\\t by TargetDvcHostname, TargetDvcId\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_FailedLoginsCount\\n\\t\\t\\t\\t\\t\\t\\t | parse TargetDvcHostname with Host_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t | extend Host_UnstructuredName = TargetDvcHostname\\n\\t\\t\\t\\t\\t\\t\\t | project-keep Host_*\\n\\t\\t\\t\\t\\t\\t\\t | extend exists=int(1) ) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t union isfuzzy=true 
Legacy(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027),Normalized(\u0027\u003caccountName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"ntDomain\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"name\":\"2db8cac9-d2ce-4494-93bf-4678cd872ce4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"IPs from rare locations used by account\",\"queryTemplate\":\"let IPsFromRareLocations = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string){\\n\\t\\t\\t\\t\\t\\t\\tlet LocationPrevalence =\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_UPNSuffix = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027@\u0027, tostring(split(v_Account_UPNSuffix, \u0027@\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix has \u0027\\\\\\\\\u0027, tostring(split(v_Account_UPNSuffix, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| 
parse UserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_AadUserId = toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)\\n\\t\\t\\t\\t\\t\\t\\tor (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))\\n\\t\\t\\t\\t\\t\\t\\t| extend FullLocation = strcat(Location,\u0027|\u0027, LocationDetails.state, \u0027|\u0027, LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| summarize ConnectionCount = count() by FullLocation, UserPrincipalName, IPAddress, Account_Name, Account_UPNSuffix, Account_AadUserId;\\n\\t\\t\\t\\t\\t\\t\\tLocationPrevalence\\n\\t\\t\\t\\t\\t\\t\\t| summarize make_list(IPAddress), make_list(FullLocation), make_list(ConnectionCount), dcount(FullLocation), totalActivity = sum(ConnectionCount) by UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t| mvexpand Location = list_FullLocation, ConnectionCount = list_ConnectionCount, IPAddress = list_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend Location = tostring(Location), ConnectionCount = toint(ConnectionCount), IPAddress = tostring(IPAddress)\\n\\t\\t\\t\\t\\t\\t\\t| extend percentOfActivity = 100*round(todouble(ConnectionCount)/totalActivity,4)\\n\\t\\t\\t\\t\\t\\t\\t| where percentOfActivity \u003c 10\\n\\t\\t\\t\\t\\t\\t\\t| project UserPrincipalName, Account_Name, Account_UPNSuffix, Account_AadUserId, IPAddress, Location, ConnectionCount, percentOfActivity\\n\\t\\t\\t\\t\\t\\t\\t| sort by percentOfActivity asc, ConnectionCount desc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by percentOfActivity asc\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Location_Country = tostring(split(Location,\u0027|\u0027)[0]), IP_Location_Region = tostring(split(Location,\u0027|\u0027)[1]), IP_Location_City = tostring(split(Location,\u0027|\u0027)[2])\\n\\t\\t\\t\\t\\t\\t\\t| extend 
Account_Aux_info = pack(\u0027PercentOfActivity\u0027, percentOfActivity, \u0027ConnectionCount\u0027, ConnectionCount)\\n\\t\\t\\t\\t\\t\\t\\t| parse UserPrincipalName with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| project Account_UnstructuredName = UserPrincipalName, Account_Name, Account_NTDomain, Account_UPNSuffix, Account_AadUserId, IP_Address = IPAddress, IP_Location_Country, IP_Location_Region, IP_Location_City, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tIPsFromRareLocations(\u0027\u003caccountName\u003e\u0027, \u0027\u003cupnSuffix\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"aadUserId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/160c7513-f704-46b7-adf9-d9c4176a44a3\",\"name\":\"160c7513-f704-46b7-adf9-d9c4176a44a3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_Sid:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Account_UPN = iff(isnotempty(v_Account_Name) and isnotempty(v_Account_UPNSuffix), strcat(v_Account_Name,\u0027@\u0027,v_Account_UPNSuffix), \\\"\\\");\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", 
\\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn \\n\\t\\t\\t\\t\\t\\t\\t or\\n\\t\\t\\t\\t\\t\\t\\t isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| project Host_UnstructuredName = DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_AppConCount=count() by Host_UnstructuredName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_AppConCount desc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003caccountName\u003e\u0027,\u0027\u003cupnSuffix\u003e\u0027,\u0027\u003csid\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\",\"sid\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f89061dd-e6d6-4553-9c88-301a7360fc14\",\"name\":\"f89061dd-e6d6-4553-9c88-301a7360fc14\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this account\",\"queryTemplate\":\"let GetSysLogEventsByAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where SyslogMessage has v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Process_Host_UnstructuredName=Computer, Process_ImageFile_FullPath=ProcessName, Process_ProcessId=tostring(ProcessID), 
Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsByAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"name\":\"dd8f30e4-8171-452e-84a0-99bcd570bd08\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created by account\",\"queryTemplate\":\"let GetServiceCreationsByAccount = (v_Account_Name:string, v_Account_NTDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Account_NTDomain = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Account_Name = tostring(split(UserName, \u0027\\\\\\\\\u0027)[1]), Process_Account_NTDomain = tostring(split(UserName, 
\u0027\\\\\\\\\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| where Process_Account_Name =~ p_Account_Name and Process_Account_NTDomain =~ p_Account_NTDomain\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Account_info = pack(\u0027ServiceName\u0027, ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Host_Aux_StartTimeUtc = min(TimeGenerated), Process_Host_Aux_EndTimeUtc = max(TimeGenerated) by Process_Host_UnstructuredName = Computer, Process_Account_Name, \\n\\t\\t\\t\\t\\t\\t\\tProcess_Account_NTDomain, Process_Account_UnstructuredName = UserName, Process_ImageFile_FullPath = ImagePath, tostring(Process_Aux_Account_info)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Host_Aux_StartTimeUtc desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsByAccount(\u0027\u003caccountName\u003e\u0027, 
\u0027\u003cntDomain\u003e\u0027)\",\"inputFields\":[\"accountName\",\"ntDomain\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/84375346-c3f0-4926-ae48-a156010c67e3\",\"name\":\"84375346-c3f0-4926-ae48-a156010c67e3\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account failed logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4625\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"name\":\"7f3989bf-1558-4d3c-bb5e-e17ac2a67a87\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity IPs for this account\",\"queryTemplate\":\"let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count\u003e1));\\n\\t\\t\\t\\t\\t\\t\\tlet Legacy = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) \\n\\t\\t\\t\\t\\t\\t\\t| join\\n\\t\\t\\t\\t\\t\\t\\t(OfficeActivity\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t| where UserId contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, 
IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=ClientIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists\\n\\t\\t\\t\\t\\t\\t\\t| project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tlet Normalized = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\t(datatable(exists:int)[1] | where isimAuthenticationInstalled)\\n\\t\\t\\t\\t\\t\\t\\t| join (\\n\\t\\t\\t\\t\\t\\t\\t imAuthentication(targetusername_has=v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated) by SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=SrcDvcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists | project-away exists, exists1 \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tunion isfuzzy=true Legacy(\u0027\u003caccountName\u003e\u0027), Normalized(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"name\":\"6d1c2ca8-8efe-4fa2-bea6-fa582c03637c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account interactive logon to new devices\",\"queryTemplate\":\"let GetNewInteractiveLogonsForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"InteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetNewInteractiveLogonsForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, 
\u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"name\":\"b66ab2aa-cd31-43b9-82a2-dd5f0ee9ca81\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account remote interactive logon to new devices\",\"queryTemplate\":\"let GetAllNewRemoteInteractiveLogonForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"RemoteInteractiveLogon\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = 
pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = toguid(UsersInsights.AccountObjectID),\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewRemoteInteractiveLogonForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, \u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"name\":\"82cdcee5-cc2e-4e9f-a235-357159c60c8c\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account access to new resources\",\"queryTemplate\":\"let GetAllNewResourceAccessForUser = (v_Account_Name:string, v_Account_Sid:string, v_Account_AadUserId:string)\\n\\t\\t\\t\\t\\t\\t\\t{\\n\\t\\t\\t\\t\\t\\t\\t BehaviorAnalytics\\n\\t\\t\\t\\t\\t\\t\\t | extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\t 
v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\t v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t | where ActionType == \\\"ResourceAccess\\\" and \\n\\t\\t\\t\\t\\t\\t\\t tobool(ActivityInsights.FirstTimeUserLoggedOnToDevice) and \\n\\t\\t\\t\\t\\t\\t\\t (\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UserName) and UserName =~ v_Account_Name) or \\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.AccountObjectID) and UsersInsights.AccountObjectID == v_Account_AadUserId) or\\n\\t\\t\\t\\t\\t\\t\\t (isnotempty(UsersInsights.OnPremisesSID) and UsersInsights.OnPremisesSID =~ v_Account_Sid)\\n\\t\\t\\t\\t\\t\\t\\t )\\n\\t\\t\\t\\t\\t\\t\\t | extend device_info = pack(\u0027DevicesInsights\u0027, DevicesInsights, \u0027ActivityInsights\u0027, ActivityInsights)\\n\\t\\t\\t\\t\\t\\t\\t | project Host_Aux_TimeGenerated = TimeGenerated,\\n\\t\\t\\t\\t\\t\\t\\t Host_UnstructuredName = DestinationDevice,\\n\\t\\t\\t\\t\\t\\t\\t Host_Aux_Insights = device_info,\\n\\t\\t\\t\\t\\t\\t\\t Account_Name = UserName,\\n\\t\\t\\t\\t\\t\\t\\t Account_Sid = v_Account_Sid,\\n\\t\\t\\t\\t\\t\\t\\t Account_AadUserId = UsersInsights.AccountObjectID,\\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_Insights = UsersInsights\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Host_Aux_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllNewResourceAccessForUser(\u0027\u003caccountName\u003e\u0027, \u0027\u003csid\u003e\u0027, 
\u0027\u003caadUserId\u003e\u0027)\",\"inputFields\":[\"accountName\",\"sid\",\"aadUserId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"BehaviorAnalytics\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"name\":\"18b7e4e3-5b57-4924-b3cd-7e9a5a143521\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Peers with a recent alert\",\"queryTemplate\":\"let GetUserPeersWithAlerts = (v_Account_Name:string, v_Account_UPNSuffix:string, v_Account_AadUserId:string) { \\n\\t\\t\\t\\t\\t\\t\\t let Account_UPN = strcat(v_Account_Name, \u0027@\u0027,v_Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t let Peers= UserPeerAnalytics \\n\\t\\t\\t\\t\\t\\t\\t | where UserPrincipalName =~ Account_UPN or UserId =~ v_Account_AadUserId\\n\\t\\t\\t\\t\\t\\t\\t | where TimeGenerated == toscalar (UserPeerAnalytics | summarize max(TimeGenerated))\\n\\t\\t\\t\\t\\t\\t\\t | project PeerUserPrincipalName, PeerUserId, Rank\\n\\t\\t\\t\\t\\t\\t\\t | extend PeerUserPrincipalName=tolower(PeerUserPrincipalName)\\n\\t\\t\\t\\t\\t\\t\\t | parse PeerUserPrincipalName with Account_Name \u0027@\u0027 Account_UPNSuffix;\\n\\t\\t\\t\\t\\t\\t\\t let PeerNames= Peers | summarize make_set_if(Account_Name, isnotempty(Account_Name));\\n\\t\\t\\t\\t\\t\\t\\t let PeerIds = Peers | summarize make_set_if(PeerUserId , isnotempty(PeerUserId));\\n\\t\\t\\t\\t\\t\\t\\t let PeersWithSecAlert=SecurityAlert\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has \\\"account\\\"\\n\\t\\t\\t\\t\\t\\t\\t | where Entities has_any (PeerNames) or Entities has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | mvexpand todynamic(Entities) \\n\\t\\t\\t\\t\\t\\t\\t | where tostring(parse_json(Entities).Type) ==\\\"account\\\" \\n\\t\\t\\t\\t\\t\\t\\t | where 
tostring(parse_json(Entities).Name) has_any (PeerNames) or tostring(parse_json(Entities).AadUserId) has_any (PeerIds)\\n\\t\\t\\t\\t\\t\\t\\t | summarize Account_Aux_AlertCount = count() \\n\\t\\t\\t\\t\\t\\t\\t by Account_Name=tolower(tostring(parse_json(Entities).Name))\\n\\t\\t\\t\\t\\t\\t\\t , Account_UPNSuffix=tolower(tostring(parse_json(Entities).UPNSuffix));\\n\\t\\t\\t\\t\\t\\t\\t PeersWithSecAlert \\n\\t\\t\\t\\t\\t\\t\\t | join kind=innerunique\\n\\t\\t\\t\\t\\t\\t\\t Peers \\n\\t\\t\\t\\t\\t\\t\\t on Account_Name, Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t | project Account_Name, Account_UPNSuffix, Account_Aux_AlertCount\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t GetUserPeersWithAlerts(\\\"{{Account_Name}}\\\",\\\"{{Account_UPNSuffix}}\\\", \\\"{{Account_AadUserId}}\\\")\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"UserPeerAnalytics SecurityAlert\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"name\":\"c34bf507-cedf-4120-bf41-f835dd68b0d9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts which the account logged on to\",\"queryTemplate\":\"let GetAllHostsbyAccount = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where UserPrincipalName contains v_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = 
tolower(tostring(parsejson(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserDisplayName\u0027, UserDisplayName, \u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by RemoteHost , tostring(OS)\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, RemoteHost, OS, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=RemoteHost, Host_OSVersion=OS, Host_Aux_StartTime=min_TimeGenerated, 
Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllHostsbyAccount(\u0027\u003caccountName\u003e\u0027)\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"name\":\"81d63625-6617-455d-b1e3-ee5ed989e5f8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Screenshots taken\",\"queryTemplate\":\"let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){\\n\\t\\t\\t\\t\\t\\t\\t let p_Account_UPN = strcat(Account_Name,\u0027@\u0027,Account_UPNSuffix);\\n\\t\\t\\t\\t\\t\\t\\t DeviceEvents \\n\\t\\t\\t\\t\\t\\t\\t | where ActionType ==\u0027ScreenshotTaken\u0027 \\n\\t\\t\\t\\t\\t\\t\\t | where InitiatingProcessAccountUpn =~ p_Account_UPN\\n\\t\\t\\t\\t\\t\\t\\t | summarize Count=count() by DeviceName\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t | project Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostScreenshot(\u0027\u003cAccount_Name\u003e\u0027, \u0027\u003cAccount_UPNSuffix\u003e\u0027)\",\"inputFields\":[\"accountName\",\"upnSuffix\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"name\":\"8a697f4c-04af-4198-a6d3-ce5dc3acc8dd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User account successful 
logons\",\"queryTemplate\":\"let GetAllLogonsForUser = (v_Account_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| extend v_Account_Name = case(\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\n\\t\\t\\t\\t\\t\\t\\tv_Account_Name\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4624\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where tolower(Account) contains tolower(v_Account_Name)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027Account\u0027, Account, \u0027LogonTypeName\u0027, LogonTypeName, \u0027SubStatus\u0027, SubStatus, \u0027AccountType\u0027, AccountType, \u0027WorkstationName\u0027, WorkstationName, \u0027IpAddress\u0027, IpAddress)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTime asc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllLogonsForUser(tolower(\u0027\u003caccountName\u003e\u0027))\",\"inputFields\":[\"accountName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Account\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"name\":\"62527635-bc5a-4233-bb93-e4eb4e60bb70\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts where this file was mentioned\",\"queryTemplate\":\"let GetFilesHost = (v_File_Name:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_min_TimeGenerated desc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetFilesHost(\u0027\u003cfileName\u003e\u0027)\",\"inputFields\":[\"fileName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"File\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"name\":\"4e0d1f17-e3a9-4c1a-aa7d-3842828c10a2\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2Host = (v_Host_HostName:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, 
IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress,Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2Host(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"name\":\"cc942838-2ce5-4a05-8bf9-25a00102a7b7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this Host\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetHost2IP = (v_Host_HostName: string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceName == v_Host_HostName or ServerDeviceName == v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceName == v_Host_HostName, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), 
\\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by 
IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetHost2IP(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"name\":\"98b2ce21-167d-43bd-a496-9f2c85c5f95b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts with several failed logins immediately followed by a successful login\",\"queryTemplate\":\"let BRUTEFORCE_THRESHOLD = 10;\\n\\t\\t\\t\\t\\t\\t\\tlet SuccessfulLoginEventId = 4624;\\n\\t\\t\\t\\t\\t\\t\\tlet FailedLoginEventId = 4625;\\n\\t\\t\\t\\t\\t\\t\\tlet AccountsPossibleSuccessfulBruteForce = (v_Host_HostName:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_HostName=tostring(split(v_Host_HostName,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend p_Host_DnsDomain=case (isnotempty(v_Host_DnsDomain),v_Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t ,v_Host_HostName has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t , \u0027\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName=tostring(split(Computer,\u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_DnsDomain=iff(Computer has \u0027.\u0027, extract(@\u0027\\\\.(.+$)\u0027,1,Computer) ,\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| where p_Host_HostName=~Host_HostName and (isempty(p_Host_DnsDomain) or isempty(Host_DnsDomain) or p_Host_DnsDomain=~Host_DnsDomain)\\n\\t\\t\\t\\t\\t\\t\\t| extend Fails = (EventID == FailedLoginEventId), Success = (EventID == 
SuccessfulLoginEventId)\\n\\t\\t\\t\\t\\t\\t\\t| extend Account = tolower(Account)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_SuccessPerMin = countif(Success), Account_Aux_FailPerMin = countif(Fails) by Account, bin(TimeGenerated, 1m) \\n\\t\\t\\t\\t\\t\\t\\t| where Account_Aux_FailPerMin\\t\u003e BRUTEFORCE_THRESHOLD and Account_Aux_SuccessPerMin \u003e 0\\n\\t\\t\\t\\t\\t\\t\\t| extend EventData = pack(\u0027FailPerMin\u0027,Account_Aux_FailPerMin, \u0027SuccessPerMin\u0027, Account_Aux_SuccessPerMin, \u0027Time\u0027, TimeGenerated )\\n\\t\\t\\t\\t\\t\\t\\t| summarize Max = max(Account_Aux_FailPerMin), Account_Aux_EventsData=makeset(EventData) by Account\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Max\\n\\t\\t\\t\\t\\t\\t\\t| parse Account with Account_NTDomain \u0027\\\\\\\\\u0027 *\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@.*)?$\u0027,2,Account), \\n\\t\\t\\t\\t\\t\\t\\t Account_UPNSuffix = extract(@\u0027^([^\\\\\\\\]*\\\\\\\\)?([^@]+)(@(.*))?$\u0027,4,Account)\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_NTDomain, Account_UPNSuffix, Account_Aux_EventsData\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountsPossibleSuccessfulBruteForce(\u0027\u003chostName\u003e\u0027, \u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"name\":\"bb6100ee-ae38-41b5-8457-88d503a3bf8f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithHost = 
(v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName , LocalIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"name\":\"8c00a2a0-43d3-45a9-aa2e-f73deb0abfbb\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Computer\u0027, Computer, \u0027LocalIP\u0027, 
LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Min_SessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_Min_SessionStartTime, ProcessName, RemoteIP, IP_Aux_info, Process_Aux_info, Process_ProcessId=tostring(ProcessID)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"IP\",\"Process\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/ea747f91-23f9-425a-baa8-628f30193888\",\"name\":\"ea747f91-23f9-425a-baa8-628f30193888\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent processes for this host\",\"queryTemplate\":\"let GetSysLogEventsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where Computer has v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(EventTime), Process_Aux_EndTime=max(EventTime), count(), Process_Aux_info = makeset(info) by Computer, ProcessName, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, 
Process_Host_UnstructuredName=Computer, Process_ProcessId=tostring(ProcessID), Process_ImageFile_FullPath=ProcessName, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"name\":\"07da3cc8-c8ad-4710-a44e-334cdcb7882b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Parent processes running on host\",\"queryTemplate\":\"let GetParentProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688 \\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ParentProcessName)\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 
and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where(ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027EventID\u0027, EventID, \u0027TargetAccount\u0027, TargetAccount)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Process_Aux_info = makeset(info) by Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Account, Computer, ParentProcessName, NewProcessName, CommandLine, ProcessId, Process_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName, Process_ParentProcess_ImageFile_FullPath=ParentProcessName, Process_Aux_StartTime = min_TimeGenerated, Process_Aux_EndTime= max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime 
asc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetParentProcessesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9d7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9d7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes on Host blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsigned = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where v_Host_HostName =~ tostring(split(DeviceName, \u0027.\u0027)[0])\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_Count desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsigned(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/d3393571-0533-4127-bfe1-6b1de4ab126e\",\"name\":\"d3393571-0533-4127-bfe1-6b1de4ab126e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes running on 
Host\",\"queryTemplate\":\"let GetActiveProcessesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\csc.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework64\\\\\\\\v2.0.50727\\\\\\\\cvtres.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and NewProcessName!contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027 and ParentProcessName !contains \u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t and ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027 and (NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027 or NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| where (ParentProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\u0027 and NewProcessName !contains \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| where toupper(Computer) 
contains v_Host_HostName or toupper(WorkstationName) contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_StartTime=min(TimeGenerated), Process_Aux_EndTime=max(TimeGenerated) by Computer, Account, NewProcessName, CommandLine, ProcessId, ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_StartTime, Process_Aux_EndTime, Computer, Account, NewProcessName, CommandLine, ProcessId, Process_ParentProcess_ImageFile_FullPath=ParentProcessName\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=Account, Process_CommandLine=CommandLine, Process_ProcessId=ProcessId, Process_ImageFile_FullPath=NewProcessName\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_Aux_StartTime desc\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetActiveProcessesOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"name\":\"6537a8c3-a269-4b2f-8c70-3824c23fef7b\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Services created on host\",\"queryTemplate\":\"let GetServiceCreationsOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tEvent \\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 7045\\n\\t\\t\\t\\t\\t\\t\\t| where Computer =~ v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend EventDataParse = parse_xml(EventData)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_ServiceName = tostring(EventDataParse.DataItem.EventData.Data[0][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ImagePath = tostring(EventDataParse.DataItem.EventData.Data[1][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend 
ServiceType = tostring(EventDataParse.DataItem.EventData.Data[2][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend StartType = tostring(EventDataParse.DataItem.EventData.Data[3][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend ServiceAccount = tostring(EventDataParse.DataItem.EventData.Data[4][\u0027#text\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| where ImagePath !has \u0027\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Definition Updates\\\\\\\\\u0027 \\n\\t\\t\\t\\t\\t\\t\\tand ImagePath !has \u0027\\\\\\\\Packages\\\\\\\\Plugins\\\\\\\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\\\\\\\\u0027\\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\Telemetry\\\\\\\\WindowsAzureTelemetryService.exe\u0027) \\n\\t\\t\\t\\t\\t\\t\\tand not(ImagePath has \u0027\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027 and ImagePath has \u0027\\\\\\\\GuestAgent\\\\\\\\WindowsAzureGuestAgent.exe\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Service_info = pack(\u0027ServiceName\u0027, Process_Aux_ServiceName, \u0027ServiceType\u0027, ServiceType, \u0027StartType\u0027, StartType, \u0027ServiceAccount\u0027, ServiceAccount)\\n\\t\\t\\t\\t\\t\\t\\t| project TimeGenerated, Computer, UserName, Process_Aux_ServiceName, ImagePath, Process_Aux_Service_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Process_Host_UnstructuredName=Computer, Process_Account_UnstructuredName=UserName, Process_ImageFile_FullPath=ImagePath, Process_CreationTimeUtc=TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Process_CreationTimeUtc desc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetServiceCreationsOnHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"Event\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/3aed43db-e358-4952-a5cd-a10f00d90af4\",\"name\":\"3aed43db-e358-4952-a5cd-a10f00d90af4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"User accounts created or deleted on host\",\"queryTemplate\":\"let GetAccountChangesOnHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4720 or EventID == 4726\\n\\t\\t\\t\\t\\t\\t\\t| where AccountType == \u0027User\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where Computer contains v_Host_HostName or WorkstationName contains v_Host_HostName\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027TargetAccount\u0027, TargetAccount, \u0027SubjectAccount\u0027, SubjectAccount, \u0027Activity\u0027, Activity)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_info = makeset(info) by Computer, TargetAccount\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime=min_TimeGenerated, Account_Aux_EndTime=max_TimeGenerated, Account_Host_UnstructuredName=Computer, Account_UnstructuredName=TargetAccount, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTime asc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountChangesOnHost(toupper(\u0027\u003chostName\u003e\u0027))\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"name\":\"37fdc179-d35c-4dcd-b6ff-6cf02248d8f9\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts which logged onto this host and their IPs\",\"queryTemplate\":\"let GetAccountsFromHost = (v_Host_HostName:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(DeviceDetail.displayName))\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteHost == tolower(v_Host_HostName)\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser), TrustType = tostring(DeviceDetail.trustType)\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend Latitude = tostring(LocationDetails.geoCoordinates.latitude), Longitude = tostring(LocationDetails.geoCoordinates.longitude)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027UserPrincipalName\u0027, UserPrincipalName, \u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize 
min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_info = Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, IPAddress, State, City, Latitude, Longitude, Account_Aux_info, IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_StartTimeUtc desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserDisplayName, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS, IP_Address=IPAddress, IP_Location_State=State, IP_Location_City=City, IP_Location_Latitude=Latitude, IP_Location_Longitude=Longitude\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAccountsFromHost(\u0027\u003chostName\u003e\u0027)\",\"inputFields\":[\"hostName\"],\"outputEntityTypes\":[\"Account\",\"IP\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"name\":\"b8de20fa-d96e-4fe0-84b3-8477ca29b04a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Accounts triggering Microsoft Defender Application Control\",\"queryTemplate\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\n\\t\\t\\t\\t\\t\\t\\tlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n\\t\\t\\t\\t\\t\\t\\t 
[\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlExecutableClocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n\\t\\t\\t\\t\\t\\t\\t ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType in (AppControls) \\n\\t\\t\\t\\t\\t\\t\\t| where DeviceName ==p_FullDeviceName\\n\\t\\t\\t\\t\\t\\t\\t| parse InitiatingProcessAccountUpn with Account_Name \u0027@\u0027 Account_UPNSuffix\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_Sid=InitiatingProcessAccountSid\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_AppConCount=count() by Account_Name, Account_UPNSuffix, Account_Sid\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_AppConCount desc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAppControlEvents(\u0027\u003chostName\u003e\u0027,\u0027\u003cntDomain\u003e\u0027,\u0027\u003cdnsDomain\u003e\u0027)\",\"inputFields\":[\"hostName\",\"dnsDomain\",\"ntDomain\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Host\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"name\":\"b66111f6-42ff-4f5a-8e3e-66ca1a71a758\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2Host = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = 
tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = 
make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2Host(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"name\":\"b7bd2812-f485-4430-bfac-6b0a1dd4c3f7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IP Address\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIP2IP = (v_IP_Address:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = 
todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientIpAddress == v_IP_Address or ServerIpAddress == v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientIpAddress == v_IP_Address, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = 
iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort, Direction\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by IoTDevice_DeviceId = DeviceGUID, IoTDevice_IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IoTDevice_IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIP2IP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"name\":\"37ca3555-c135-4a73-a65e-9c1d00323f5d\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The least active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ 
v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/97a1d515-abf2-4231-9a35-985f9de0bb91\",\"name\":\"97a1d515-abf2-4231-9a35-985f9de0bb91\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"The most active accounts on Azure from this IP\",\"queryTemplate\":\"let AccountActivity_byIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tAzureActivity\\n\\t\\t\\t\\t\\t\\t\\t| where Caller != \u0027\u0027 and CallerIpAddress =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Account_Aux_StartTime = min(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Account_Aux_EndTime = max(TimeGenerated), \\n\\t\\t\\t\\t\\t\\t\\t Count = count() by \\n\\t\\t\\t\\t\\t\\t\\t Caller, TenantId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Count desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| extend UPN = iff(Caller 
contains \u0027@\u0027, Caller, \u0027\u0027), Account_AadUserId = toguid(iff(Caller !contains \u0027@\u0027, Caller,\u0027\u0027))\\n\\t\\t\\t\\t\\t\\t\\t| extend Account_Name = split(UPN,\u0027@\u0027)[0] , Account_UPNSuffix = split(UPN,\u0027@\u0027)[1]\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Name, Account_UPNSuffix, Account_AadUserId, Account_AadTenantId=TenantId, Account_Aux_StartTime , Account_Aux_EndTime \\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tAccountActivity_byIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"AzureActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/aa497951-c779-4ea2-be2a-127ea66c5fba\",\"name\":\"aa497951-c779-4ea2-be2a-127ea66c5fba\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the least amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived asc nulls 
last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"name\":\"73fb9b8d-fd13-4c43-8136-6d693cafaa23\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts receiving the most amount of data from this IP\",\"queryTemplate\":\"let HostsReceivingDatafromIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| parse Computer with HostName \u0027.\u0027 Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = iff(Computer has \u0027.\u0027, HostName, Computer)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesReceived = sum(ReceivedBytes), Host_Aux_LocalIPs=make_set(LocalIP) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesReceived desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsReceivingDatafromIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/ab597a67-352e-4914-b2e6-d64919a910a8\",\"name\":\"ab597a67-352e-4914-b2e6-d64919a910a8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the 
least amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"name\":\"5b57680b-d60a-42a5-9cd5-17e499834f8e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Hosts sending the most amount of data to this IP\",\"queryTemplate\":\"let HostsSendingDatatoIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where SessionState == \u0027Disconnected\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_BytesSent = sum(SentBytes) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_BytesSent desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_LocalIP=LocalIP 
\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tHostsSendingDatatoIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/980762f8-014e-4439-8840-5f0a90285dce\",\"name\":\"980762f8-014e-4439-8840-5f0a90285dce\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Destination IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedDestIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and SourceIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize DropCount = count(), Ports = makeset(DestinationPort) by DestinationIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by array_length(Ports), DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address = DestinationIP, IP_Aux_DropCount = DropCount, IP_Aux_DroppedSessionPorts = Ports\\n\\t\\t\\t\\t\\t\\t\\t| project-away 
rn\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedDestIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/935ab312-cb52-42a5-b296-548f21786102\",\"name\":\"935ab312-cb52-42a5-b296-548f21786102\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Source IPs with the greatest number of dropped sessions\",\"queryTemplate\":\"let MostDroppedSourceIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWindowsFirewall\\n\\t\\t\\t\\t\\t\\t\\t| where FirewallAction == \u0027DROP\u0027\\n\\t\\t\\t\\t\\t\\t\\t and DestinationIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| summarize IP_Aux_DropCount = count(), IP_Aux_DestPorts = makeset(DestinationPort) by SourceIP\\n\\t\\t\\t\\t\\t\\t\\t| sort by IP_Aux_DropCount\\n\\t\\t\\t\\t\\t\\t\\t| serialize rn=row_number()\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by rn asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = SourceIP, IP_Aux_DropCount, IP_Aux_DestPorts\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tMostDroppedSourceIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"WindowsFirewall\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/588f5d9f-3380-4eff-9983-e61d62fdd172\",\"name\":\"588f5d9f-3380-4eff-9983-e61d62fdd172\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Office activity accounts with this IP\",\"queryTemplate\":\"let 
GetAllAccountByIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tOfficeActivity \\n\\t\\t\\t\\t\\t\\t\\t| where ClientIP =~ v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ClientIP\u0027, ClientIP, \u0027UserType\u0027, UserType, \u0027Operation\u0027, Operation, \u0027OfficeWorkload\u0027, OfficeWorkload, \u0027ResultStatus\u0027, ResultStatus)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Account_Aux_Count=count(), Account_Aux_info = makeset(info) by UserId\\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, UserId, Account_Aux_Count, Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Account_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetAllAccountByIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"OfficeActivity\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/801bacb0-612a-4195-a84f-7939cca63b92\",\"name\":\"801bacb0-612a-4195-a84f-7939cca63b92\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t 
};\\n\\t\\t\\t\\t\\t\\t\\t GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/188ff904-e3c3-4253-9326-e0190b4b7a01\",\"name\":\"188ff904-e3c3-4253-9326-e0190b4b7a01\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithIp = (v_IPAddress:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027 \\n\\t\\t\\t\\t\\t\\t\\t| where RemoteIP has v_IPAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Process_Aux_EarliestSessionStartTime=min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, ProcessName , LocalIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Process_Aux_EarliestSessionStartTime, Computer, ProcessName , LocalIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Process_ImageFile_FullPath=ProcessName, 
Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/897267e4-68e1-4827-b318-7fb055b52fc0\",\"name\":\"897267e4-68e1-4827-b318-7fb055b52fc0\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithIp = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where LocalIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize count(), IP_Aux_info = makeset(info) by Computer, ProcessName, RemoteIP, ProcessID\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_info = IP_Aux_info, Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project Computer, ProcessName, RemoteIP, Process_ProcessId=tostring(ProcessID), IP_Aux_info, Process_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Process_ImageFile_FullPath=ProcessName, 
Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithIp(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\",\"Process\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"name\":\"fdb3e714-c036-4708-a0eb-6ae10a1912a1\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent accounts associated with this IP\",\"queryTemplate\":\"let GetLeastPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, 
AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };\\n\\t\\t\\t\\t\\t\\t\\tGetLeastPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"name\":\"0cb64e03-8534-47b6-9094-7de2d018fd7a\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent client IPs with DNS name lookup query for this IP\",\"queryTemplate\":\"let GetAllIPByClientIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\t _Im_Dns(response_has_ipv4=v_IP_Address)\\n\\t\\t\\t\\t\\t\\t\\t | extend IP_Address=SrcIpAddr\\n\\t\\t\\t\\t\\t\\t\\t | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated), IP_Aux_DomainNames=make_set(DnsQuery), IP_Aux_Count= count() by IP_Address\\n\\t\\t\\t\\t\\t\\t\\t | top 10 by IP_Aux_Count desc nulls last\\n\\t\\t\\t\\t\\t\\t\\t };\\n\\t\\t\\t\\t\\t\\t\\t 
GetAllIPByClientIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"DnsEvents\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/41146c58-ffc6-47ff-975e-f85013629dfd\",\"name\":\"41146c58-ffc6-47ff-975e-f85013629dfd\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent Linux hosts with this IP\",\"queryTemplate\":\"let GetSysLogEventsWithIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where HostIP has v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SeverityLevel\u0027, SeverityLevel)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"name\":\"bc6c7cc9-da18-4afd-8fda-d201f13b54a4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most prevalent accounts associated with this 
IP\",\"queryTemplate\":\"let GetMostPrevUsersbyIP = (v_IP_Address:string){\\n\\t\\t\\t\\t\\t\\t\\tSigninLogs\\n\\t\\t\\t\\t\\t\\t\\t| where IPAddress contains v_IP_Address\\n\\t\\t\\t\\t\\t\\t\\t| extend RemoteHost = tolower(tostring(parse_json(DeviceDetail[\u0027displayName\u0027])))\\n\\t\\t\\t\\t\\t\\t\\t| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\\n\\t\\t\\t\\t\\t\\t\\t| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027AppDisplayName\u0027, AppDisplayName, \u0027ClientAppUsed\u0027, ClientAppUsed, \u0027Browser\u0027, tostring(Browser), \u0027IPAddress\u0027, IPAddress, \u0027ResultType\u0027, ResultType, \u0027ResultDescription\u0027, ResultDescription, \u0027Location\u0027, Location, \u0027State\u0027, State, \u0027City\u0027, City, \u0027StatusCode\u0027, StatusCode, \u0027StatusDetails\u0027, StatusDetails)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ desc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, 
Account_Host_OSVersion=OS\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetMostPrevUsersbyIP(\u0027\u003caddress\u003e\u0027)\",\"inputFields\":[\"address\"],\"outputEntityTypes\":[\"Account\"],\"dataSources\":[\"SigninLogs\"],\"inputEntityType\":\"IP\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f87b2afb-068f-4734-88a0-94560309f9c7\",\"name\":\"f87b2afb-068f-4734-88a0-94560309f9c7\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Processes blocked from loading non-Microsoft-signed binaries\",\"queryTemplate\":\"let BlockedUnsignedFile = (v_Process_ProcessId:int, v_Process_ImageFile:string){\\n\\t\\t\\t\\t\\t\\t\\tlet p_Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tDeviceEvents\\n\\t\\t\\t\\t\\t\\t\\t| where ActionType == \\\"ExploitGuardNonMicrosoftSignedBlocked\\\" and FileName !hassuffix \\\".ni.dll\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where InitiatingProcessId == v_Process_ProcessId and InitiatingProcessFileName =~ p_Process_ImageFile_Name\\n\\t\\t\\t\\t\\t\\t\\t| summarize Count=count() by FileName\\n\\t\\t\\t\\t\\t\\t\\t| top 15 by Count desc\\n\\t\\t\\t\\t\\t\\t\\t| project 
File_Name=FileName\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tBlockedUnsignedFile(\u0027\u003cv_Process_ProcessId\u003e\u0027,\u0027\u003cv_Process_ImageFile\u003e\u0027)\",\"inputFields\":[\"processId\",\"ImageFile\"],\"outputEntityTypes\":[\"File\"],\"dataSources\":[\"DeviceEvents\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/77f9839a-1c03-49e2-803e-72b97042fc05\",\"name\":\"77f9839a-1c03-49e2-803e-72b97042fc05\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent inbound WireData connections\",\"queryTemplate\":\"let GetWireDataInboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Inbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027RemoteIP\u0027, RemoteIP, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, LocalIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc\\n\\t\\t\\t\\t\\t\\t\\t| project 
min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataInboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/def383f2-dff3-4f5b-9416-aca8dca39812\",\"name\":\"def383f2-dff3-4f5b-9416-aca8dca39812\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent Linux hosts with this process\",\"queryTemplate\":\"let GetSysLogEventsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSyslog\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027HostName\u0027, HostName, \u0027HostIP\u0027, HostIP, \u0027ProcessName\u0027, ProcessName, \u0027SyslogMessage\u0027, SyslogMessage)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ asc nulls last \\n\\t\\t\\t\\t\\t\\t\\t| project Host_Aux_StartTime=min_EventTime, 
Host_Aux_EndTime=max_EventTime, Computer, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetSysLogEventsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"Syslog\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/39df618a-684d-402d-b096-6f505a8e741e\",\"name\":\"39df618a-684d-402d-b096-6f505a8e741e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Least prevalent outbound WireData connections\",\"queryTemplate\":\"let GetWireDataOutboundWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tWireData\\n\\t\\t\\t\\t\\t\\t\\t| where Direction == \u0027Outbound\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where ProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027ProcessName\u0027, ProcessName, \u0027LocalIP\u0027, LocalIP, \u0027LocalPortNumber\u0027, LocalPortNumber, \u0027Direction\u0027, Direction, \u0027ApplicationProtocol\u0027, ApplicationProtocol)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(SessionStartTime), count(), IP_Aux_info = makeset(info) by Computer, RemoteIP\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_Aux_info = IP_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by count_ 
asc\\n\\t\\t\\t\\t\\t\\t\\t| project min_SessionStartTime, Computer, RemoteIP, IP_Aux_info, Host_Aux_info\\n\\t\\t\\t\\t\\t\\t\\t| project-rename IP_Address=RemoteIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetWireDataOutboundWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"IP\",\"Host\"],\"dataSources\":[\"WireData\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"name\":\"e32a48a9-bf82-4cec-ba94-9ec406a69ef8\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"10 most recent VM configuration changes based on process\",\"queryTemplate\":\"let exclude = dynamic([\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wuauclt.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\GuestAgent_\u0027, \u0027:\\\\\\\\WindowsAzure\\\\\\\\WindowsAzureNetAgent_\u0027, \\n\\t\\t\\t\\t\\t\\t\\t\u0027:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\\u0027, \u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\u0027, \u0027\\\\\\\\MpSigStub.exe\u0027,\u0027:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\trustedinstaller.exe\u0027, 
\u0027:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\u0027, \u0027:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\u0027\\n\\t\\t\\t\\t\\t\\t\\t\\\"HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\\\\"]);\\n\\t\\t\\t\\t\\t\\t\\tlet ConfigChange = (v_Process_ImageFile:string ) \\n\\t\\t\\t\\t\\t\\t\\t{let Process_ImageFile_Name = tostring(parse_json(v_Process_ImageFile)[\u0027Name\u0027]);\\n\\t\\t\\t\\t\\t\\t\\tConfigurationChange\\n\\t\\t\\t\\t\\t\\t\\t| where ConfigChangeType != \\\"Software\\\"\\n\\t\\t\\t\\t\\t\\t\\t| where isnotempty(ValueData) or isnotempty(SvcPath) or isnotempty(FileSystemPath)\\n\\t\\t\\t\\t\\t\\t\\t| extend Process = case(\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and (ValueData has \\\".exe\\\" or ValueData has \\\".bat\\\" or ValueData has \\\".cmd\\\"), ValueData,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"WindowsServices\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ((FileSystemPath has \\\".exe\\\" or FileSystemPath has \\\".bat\\\" or FileSystemPath has \\\".cmd\\\") or FileSystemPath has \u0027/\u0027), FileSystemPath,\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Daemons\\\", SvcPath,\\n\\t\\t\\t\\t\\t\\t\\t\\\"ProcessNotAvailable\\\"\\n\\t\\t\\t\\t\\t\\t\\t)\\n\\t\\t\\t\\t\\t\\t\\t| where not(Process has_any (exclude)) and (Process !has \u0027:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework\u0027 and not(Process has_any (\u0027\\\\\\\\ngentask.exe\u0027, \u0027\\\\\\\\ngen.exe\u0027)))\\n\\t\\t\\t\\t\\t\\t\\t| where iff(Process_ImageFile_Name == \\\"\\\", false, Process has Process_ImageFile_Name) \\n\\t\\t\\t\\t\\t\\t\\t| parse FileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| parse PreviousFileContentChecksum with * \\\"Hash=\\\" Hash \\\" \\\" *\\n\\t\\t\\t\\t\\t\\t\\t| extend Changes = case( \\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == 
\\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\t ConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"ValueData\\\", ValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Registry\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"RegistryKey\\\" , RegistryKey, \\\"ValueName\\\", ValueName, \\\"PreviousValueData\\\", PreviousValueData),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Path\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcPreviousPath\\\", SvcPreviousPath),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"Runlevels\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcRunlevels\\\", SvcRunlevels,\\\"SvcPreviousRunlevels\\\", SvcPreviousRunlevels),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", 
ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Modified\\\" and SvcChangeType == \\\"State StartupType\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcChangeType\\\", SvcChangeType, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcStartupType\\\", SvcStartupType, \\\"SvcPreviousStartupType\\\", SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPath\\\", SvcPath, \\\"SvcState\\\", SvcState, \\\"SvcStartupType\\\", SvcStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType in (\\\"WindowsServices\\\",\\\"Daemons\\\") and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"SvcName\\\", SvcName, \\\"SvcPreviousPath\\\", SvcPreviousPath, \\\"SvcPreviousState\\\", SvcPreviousState, \\\"SvcPreviousStartupType\\\", 
SvcPreviousStartupType),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Added\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", DateCreated, \\\"DateModified\\\", DateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Removed\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\tConfigChangeType == \\\"Files\\\" and ChangeCategory == \\\"Modified\\\", \\n\\t\\t\\t\\t\\t\\t\\t pack(\\\"ConfigChangeType\\\", ConfigChangeType, \\\"ChangeCategory\\\", ChangeCategory, \\\"FileSystemPath\\\", FileSystemPath, \\\"FieldsChanged\\\", FieldsChanged, \\\"DateCreated\\\", PreviousDateCreated, \\\"DateModified\\\", PreviousDateModified, \\\"Hash\\\", Hash),\\n\\t\\t\\t\\t\\t\\t\\t\\\"\\\")\\n\\t\\t\\t\\t\\t\\t\\t| extend Host_HostName = tostring(split(Computer, \\\".\\\")[0]), Host_DnsDomain = strcat_array(array_slice(split(Computer,\u0027.\u0027),1,256),\u0027.\u0027)\\n\\t\\t\\t\\t\\t\\t\\t| summarize Host_Aux_StartTimeUtc = min(TimeGenerated), Host_Aux_EndTimeUtc = max(TimeGenerated), Host_Aux_ConfigChangeDetail = makeset(Changes) by Host_HostName, Host_DnsDomain\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_StartTimeUtc 
desc};\\n\\t\\t\\t\\t\\t\\t\\tConfigChange(\u0027\u003cImageFile\u003e\u0027)\",\"inputFields\":[\"ImageFile\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"ConfigurationChange\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0880a6d7-d914-40f6-91bc-150de4810e4e\",\"name\":\"0880a6d7-d914-40f6-91bc-150de4810e4e\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Windows hosts with this process\",\"queryTemplate\":\"let GetHostsWithProcess = (v_Process_CommandLine:string){\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath = tostring(split(v_Process_CommandLine, \u0027 \u0027)[0]);\\n\\t\\t\\t\\t\\t\\t\\tlet tempFullPath2 = iff(tempFullPath startswith \u0027\\\"\u0027, substring(tempFullPath, 1, strlen(tempFullPath)-2), tempFullPath);\\n\\t\\t\\t\\t\\t\\t\\tlet v_Process_ImageFile_FullPath = iff(tempFullPath2 startswith \u0027\\\\\\\\??\\\\\\\\\u0027, substring(tempFullPath2, 4, strlen(tempFullPath2)-1), tempFullPath2);\\n\\t\\t\\t\\t\\t\\t\\tSecurityEvent\\n\\t\\t\\t\\t\\t\\t\\t| where EventID == 4688\\n\\t\\t\\t\\t\\t\\t\\t| where NewProcessName has v_Process_ImageFile_FullPath\\n\\t\\t\\t\\t\\t\\t\\t| extend info = pack(\u0027Account\u0027, Account, \u0027NewProcessName\u0027, NewProcessName, \u0027CommandLine\u0027, CommandLine)\\n\\t\\t\\t\\t\\t\\t\\t| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId\\n\\t\\t\\t\\t\\t\\t\\t| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by min_TimeGenerated asc nulls last\\n\\t\\t\\t\\t\\t\\t\\t| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, 
Host_Aux_EndTime=max_TimeGenerated\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tGetHostsWithProcess(\u0027\u003ccommandLine\u003e\u0027)\",\"inputFields\":[\"commandLine\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityEvent\"],\"inputEntityType\":\"Process\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"name\":\"c07c8936-d2a7-41a7-97d2-d3afdf267da4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - Hosts communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2Host = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceName = 
tostring(todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceName = tostring(todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceName)\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == \\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceName = iff(Direction == \\\"Outbound\\\", ServerDeviceName, ClientDeviceName),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = 
make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, DeviceName, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| extend TotalBandwidth_MB = floor(todecimal(TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| project Host_HostName = DeviceName, Host_Aux_IpAddress = IpAddress, Host_Aux_Type = IoTDevice_DeviceType, Host_Aux_LastActivity = LastActivity, Host_Aux_Protocols = Protocols, Host_Aux_ServerPorts = ServerPorts, Host_Aux_TotalBandwidth_MB = TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by Host_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2Host(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"Host\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"name\":\"f1cce474-7a4f-435c-a7ee-3d5a800a6df4\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"DefenderForIoT - IP Addresses communicating the most amount of data with this IoT Device\",\"queryTemplate\":\"let ConnectionData_DefenderForIoT_GetIoTDevice2IP = (v_IoTDevice_DeviceId:string) {\\n\\t\\t\\t\\t\\t\\t\\tlet connectionData = SecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceType = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceId = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientIpAddress = todynamic(extractjson(\\\"$ClientDevice\\\", 
EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientisExternal = todynamic(extractjson(\\\"$ClientDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceType = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceType\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDeviceId = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).deviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerIpAddress = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).ipAddress\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerisExternal = todynamic(extractjson(\\\"$ServerDevice\\\", EventDetails)).isExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend Bandwidth = todynamic(extractjson(\\\"$Bandwidth\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend LastActivity = todynamic(extractjson(\\\"$LastActivity\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend Protocol = todynamic(extractjson(\\\"$Protocol\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerDevice = extractjson(\\\"$ServerDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend ServerPort = todynamic(extractjson(\\\"$ServerPort\\\", EventDetails))\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDevice = extractjson(\\\"$ClientDevice\\\", EventDetails)\\n\\t\\t\\t\\t\\t\\t\\t| extend SensorId = DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend ClientDeviceGUID = strcat(SensorId, \\\"_\\\", ClientDeviceId), ServerDeviceGUID = strcat(SensorId, \\\"_\\\", ServerDeviceId);\\n\\t\\t\\t\\t\\t\\t\\tconnectionData\\n\\t\\t\\t\\t\\t\\t\\t| where ClientDeviceGUID == v_IoTDevice_DeviceId or ServerDeviceGUID == v_IoTDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Direction = iff(ClientDeviceGUID == v_IoTDevice_DeviceId, \\\"Outbound\\\", \\\"Inbound\\\")\\n\\t\\t\\t\\t\\t\\t\\t| project DeviceGUID = iff(Direction == \\\"Outbound\\\", ServerDeviceGUID, ClientDeviceGUID), \\n\\t\\t\\t\\t\\t\\t\\tDeviceType = iff(Direction == \\\"Outbound\\\", ServerDeviceType, ClientDeviceType),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIp = iff(Direction == 
\\\"Outbound\\\", ServerIpAddress, ClientIpAddress),\\n\\t\\t\\t\\t\\t\\t\\tDeviceIsExternal = iff(Direction == \\\"Outbound\\\", ServerisExternal, ClientisExternal),\\n\\t\\t\\t\\t\\t\\t\\tSensorId, LastActivity = todatetime(LastActivity), Bandwidth = todouble(Bandwidth), Protocol, ServerPort\\n\\t\\t\\t\\t\\t\\t\\t| summarize TotalBandwidth = sum(Bandwidth), LastActivity = max(LastActivity), Protocols = make_set(Protocol), ServerPorts = make_set(ServerPort) by DeviceGUID, IpAddress = tostring(DeviceIp), IoTDevice_DeviceType = tostring(DeviceType), DeviceIsExternal = tostring(DeviceIsExternal)\\n\\t\\t\\t\\t\\t\\t\\t| project-rename TotalBandwidth_MB = TotalBandwidth\\n\\t\\t\\t\\t\\t\\t\\t| project IP_Address = IpAddress, IP_Aux_DeviceType = IoTDevice_DeviceType, IP_Aux_LastActivity = LastActivity, IP_Aux_Protocols = Protocols, IP_Aux_ServerPorts = ServerPorts, IP_Aux_TotalBandwidth_MB = TotalBandwidth_MB, IP_Aux_IsExternal = DeviceIsExternal\\n\\t\\t\\t\\t\\t\\t\\t| extend IP_Aux_TotalBandwidth_MB = floor(todecimal(IP_Aux_TotalBandwidth_MB / 1000), 0.1)\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by IP_Aux_TotalBandwidth_MB\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tConnectionData_DefenderForIoT_GetIoTDevice2IP(\u0027\u003cdeviceId\u003e\u0027)\",\"inputFields\":[\"deviceId\"],\"outputEntityTypes\":[\"IP\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"name\":\"1f3ecde7-5c69-4d44-ac93-5feac6d1cd2f\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Expansion\",\"properties\":{\"displayName\":\"Most frequent command executions on the device\",\"queryTemplate\":\"let Process_byIoTDevice = (v_IotDevice_DeviceId:string, 
v_IoTDevice_IoTHub:string){\\n\\t\\t\\t\\t\\t\\t\\tSecurityIoTRawEvent \\n\\t\\t\\t\\t\\t\\t\\t| where RawEventName =~ \u0027ProcessCreate\u0027\\n\\t\\t\\t\\t\\t\\t\\t| where AssociatedResourceId =~ parse_json(v_IoTDevice_IoTHub)[\u0027ResourceId\u0027] and DeviceId =~ v_IotDevice_DeviceId\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CommandLine = tostring(parse_json(EventDetails)[\u0027CommandLine\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ProcessId = tostring(parse_json(EventDetails)[\u0027ProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_ParentProcess_ProcessId = tostring(parse_json(EventDetails)[\u0027ParentProcessId\u0027])\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_CreationTimeUtc = TimeStamp\\n\\t\\t\\t\\t\\t\\t\\t| summarize procCount = count() by Process_CommandLine, Process_ProcessId, Process_ParentProcess_ProcessId, Process_CreationTimeUtc\\n\\t\\t\\t\\t\\t\\t\\t| top 10 by procCount\\n\\t\\t\\t\\t\\t\\t\\t| extend Process_Aux_Count = procCount\\n\\t\\t\\t\\t\\t\\t\\t| project-away procCount\\n\\t\\t\\t\\t\\t\\t\\t};\\n\\t\\t\\t\\t\\t\\t\\tProcess_byIoTDevice(\u0027\u003cdeviceId\u003e\u0027, \u0027\u003cIoTHub\u003e\u0027)\",\"inputFields\":[\"deviceId\",\"IoTHub\"],\"outputEntityTypes\":[\"Process\"],\"dataSources\":[\"SecurityIoTRawEvent\"],\"inputEntityType\":\"IoTDevice\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelEntityQuery+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "200" ], - "x-ms-client-request-id": [ "02e528c7-7971-4a86-9a7f-03105bcc360f" ], + "x-ms-unique-id": [ "199" ], + "x-ms-client-request-id": [ "e6f0b7db-1283-44b4-9e6f-50aed99b0ad3" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -64,36 +64,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], - "x-ms-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], - "x-ms-correlation-request-id": [ "6019dc0a-ab4e-4e02-a402-0623b982620a" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:6019dc0a-ab4e-4e02-a402-0623b982620a" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], + "x-ms-request-id": [ "659ad9d1-ba11-4159-9c16-96d69ae46497" ], + "x-ms-correlation-request-id": [ "659ad9d1-ba11-4159-9c16-96d69ae46497" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:659ad9d1-ba11-4159-9c16-96d69ae46497" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety 
of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "201" ], - "x-ms-client-request-id": [ "ea04149a-ed83-4baf-acf8-736472c4560b" ], + "x-ms-unique-id": [ "200" ], + "x-ms-client-request-id": [ "ca3cf826-7170-40bc-b0ca-7bf819f6cc8f" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -105,36 +105,36 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], - "x-ms-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], - "x-ms-correlation-request-id": [ "a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:a8f3f90f-88ca-46ea-928f-fd5ede3e8aa3" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], + "x-ms-request-id": [ "ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], + "x-ms-correlation-request-id": [ "ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:ff0b1bab-3289-40bd-a488-a8c23ec159e8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:57:45 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle 
variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityQuery+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "202" ], - "x-ms-client-request-id": [ "b6d33220-31bf-433b-a328-453bf3ad00ee" ], + "x-ms-unique-id": [ "201" ], + "x-ms-client-request-id": [ "27b71b02-e082-4fef-a923-2a770ba6ffbd" ], "CommandName": [ "Get-AzSentinelentityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], - "User-Agent": [ "AzurePowershell/Az4.0.0-preview" ], + "User-Agent": [ "AzurePowershell/v0.0.0", "PSVersion/v7.1.3", "Az.SecurityInsights/1.2.0" ], "Authorization": [ "[Filtered]" ] }, "ContentHeaders": { 
@@ -146,20 +146,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], - "x-ms-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], - "x-ms-correlation-request-id": [ "0841672c-7b3a-4843-ba83-3e237ad2cf37" ], - "x-ms-routing-request-id": [ "WESTUS2:20211212T015746Z:0841672c-7b3a-4843-ba83-3e237ad2cf37" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], + "x-ms-request-id": [ "54f244cd-5caf-4657-b1d8-e0e082daadfa" ], + "x-ms-correlation-request-id": [ "54f244cd-5caf-4657-b1d8-e0e082daadfa" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160720Z:54f244cd-5caf-4657-b1d8-e0e082daadfa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Sun, 12 Dec 2021 01:57:46 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstest91v7fr/providers/Microsoft.OperationalInsights/workspaces/asptest8xu4wd/providers/Microsoft.SecurityInsights/entityQueries/1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"name\":\"1a4fe801-0031-4965-a4a1-5c68929b6d76\",\"etag\":\"\\\"5001e9de-0000-0100-0000-61b5531f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle 
variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"lastModifiedTimeUtc\":\"2021-12-12T01:40:47.0564999Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"name\":\"5f4b614d-f1e7-46f5-a0f4-41e428c2237e\",\"etag\":\"\\\"0c00410f-0000-0100-0000-62fbbde70000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:55:19.0590224Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json index d0ba6c0baafa..8fbc2a62bf04 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityQueryTemplate.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "201" ], - "x-ms-client-request-id": [ "7d1ed0f0-2147-4db1-8419-7ad1d7cd487e" ], + "x-ms-unique-id": [ "202" ], + "x-ms-client-request-id": [ "bcf85ca0-1554-47cd-beb1-0954b8ba89f8" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11966" ], - "x-ms-request-id": [ "a9d33b1e-0d89-40ac-98fa-8ece51022f58" ], - "x-ms-correlation-request-id": [ "a9d33b1e-0d89-40ac-98fa-8ece51022f58" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183143Z:a9d33b1e-0d89-40ac-98fa-8ece51022f58" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], + "x-ms-request-id": [ "7b428a9a-eecf-45be-a006-30bd246b703a" ], + "x-ms-correlation-request-id": [ "7b428a9a-eecf-45be-a006-30bd246b703a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160724Z:7b428a9a-eecf-45be-a006-30bd246b703a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:42 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:24 GMT" ] }, "ContentHeaders": { "Content-Length": [ "191910" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = 
strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = 
Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset 
password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with 
userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "202" ], - "x-ms-client-request-id": [ "cb88b9be-dc63-421d-9e4b-2c9018c7be91" ], + "x-ms-unique-id": [ "203" ], + "x-ms-client-request-id": [ "193b8b1a-f0fa-4622-a86a-52814dcae365" ], "CommandName": [ "Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11965" ], - "x-ms-request-id": [ "269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], - "x-ms-correlation-request-id": [ "269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183146Z:269e98af-8375-48ac-a5f2-f9e5f910ec5f" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], + "x-ms-request-id": [ "f0002f43-7c08-4eeb-b796-e0af78396477" ], + "x-ms-correlation-request-id": [ "f0002f43-7c08-4eeb-b796-e0af78396477" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160726Z:f0002f43-7c08-4eeb-b796-e0af78396477" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:45 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "191910" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = 
strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = 
Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset 
password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with 
userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"name\":\"e0459780-ac9d-4b72-8bd4-fecf6b46a0a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has deleted an account\",\"content\":\"The user {{InitiatedByAccount}} has deleted the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account deletion events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string 
\u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"name\":\"ad1f4269-5418-4c46-a3b6-4ec01031de60\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has reset an account\u0027s password\",\"content\":\"The password for account {{TargetAccount}} was reset by the user {{InitiatedByAccount}} {{Count}} time(s)\",\"description\":\"This activity displays password reset events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse 
InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274724\u0027, \u00274723\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/fde1b9cc-9480-4418-ae21-91723d16b24d\",\"name\":\"fde1b9cc-9480-4418-ae21-91723d16b24d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was created\",\"content\":\"The user account {{TargetAccount}} was created\",\"description\":\"This activity displays the user account events for when it was created\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b15901ba-8679-4f6a-b312-722031ab58f2\",\"name\":\"b15901ba-8679-4f6a-b312-722031ab58f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account was deleted\",\"content\":\"The user account {{TargetAccount}} was deleted\",\"description\":\"This activity displays the user account events for when it was deleted\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = 
tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Delete user\u0027, \u00274726\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"name\":\"c07d1d02-0a06-455e-add9-12c5a5e426f3\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user account password was reset\",\"content\":\"The user account {{TargetAccount}} had a password reset\",\"description\":\"This activity displays the user account events for when the password was reset\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(TargetResources[0].userPrincipalName) or Account_AadUserId =~ tostring(TargetResources[0].id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend 
InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ TargetAccount or Account_Sid =~ TargetSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (by admin)\u0027, \u0027Reset password (self-service)\u0027, \u00274723\u0027, \u00274724\u0027) \\n| project TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"name\":\"5e9ecee5-e7a4-4a2a-94c4-9c0e22e1b673\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\" );\\nAuditLogs\\n| where OperationName == \\\"Consent to application\\\"\\n| extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\n| where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\nor (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\n| extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\n};\\nUserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, 
\u0027{{Account_AadUserId}}\u0027) \\n| project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cab4058a-0707-4a02-b76f-cf96270823ed\",\"name\":\"cab4058a-0707-4a02-b76f-cf96270823ed\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User performed operation on azure resource from IP\",\"content\":\"User performed operation {{OperationNameValue}} on azure resource: {{shortResourceId}} from IP {{Source_IP_Address}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s activities on Azure.\",\"queryDefinitions\":{\"query\":\"let AzureRunProcess = (Account_Name:string, Account_UPNSuffix:string,Account_AadUserId:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nAzureActivity\\n| where (isnotempty(Account_AadUserId) and Caller =~ Account_AadUserId) or Caller =~ upn\\n| where OperationNameValue contains \\\"Run Command on Virtual Machine\\\"\\n or (OperationNameValue == \\\"List Storage Account Keys\\\" and ActivityStatusValue == \\\"Succeeded\\\")\\n or OperationNameValue == \\\"Create or Update Virtual Machine\\\"\\n or OperationNameValue == \\\"Create Deployment\\\"\\n or OperationNameValue == \\\"Create role assignment\\\"\\n| project-rename Target_AzureResource_ResourceId = _ResourceId, Source_IP_Address = CallerIpAddress\\n| extend shortResourceId = tostring(split(ResourceId,\u0027/\u0027)[-1])\\n};\\nAzureRunProcess(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project 
Target_AzureResource_ResourceId, Source_IP_Address, shortResourceId, OperationNameValue, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"name\":\"febba410-e7d6-4c63-8fe5-2b93f448b7a1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a local privileged group\",\"content\":\"The user has added accounts to the local privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, 
\u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"name\":\"0e98c61c-6ae0-4e13-8071-d807dc25082a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to a domain privileged group\",\"content\":\"The user has added accounts to the domain privileged group, {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays the user that added accounts to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has 
\u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, 
SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0caf9819-3269-48ac-b162-eeee638e4aa9\",\"name\":\"0caf9819-3269-48ac-b162-eeee638e4aa9\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a local privileged group\",\"content\":\"This user was added to the local privileged group {{TargetAccount}}, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a local privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, 
v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and 
SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownLocalGroupSID | where TargetSid !in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"name\":\"d57681e4-18e6-459f-b61d-4d4a1f205b70\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a domain privileged group\",\"content\":\"This user was added to the domain privileged group {{TargetAccount}}\",\"description\":\"This activity displays that this user was added to a domain privileged group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName 
=~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid matches regex WellKnownDomainGroupSID \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"name\":\"5ae2baf4-de7b-40f0-a861-8852266bfcd0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added accounts to the Remote Desktop Users group\",\"content\":\"The user has added accounts to the {{TargetAccount}}, {{Count}} 
time(s)\",\"description\":\"This activity displays the user that added accounts to Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and 
MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == false and MemberNTDomainMatch == false) or MemberSidMatch == false) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"name\":\"60ef2e21-5f90-48bf-9bbc-d2a1829c3861\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to the Remote Desktop Users group\",\"content\":\"This user was added to the {{TargetAccount}} group\",\"description\":\"This activity displays that this user was added to the Remote Desktop group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, 
\u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, 
\u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and TargetSid in (\u0027S-1-5-32-555\u0027) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"name\":\"bf56473d-b9bd-4eb1-96d0-8569ec7a9003\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has added an account to a security group\",\"content\":\"The user has added {{MemberAdded}} to the {{TargetAccount}} group\",\"description\":\"This activity displays the user that added an account and the account that was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, 
\u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| 
extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, MemberAdded, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"name\":\"252c9ad7-2957-43cd-8f33-4ac4bb56e119\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"This user was added to a security group\",\"content\":\"This user was added to the {{TargetAccount}} group, {{Count}} time(s)\",\"description\":\"This activity displays that this user was added to a security group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalGroupSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownDomainGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForUser = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_SID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n| where AccountType =~ \u0027User\u0027\\n| extend Account_Name = case(\\n// Handles mixed use scenario of 
NTDomain\\\\AccountName@UPNSuffix\\nSubjectUserName has \u0027@\u0027 and SubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nSubjectUserName has \u0027@\u0027, tostring(split(SubjectUserName, \u0027@\u0027)[0]),\\nSubjectUserName has \u0027\\\\\\\\\u0027, tostring(split(SubjectUserName, \u0027\\\\\\\\\u0027)[1]),\\nSubjectUserName\\n)\\n| extend Account_NTDomain = case(\\nSubjectDomainName has \u0027\\\\\\\\\u0027, tostring(split(SubjectDomainName, \u0027\\\\\\\\\u0027)[0]),\\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nSubjectDomainName has \u0027@\u0027, tostring(split(tostring(split(SubjectDomainName, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nSubjectDomainName\\n)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName)\\n| extend MemberNameMatch = iff(isnotempty(v_Account_Name) and MemberAdded has v_Account_Name, true, false)\\n| extend MemberNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and MemberAdded has v_Account_NTDomain, true, false)\\n| extend MemberSidMatch = iff(isnotempty(v_Account_SID) and MemberSid =~ v_Account_SID, true, false)\\n| extend SubjectNameMatch = iff(isnotempty(v_Account_Name) and SubjectUserName =~ v_Account_Name, true, false)\\n| extend SubjectNTDomainMatch = iff(isnotempty(v_Account_NTDomain) and SubjectDomainName =~ v_Account_NTDomain, true, false)\\n| extend SubjectSidMatch = iff(isnotempty(v_Account_SID) and SubjectUserSid has v_Account_SID, true, false)\\n| where (MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true or (SubjectNameMatch == true and SubjectNTDomainMatch == true) or SubjectSidMatch == true \\n| project TimeGenerated, EventID, Activity, Computer, MemberName, MemberAdded, MemberSid, TargetAccount, TargetUserName, 
TargetDomainName, TargetSid, UserPrincipalName, SubjectAccount, SubjectDomainName, SubjectUserName, SubjectUserSid, WellKnownDomainGroupSID, WellKnownLocalGroupSID, \\nMemberNameMatch, MemberNTDomainMatch, MemberSidMatch, SubjectNameMatch, SubjectNTDomainMatch, SubjectSidMatch \\n| extend GroupName = TargetUserName, AddedBy = SubjectAccount\\n//support for Activities\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount\\n};\\nGetGroupAddForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_SID}}\u0027) \\n| where ((MemberNameMatch == true and MemberNTDomainMatch == true) or MemberSidMatch == true) and not(TargetSid matches regex WellKnownLocalGroupSID or TargetSid matches regex WellKnownDomainGroupSID) \\n| project SubjectAccount, TargetAccount, TargetSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_SID\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"name\":\"1f82f263-d694-469a-9717-1b3edf9d3bb2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user acted on another accounts mailbox\",\"content\":\"The user acted on mailbox {{MailboxOwnerUPN}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s activities on others\u0027 mailbox\",\"queryDefinitions\":{\"query\":\"let TLQ_UserActedOnForeignMailbox = (Account_Name:string, Account_UPNSuffix:string, account_sid:string){\\nlet account_upn = iff(Account_Name!=\\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n,strcat(Account_Name,\\\"@\\\",Account_UPNSuffix)\\n,\\\"\\\");\\nOfficeActivity\\n| where RecordType == 
\\\"ExchangeItem\\\" and UserType ==\\\"Regular\\\" and Operation !contains \\\"InboxRule\\\"\\n| where LogonUserSid != MailboxOwnerSid \\n| where ((account_sid != \\\"\\\" and LogonUserSid =~ account_sid)\\n or ( account_upn != \\\"\\\" and UserId =~ account_upn ))\\n};\\nTLQ_UserActedOnForeignMailbox(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e480efd0-016d-428e-b892-84b9d586d004\",\"name\":\"e480efd0-016d-428e-b892-84b9d586d004\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user modified inbox rules on another accounts mailbox\",\"content\":\"User Modified {{Count}} inbox rules on {{MailboxOwnerUPN}}\u0027s Mailbox\",\"description\":\"User modified inbox rules on a mailbox\",\"queryDefinitions\":{\"query\":\"let ruleChangeRecordTypes = dynamic( [\\\"ExchangeAdmin\\\", \\\"ExchangeItem\\\"]);\\nlet TLQ_UserModifiedinboxRules = (Account_Name: string, Account_UPNSuffix: string, Account_Sid: string){\\nlet upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\"\\n, strcat(Account_Name, \\\"@\\\", Account_UPNSuffix)\\n, \\\"\\\");\\nOfficeActivity\\n| where RecordType in~ (ruleChangeRecordTypes) and Operation contains \\\"InboxRule\\\"\\n| where((Account_Sid != \\\"\\\" and LogonUserSid == Account_Sid)\\nor(upn != \\\"\\\" and UserId == upn )\\n)\\n};\\nTLQ_UserModifiedinboxRules(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_Sid}}\u0027) 
\\n| project MailboxOwnerSid, MailboxOwnerUPN, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0eabec03-51e7-4909-b0cb-1adc76759e93\",\"name\":\"0eabec03-51e7-4909-b0cb-1adc76759e93\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User uploaded files to SharePoint\",\"content\":\"User uploaded {{Count}} file(s) To SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint uploads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileUploaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"name\":\"df564e7b-bf6d-4dc4-a32d-79b00bd2cc7b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"User downloaded files from SharePoint\",\"content\":\"User downloaded {{Count}} File(s) from SharePoint from {{Source_IP_Address}}\",\"description\":\"This activity lists the user\u0027s SharePoint downloads.\",\"queryDefinitions\":{\"query\":\"let TLQ_UserUploadFiles = (Account_Name:string, Account_UPNSuffix:string){\\nlet upn = strcat(Account_Name,\\\"@\\\",Account_UPNSuffix);\\nOfficeActivity\\n| where RecordType =~ \\\"SharePointFileOperation\\\" and Operation in~ (\\\"FileUploaded\\\", \\\"FileDownloaded\\\")\\n| where upn =~UserId\\n| extend Subject_File_Directory = tostring(split(OfficeObjectId,SourceFileName)[0])\\n| project-rename Source_IP_Address = ClientIP\\n};\\nTLQ_UserUploadFiles(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027) \\n| where Operation =~ \\\"FileDownloaded\\\" \\n| project Source_IP_Address, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"OfficeActivity\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0f328f28-7e21-4596-b71c-54309fee5551\",\"name\":\"0f328f28-7e21-4596-b71c-54309fee5551\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user signed in to an Azure resource\",\"content\":\"The user signed in to {{shortResourceId}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s sign ins to Azure Resources\",\"queryDefinitions\":{\"query\":\"let SignInsByResource = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\nlet acc_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\" ,strcat(Account_Name,\\\"@\\\" ,Account_UPNSuffix),\\\"\\\");\\nSigninLogs\\n| where (acc_upn != \\\"\\\" and UserPrincipalName =~ acc_upn) or\\n   (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ UserId) // UserPrincipalName, UserId\\n| extend shortResourceId = tostring(split(ResourceId,\\\"/\\\")[-1])\\n};\\nSignInsByResource(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\n| project shortResourceId, ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SigninLogs\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"name\":\"0d4ec12e-e44a-40a4-bb87-3db84d2a8057\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and 
TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID==4624 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"name\":\"c9da5786-6c3c-45b5-9a46-53200ed9df09\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has 
\u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"name\":\"8a302bfc-00e3-43b3-a516-102fd0cb0dbc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s remote interactive log-ins, grouped by 
Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", 
\\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", 
\\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where 
EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), 
SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u002710 - RemoteInteractive\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"name\":\"ec87b066-17ad-4f9b-97c2-c2f2ee2d99e0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"New credentials log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s log-ins with new credentials, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID ==4624 and LogonTypeName == \u00279 - NewCredentials\u0027| extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"name\":\"e1c4c03c-2b40-47cf-9b8c-49e0a37a6da6\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Privileged log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s privileged log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name 
has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", 
\\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ 
\\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , 
LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains 
\u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet == \u0027AllEvents\u0027 and EventID == 4672 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"name\":\"a6fc3ad9-1a61-41f5-a5e2-bd1f5a6fe44d\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed interactive log-ins grouped by Host.\",\"queryDefinitions\":{\"query\":\"let 
GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", 
\\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", 
\\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, 
PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = 
make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00272 - Interactive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/11449689-6542-4867-86dc-56264abbd90c\",\"name\":\"11449689-6542-4867-86dc-56264abbd90c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed network log-ins to a host\",\"content\":\"The user {{Account_Name}} logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed network log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ 
p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", \\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", 
\\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", \\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", 
\\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| 
where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; \\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! 
summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u00273 - Network\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/686cf7e8-87c7-4391-8898-25adf1033a54\",\"name\":\"686cf7e8-87c7-4391-8898-25adf1033a54\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Failed remote interactive log-ins to a host\",\"content\":\"The user {{Account_Name}} failed to logged on to host {{Computer}} {{Count}} time(s)\",\"description\":\"This activity lists the user\u0027s failed remote interactive log-ins, grouped by Host.\",\"queryDefinitions\":{\"query\":\"let GetAllLogonsForUser = (v_Account_Name:string, v_Account_NTDomain:string){\\nlet AllEvents = SecurityEvent\\n| extend p_Account_Name = case(\\n// Handles mixed use scenario of NTDomain\\\\AccountName@UPNSuffix\\nv_Account_Name has \u0027@\u0027 and v_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(tostring(split(v_Account_Name, 
\u0027\\\\\\\\\u0027)[1]),\u0027@\u0027)[0]),\\nv_Account_Name has \u0027@\u0027, tostring(split(v_Account_Name, \u0027@\u0027)[0]),\\nv_Account_Name has \u0027\\\\\\\\\u0027, tostring(split(v_Account_Name, \u0027\\\\\\\\\u0027)[1]),\\nv_Account_Name\\n)\\n| extend p_Account_NTDomain = case(\\nv_Account_NTDomain has \u0027\\\\\\\\\u0027, tostring(split(v_Account_NTDomain, \u0027\\\\\\\\\u0027)[0]), \\n// Handles UPN scenario of AccountName@UPNSuffix to pull potential NTDomain from\\nv_Account_NTDomain has \u0027@\u0027, tostring(split(tostring(split(v_Account_NTDomain, \u0027@\u0027)[1]),\u0027.\u0027)[0]),\\nv_Account_NTDomain\\n)\\n| where EventID in (4624, 4625, 4672)\\n| where AccountType =~ \u0027User\u0027\\n| where TargetUserName =~ p_Account_Name and TargetDomainName =~ p_Account_NTDomain\\n| extend PassedInAccountName = p_Account_Name, PassedInNTDomain = p_Account_NTDomain, RelatedRowSet = \u0027AllEvents\u0027\\n| extend HourOfLogin = hourofday(TimeGenerated), DayNumberofWeek = dayofweek(TimeGenerated)\\n| extend DayofWeek = case(\\nDayNumberofWeek == \\\"00:00:00\\\", \\\"Sunday\\\", \\nDayNumberofWeek == \\\"1.00:00:00\\\", \\\"Monday\\\", \\nDayNumberofWeek == \\\"2.00:00:00\\\", \\\"Tuesday\\\", \\nDayNumberofWeek == \\\"3.00:00:00\\\", \\\"Wednesday\\\", \\nDayNumberofWeek == \\\"4.00:00:00\\\", \\\"Thursday\\\", \\nDayNumberofWeek == \\\"5.00:00:00\\\", \\\"Friday\\\", \\nDayNumberofWeek == \\\"6.00:00:00\\\", \\\"Saturday\\\",\\\"InvalidTimeStamp\\\")\\n// map the most common ntstatus codes\\n| extend StatusDesc = case(\\nStatus =~ \\\"0x80090302\\\", \\\"SEC_E_UNSUPPORTED_FUNCTION\\\",\\nStatus =~ \\\"0x80090308\\\", \\\"SEC_E_INVALID_TOKEN\\\",\\nStatus =~ \\\"0x8009030E\\\", \\\"SEC_E_NO_CREDENTIALS\\\",\\nStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nStatus =~ \\\"0xC0000017\\\", \\\"STATUS_NO_MEMORY\\\",\\nStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nStatus =~ \\\"0xC0000034\\\", 
\\\"STATUS_OBJECT_NAME_NOT_FOUND\\\",\\nStatus =~ \\\"0xC000005E\\\", \\\"STATUS_NO_LOGON_SERVERS\\\",\\nStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nStatus =~ \\\"0xC00000FE\\\", \\\"STATUS_NO_SUCH_PACKAGE\\\",\\nStatus =~ \\\"0xC000009A\\\", \\\"STATUS_INSUFFICIENT_RESOURCES\\\",\\nStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nStatus =~ \\\"0xC0000106\\\", \\\"STATUS_NAME_TOO_LONG\\\",\\nStatus =~ \\\"0xC000010B\\\", \\\"STATUS_INVALID_LOGON_TYPE\\\",\\nStatus =~ \\\"0xC000015B\\\", \\\"STATUS_LOGON_TYPE_NOT_GRANTED\\\",\\nStatus =~ \\\"0xC000018B\\\", \\\"STATUS_NO_TRUST_SAM_ACCOUNT\\\",\\nStatus =~ \\\"0xC0000224\\\", \\\"STATUS_PASSWORD_MUST_CHANGE\\\",\\nStatus =~ \\\"0xC0000234\\\", \\\"STATUS_ACCOUNT_LOCKED_OUT\\\",\\nStatus =~ \\\"0xC00002EE\\\", \\\"STATUS_UNFINISHED_CONTEXT_DELETED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| extend SubStatusDesc = case(\\nSubStatus =~ \\\"0x80090325\\\", \\\"SEC_E_UNTRUSTED_ROOT\\\",\\nSubStatus =~ \\\"0xC0000008\\\", \\\"STATUS_INVALID_HANDLE\\\",\\nSubStatus =~ \\\"0xC0000022\\\", \\\"STATUS_ACCESS_DENIED\\\",\\nSubStatus =~ \\\"0xC0000064\\\", \\\"STATUS_NO_SUCH_USER\\\",\\nSubStatus =~ \\\"0xC000006A\\\", \\\"STATUS_WRONG_PASSWORD\\\",\\nSubStatus =~ \\\"0xC000006D\\\", \\\"STATUS_LOGON_FAILURE\\\",\\nSubStatus =~ \\\"0xC000006E\\\", \\\"STATUS_ACCOUNT_RESTRICTION\\\",\\nSubStatus =~ \\\"0xC000006F\\\", \\\"STATUS_INVALID_LOGON_HOURS\\\",\\nSubStatus =~ \\\"0xC0000070\\\", \\\"STATUS_INVALID_WORKSTATION\\\",\\nSubStatus =~ \\\"0xC0000071\\\", \\\"STATUS_PASSWORD_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000072\\\", 
\\\"STATUS_ACCOUNT_DISABLED\\\",\\nSubStatus =~ \\\"0xC0000073\\\", \\\"STATUS_NONE_MAPPED\\\",\\nSubStatus =~ \\\"0xC00000DC\\\", \\\"STATUS_INVALID_SERVER_STATE\\\",\\nSubStatus =~ \\\"0xC0000133\\\", \\\"STATUS_TIME_DIFFERENCE_AT_DC\\\",\\nSubStatus =~ \\\"0xC000018D\\\", \\\"STATUS_TRUSTED_RELATIONSHIP_FAILURE\\\",\\nSubStatus =~ \\\"0xC0000193\\\", \\\"STATUS_ACCOUNT_EXPIRED\\\",\\nSubStatus =~ \\\"0xC0000380\\\", \\\"STATUS_SMARTCARD_WRONG_PIN\\\",\\nSubStatus =~ \\\"0xC0000381\\\", \\\"STATUS_SMARTCARD_CARD_BLOCKED\\\",\\nSubStatus =~ \\\"0xC0000382\\\", \\\"STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED\\\",\\nSubStatus =~ \\\"0xC0000383\\\", \\\"STATUS_SMARTCARD_NO_CARD\\\",\\nSubStatus =~ \\\"0xC0000384\\\", \\\"STATUS_SMARTCARD_NO_KEY_CONTAINER\\\",\\nSubStatus =~ \\\"0xC0000385\\\", \\\"STATUS_SMARTCARD_NO_CERTIFICATE\\\",\\nSubStatus =~ \\\"0xC0000386\\\", \\\"STATUS_SMARTCARD_NO_KEYSET\\\",\\nSubStatus =~ \\\"0xC0000387\\\", \\\"STATUS_SMARTCARD_IO_ERROR\\\",\\nSubStatus =~ \\\"0xC0000388\\\", \\\"STATUS_DOWNGRADE_DETECTED\\\",\\nSubStatus =~ \\\"0xC0000389\\\", \\\"STATUS_SMARTCARD_CERT_REVOKED\\\",\\nEventID == 4624 or EventID == 4672, \\\"Success\\\",\\n\\\"See - https://docs.microsoft.com/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\\\"\\n)\\n| project StartTime = TimeGenerated, DayofWeek, HourOfLogin, EventID, Activity, IpAddress, WorkstationName, Computer, TargetUserName, TargetDomainName, ProcessName, SubjectUserName, PrivilegeList, PassedInAccountName, PassedInNTDomain, LogonTypeName, StatusDesc, SubStatusDesc, RelatedRowSet \\n;\\nlet UserSigninToSystems = AllEvents\\n| where EventID == 4624\\n| project-away StatusDesc, SubStatusDesc, PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), 
HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserSigninToSystems\u0027 ;\\nlet UserFailedSigninToSystems = AllEvents\\n| where EventID == 4625\\n| project-away PrivilegeList\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName\\n| extend RelatedRowSet = \u0027UserFailedSigninToSystems\u0027 ;\\nlet UserSigninDuringAbnormalHours = AllEvents\\n| where StartTime between (ago(14d)..ago(2d))\\n| where EventID in (4624,4625)\\n| where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n| summarize max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek) by TargetUserName\\n| join kind= inner\\n(\\n AllEvents\\n | where StartTime \u003e ago(2d)\\n | where LogonTypeName in~ (\u00272 - Interactive\u0027,\u002710 - RemoteInteractive\u0027)\\n)\\non TargetUserName\\n| where HourOfLogin \u003e max_HourOfLogin or HourOfLogin \u003c min_HourOfLogin\\n| extend historical_DayofWeek = tostring(historical_DayofWeek)\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), current_DayofWeek =make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, TargetDomainName, TargetUserName , ProcessName , LogonTypeName, StatusDesc, SubStatusDesc, historical_DayofWeek\\n| extend historical_DayofWeek = todynamic(historical_DayofWeek) \\n| extend RelatedRowSet = \u0027UserSigninDuringAbnormalHour\u0027; 
\\nlet UserHadPrivilegedLogonSessions = AllEvents\\n| where EventID == 4672\\n| where PrivilegeList contains \u0027SeDebugPrivilege\u0027\\n| project-away StatusDesc, SubStatusDesc\\n| summarize Total= count(), max(HourOfLogin), min(HourOfLogin), historical_DayofWeek=make_set(DayofWeek), StartTime=max(StartTime), EndTime = min(StartTime), SourceIP = make_set(IpAddress), SourceHost = make_set(WorkstationName), SubjectUserName = make_set(SubjectUserName), HostLoggedOn = make_set(Computer) by EventID, Activity, PrivilegeList\\n// Notice! summarize removes the TimeGenerated field, which is required for Activities.\\n| extend RelatedRowSet = \u0027UserHadPrivilegedLogonSessions\u0027 ;\\nunion isfuzzy=true AllEvents, UserSigninToSystems, UserFailedSigninToSystems, UserSigninDuringAbnormalHours, UserHadPrivilegedLogonSessions\\n};\\n// change {{Account_Name}} value below to the username you are interested in and {{Account_NTDomain}} to the domain of the user you are interested in\\nGetAllLogonsForUser(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027) \\n| where RelatedRowSet =~ \u0027AllEvents\u0027 and EventID == 4625 and LogonTypeName == \u002710 - RemoteInteractive\u0027 | extend TimeGenerated=StartTime \\n| project Computer, WorkstationName, LogonTypeName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c6523929-5696-4e94-8a61-61aeb1c953d1\",\"name\":\"c6523929-5696-4e94-8a61-61aeb1c953d1\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Custom Script Extension execution (Preview)\",\"content\":\"The account {{Caller}} ran the custom 
script extension {{extName}} {{Count}} time(s)\",\"description\":\"This activity indicated Custom Script Extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = tostring(resBody.name), extType = resBody.properties.type\\n| where extType in (\\\"CustomScriptExtension\\\", \\\"CustomScript\\\", \\\"CustomScriptForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource, extType, extName \\n| project Caller, _ResourceId, extName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"name\":\"5a2b8371-8708-4e41-8613-b64bbcbd0199\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Azure Key Vault sensitive operation\",\"content\":\"The operation {{OperationName}} was observed from the IP {{CallerIPAddress}} {{Count}} time(s)\",\"description\":\"This activity indicated sensitive operation of Azure Key Valut\",\"queryDefinitions\":{\"query\":\"let SensitiveOperationList = dynamic([\\\"VaultDelete\\\", \\\"KeyDelete\\\", \\\"SecretDelete\\\", \\\"SecretPurge\\\", \\\"KeyPurge\\\", \\\"SecretBackup\\\", \\\"KeyBackup\\\"]);\\n AzureDiagnostics\\n | where ResourceType == \\\"VAULTS\\\"\\n | where Category == \\\"AuditEvent\\\"\\n | where ResourceId =~ 
\u0027{{AzureResource_ResourceId}}\u0027\\n | extend Result = columnifexists(\\\"ResultType\\\", \\\"NoResult\\\")\\n | extend requestUri_s = columnifexists(\\\"requestUri_s\\\", \\\"None\\\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\\\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\\\", \\\"None\\\")\\n | extend id_s = columnifexists(\\\"id_s\\\", \\\"None\\\"), CallerIPAddress = columnifexists(\\\"CallerIPAddress\\\", \\\"None\\\"), clientInfo_s = columnifexists(\\\"clientInfo_s\\\", \\\"None\\\")\\n | where Result !~ \\\"None\\\" and isnotempty(Result)\\n | where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \\\"None\\\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\\n | where id_s !~ \\\"None\\\" and isnotempty(id_s)\\n | where CallerIPAddress !~ \\\"None\\\" and isnotempty(CallerIPAddress)\\n | where clientInfo_s !~ \\\"None\\\" and isnotempty(clientInfo_s)\\n | where requestUri_s !~ \\\"None\\\" and isnotempty(requestUri_s)\\n | where ResourceType =~ \\\"VAULTS\\\" and Result =~ \\\"Success\\\"\\n | where OperationName in~ (SensitiveOperationList)\\n | project TimeGenerated, ResourceId, Result, OperationName, CallerIPAddress \\n| project ResourceId, OperationName, CallerIPAddress, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureDiagnostics\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/a8b50062-f80e-4331-a247-de0e10d7b83f\",\"name\":\"a8b50062-f80e-4331-a247-de0e10d7b83f\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys 
list (Preview)\",\"content\":\"The account {{Caller}} retrieved the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list operation\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"Microsoft.Storage/storageAccounts/listKeys/action\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24d372a-ce9a-424e-99ba-5894177365a0\",\"name\":\"e24d372a-ce9a-424e-99ba-5894177365a0\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Storage account keys list were regenerated (Preview)\",\"content\":\"The account {{Caller}} regenerated the keys of the storage account {{_ResourceId}} {{Count}} time(s)\",\"description\":\"This activity indicated storage account keys list regeneration\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2276eacb-9400-47e9-88c9-600b9b04ad81\",\"name\":\"2276eacb-9400-47e9-88c9-600b9b04ad81\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM Run Command execution (Preview)\",\"content\":\"The account {{Caller}} used Run Command on the VM {{Count}} time(s)\",\"description\":\"This activity indicates usage of Run Command\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ \\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/0aa3626b-30dd-4731-9d1e-39872a73949c\",\"name\":\"0aa3626b-30dd-4731-9d1e-39872a73949c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"VM access extension execution (Preview)\",\"content\":\"The account {{Caller}} ran VM Access extension on the VM {{Count}} time(s)\",\"description\":\"This activity indicated VM access extension execution\",\"queryDefinitions\":{\"query\":\"AzureActivity\\n| where OperationNameValue =~ 
\\\"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE\\\"\\n| where _ResourceId =~ \u0027{{AzureResource_ResourceId}}\u0027\\n| extend resBody = parse_json(Properties).responseBody\\n| where resBody != \\\"\\\"\\n| extend resBody = parse_json(tostring(resBody))\\n| extend extName = resBody.name, extType = resBody.properties.type\\n| where extType in (\\\"VMAccessAgent\\\", \\\"VMAccessForLinux\\\")\\n| project TimeGenerated, Caller, _ResourceId, OperationNameValue, Resource \\n| project Caller, _ResourceId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AzureActivity\"}],\"inputEntityType\":\"AzureResource\",\"requiredInputFieldsSets\":[[\"AzureResource_ResourceId\"]],\"entitiesFilter\":{}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"name\":\"307c85ee-39a2-4da3-952e-4fd79aa46d3a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was created by \u0027{{AddedBy}}\u0027\",\"description\":\"Account created on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has 
\u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4720 \\n| project Computer, TargetAccount, AddedBy, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/31529548-dbd2-4d5d-8270-710330cdcec7\",\"name\":\"31529548-dbd2-4d5d-8270-710330cdcec7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \u0027{{AddedBy}}\u0027\",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), 
\\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\\n| extend AddedBy = SubjectUserName\\n// Future support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\\n};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where EventID == 4726 \\n| project Computer, TargetAccount, AddedBy, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"name\":\"2fcda698-9526-454f-8fe0-4a0fd7af13f2\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Security Event log cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: 
\u0027{{EventID}}\u0027\",\"description\":\"Security Event log cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", 
\\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and 
isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = \u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName =~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"name\":\"3ff675ee-3052-4e0b-88ad-f34ed1732adc\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Event log(s) cleared by account on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{SubjectAccount}}\u0027 cleared the \u0027{{LogName}}\u0027 log, EventID: \u0027{{EventID}}\u0027\",\"description\":\"Event logs cleared by account\",\"queryDefinitions\":{\"query\":\"let SystemAccount = datatable(AccountName:string)[\u0027NT AUTHORITY\\\\\\\\SYSTEM\u0027, \u0027NT 
AUTHORITY\\\\\\\\NETWORK SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\LOCAL SERVICE\u0027, \u0027NT AUTHORITY\\\\\\\\IUSR\u0027, \u0027NTAUTHORITY\\\\\\\\ANONYMOUS LOGON\u0027];\\nlet SvcAcctList = dynamic([\\\"Local SYSTEM\\\",\\\"Local SERVICE\\\",\\\"Network SERVICE\\\",\\\"NT AUTHORITY\\\"]);\\nlet ServiceAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and LogonType == \u00275\u0027 and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet MachineAccount = SecurityEvent\\n| where EventID == \u00274624\u0027 and AccountType == \\\"Machine\\\" and not(Account has_any (SvcAcctList))\\n| extend AccountName = Account\\n| distinct AccountName;\\nlet Accounts = union isfuzzy=true SystemAccount, ServiceAccount, MachineAccount;\\nlet source = \u0027Microsoft-Windows-Eventlog\u0027;\\nlet tableFunc = (tableName:string, event:int){\\ntable(tableName) \\n| where EventID == event\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| extend SourceComputerId = column_ifexists(\\\"SourceComputerId\\\", \\\"NotAvailable\\\"), EventOriginId = column_ifexists(\\\"EventOriginId\\\", \\\"NotAvailable\\\")\\n| parse EventData with * \u0027SubjectUserName\u003e\u0027 SubjectUserName \u0027\u003c\u0027 *\\n| parse EventData with * 
\u0027SubjectUserSid\u003e\u0027 SubjectUserSid \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectLogonId\u003e\u0027 SubjectLogonId \u0027\u003c\u0027 *\\n| parse EventData with * \u0027SubjectDomainName\u003e\u0027 SubjectDomainName \u0027\u003c\u0027 *\\n| extend SubjectAccount = strcat(SubjectDomainName, \u0027\\\\\\\\\u0027, SubjectUserName)\\n};\\nlet HostClearedEventLog = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string)\\n{\\nlet Event104 = tableFunc(\u0027Event\u0027, event=104)\\n| where Source =~ source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| parse RenderedDescription with * \u0027The\u0027 LogName \u0027log\u0027 *\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nlet Event1102 = tableFunc(\u0027SecurityEvent\u0027, event=1102)\\n| where EventSourceName == source\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend LogName = 
\u0027Security\u0027\\n| project TimeGenerated, Computer, EventID, SubjectAccount, SubjectUserName, SubjectDomainName, LogName, SubjectUserSid, SubjectLogonId, SourceComputerId, EventOriginId, _ResourceId\\n| extend timestamp = TimeGenerated, AccountCustomEntity = SubjectAccount, HostCustomEntity = Computer;\\nunion isfuzzy=true Event104, Event1102\\n};\\nHostClearedEventLog(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where LogName !~ \u0027Security\u0027 \\n| project Computer, SubjectAccount, LogName, EventID, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"},{\"dataType\":\"Event\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"name\":\"b880ad94-f905-4ba8-8a3f-9088b19b12fa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the local Administrators group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to local Administrators group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for 
Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid == \u0027S-1-5-32-544\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/aaad22c3-be50-465f-b258-8570d629c3db\",\"name\":\"aaad22c3-be50-465f-b258-8570d629c3db\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Domain Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Domain Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex 
\u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/cf3469b3-f64c-4ae2-9900-289617443d74\",\"name\":\"cf3469b3-f64c-4ae2-9900-289617443d74\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the Enterprise Admins group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to the Enterprise Admins group\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = 
case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027 \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"name\":\"5ba7b064-c667-4bb9-b8ac-7e87872ae479\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Account added to a privileged group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{MemberAdded}}\u0027 was added by \u0027{{AddedBy}}\u0027 to group: \u0027{{GroupName}}\u0027\",\"description\":\"Account added to privileged group.\",\"queryDefinitions\":{\"query\":\"let WellKnownLocalSID = \u0027S-1-5-32-5[0-9][0-9]$\u0027;\\nlet WellKnownGroupSID = \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\u0027;\\nlet GetGroupAddForHost = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4728, 4732, 4756)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, 
tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (isnotempty(v_Host_Name) and Host_HostName=~ v_Host_Name and isnotempty(v_Host_NTDomain) and Host_NTDomain =~ v_Host_NTDomain) \\nor (isnotempty(v_Host_Name) and Host_HostName =~ v_Host_Name and isnotempty(v_Host_NTDomain) and isnotempty(v_Host_DnsDomain) and Host_DnsDomain =~ v_Host_DnsDomain) \\nor (isnotempty(v_Host_AzureID) and v_Host_AzureID =~ _ResourceId)\\nor (isnotempty(v_Host_OMSAgentID) and v_Host_OMSAgentID == SourceComputerId)\\n| extend MemberAdded = case( MemberName has \u0027CN=\u0027, tostring(split(tostring(split(MemberName, \u0027,\u0027)[0]),\u0027CN=\u0027)[1]), MemberName == \u0027-\u0027, MemberSid, MemberName) \\n| project TimeGenerated, EventID, Activity, Computer, MemberAdded, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid, WellKnownGroupSID, WellKnownLocalSID, _ResourceId, SourceComputerId\\n| extend GroupName = TargetUserName, AddedBy = SubjectUserName\\n//support for Activities\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\\n};\\nGetGroupAddForHost(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027) \\n| where (TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID) and TargetSid != \u0027S-1-5-32-544\u0027 and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-512$\u0027) and not(TargetSid matches regex \u0027S-1-5-21-[0-9]*-[0-9]*-[0-9]*-519$\u0027) \\n| project Computer, MemberAdded, AddedBy, GroupName, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/290032e9-c52e-4e66-841a-7428f0b356bb\",\"name\":\"290032e9-c52e-4e66-841a-7428f0b356bb\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was created on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was created by sudo\",\"description\":\"Account created on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = 
User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027new user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"name\":\"ce9e87c7-2ffa-42cb-92e5-f1a4f21f007a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{User}}\u0027 was deleted by sudo\",\"description\":\"Account deleted on Host\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where ProcessName in~ (\u0027useradd\u0027,\u0027userdel\u0027)\\n| where SyslogMessage startswith \u0027new user:\u0027 or SyslogMessage startswith \u0027delete user \u0027\\n| extend User = case(SyslogMessage startswith \u0027new user:\u0027, tostring(split(tostring(split(SyslogMessage, \u0027name=\u0027)[1]), \u0027,\u0027)[0]),\\nSyslogMessage startswith \u0027delete user \u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]),\\n\u0027Not Available\u0027)\\n| extend Action = case( SyslogMessage startswith \u0027new user\u0027, \u0027new user\u0027, SyslogMessage startswith \u0027delete user\u0027, \u0027delete user\u0027, \u0027None\u0027)\\n| project TimeGenerated, Computer, HostIP, User, Facility, ProcessName, Action, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, 
HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action == \u0027delete user\u0027 \\n| project Computer, User, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"name\":\"46aeae2d-187c-41f9-b8d6-9d75c43bce0a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was added to the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account added to the sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, 
\u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027added to\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"name\":\"e24dd437-c65e-40e1-8d59-cd303ad4496a\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was removed from the sudo group\",\"content\":\"On \u0027{{Computer}}\u0027 the user \u0027{{User}}\u0027 was added by \u0027{{AcctMakingChange}}\u0027 to group: \u0027{{Group}}\u0027\",\"description\":\"Account removed from sudo group\",\"queryDefinitions\":{\"query\":\"let AllUserEvents = (v_Host_Name:string, v_Host_AzureID:string) {\\nSyslog\\n| where Computer == v_Host_Name or 
v_Host_AzureID == _ResourceId\\n| where Facility == \u0027authpriv\u0027\\n| where SyslogMessage !startswith \\\"omsagent\\\"\\n| where SyslogMessage has \u0027COMMAND\u0027 or ProcessName in~ (\u0027gpasswd\u0027, \u0027useradd\u0027, \u0027userdel\u0027)\\n| parse SyslogMessage with * \u0027user \u0027 User \u0027 \u0027 Verb \u0027 by \u0027 AcctMakingChange \u0027 \u0027 Preposition \u0027 group \u0027 Group\\n| extend Group = case(\\nSyslogMessage startswith \u0027removed group\u0027 or SyslogMessage startswith \u0027removed shadow group\u0027, tostring(split(SyslogMessage, \\\"\u0027\\\")[1]), \\nSyslogMessage startswith \u0027new group\u0027, tostring(split(tostring(split(SyslogMessage, \u0027=\u0027)[1]),\u0027,\u0027)[0]),\\nGroup)\\n| extend Action = case(\\nisnotempty(Verb) or isnotempty(Preposition), strcat(Verb, \u0027 \u0027, Preposition),\\nSyslogMessage startswith \u0027new group\u0027, \u0027new group\u0027,\\nSyslogMessage startswith \u0027removed group\u0027, \u0027removed group\u0027,\\nSyslogMessage startswith \u0027removed shadow group\u0027, \u0027removed shadow group\u0027,\\n\u0027None\u0027)\\n| where isnotempty(Action) and Action != \u0027None\u0027 and isnotempty(Group)\\n| project TimeGenerated, Computer, HostIP, User, Action, Group, Facility, ProcessName, AcctMakingChange, SyslogMessage, _ResourceId\\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, AccountCustomEntity = User\\n};\\nAllUserEvents(\u0027{{Host_HostName}}\u0027, \u0027{{Host_AzureID}}\u0027) \\n| where Action =~ \u0027removed from\u0027 and Group =~ \u0027sudo\u0027 \\n| project Computer, User, AcctMakingChange, Group, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"Syslog\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\"],[\"Host_AzureID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Linux\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"name\":\"c91cb743-7c6c-4ccf-b066-13448c9c085c\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Application Control activities on this host\",\"content\":\"{{FriendlyActivityName}} by {{InitiatingProcessAccountUpn}} {{Count}} time(s)\",\"description\":\"Microsoft Defender Application Control activities\",\"queryDefinitions\":{\"query\":\"let AppControlEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nlet AppControls=datatable(ActionType:string, Description:string, FriendlyActivityName:string)\\n [\\\"AppControlAppInstallationAudited\\\", \\\"Application control detected the installation of an untrusted app.\\\",\\\"Untrusted app installed\\\"\\n ,\\\"AppControlAppInstallationBlocked\\\", \\\"Application control blocked the installation of an untrusted app.\\\", \\\"Untrusted app installation blocked\\\"\\n ,\\\"AppControlCodeIntegrityDriverRevoked\\\", \\\"Application control found a driver with a revoked certificate.\\\", \\\"Driver with revoked certificate detected\\\"\\n ,\\\"AppControlCodeIntegrityImageRevoked\\\", \\\"Application control found an executable file with a revoked certificate.\\\", \\\"Executable with revoked certificate detected\\\"\\n ,\\\"AppControlExecutableAudited\\\",\\\"Application control detected the 
use of an untrusted executable.\\\",\\\"Untrusted executable used\\\"\\n ,\\\"AppControlExecutableBlocked\\\",\\\"Application control blocked the use of an untrusted executable.\\\",\\\"Untrusted executable blocked\\\"\\n ,\\\"AppControlScriptAudited\\\", \\\"Application control detected the use of an untrusted script.\\\", \\\"Untrusted script detected\\\"\\n ,\\\"AppControlScriptBlocked\\\", \\\"Application control blocked the use of an untrusted script.\\\", \\\"Untrusted script blocked\\\" ];\\nDeviceEvents\\n| where ActionType in (AppControls) \\n| where DeviceName ==p_FullDeviceName\\n| lookup AppControls on ActionType\\n};\\nAppControlEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| project DeviceName, ActionType, FriendlyActivityName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"name\":\"c7def1db-6a27-45dc-bee0-0c5fd5e7f1fe\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Screenshot taken\",\"content\":\"The user \u0027{{InitiatingProcessAccountUpn}}\u0027 has taken {{Count}} screenshot(s) on the host\",\"description\":\"A screenshot was taken on the host\",\"queryDefinitions\":{\"query\":\"let ScreenshotTakers= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) 
);\\n DeviceEvents \\n | where ActionType ==\u0027ScreenshotTaken\u0027 \\n | where DeviceName =~ p_FullDeviceName\\n};\\nScreenshotTakers(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where 1==1 \\n| project InitiatingProcessAccountName, InitiatingProcessAccountUpn, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"name\":\"8d0e9356-be1e-45ac-9403-d0ac3f1605b7\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was blocked. 
\",\"description\":\"Exploit protection blocked the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedBlocked\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3ff80327-7c54-449d-95d4-613848f7d60b\",\"name\":\"3ff80327-7c54-449d-95d4-613848f7d60b\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"content\":\"Launch of unsigned 
file \u0027{{FileName}}\u0027 by process \u0027{{InitiatingProcessFileName}}\u0027 initiated by \u0027{{InitiatingProcessAccountName}}\u0027 was audited.\",\"description\":\"Exploit protection detected the launch of a process from an image file that is not signed by Microsoft\",\"queryDefinitions\":{\"query\":\"let NonMSSignedBlocked= (v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\n let p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain) );\\n DeviceEvents\\n | where ActionType in (\\\"ExploitGuardNonMicrosoftSignedBlocked\\\", \\\"ExploitGuardNonMicrosoftSignedAudited\\\") \\n and FileName !hassuffix \u0027.ni.dll\u0027\\n | where DeviceName =~ p_FullDeviceName\\n | project TimeGenerated\\n , FileName\\n ,InitiatingProcessFileName\\n , InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid\\n , DeviceName , ActionType\\n};\\nNonMSSignedBlocked(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType =~ \u0027ExploitGuardNonMicrosoftSignedAudited\u0027 \\n| project FileName, InitiatingProcessFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountSid, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"name\":\"3f7059b2-67ea-4fc1-af34-37f5fc69a630\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"Windows Defender Antivirus activities on this host\",\"content\":\"Window Defender Antivirus \u0027{{ActionType}}\u0027 activity was spotted on Host {{Host_HostName}}\",\"description\":\"Windows Defender Antivirus activities\",\"queryDefinitions\":{\"query\":\"let AntivirusEvents=(v_Host_HostName:string, v_Host_NTDomain:string, v_Host_DnsDomain:string){\\nlet Severity= datatable(ActionType:string, Severity:int)[\\\"AntivirusMalwareActionFailed\\\",1,\\\"AntivirusDetection\\\",2,\\\"AntivirusScanFailed\\\",3, \\\"AntivirusError\\\",4, \\\"AntivirusDefinitionsUpdateFailed\\\",5];\\nlet p_FullDeviceName = iff(isnotempty(v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_DnsDomain), strcat(v_Host_HostName,\u0027.\u0027,v_Host_NTDomain));\\nDeviceEvents\\n| where ActionType hasprefix \\\"Antivirus\\\" and ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\")\\n| where DeviceName ==p_FullDeviceName\\n| lookup Severity on ActionType};\\nAntivirusEvents(\u0027{{Host_HostName}}\u0027,\u0027{{Host_NTDomain}}\u0027,\u0027{{Host_DnsDomain}}\u0027) \\n| where ActionType !in( \\\"AntivirusReport\\\", \\\"AntivirusScanCompleted\\\", \\\"AntivirusDefinitionsUpdated\\\",\\\"AntivirusEmergencyUpdatesInstalled\\\") 
\\n| project ActionType, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"DeviceEvents\"}],\"inputEntityType\":\"Host\",\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]}}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityQueryTemplate+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "203" ], - "x-ms-client-request-id": [ "dec0b5ca-8c7b-4a04-a8c5-1cda44704fbe" ], + "x-ms-unique-id": [ "204" ], + "x-ms-client-request-id": [ "bf1f16ba-68bf-4f44-a7f1-d6fff69d2bea" ], "CommandName": [ 
"Get-AzSentinelentityQueryTemplate" ], "FullCommandName": [ "Get-AzSentinelEntityQueryTemplate_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -105,20 +105,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11964" ], - "x-ms-request-id": [ "1c120dc5-4267-4b5a-8bc1-92198cacac56" ], - "x-ms-correlation-request-id": [ "1c120dc5-4267-4b5a-8bc1-92198cacac56" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183149Z:1c120dc5-4267-4b5a-8bc1-92198cacac56" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], + "x-ms-request-id": [ "2e400cd0-12a6-472c-9458-afbcc31a2a31" ], + "x-ms-correlation-request-id": [ "2e400cd0-12a6-472c-9458-afbcc31a2a31" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160729Z:2e400cd0-12a6-472c-9458-afbcc31a2a31" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:48 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:29 GMT" ] }, "ContentHeaders": { "Content-Length": [ "3224" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = 
strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, \u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = 
Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueryTemplates/d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"name\":\"d6d08c94-455f-4ea5-8f76-fc6c0c442cfa\",\"type\":\"Microsoft.SecurityInsights/entityQueryTemplates\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user has created an account\",\"content\":\"The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)\",\"description\":\"This activity displays account creation events performed by the user\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (Account_Name:string, Account_NTDomain:string, Account_UPNSuffix:string, Account_AadUserId:string, Account_Sid:string){\\nlet Account_UPN = strcat(Account_Name, \u0027@\u0027, Account_UPNSuffix);\\nlet Account_Win = strcat(Account_NTDomain,\u0027\\\\\\\\\u0027, Account_Name);\\nunion isfuzzy=true\\n(AuditLogs\\n | where tostring(bag_keys(InitiatedBy)[0]) == \\\"user\\\"\\n | where OperationName in~ (\u0027Add user\u0027, \u0027Update user\u0027, \u0027Delete user\u0027, \u0027Change user password\u0027, \u0027Reset user password\u0027, \u0027Reset password (by admin)\u0027, \u0027Change password (self-service)\u0027, 
\u0027Reset password (self-service)\u0027)\\n | where Account_UPN =~ tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) or Account_AadUserId =~ tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend InitiatedByAccount = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\\n | parse InitiatedByAccount with userName:string \u0027@\u0027 userUpnSuffix:string\\n | extend InitiatedByAADUserId = tostring(parse_json(tostring(InitiatedBy.user)).id)\\n | extend TargetAccount = tostring(TargetResources[0].userPrincipalName)\\n | parse TargetAccount with TargetAccountName:string \u0027@\u0027 TargetAccountUPNSuffix:string\\n | extend TargetAADUserId = tostring(TargetResources[0].id)\\n | extend Action = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0])))\\n | extend ModifiedProperty = tostring(parse_json(Action).displayName), ModifiedValue = tostring(parse_json(Action).newValue)\\n | extend DisableUser = iif(ModifiedProperty =~ \u0027AccountEnabled\u0027 and ModifiedValue =~ \u0027[false]\u0027, \u0027True\u0027, \u0027False\u0027)\\n),\\n(SecurityEvent\\n | where AccountType =~ \\\"user\\\" or isempty(AccountType)\\n | where EventID in (4720, 4722, 4723, 4724, 4725, 4726, 4740)\\n | where Account_Win =~ SubjectAccount or Account_Sid =~ SubjectUserSid\\n | parse TargetAccount with TargetAccountNTDomain \u0027\\\\\\\\\u0027 TargetAccountName\\n | extend InitiatedByAccount = SubjectAccount, InitiatedByUserSid = SubjectUserSid, OperationName = tostring(EventID), ModifiedProperty = Activity\\n)\\n};\\nGetAccountActions(\u0027{{Account_Name}}\u0027, \u0027{{Account_NTDomain}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027, \u0027{{Account_Sid}}\u0027) \\n| where OperationName in~ (\u0027Add user\u0027, \u00274720\u0027) \\n| project InitiatedByAccount, TargetAccount, TargetSid, TargetAADUserId, 
TimeGenerated\"},\"dataTypes\":[{\"dataType\":\"AuditLogs\"},{\"dataType\":\"SecurityEvent\"}],\"inputEntityType\":\"Account\",\"requiredInputFieldsSets\":[[\"Account_Name\",\"Account_NTDomain\"],[\"Account_Name\",\"Account_UPNSuffix\"],[\"Account_AadUserId\"],[\"Account_Sid\"]],\"entitiesFilter\":{}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json index 09caa8858e7f..b47fcd0a430d 100644 --- a/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelEntityTimeline.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "204" ], - "x-ms-client-request-id": [ "e2058862-1df8-46b3-8f8a-08ab726199fa" ], + "x-ms-unique-id": [ "205" ], + "x-ms-client-request-id": [ "2ec57016-bc84-4571-8584-02edd5bdab17" ], "CommandName": [ "Get-AzSentinelentity" ], "FullCommandName": [ "Get-AzSentinelEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,28 +23,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11963" ], - "x-ms-request-id": [ "5b800789-ae4f-443a-adf8-0c4f5eef055b" ], - "x-ms-correlation-request-id": [ "5b800789-ae4f-443a-adf8-0c4f5eef055b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183150Z:5b800789-ae4f-443a-adf8-0c4f5eef055b" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], + "x-ms-request-id": [ "fbffee43-bc69-4dda-b717-fddd3a2a68db" ], + "x-ms-correlation-request-id": [ "fbffee43-bc69-4dda-b717-fddd3a2a68db" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160730Z:fbffee43-bc69-4dda-b717-fddd3a2a68db" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:50 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "461" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"6\"},\"friendlyName\":\"175.45.176.99\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"additionalData\":{\"AlertCount\":\"5\"},\"friendlyName\":\"175.45.176.99\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { + "Get-AzSentinelEntityTimeline+[NoContext]+ListExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", - "Content": "{\n \"startTime\": \"2022-07-28T06:00:00.0000000+00:00\",\n \"endTime\": \"2022-07-29T06:00:00.0000000+00:00\"\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entities/f76e8451-9f40-544f-61e4-33a50dca269d/getTimeline?api-version=2021-09-01-preview", + "Content": "{\n \"startTime\": \"2022-08-15T04:00:00.0000000+00:00\",\n \"endTime\": \"2022-08-16T04:00:00.0000000+00:00\"\n}", "isContentBase64": false, "Headers": { }, @@ -59,13 +59,13 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11962" ], - "x-ms-request-id": [ "161e1150-5a91-4d95-b7af-378dda71d4c7" ], - "x-ms-correlation-request-id": [ "161e1150-5a91-4d95-b7af-378dda71d4c7" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183153Z:161e1150-5a91-4d95-b7af-378dda71d4c7" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], + "x-ms-request-id": [ "1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], + "x-ms-correlation-request-id": [ "1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160733Z:1b8c739e-1bd8-422d-a3f5-fd5933df6785" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:52 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "152" ], diff --git a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json index 03ea77af4bcf..9b420cb75828 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncident.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncident+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "206" ], - "x-ms-client-request-id": [ "ab1aa0d8-640b-4798-9f42-f68c10ca51a7" ], + "x-ms-unique-id": [ "207" ], + "x-ms-client-request-id": [ "0c9d6dcb-80c0-4733-8b09-9f326f1824b9" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11961" ], - "x-ms-request-id": [ "6fd5801e-1258-48b9-b3ee-367efcc124b8" ], - "x-ms-correlation-request-id": [ "6fd5801e-1258-48b9-b3ee-367efcc124b8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183154Z:6fd5801e-1258-48b9-b3ee-367efcc124b8" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], + "x-ms-request-id": [ "739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], + "x-ms-correlation-request-id": [ "739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160733Z:739fa3e1-03f6-41c7-bf18-3f2c1870488d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:53 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:33 GMT" ] }, "ContentHeaders": { "Content-Length": [ "26513" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelIncident+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "207" ], - "x-ms-client-request-id": [ "5ebda592-7e87-402e-9cf2-d9f6696ae5f5" ], + "x-ms-unique-id": [ "208" ], + "x-ms-client-request-id": [ "a083b0ec-a9f1-4822-adc6-47f170a26acb" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11960" ], - "x-ms-request-id": [ "27b11933-2550-428e-b345-0862f8b0aa08" ], - "x-ms-correlation-request-id": [ "27b11933-2550-428e-b345-0862f8b0aa08" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183154Z:27b11933-2550-428e-b345-0862f8b0aa08" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], + "x-ms-request-id": [ "c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], + "x-ms-correlation-request-id": [ "c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:c8c0f1a6-bb5f-482f-bebd-1adddde2c81e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:33 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1206" ], + "Content-Length": [ "1204" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+1": { + 
"Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "208" ], - "x-ms-client-request-id": [ "626b9165-7c71-4211-a86b-c46f1e140f58" ], + "x-ms-unique-id": [ "209" ], + "x-ms-client-request-id": [ "d4f376b6-c386-4f4d-81b9-0d20b0e3cfd6" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -105,32 +105,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11959" ], - "x-ms-request-id": [ "65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], - "x-ms-correlation-request-id": [ "65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183155Z:65673ccd-0b5c-4cc4-8dc2-af7af1405806" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ], + "x-ms-request-id": [ "5c19c043-6b9a-434e-98e8-31f868227f4c" ], + "x-ms-correlation-request-id": [ "5c19c043-6b9a-434e-98e8-31f868227f4c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:5c19c043-6b9a-434e-98e8-31f868227f4c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1206" ], + "Content-Length": [ "1204" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncident+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "209" ], - "x-ms-client-request-id": [ "2f0fb3e8-9f61-463d-a5ec-d9f2c5ada7f0" ], + "x-ms-unique-id": [ "210" ], + "x-ms-client-request-id": [ "c002c776-f5b7-4f11-8c23-9d49885590b3" ], "CommandName": [ "Get-AzSentinelincident" ], "FullCommandName": [ "Get-AzSentinelIncident_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -146,20 +146,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11958" ], - "x-ms-request-id": [ "90586b8e-5ba7-4b8c-b063-b561123a89ab" ], - "x-ms-correlation-request-id": [ "90586b8e-5ba7-4b8c-b063-b561123a89ab" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183155Z:90586b8e-5ba7-4b8c-b063-b561123a89ab" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], + "x-ms-request-id": [ "74b242ad-227d-4ae0-a964-81c2eae1ec75" ], + "x-ms-correlation-request-id": [ "74b242ad-227d-4ae0-a964-81c2eae1ec75" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160734Z:74b242ad-227d-4ae0-a964-81c2eae1ec75" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:54 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:34 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1206" ], + "Content-Length": [ "1204" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"7\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json index dee386401470..4cc56e8b894e 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentAlert.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentAlert+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "210" ], - "x-ms-client-request-id": [ "ad992083-3cc0-4443-8ab7-6eaf72295d20" ], + "x-ms-unique-id": [ "211" ], + "x-ms-client-request-id": [ "652aba39-20ba-48a2-891d-471c992f1ce0" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11957" ], - "x-ms-request-id": [ "6d92668b-dfc4-460c-ae57-227c6f4a9844" ], - "x-ms-correlation-request-id": [ "6d92668b-dfc4-460c-ae57-227c6f4a9844" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183156Z:6d92668b-dfc4-460c-ae57-227c6f4a9844" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], + "x-ms-request-id": [ "e12fa222-e494-4bbd-a4f6-a8116a263afa" ], + "x-ms-correlation-request-id": [ "e12fa222-e494-4bbd-a4f6-a8116a263afa" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160735Z:e12fa222-e494-4bbd-a4f6-a8116a263afa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:55 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:35 GMT" ] }, "ContentHeaders": { "Content-Length": [ "26513" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/alerts?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncidentAlert+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/alerts?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/alerts?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/alerts?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "211" ], - "x-ms-client-request-id": [ "3235ac5e-2f7f-4c39-9d87-78779c1b3b0f" ], + "x-ms-unique-id": [ "212" ], + "x-ms-client-request-id": [ "ac59b75a-8066-425b-b618-acf3b1f266f3" ], "CommandName": [ "Get-AzSentinelIncidentAlert" ], "FullCommandName": [ "Get-AzSentinelIncidentAlert_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "e2182d8f-8274-489e-b028-a190182e174e" ], - "x-ms-correlation-request-id": [ "e2182d8f-8274-489e-b028-a190182e174e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183156Z:e2182d8f-8274-489e-b028-a190182e174e" ], + "x-ms-request-id": [ "248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], + "x-ms-correlation-request-id": [ "248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160735Z:248cfd9a-b247-40ec-9ca7-2c0e944d46d5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:55 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:35 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "11105" ], + "Content-Length": [ "9254" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"name\":\"c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"c5473b1d-f6c7-85ec-1aaf-ee751028529e\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:02:59.2250498Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T17:57:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:02:59.2915043Z\",\"providerAlertId\":\"b9bd472b-d65f-48c4-abcf-0e2fca5fa2ba\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:02:59.352Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"name\":\"9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"9df5d2ab-8d32-9cd6-feca-0bd1208a9a44\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:07:59.7428619Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:02:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:32:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:07:59.8512573Z\",\"providerAlertId\":\"f815afc1-a677-4b8d-be70-088946d29a6f\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:07:59.885Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"name\":\"7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"7fba227d-ce32-d21c-ea99-cd7d1502b305\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:13:01.6548178Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:07:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:37:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:13:01.7730875Z\",\"providerAlertId\":\"38bfbcc6-4481-48f8-840e-3bf86e9077d1\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:13:01.808Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"name\":\"a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"a9de18cf-740d-4ed6-e4e7-994ccaf989ed\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:17:59.4082677Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:12:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:42:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:17:59.5014214Z\",\"providerAlertId\":\"28477268-d598-4447-950d-0de29137faa0\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:17:59.531Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"name\":\"66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"66e0a2c7-c7de-7487-fc4f-994484f615d3\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:22:59.3022284Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:17:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:47:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:22:59.3995318Z\",\"providerAlertId\":\"f3922aba-2438-461b-9966-ffb2cbbe0638\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:22:59.447Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/8b522632-83f2-bd35-bf66-7adf568ad274\",\"name\":\"8b522632-83f2-bd35-bf66-7adf568ad274\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"8b522632-83f2-bd35-bf66-7adf568ad274\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"24e84d4f-281e-4a2d-8963-f554a6812d57_5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\",\"processingEndTime\":\"2022-07-29T18:27:59.7225921Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"startTimeUtc\":\"2022-07-29T17:52:56.0097765Z\",\"timeGenerated\":\"2022-07-29T18:27:59.8098849Z\",\"providerAlertId\":\"9f02c11e-148c-4209-bfd3-ba79c38dba88\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"24e84d4f-281e-4a2d-8963-f554a6812d57\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstestt6jdws\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-07-29T18:27:59.813Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"name\":\"0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"0b3a9cb4-ef3f-fb30-9773-f8046dc635ee\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is 
disabled. The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:43:08.9677133Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:38:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:43:09.073943Z\",\"providerAlertId\":\"7ceadc78-39ab-40b6-8ef5-be72c6f66e47\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:43:09.111Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/933d404c-277b-ab1c-b77d-7933325e068b\",\"name\":\"933d404c-277b-ab1c-b77d-7933325e068b\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"933d404c-277b-ab1c-b77d-7933325e068b\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:48:09.1596878Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:43:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:13:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:48:09.2530745Z\",\"providerAlertId\":\"791c5ad6-36e0-45c8-a1a7-c4ec72cd1a9d\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:48:09.273Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"name\":\"186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"186781d4-d418-8372-9c2a-6dc0f76f60fd\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:53:09.0879803Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:48:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:18:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:53:09.1647755Z\",\"providerAlertId\":\"54ca1209-3b91-462a-9641-d617f9e09117\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:53:09.19Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"name\":\"aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"aa2a6297-8084-a8d5-e9f5-62b9e9f2e4a9\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T15:58:10.9403489Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:53:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:23:06.0646524Z\",\"timeGenerated\":\"2022-08-16T15:58:11.0568146Z\",\"providerAlertId\":\"dbe9d88f-ab63-4308-8f11-49504ef6dcfa\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T15:58:11.155Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/3d80764e-2431-5938-d868-b39c037ade7d\",\"name\":\"3d80764e-2431-5938-d868-b39c037ade7d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"SecurityAlert\",\"properties\":{\"systemAlertId\":\"3d80764e-2431-5938-d868-b39c037ade7d\",\"tactics\":[\"InitialAccess\",\"Persistence\"],\"alertDisplayName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. 
The account has been disabled by an administrator.\",\"confidenceLevel\":\"Unknown\",\"severity\":\"Medium\",\"vendorName\":\"Microsoft\",\"productName\":\"Azure Sentinel\",\"productComponentName\":\"Scheduled Alerts\",\"alertType\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed_53274afe-2640-4c50-bd36-78c1c79f102c\",\"processingEndTime\":\"2022-08-16T16:03:10.3447369Z\",\"status\":\"New\",\"endTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"startTimeUtc\":\"2022-08-16T15:28:06.0646524Z\",\"timeGenerated\":\"2022-08-16T16:03:10.4902613Z\",\"providerAlertId\":\"8c102508-1690-4800-9b13-95fa7ff021ec\",\"resourceIdentifiers\":[{\"type\":\"LogAnalytics\",\"workspaceId\":\"97475cd1-3a32-4e3c-89c4-6087e71316ed\",\"subscriptionId\":\"51a36d38-3b14-471f-8dde-a5867f5e51eb\",\"resourceGroup\":\"aspstest7ptmcr\"}],\"additionalData\":{\"AlertMessageEnqueueTime\":\"2022-08-16T16:03:10.484Z\",\"Search Query Results Overall Count\":\"1\",\"OriginalProductName\":\"Azure Sentinel\",\"OriginalProductComponentName\":\"Scheduled Alerts\"},\"friendlyName\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json index 96df19f04187..6dea04b46704 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentBookmark.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/bookmarks?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentBookmark+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/bookmarks?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/bookmarks?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/bookmarks?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "212" ], - "x-ms-client-request-id": [ "1b11c0a7-6bff-4779-88ac-bbf8518ab12e" ], + "x-ms-unique-id": [ "213" ], + "x-ms-client-request-id": [ "937f1661-977f-4695-8a28-6f150ead213a" ], "CommandName": [ "Get-AzSentinelIncidentBookmark" ], "FullCommandName": [ "Get-AzSentinelIncidentBookmark_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,19 +24,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], - "x-ms-correlation-request-id": [ "544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183157Z:544a6797-dec1-42b5-a4bd-0bc48bee50d8" ], + "x-ms-request-id": [ "874c5be9-5668-4529-b9dd-99d1eef583b1" ], + "x-ms-correlation-request-id": [ "874c5be9-5668-4529-b9dd-99d1eef583b1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160736Z:874c5be9-5668-4529-b9dd-99d1eef583b1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:56 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:36 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1118" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/e809aa96-66b0-4c25-83cc-f6a969445995\",\"name\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkName0eyhda\",\"created\":\"2022-07-29T18:27:31.0896601+00:00\",\"updated\":\"2022-07-29T18:27:31.0896601+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 
1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"0100b593-0000-0100-0000-62e426930000\\\"\",\"EntityId\":\"e809aa96-66b0-4c25-83cc-f6a969445995\"},\"friendlyName\":\"GetincidentRelationBookmarkName0eyhda\"}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"name\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Bookmark\",\"properties\":{\"displayName\":\"GetincidentRelationBookmarkNameu4dakt\",\"created\":\"2022-08-16T16:03:18.3793809+00:00\",\"updated\":\"2022-08-16T16:03:18.3793809+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T04:00:00+00:00\",\"notes\":\"Notes go here\",\"labels\":[\"asptest\"],\"query\":\"SecurityEvent\\n| take 1\",\"additionalData\":{\"EntityMappings\":\"[]\",\"Tactics\":\"[]\",\"Techniques\":\"[]\",\"ETag\":\"\\\"3c00618c-0000-0100-0000-62fbbfc70000\\\"\",\"EntityId\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\"},\"friendlyName\":\"GetincidentRelationBookmarkNameu4dakt\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json index 5e8e87678414..494ea8211c90 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentComment.Recording.json 
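Review bot: The re-recorded bookmark payload on this line still carries the recording account's identity in `createdBy`/`updatedBy` — a real `objectId`, the e-mail `nicholas@zeronetworks.com` and a display name — next to the real subscription ID, so the refresh re-committed a personal identifier into a public test fixture instead of scrubbing it. Whether the test framework's recording sanitizer can mask these fields I cannot tell from this diff; if it cannot, they should be replaced before the recording is committed, e.g. `\"email\":\"user@contoso.com\",\"name\":\"Test User\"` with a placeholder GUID for `objectId`, and the same treatment applied to the `author` block in the comment recording that starts in the next file section. Since these files are generated, the fix belongs in the recorder/sanitizer step rather than a hand edit of the JSON, otherwise the next re-record will reintroduce the data.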
@@ -1,13 +1,13 @@ { - "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentComment+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "213" ], - "x-ms-client-request-id": [ "56a7dfbc-5edb-417e-9a50-8388b58007bd" ], + "x-ms-unique-id": [ "214" ], + "x-ms-client-request-id": [ "f52e54b6-629b-451f-8d32-f91c1754940a" ], "CommandName": [ "Get-AzSentinelincidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
 "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ],
- "x-ms-request-id": [ "5792f431-610a-4792-8313-2bc1bbd64310" ],
- "x-ms-correlation-request-id": [ "5792f431-610a-4792-8313-2bc1bbd64310" ],
- "x-ms-routing-request-id": [ "EASTUS2:20220729T183158Z:5792f431-610a-4792-8313-2bc1bbd64310" ],
+ "x-ms-request-id": [ "08413111-5582-4f50-951b-592bac34520b" ],
+ "x-ms-correlation-request-id": [ "08413111-5582-4f50-951b-592bac34520b" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220816T160737Z:08413111-5582-4f50-951b-592bac34520b" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Fri, 29 Jul 2022 18:31:57 GMT" ]
+ "Date": [ "Tue, 16 Aug 2022 16:07:36 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "771" ],
+ "Content-Length": [ "769" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d/Comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"name\":\"15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"etag\":\"\\\"12003b0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment7wxaop\",\"createdTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}",
+ "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288/Comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"name\":\"fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"etag\":\"\\\"4a009651-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentCommentcpthi1\",\"createdTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}]}",
 "isContentBase64": false
 }
 },
- "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelIncidentComment+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/36740e38-b328-4f70-a514-867d90c8361d/comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8b193352-f109-474f-84ce-3b3908d0e288/comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "214" ],
- "x-ms-client-request-id": [ "fc59bcb9-f76b-4d0e-aa76-f8d6ca4087e9" ],
+ "x-ms-unique-id": [ "215" ],
+ "x-ms-client-request-id": [ "710302de-ea95-4592-8893-82662f77f6de" ],
 "CommandName": [ "Get-AzSentinelincidentComment" ],
 "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ],
 "ParameterSetName": [ "__AllParameterSets" ],
@@ -65,19 +65,19 @@
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
 "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ],
- "x-ms-request-id": [ "57d621ed-ecfa-45b3-bf48-30502437a34a" ],
- "x-ms-correlation-request-id": [ "57d621ed-ecfa-45b3-bf48-30502437a34a" ],
- "x-ms-routing-request-id": [ "EASTUS2:20220729T183158Z:57d621ed-ecfa-45b3-bf48-30502437a34a" ],
+ "x-ms-request-id": [ "b928dd75-8abf-4018-a5c3-ad2fd556704c" ],
+ "x-ms-correlation-request-id": [ "b928dd75-8abf-4018-a5c3-ad2fd556704c" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220816T160737Z:b928dd75-8abf-4018-a5c3-ad2fd556704c" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Fri, 29 Jul 2022 18:31:57 GMT" ]
+ "Date": [ "Tue, 16 Aug 2022 16:07:37 GMT" ]
 },
 "ContentHeaders": {
- "Content-Length": [ "759" ],
+ "Content-Length": [ "757" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d/Comments/15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"name\":\"15f33241-6289-4a35-a84a-ae4d9f5f0d31\",\"etag\":\"\\\"12003b0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentComment7wxaop\",\"createdTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6368637Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}",
+ "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288/Comments/fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"name\":\"fbb0c47c-a502-43d0-8a55-ee55a799bb1b\",\"etag\":\"\\\"4a009651-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"GetincidentCommentcpthi1\",\"createdTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.900596Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}",
 "isContentBase64": false
 }
 }
diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
index 22840934f8d9..c6aba23e8c2b 100644
--- a/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
+++ b/src/SecurityInsights/test/Get-AzSentinelIncidentEntity.Recording.json
@@ -1,13 +1,13 @@
 {
- "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": {
+ "Get-AzSentinelIncidentEntity+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview+1": {
 "Request": {
 "Method": "GET",
- "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview",
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents?api-version=2021-09-01-preview",
 "Content": null,
 "isContentBase64": false,
 "Headers": {
- "x-ms-unique-id": [ "215" ],
- "x-ms-client-request-id": [ "a3901740-0108-4cbf-a78d-1b4bcd6f131c" ],
+ "x-ms-unique-id": [ "216" ],
+ "x-ms-client-request-id": [ "8d1075aa-475a-449a-8ecc-359d0fa1e3b8" ],
 "CommandName": [ "Get-AzSentinelIncident" ],
 "FullCommandName": [ "Get-AzSentinelIncident_List" ],
 "ParameterSetName": [ "__AllParameterSets" ],
@@ -23,32 +23,32 @@
 "Cache-Control": [ "no-cache" ],
 "Pragma": [ "no-cache" ],
 "Server": [ "Kestrel" ],
- "x-ms-ratelimit-remaining-subscription-reads": [ "11956" ],
- "x-ms-request-id": [ "b82f052a-4f67-43de-ac19-75aff2105807" ],
- "x-ms-correlation-request-id": [ "b82f052a-4f67-43de-ac19-75aff2105807" ],
- "x-ms-routing-request-id": [ "EASTUS2:20220729T183159Z:b82f052a-4f67-43de-ac19-75aff2105807" ],
+ "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ],
+ "x-ms-request-id": [ "c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ],
+ "x-ms-correlation-request-id": [ "c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ],
+ "x-ms-routing-request-id": [ "EASTUS2:20220816T160738Z:c8d0c8b7-2142-4c6d-b94e-71a1e83bfb8a" ],
 "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ],
 "X-Content-Type-Options": [ "nosniff" ],
- "Date": [ "Fri, 29 Jul 2022 18:31:58 GMT" ]
+ "Date": [ "Tue, 16 Aug 2022 16:07:37 GMT" ]
 },
 "ContentHeaders": {
 "Content-Length": [ "26513" ],
 "Content-Type": [ "application/json; charset=utf-8" ],
 "Expires": [ "-1" ]
 },
- "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"name\":\"854d68b0-7cef-4c43-a0f3-03df09f60906\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentName17euac\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:37.6445076Z\",\"createdTimeUtc\":\"2022-07-29T18:29:37.3993248Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"name\":\"bf284b9a-a101-4094-9387-503fd6afb8db\",\"etag\":\"\\\"1200960b-0000-0100-0000-62e426f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamey5sjd6\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:29:06.559002Z\",\"createdTimeUtc\":\"2022-07-29T18:29:06.1809341Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"name\":\"095d8360-b30b-4f75-804d-8837b78db3ed\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameqm47li\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:35.4952307Z\",\"createdTimeUtc\":\"2022-07-29T18:28:34.9586136Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"name\":\"da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"etag\":\"\\\"1200860b-0000-0100-0000-62e426b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentName01bqho\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:28:02.8745162Z\",\"createdTimeUtc\":\"2022-07-29T18:28:02.6751341Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/da728eb4-6e7e-4be8-8397-cb2b45877bf9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"name\":\"ccca6513-b2b1-46be-925b-40f25e28a448\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentNamentimyo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:27:31.6228258Z\",\"createdTimeUtc\":\"2022-07-29T18:27:31.3953919Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"name\":\"7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"etag\":\"\\\"12005b0b-0000-0100-0000-62e426730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentvuackw\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:59.8178224Z\",\"createdTimeUtc\":\"2022-07-29T18:26:59.4284144Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7141874b-1f5d-4bf7-9e25-bb748ff70946\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"name\":\"a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"etag\":\"\\\"1200510b-0000-0100-0000-62e426540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentzfpjdm\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:26:28.8086603Z\",\"createdTimeUtc\":\"2022-07-29T18:26:28.262521Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"name\":\"39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"etag\":\"\\\"12004d0b-0000-0100-0000-62e426330000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentximhku\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:55.0138633Z\",\"createdTimeUtc\":\"2022-07-29T18:25:54.4964012Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"name\":\"08556638-7485-4a5e-afda-02c5f77474d7\",\"etag\":\"\\\"1200460b-0000-0100-0000-62e426120000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentComment35ly2k\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:25:22.1480666Z\",\"createdTimeUtc\":\"2022-07-29T18:25:21.7590822Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/08556638-7485-4a5e-afda-02c5f77474d7\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"name\":\"36740e38-b328-4f70-a514-867d90c8361d\",\"etag\":\"\\\"12003c0b-0000-0100-0000-62e425f20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentComment7wxaop\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:50.6557332Z\",\"createdTimeUtc\":\"2022-07-29T18:24:50.2248863Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/36740e38-b328-4f70-a514-867d90c8361d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"name\":\"6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"etag\":\"\\\"12002a0b-0000-0100-0000-62e425730000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"createdTimeUtc\":\"2022-07-29T18:22:43.5468872Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"name\":\"1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"etag\":\"\\\"12001a0b-0000-0100-0000-62e425540000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"createdTimeUtc\":\"2022-07-29T18:22:12.4027907Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/1db90f1b-ef78-4f10-afb8-7dc242e09ba1\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"name\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"etag\":\"\\\"1200c50a-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamejdsg8m\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:15:27.8216444Z\",\"createdTimeUtc\":\"2022-07-29T18:15:27.2119419Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"name\":\"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"etag\":\"\\\"1200c10a-0000-0100-0000-62e4239f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamern5xam\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:55.9126545Z\",\"createdTimeUtc\":\"2022-07-29T18:14:55.652449Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/0f49b19c-24d3-4775-92ae-dc0ecd5e1ace\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"name\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"etag\":\"\\\"1200b70a-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName3tykhx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:14:25.0070286Z\",\"createdTimeUtc\":\"2022-07-29T18:14:24.4686462Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"name\":\"d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"etag\":\"\\\"1200b50a-0000-0100-0000-62e423600000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNameljqs90\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:52.6650817Z\",\"createdTimeUtc\":\"2022-07-29T18:13:52.43298Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d30f1432-3e76-4b4b-bb30-f62eb4ee3611\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"name\":\"e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"etag\":\"\\\"1200a80a-0000-0100-0000-62e423420000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName5jgmqo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:13:22.783952Z\",\"createdTimeUtc\":\"2022-07-29T18:13:22.0852Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/e31f4f52-858c-4a29-bacc-b0b91ca86f43\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"name\":\"b38b9337-951a-0983-3a4d-8c0a4a243798\",\"etag\":\"\\\"1200810b-0000-0100-0000-62e426b00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-07-29T17:27:56.0097765Z\",\"lastActivityTimeUtc\":\"2022-07-29T18:22:56.0097765Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:28:00.0552776Z\",\"createdTimeUtc\":\"2022-07-29T18:02:59.5521439Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":6,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5c8dc0ac-8808-40f3-a6b4-1401369a9e1e\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/b38b9337-951a-0983-3a4d-8c0a4a243798\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"name\":\"e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentRelationIncidentNames9xv50\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:05:25.2815442Z\",\"createdTimeUtc\":\"2022-08-16T16:05:25.0149382Z\",\"incidentNumber\":21,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"21\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"name\":\"20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"etag\":\"\\\"4a004e52-0000-0100-0000-62fbc0260000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentRelationIncidentNamegz4803\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:54.7835869Z\",\"createdTimeUtc\":\"2022-08-16T16:04:54.5583695Z\",\"incidentNumber\":20,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"20\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"name\":\"b2ae0920-7287-4d85-a609-bf6c7e651630\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentRelationIncidentNameg1b6wx\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:04:22.942031Z\",\"createdTimeUtc\":\"2022-08-16T16:04:22.6913248Z\",\"incidentNumber\":19,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"19\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"name\":\"bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"etag\":\"\\\"4a003652-0000-0100-0000-62fbbfe70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentRelationIncidentNamecz4ioj\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:51.5477653Z\",\"createdTimeUtc\":\"2022-08-16T16:03:51.0612525Z\",\"incidentNumber\":18,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/bd3104a8-2b2d-4934-bef4-5fc4c04ef055\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"18\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"name\":\"524da4fb-3888-4446-9e92-12183ac2eaab\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentRelationIncidentName8sjnvu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:03:19.056371Z\",\"createdTimeUtc\":\"2022-08-16T16:03:18.8268747Z\",\"incidentNumber\":17,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"17\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"name\":\"b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"etag\":\"\\\"4a00f351-0000-0100-0000-62fbbfa60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdincidentCommentjf7t0g\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:46.970405Z\",\"createdTimeUtc\":\"2022-08-16T16:02:46.7008255Z\",\"incidentNumber\":16,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b5e65719-0b65-4dd0-a4b0-da2bbad915a5\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"16\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"name\":\"71e8df01-919c-45c1-b526-bc145e411eee\",\"etag\":\"\\\"4a00d951-0000-0100-0000-62fbbf870000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateincidentCommentgi1a7c\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:02:15.7570363Z\",\"createdTimeUtc\":\"2022-08-16T16:02:15.3377476Z\",\"incidentNumber\":15,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"15\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"name\":\"ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"etag\":\"\\\"4a00c251-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdincidentCommentjd165a\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.6171004Z\",\"createdTimeUtc\":\"2022-08-16T16:01:37.1895215Z\",\"incidentNumber\":14,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"14\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"name\":\"1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"etag\":\"\\\"4a00af51-0000-0100-0000-62fbbf410000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveincidentCommenteny0g2\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:01:05.7124022Z\",\"createdTimeUtc\":\"2022-08-16T16:01:05.3290956Z\",\"incidentNumber\":13,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"13\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"name\":\"8b193352-f109-474f-84ce-3b3908d0e288\",\"etag\":\"\\\"4a009751-0000-0100-0000-62fbbf210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetincidentCommentcpthi1\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:33.9316207Z\",\"createdTimeUtc\":\"2022-08-16T16:00:33.6021829Z\",\"incidentNumber\":12,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":1,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8b193352-f109-474f-84ce-3b3908d0e288\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"12\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"11\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"10\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"9\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"name\":\"3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"etag\":\"\\\"4a004151-0000-0100-0000-62fbbea10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"createdTimeUtc\":\"2022-08-16T15:58:25.8766719Z\",\"incidentNumber\":8,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"8\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"name\":\"3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"etag\":\"\\\"4a001651-0000-0100-0000-62fbbe820000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"createdTimeUtc\":\"2022-08-16T15:57:54.290729Z\",\"incidentNumber\":7,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3342699a-d07d-4c2d-964a-49e90b5c1e9f\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"7\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"name\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"etag\":\"\\\"4a00c950-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdbookmarkRelationIncidentNamel2rnui\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:54:16.8017033Z\",\"createdTimeUtc\":\"2022-08-16T15:54:16.168895Z\",\"incidentNumber\":6,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"6\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"name\":\"6f90c814-29fb-4d2d-8188-360a8df4a559\",\"etag\":\"\\\"4a00bd50-0000-0100-0000-62fbbd8a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdatebookmarkRelationIncidentNamedejagn\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:46.0785179Z\",\"createdTimeUtc\":\"2022-08-16T15:53:45.3576615Z\",\"incidentNumber\":5,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/6f90c814-29fb-4d2d-8188-360a8df4a559\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"5\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"name\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"etag\":\"\\\"4a00a950-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemoveViaIdbookmarkRelationIncidentName5g6qnd\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:53:13.4795073Z\",\"createdTimeUtc\":\"2022-08-16T15:53:13.2096924Z\",\"incidentNumber\":4,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"4\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"name\":\"fba327a0-b301-4d1c-918c-23aec8e03323\",\"etag\":\"\\\"4a009250-0000-0100-0000-62fbbd560000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"RemovebookmarkRelationIncidentNamebfrwvc\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:54.1214758Z\",\"createdTimeUtc\":\"2022-08-16T15:52:41.6535212Z\",\"incidentNumber\":3,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fba327a0-b301-4d1c-918c-23aec8e03323\",\"providerName\":\"Azure 
Sentinel\",\"providerIncidentId\":\"3\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"name\":\"7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"etag\":\"\\\"4a006950-0000-0100-0000-62fbbd240000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"GetbookmarkRelationIncidentName75xtbo\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:52:04.8090363Z\",\"createdTimeUtc\":\"2022-08-16T15:52:04.1891525Z\",\"incidentNumber\":2,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":1,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/7feca4d4-3414-403b-96ad-4cb1d105fec2\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"2\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"name\":\"39f5326a-185e-e413-043e-89635f82507e\",\"etag\":\"\\\"4a002a52-0000-0100-0000-62fbbfbe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Sign-ins from IPs that attempt sign-ins to disabled accounts\",\"description\":\"Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another 
account.\\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\\n50057 - User account is disabled. The account has been disabled by an administrator.\",\"severity\":\"Medium\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"firstActivityTimeUtc\":\"2022-08-16T15:08:06.0646524Z\",\"lastActivityTimeUtc\":\"2022-08-16T15:58:06.0646524Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:03:10.634814Z\",\"createdTimeUtc\":\"2022-08-16T15:43:09.2489917Z\",\"incidentNumber\":1,\"additionalData\":{\"alertsCount\":5,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[\"Azure Sentinel\"],\"tactics\":[\"InitialAccess\",\"Persistence\"]},\"relatedAnalyticRuleIds\":[\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/53274afe-2640-4c50-bd36-78c1c79f102c\"],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/39f5326a-185e-e413-043e-89635f82507e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"1\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/entities?api-version=2021-09-01-preview+2": { + 
"Get-AzSentinelIncidentEntity+[NoContext]+List+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/entities?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/b38b9337-951a-0983-3a4d-8c0a4a243798/entities?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/39f5326a-185e-e413-043e-89635f82507e/entities?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "216" ], - "x-ms-client-request-id": [ "9a4d97de-63cc-4f21-bef3-898a539b0e6e" ], + "x-ms-unique-id": [ "217" ], + "x-ms-client-request-id": [ "f979e4ab-cb9c-4bd0-8c8d-906824edbeae" ], "CommandName": [ "Get-AzSentinelIncidentEntity" ], "FullCommandName": [ "Get-AzSentinelIncidentEntity_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,19 +65,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], - "x-ms-correlation-request-id": [ "a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183200Z:a9bd12e2-b0d3-4e2b-b283-3e072f1b198a" ], + "x-ms-request-id": [ "ac8f0b18-713d-41a6-b357-45625645d965" ], + "x-ms-correlation-request-id": [ "ac8f0b18-713d-41a6-b357-45625645d965" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160739Z:ac8f0b18-713d-41a6-b357-45625645d965" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:31:59 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "471" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"entities\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", + "Content": 
"{\"entities\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Entities/f76e8451-9f40-544f-61e4-33a50dca269d\",\"name\":\"f76e8451-9f40-544f-61e4-33a50dca269d\",\"type\":\"Microsoft.SecurityInsights/Entities\",\"kind\":\"Ip\",\"properties\":{\"address\":\"175.45.176.99\",\"friendlyName\":\"175.45.176.99\"}}],\"metaData\":[{\"entityKind\":\"Ip\",\"count\":1}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json index 2c2e4ffbd04f..a4603bcbc967 100644 --- a/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelIncidentRelation.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "217" ], - "x-ms-client-request-id": [ "2cbe0942-9ba8-476d-852b-df36af4e2621" ], + "x-ms-unique-id": [ "218" ], + "x-ms-client-request-id": [ "4d745071-e0b6-4819-a7e7-ed0b08c97429" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "23ff53a2-15c4-4746-8abd-64854ae974a4" ], - "x-ms-correlation-request-id": [ "23ff53a2-15c4-4746-8abd-64854ae974a4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:23ff53a2-15c4-4746-8abd-64854ae974a4" ], + "x-ms-request-id": [ "69b938d7-9eb3-413a-b8ad-458700556d23" ], + "x-ms-correlation-request-id": [ "69b938d7-9eb3-413a-b8ad-458700556d23" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160739Z:69b938d7-9eb3-413a-b8ad-458700556d23" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] }, "ContentHeaders": { "Content-Length": [ "840" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "218" ], - "x-ms-client-request-id": [ "4f008b1c-faff-4b49-90b2-01db7519eea4" ], + "x-ms-unique-id": [ "219" ], + "x-ms-client-request-id": [ "2a132920-aa8f-49c4-bb15-db1b74de8fe6" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "16d368ca-2fef-46b4-b85a-c1288786951c" ], - "x-ms-correlation-request-id": [ "16d368ca-2fef-46b4-b85a-c1288786951c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:16d368ca-2fef-46b4-b85a-c1288786951c" ], + "x-ms-request-id": [ "b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], + "x-ms-correlation-request-id": [ "b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160740Z:b68e95a2-6f5b-4e75-8144-10ad515e3ef0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+1": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "219" ], - "x-ms-client-request-id": [ "6cebddaa-f855-4a2e-8f7a-b4dea44f6343" ], + "x-ms-unique-id": [ "220" ], + "x-ms-client-request-id": [ "a64a76d4-85c4-451e-b33e-3b5de2ca635b" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "5778a143-2fb7-48b9-b812-36a505cad98b" ], - "x-ms-correlation-request-id": [ "5778a143-2fb7-48b9-b812-36a505cad98b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:5778a143-2fb7-48b9-b812-36a505cad98b" ], + "x-ms-request-id": [ "62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], + "x-ms-correlation-request-id": [ "62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160740Z:62d87c59-c438-4f6b-a6a9-fcb44410ff10" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:39 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview+2": { + "Get-AzSentinelIncidentRelation+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "220" ], - "x-ms-client-request-id": [ "17c638f5-e5b1-4590-8413-e629440a6045" ], + "x-ms-unique-id": [ "221" ], + "x-ms-client-request-id": [ "3f500359-1c75-4a7f-890b-1c60bef30b53" ], "CommandName": [ "Get-AzSentinelincidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "7477d45b-6161-4853-a463-8dc1590fc0e5" ], - "x-ms-correlation-request-id": [ "7477d45b-6161-4853-a463-8dc1590fc0e5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183201Z:7477d45b-6161-4853-a463-8dc1590fc0e5" ], + "x-ms-request-id": [ "7a6846fd-537b-47cd-801b-d5484244717b" ], + "x-ms-correlation-request-id": [ "7a6846fd-537b-47cd-801b-d5484244717b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160743Z:7a6846fd-537b-47cd-801b-d5484244717b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:01 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/ccca6513-b2b1-46be-925b-40f25e28a448/relations/38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"name\":\"38ffa7b2-a413-4ab4-979f-8ec4ca096552\",\"etag\":\"\\\"1200760b-0000-0100-0000-62e426930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceName\":\"e809aa96-66b0-4c25-83cc-f6a969445995\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/524da4fb-3888-4446-9e92-12183ac2eaab/relations/d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"name\":\"d8e7ac2f-7b68-4110-a408-6dda491cd5d0\",\"etag\":\"\\\"4a002d52-0000-0100-0000-62fbbfc70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceName\":\"40c54fdc-490c-4164-901e-b95ca08e0a88\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json index 47e032457f69..a5f15b2f40cb 100644 --- a/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelMetadata.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "221" ], - "x-ms-client-request-id": [ "35c2d85d-23de-4255-858a-3b977b17397c" ], + "x-ms-unique-id": [ "222" ], + "x-ms-client-request-id": [ "4679d405-1c0d-4fce-abec-597f4c16d65c" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11955" ], - "x-ms-request-id": [ "ca5256e0-f15a-40d4-94b8-fecee8db0f16" ], - "x-ms-correlation-request-id": [ "ca5256e0-f15a-40d4-94b8-fecee8db0f16" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183202Z:ca5256e0-f15a-40d4-94b8-fecee8db0f16" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], + "x-ms-request-id": [ "7065808a-cc9a-4985-8201-473881861d6e" ], + "x-ms-correlation-request-id": [ "7065808a-cc9a-4985-8201-473881861d6e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160744Z:7065808a-cc9a-4985-8201-473881861d6e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:44 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2645" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "222" ], - "x-ms-client-request-id": [ "dceec427-b930-4121-a106-c605c8bcb034" ], + "x-ms-unique-id": [ "223" ], + "x-ms-client-request-id": [ "90a01563-b597-4c43-9c7a-c720e87a4901" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11954" ], - "x-ms-request-id": [ "b37c65b8-973f-4360-9627-207c7c061fdf" ], - "x-ms-correlation-request-id": [ "b37c65b8-973f-4360-9627-207c7c061fdf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:b37c65b8-973f-4360-9627-207c7c061fdf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], + "x-ms-request-id": [ "207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], + "x-ms-correlation-request-id": [ "207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160745Z:207cab83-2656-41a1-a92c-fe6cb4e8ca21" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:44 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2633" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { + "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "223" ], - "x-ms-client-request-id": [ "8055dd57-1179-476a-8c52-c3cabd7deb47" ], + "x-ms-unique-id": [ "224" ], + "x-ms-client-request-id": [ "aab796cf-f660-40e5-b466-1216e864d305" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -105,32 +105,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11953" ], - "x-ms-request-id": [ "216f1c37-56e0-46cd-b27f-ceaf61f4a994" ], - "x-ms-correlation-request-id": [ "216f1c37-56e0-46cd-b27f-ceaf61f4a994" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:216f1c37-56e0-46cd-b27f-ceaf61f4a994" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], + "x-ms-request-id": [ "21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], + "x-ms-correlation-request-id": [ "21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160745Z:21cf9504-1551-4ad2-8c89-1557d1ebfff4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:02 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:45 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2633" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } }, - 
"Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { + "Get-AzSentinelMetadata+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "224" ], - "x-ms-client-request-id": [ "7277403c-8857-4234-8582-347455015b1e" ], + "x-ms-unique-id": [ "225" ], + "x-ms-client-request-id": [ "dff0d8f9-4ce3-48a7-b53b-5cdffe2e3d6d" ], "CommandName": [ "Get-AzSentinelMetadata" ], "FullCommandName": [ "Get-AzSentinelMetadata_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -146,20 +146,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11952" ], - "x-ms-request-id": [ "325fb1cb-2cdb-4e6b-92f8-e66580243723" ], - "x-ms-correlation-request-id": [ "325fb1cb-2cdb-4e6b-92f8-e66580243723" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183203Z:325fb1cb-2cdb-4e6b-92f8-e66580243723" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ], + "x-ms-request-id": [ "68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], + "x-ms-correlation-request-id": [ "68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160746Z:68e5f81c-058a-4a4a-8cd6-890d71b3dbab" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:03 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:45 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2633" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-07-29T18:30:08.5807719Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-07-29T18:30:08.5807719Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourcegroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/metadata/azuresentinel.azure-sentinel-solution-zerotrust\",\"name\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"type\":\"Microsoft.SecurityInsights/metadata\",\"systemData\":{\"createdAt\":\"2022-08-16T16:05:56.4459878Z\",\"createdBy\":\"nicholas@zeronetworks.com\",\"createdByType\":\"User\",\"lastModifiedAt\":\"2022-08-16T16:05:56.4459878Z\",\"lastModifiedBy\":\"nicholas@zeronetworks.com\",\"lastModifiedByType\":\"User\"},\"properties\":{\"contentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"parentId\":\"azuresentinel.azure-sentinel-solution-zerotrust\",\"kind\":\"Solution\",\"version\":\"1.0.5\",\"source\":{\"kind\":\"Solution\",\"name\":\"ZeroTrust(TIC3.0)\",\"sourceId\":\"azuresentinel.azure-sentinel-solution-zerotrust\"},\"author\":{\"name\":\"Nikhil Tripathi\",\"email\":\"v-ntripathi@microsoft.com\"},\"support\":{\"tier\":\"Microsoft\",\"name\":\"Microsoft 
Corporation\",\"email\":\"support@microsoft.com\",\"link\":\"https://support.microsoft.com\"},\"dependencies\":{\"criteria\":[{\"contentId\":\"ZeroTrustTIC3.0_workbook\",\"kind\":\"Workbook\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDNSFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustDataProtectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEmailFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustEnterpriseFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustFilesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustIntrusionDetectionFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustNetworkingFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustResiliencyFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUCCFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustUniversalSecurityCapabilitiesFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"},{\"contentId\":\"ZeroTrustWebFamilyControlsMonitoring_AnalyticalRules\",\"kind\":\"AnalyticsRule\",\"version\":\"1.0.5\"}],\"operator\":\"AND\"},\"providers\":[\"Microsoft\"],\"categories\":{\"domains\":[\"Identity\",\"Security - Others\"],\"verticals\":null},\"firstPublishDate\":\"2021-10-20\"}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json index fe8ac921fb52..1fb3b6afa9ce 100644 --- a/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelOnboardingState.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "225" ], - "x-ms-client-request-id": [ "1e40b73a-7084-4c64-b548-27396a5fb135" ], + "x-ms-unique-id": [ "226" ], + "x-ms-client-request-id": [ "f3af40b9-f4cf-4c18-99a0-aedb3f1d2fad" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,31 +24,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "11" ], - "x-ms-request-id": [ "caa50af3-8252-4723-8589-345b81169659" ], - "x-ms-correlation-request-id": [ "caa50af3-8252-4723-8589-345b81169659" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183205Z:caa50af3-8252-4723-8589-345b81169659" ], + "x-ms-request-id": [ "015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], + "x-ms-correlation-request-id": [ "015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:015e4cad-056f-48dc-8b2e-59bf2de87ebe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:04 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "331" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}]}", + "Content": "{\"value\":[{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}]}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "226" ], - "x-ms-client-request-id": [ "28c05e08-7327-4140-9161-4b08bc42cd0c" ], + "x-ms-unique-id": [ "227" ], + "x-ms-client-request-id": [ "32995150-e783-4002-9b8f-ebbb239f27a4" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "10" ], - "x-ms-request-id": [ "60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], - "x-ms-correlation-request-id": [ "60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:60ac84ea-eeec-4fc8-8dd6-7583e0e5068d" ], + "x-ms-request-id": [ "439d3442-a04d-431c-b7ca-1e196c67dd70" ], + "x-ms-correlation-request-id": [ "439d3442-a04d-431c-b7ca-1e196c67dd70" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:439d3442-a04d-431c-b7ca-1e196c67dd70" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:05 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "227" ], - "x-ms-client-request-id": [ "5ab4483f-c530-4f49-9a4d-ac4a5a4c39db" ], + "x-ms-unique-id": [ "228" ], + "x-ms-client-request-id": [ "77e679dc-ac21-46c6-986b-ae51c210b0bf" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,31 +106,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "9" ], - "x-ms-request-id": [ "29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], - "x-ms-correlation-request-id": [ "29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:29c1bd05-1dd6-45ff-8862-34865bb5a6b0" ], + "x-ms-request-id": [ "0d956850-64f2-46d4-8b73-1945eb241cfd" ], + "x-ms-correlation-request-id": [ "0d956850-64f2-46d4-8b73-1945eb241cfd" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160747Z:0d956850-64f2-46d4-8b73-1945eb241cfd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:05 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } }, - 
"Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { + "Get-AzSentinelOnboardingState+[NoContext]+GetViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "228" ], - "x-ms-client-request-id": [ "dcdad4b7-b7c2-4e03-b029-3d1bf171d24c" ], + "x-ms-unique-id": [ "229" ], + "x-ms-client-request-id": [ "4188d068-5f91-423a-8384-f7ea324c46a3" ], "CommandName": [ "Get-AzSentinelonboardingState" ], "FullCommandName": [ "Get-AzSentinelOnboardingState_GetViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -147,19 +147,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "8" ], - "x-ms-request-id": [ "e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], - "x-ms-correlation-request-id": [ "e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183206Z:e1b47ec6-4dc2-4a5d-935d-76615f7bb2dc" ], + "x-ms-request-id": [ "bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], + "x-ms-correlation-request-id": [ "bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160748Z:bbe6b5de-7ac4-41ff-8d3e-44c182030343" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:06 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:47 GMT" ] }, "ContentHeaders": { "Content-Length": [ "319" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", + "Content": "{\"properties\":{},\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/onboardingStates/default\",\"name\":\"default\",\"type\":\"Microsoft.SecurityInsights/onboardingStates\",\"systemData\":{}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json index 043083a54547..248630d4a85e 100644 --- a/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json 
+++ b/src/SecurityInsights/test/Get-AzSentinelSetting.Recording.json @@ -1,13 +1,13 @@ { - "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "229" ], - "x-ms-client-request-id": [ "16dd286b-bd92-4cd0-9c9d-0d8c41978d92" ], + "x-ms-unique-id": [ "230" ], + "x-ms-client-request-id": [ "fc4b66a1-a8bf-4b30-8286-3fa447c99e43" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11951" ], - "x-ms-request-id": [ "5c7d4497-db3c-4582-94e6-906901577cdf" ], - "x-ms-correlation-request-id": [ "5c7d4497-db3c-4582-94e6-906901577cdf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183207Z:5c7d4497-db3c-4582-94e6-906901577cdf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], + "x-ms-request-id": [ "a0644e0a-bcc7-4164-aaca-c635992e2388" ], + "x-ms-correlation-request-id": [ "a0644e0a-bcc7-4164-aaca-c635992e2388" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160749Z:a0644e0a-bcc7-4164-aaca-c635992e2388" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:06 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1178" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"1000165a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"300235ec-0000-0300-0000-62fbb75c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } }, - "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { + "Get-AzSentinelSetting+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "230" ], - "x-ms-client-request-id": [ "aaa14d5a-8cc2-4b18-a1e6-61f56f205173" ], + "x-ms-unique-id": [ "231" ], + "x-ms-client-request-id": [ "fe2af9af-3f72-499f-9919-608f8fa92d19" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11950" ], - "x-ms-request-id": [ "97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], - "x-ms-correlation-request-id": [ "97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183208Z:97f99953-2aaf-4b62-9bb9-1156f91d4bd6" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], + "x-ms-request-id": [ "f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], + "x-ms-correlation-request-id": [ "f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160749Z:f9bf9534-dc4e-4aaf-9dfc-3ca150643f42" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:07 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "392" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"1000165a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/Anomalies\",\"name\":\"Anomalies\",\"etag\":\"\\\"300235ec-0000-0300-0000-62fbb75c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"Anomalies\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json index be054afc992e..3ba0ff369571 100644 --- a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicator.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "231" ], - "x-ms-client-request-id": [ "700dc6ff-6327-4f53-93b3-8df3fccae5a3" ], + "x-ms-unique-id": [ "232" ], + "x-ms-client-request-id": [ "bb37cf43-c191-49bb-8650-a1e840e60db1" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11949" ], - "x-ms-request-id": [ "938a5d75-8876-4665-ab9e-a2f84bd5076b" ], - "x-ms-correlation-request-id": [ "938a5d75-8876-4665-ab9e-a2f84bd5076b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183210Z:938a5d75-8876-4665-ab9e-a2f84bd5076b" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], + "x-ms-request-id": [ "ce83e5e5-9186-4a5b-9f09-12634870fec9" ], + "x-ms-correlation-request-id": [ "ce83e5e5-9186-4a5b-9f09-12634870fec9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160751Z:ce83e5e5-9186-4a5b-9f09-12634870fec9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:09 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:51 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5013" ], + "Content-Length": [ "5012" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"1200f4ed-0000-0100-0000-62e4275b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:51.1335761Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:51.1359187Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorftrdne\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"6f007aa7-0000-0500-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:50.5129497Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:50.5154541Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator2fbu57\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"1200efed-0000-0100-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:49.8829555Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.8876488Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicator8hwpzl\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1200eced-0000-0100-0000-62e427590000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:48.7921022Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.1618991Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorlzk6wg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"f201820f-0000-0100-0000-62fbc0990000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.5967724Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.6006111Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatortefl3d\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"f201c40e-0000-0100-0000-62fbc0960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.0501277Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.0682385Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator6zjacg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"f201060e-0000-0100-0000-62fbc0930000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:43.3658923Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:43.4186153Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorty5w74\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1800a99f-0000-0500-0000-62fbc09a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:42.720134Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:42.7395321Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorzeqho5\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}]}", "isContentBase64": false } }, - "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicator+[NoContext]+Get+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/bd45b979-3f35-b698-a82a-23f3058f60bc?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "232" ], - "x-ms-client-request-id": [ 
"31dce92b-2325-4e46-91f7-a2312818031a" ], + "x-ms-unique-id": [ "233" ], + "x-ms-client-request-id": [ "b82efd34-e236-49ac-a78d-76c9b2c40f23" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicator" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicator_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,20 +64,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11948" ], - "x-ms-request-id": [ "1d8c9f1e-e510-4d79-a10f-a3518771823a" ], - "x-ms-correlation-request-id": [ "1d8c9f1e-e510-4d79-a10f-a3518771823a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183210Z:1d8c9f1e-e510-4d79-a10f-a3518771823a" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], + "x-ms-request-id": [ "20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], + "x-ms-correlation-request-id": [ "20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160751Z:20e512c2-0dbe-4c9d-954f-e9dece46ed62" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:09 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:51 GMT" ] }, "ContentHeaders": { "Content-Length": [ "995" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json index 343076b4846c..51ca6f697242 100644 --- a/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json +++ b/src/SecurityInsights/test/Get-AzSentinelThreatIntelligenceIndicatorMetric.Recording.json 
@@ -1,13 +1,13 @@ { - "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { + "Get-AzSentinelThreatIntelligenceIndicatorMetric+[NoContext]+List+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/metrics?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "233" ], - "x-ms-client-request-id": [ "73164ebf-7ab5-4aa2-b857-973428e1e433" ], + "x-ms-unique-id": [ "234" ], + "x-ms-client-request-id": [ "07d98062-c08a-4688-902e-85c26b209796" ], "CommandName": [ "Get-AzSentinelthreatIntelligenceIndicatorMetric" ], "FullCommandName": [ "Get-AzSentinelThreatIntelligenceIndicatorMetric_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,20 +23,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11947" ], - "x-ms-request-id": [ "02893eb6-c78c-4dc4-9786-77e8b20243e5" ], - "x-ms-correlation-request-id": [ "02893eb6-c78c-4dc4-9786-77e8b20243e5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183211Z:02893eb6-c78c-4dc4-9786-77e8b20243e5" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], + "x-ms-request-id": [ "7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], + "x-ms-correlation-request-id": [ "7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160752Z:7a9bc93d-0d83-4bd1-b3fd-502c8102036f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:10 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:52 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "279" ], + "Content-Length": [ "278" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2022-07-29T18:32:11.3523407Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Microsoft Sentinel\",\"metricValue\":5}]}}]}", + "Content": "{\"value\":[{\"properties\":{\"lastUpdatedTimeUtc\":\"2022-08-16T16:07:52.700472Z\",\"threatTypeMetrics\":[{\"metricName\":\"unknown\",\"metricValue\":5}],\"patternTypeMetrics\":[{\"metricName\":\"ipv4-addr\",\"metricValue\":5}],\"sourceMetrics\":[{\"metricName\":\"Microsoft Sentinel\",\"metricValue\":5}]}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json index 18a5bb2dbdb4..f7c10a73344a 100644 
--- a/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json +++ b/src/SecurityInsights/test/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.Recording.json @@ -1,8 +1,8 @@ { - "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { + "Invoke-AzSentinelThreatIntelligenceIndicatorQuery+[NoContext]+QueryExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview+1": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/main/queryIndicators?api-version=2021-09-01-preview", "Content": "{\n \"pageSize\": 10,\n \"includeDisabled\": true\n}", "isContentBase64": false, "Headers": { 
@@ -18,20 +18,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11946" ], - "x-ms-request-id": [ "8843fc5d-9a2a-46b5-93bc-121567004e12" ], - "x-ms-correlation-request-id": [ "8843fc5d-9a2a-46b5-93bc-121567004e12" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183212Z:8843fc5d-9a2a-46b5-93bc-121567004e12" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], + "x-ms-request-id": [ "5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], + "x-ms-correlation-request-id": [ "5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160753Z:5c61c462-0aaf-44d8-9cf7-a1e17c413736" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:11 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:52 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5013" ], + "Content-Length": [ "5012" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"1200f4ed-0000-0100-0000-62e4275b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:51.1335761Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:51.1359187Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatorftrdne\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"6f007aa7-0000-0500-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:50.5129497Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:50.5154541Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator2fbu57\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"1200efed-0000-0100-0000-62e4275a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:49.8829555Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.8876488Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicator8hwpzl\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1200eced-0000-0100-0000-62e427590000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:48.7921022Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:49.1618991Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorlzk6wg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1200e5ed-0000-0100-0000-62e427580000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-07-29T18:30:39.8736843Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-07-29T18:30:43.3438345Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicator3o7nfw\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-07-29T06:00:00Z\"}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"name\":\"4b4270c1-7b75-b9ba-58c7-b8420b7e6291\",\"etag\":\"\\\"f201820f-0000-0100-0000-62fbc0990000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.5967724Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--e6a04e80-47b0-6528-bd57-ed3840d7e56a\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.6006111Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"UpdateViaIdthreatIntelligenceIndicatortefl3d\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.5\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.5\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"name\":\"a40d90cd-3425-dcc7-87c9-8c9298f3641d\",\"etag\":\"\\\"f201c40e-0000-0100-0000-62fbc0960000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:44.0501277Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--829fe799-e4bd-6619-9c4d-3947faf519ca\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:44.0682385Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"UpdatethreatIntelligenceIndicator6zjacg\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.4\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.4\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"name\":\"8bc7c1a2-ceb7-dea2-025b-a90dc873bf63\",\"etag\":\"\\\"f201060e-0000-0100-0000-62fbc0930000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:43.3658923Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--2980def0-bd4a-78b5-1fa4-1be337609a85\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:43.4186153Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemoveViaIdthreatIntelligenceIndicatorty5w74\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.3\"}]}],\"pattern\":\"[ipv4-addr:value = 
\u00278.8.8.3\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"name\":\"aba922f2-cd9e-75df-4232-a8d47c94bc03\",\"etag\":\"\\\"1800a99f-0000-0500-0000-62fbc09a0000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:42.720134Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--d4498499-c9ed-7c0e-0fc3-92fb16d27879\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:42.7395321Z\",\"revoked\":false,\"source\":\"Microsoft Sentinel\",\"displayName\":\"RemovethreatIntelligenceIndicatorzeqho5\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.2\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.2\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/threatIntelligence/bd45b979-3f35-b698-a82a-23f3058f60bc\",\"name\":\"bd45b979-3f35-b698-a82a-23f3058f60bc\",\"etag\":\"\\\"1800899f-0000-0500-0000-62fbc0920000\\\"\",\"type\":\"Microsoft.SecurityInsights/threatIntelligence\",\"kind\":\"indicator\",\"properties\":{\"confidence\":0,\"created\":\"2022-08-16T16:06:33.5767612Z\",\"extensions\":{\"sentinel-ext\":{\"severity\":null}},\"externalId\":\"indicator--f894ccd9-d5a5-b553-4496-649bd57372ad\",\"lastUpdatedTimeUtc\":\"2022-08-16T16:06:37.7160124Z\",\"revoked\":false,\"source\":\"Microsoft 
Sentinel\",\"displayName\":\"GetthreatIntelligenceIndicatoro4mh0q\",\"threatTypes\":[\"unknown\"],\"parsedPattern\":[{\"patternTypeKey\":\"ipv4-addr\",\"patternTypeValues\":[{\"valueType\":\"ipv4-addr\",\"value\":\"8.8.8.1\"}]}],\"pattern\":\"[ipv4-addr:value = \u00278.8.8.1\u0027]\",\"patternType\":\"ipv4-addr\",\"validFrom\":\"2022-08-16T04:00:00Z\"}}]}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json index d956dc56f43b..089b7fc1d6c8 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Recording.json 
@@ -1,9 +1,9 @@ { - "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulel98w03\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "6bbc7bc0-800d-4e23-9dc9-23def5929916" ], - "x-ms-correlation-request-id": [ "6bbc7bc0-800d-4e23-9dc9-23def5929916" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183213Z:6bbc7bc0-800d-4e23-9dc9-23def5929916" ], + "x-ms-request-id": [ "fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], + "x-ms-correlation-request-id": [ "fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160754Z:fe16e0a3-61ba-4872-be3f-044a0eb6ffbd" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:12 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:54 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1048" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5a84cae5-b8d3-49c5-9418-9f3d635d30b8\",\"name\":\"5a84cae5-b8d3-49c5-9418-9f3d635d30b8\",\"etag\":\"\\\"2e00873f-0000-0100-0000-62e427ad0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:32:13.2109287Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/12d8cb29-d001-4576-a336-77050c60a1f3\",\"name\":\"12d8cb29-d001-4576-a336-77050c60a1f3\",\"etag\":\"\\\"06007d41-0000-0100-0000-62fbc0da0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulel98w03\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:07:54.7075662Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 index 99ef9a01265d..515044fc4b81 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAlertRule.Tests.ps1 
@@ -17,8 +17,8 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRule'))
 Describe 'New-AzSentinelAlertRule' {
 It 'CreateExpanded' {
 $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Kind Scheduled -Query 'SecurityEvent | take 1' -DisplayName "NewAlertRulePSTest" -Severity Informational `
+ -Kind Scheduled -RuleId $env.NewAlertRuleId -Query 'SecurityEvent | take 1' -DisplayName $env.NewAlertRuleName -Severity Informational `
 -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1
- $alertRule.DisplayName | Should -Be "NewAlertRulePSTest"
+ $alertRule.DisplayName | Should -Be $env.NewAlertRuleName
 }
 }
diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
index 68d82516d255..318f977eb2ae 100644
--- a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Recording.json
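Review bot: The new assertion on the last changed line still checks only `DisplayName`, so the `-RuleId $env.NewAlertRuleId` the commit now passes is never verified; if the cmdlet ignored the explicit id and generated its own, this test would still pass. Add `$alertRule.Name | Should -Be $env.NewAlertRuleId` after the DisplayName check — the recording in the preceding hunk shows the id being used as the `alertRules/{id}` segment of the PUT, so `Name` looks like the property where it surfaces, though that should be confirmed against the cmdlet's output type. Since `$env.NewAlertRuleId` and `$env.NewAlertRuleName` come from a test-environment file not in this hunk, a short comment such as `# RuleId/Name are generated once in the env setup so playback matches the recording` would tell the next maintainer why literals were replaced. The recorded request body shows the rule created with `enabled: false` and `createIncident: false`, which is the safe default for a shared test workspace and worth stating in the test so it is not flipped on later. The enclosing `if` guard starts before this hunk.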
@@ -1,15 +1,15 @@ { - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a?api-version=2021-09-01-preview+1": { + "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a?api-version=2021-09-01-preview", - "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewAlertRulePSTest\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71?api-version=2021-09-01-preview", + "Content": "{\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"queryFrequency\": \"PT1H\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 1,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\"\n },\n \"createIncident\": false\n },\n \"query\": \"SecurityEvent | take 1\",\n \"displayName\": \"NewalertRuleActionRuleNamexmy37l\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "622" ] + "Content-Length": [ "636" ] } }, "Response": { 
@@ -19,27 +19,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1198" ], - "x-ms-request-id": [ "44c8fefb-1964-4049-8644-a0a70e34d50a" ], - "x-ms-correlation-request-id": [ "44c8fefb-1964-4049-8644-a0a70e34d50a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183214Z:44c8fefb-1964-4049-8644-a0a70e34d50a" ], + "x-ms-request-id": [ "bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], + "x-ms-correlation-request-id": [ "bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160755Z:bcbffb7e-80a2-41e7-9abf-1a9f8eb1eeb6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:13 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:55 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1048" ], + "Content-Length": [ "1062" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a\",\"name\":\"2a06ef26-4b40-4fe2-b06c-35967b0b841a\",\"etag\":\"\\\"2e00883f-0000-0100-0000-62e427ae0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewAlertRulePSTest\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:32:14.0922704Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71\",\"name\":\"257e1543-c5bf-47a0-a346-35a29c8a0d71\",\"etag\":\"\\\"06007e41-0000-0100-0000-62fbc0db0000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":null,\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"PT1H\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":1,\"severity\":\"Informational\",\"query\":\"SecurityEvent | take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":null,\"displayName\":\"NewalertRuleActionRuleNamexmy37l\",\"enabled\":false,\"description\":null,\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:07:55.6806296Z\"}}", "isContentBase64": false } }, - "New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelAlertRuleAction+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": \"https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\",\n \"triggerUri\": 
\"https://prod-05.centralus.logic.azure.com:443/workflows/eb03b1bc818942e0a642c05aeef2614b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=BiTp33mQqq5owtlDqGQFUmo-TdKtHaQskA16bOn1p8g\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -55,19 +55,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], - "x-ms-correlation-request-id": [ "bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183215Z:bf4dbfcf-a535-4bf4-be0d-dab4ab47230b" ], + "x-ms-request-id": [ "25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], + "x-ms-correlation-request-id": [ "25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160757Z:25ad87b8-a50f-41ee-8d0e-4d2fe7c03339" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:14 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:56 GMT" ] }, "ContentHeaders": { "Content-Length": [ "610" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/2a06ef26-4b40-4fe2-b06c-35967b0b841a/actions/d5d437c2-9aaf-4704-95a8-a7b5f3f1b905\",\"name\":\"d5d437c2-9aaf-4704-95a8-a7b5f3f1b905\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/257e1543-c5bf-47a0-a346-35a29c8a0d71/actions/9c045509-e461-450d-bf07-d550536d3d95\",\"name\":\"9c045509-e461-450d-bf07-d550536d3d95\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 index 24966ff8faee..1a6ba11bb983 100644 --- a/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAlertRuleAction.Tests.ps1 
@@ -17,10 +17,10 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelAlertRuleAction Describe 'New-AzSentinelAlertRuleAction' { It 'CreateExpanded' { $alertRule = New-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Kind Scheduled -Query "SecurityEvent | take 1" -DisplayName "NewAlertRulePSTest" -Severity Informational ` + -Kind Scheduled -RuleId $env.NewalertRuleActionRuleId -Query "SecurityEvent | take 1" -DisplayName $env.NewalertRuleActionRuleName -Severity Informational ` -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Days 1) -TriggerOperator "GreaterThan" -TriggerThreshold 1 $alertRuleAction = New-AzSentinelAlertRuleAction -ResourceGroupName $env.ResourceGroupName ` - -RuleId ($alertRule.Name) -WorkspaceName $env.workspaceName -LogicAppResourceId $env.Playbook1LogicAppResourceId ` + -Id $env.NewAlertRuleActionId -RuleId $env.NewalertRuleActionRuleId -WorkspaceName $env.workspaceName -LogicAppResourceId $env.Playbook1LogicAppResourceId ` -TriggerUri $env.Playbook1TriggerUrl $alertRuleAction.LogicAppResourceId | Should -Be $env.Playbook1LogicAppResourceId } diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json index e2dc88a88c64..ec0933cd59b5 100644 --- a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Recording.json 
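Review bot: The `-TriggerUri $env.Playbook1TriggerUrl` argument on the new `New-AzSentinelAlertRuleAction` line is captured verbatim by the recorder, and the companion `New-AzSentinelAlertRuleAction.Recording.json` hunk in this same patch commits the Logic App trigger URL including its `sig=` query parameter, which is the shared-access signature that authorizes invoking that playbook. A recording checked into a public repository should have that value redacted (replace it with a placeholder before committing, or have the recorder sanitize `triggerUri`), and the trigger key of the recorded playbook should be treated as exposed and regenerated. Separately, the env key spelling within this hunk is inconsistent: `$env.NewalertRuleActionRuleId` and `$env.NewalertRuleActionRuleName` versus `$env.NewAlertRuleActionId`; aligning them to `NewAlertRuleActionRuleId` / `NewAlertRuleActionRuleName` (with the matching change in the env setup, which is outside this diff) would make the keys easier to grep for and read.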
@@ -1,9 +1,9 @@ { - "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c095abfc-e7b8-4556-907d-caa5e924e955?api-version=2021-09-01-preview+1": { + "New-AzSentinelAutomationRule+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c095abfc-e7b8-4556-907d-caa5e924e955?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRulePSTest\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920?api-version=2021-09-01-preview", + "Content": "{\n 
\"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"NewAutomationRuleaf2x1t\",\n \"order\": 2,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], - "x-ms-correlation-request-id": [ "bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183217Z:bf7cdb59-cde6-4c06-b32d-2de9097bf583" ], + "x-ms-request-id": [ "ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], + "x-ms-correlation-request-id": [ "ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160759Z:ef63a64c-65b7-4c2d-a51a-a727cdea42be" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:16 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:58 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c095abfc-e7b8-4556-907d-caa5e924e955\",\"name\":\"c095abfc-e7b8-4556-907d-caa5e924e955\",\"etag\":\"\\\"03009cb1-0000-0100-0000-62e427b10000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRulePSTest\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:17Z\",\"createdTimeUtc\":\"2022-07-29T18:32:17Z\",\"lastModifiedBy\":{\"objec
tId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/a46bcfa9-0dd0-4856-8b10-10ec6bb12920\",\"name\":\"a46bcfa9-0dd0-4856-8b10-10ec6bb12920\",\"etag\":\"\\\"26002a5c-0000-0100-0000-62fbc0df0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"NewAutomationRuleaf2x1t\",\"order\":2,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:07:59Z\",\"createdTimeUtc\":\"2022-08-16T16:07:59Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 index e827b7d0fd75..41d8cba192cd 100644 
--- a/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelAutomationRule.Tests.ps1 @@ -22,8 +22,8 @@ Describe 'New-AzSentinelAutomationRule' { $automationRuleAction.ActionConfigurationLogicAppResourceId = $env.Playbook2LogicAppResourceId $automationRuleAction.ActionConfigurationTenantId = $env.Tenant $automationRule = New-AzSentinelAutomationRule -ResourceGroupName $env.resourceGroupName ` - -WorkspaceName $env.workspaceName -Action $automationRuleAction -DisplayName "NewAutomationRulePSTest" -Order 2 ` + -WorkspaceName $env.workspaceName -Id $env.NewAutomationRuleId -Action $automationRuleAction -DisplayName $env.NewAutomationRule -Order 2 ` -TriggeringLogicIsEnabled - $automationRule.DisplayName | Should -Be "NewAutomationRulePSTest" + $automationRule.DisplayName | Should -Be $env.NewAutomationRule } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json index e49f7723f16c..6f4b430825c2 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Recording.json 
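Review bot: The new `-DisplayName $env.NewAutomationRule` and the matching `Should -Be $env.NewAutomationRule` read the display name from an env key with no `Name` suffix, while the sibling tests in this patch use `$env.NewBookmarkName` and `$env.NewalertRuleActionRuleName`; renaming the key to `NewAutomationRuleName` (its definition is in the env setup, outside this diff) would keep the three tests consistent, and `-Id $env.NewAutomationRuleId` already follows the `*Id` pattern. The companion recording for this test also captures the test account's `email`, `name` and `userPrincipalName` under `createdBy` and `lastModifiedBy`; if the recorder supports response sanitization, redacting those fields before committing is worth considering. The `Describe 'New-AzSentinelAutomationRule'` block starts before this hunk.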
@@ -1,9 +1,9 @@ { - "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmark+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkPSTest\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2022-07-29T18:32:17.8931904Z\",\n \"queryStartTime\": \"2022-07-28T18:32:17.8929330Z\",\n \"queryEndTime\": \"2022-07-29T18:32:17.8930837Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"Newbookmarkq1l5sv\",\n \"query\": \"SecurityEvent | take 1\",\n \"eventTime\": \"2022-08-16T16:07:59.7884184Z\",\n \"queryStartTime\": \"2022-08-15T16:07:59.7881515Z\",\n \"queryEndTime\": \"2022-08-16T16:07:59.7883120Z\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1197" ], - "x-ms-request-id": [ "bdec5dac-d068-440d-bc7e-3c5ab751527b" ], - "x-ms-correlation-request-id": [ "bdec5dac-d068-440d-bc7e-3c5ab751527b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183218Z:bdec5dac-d068-440d-bc7e-3c5ab751527b" ], + "x-ms-request-id": [ "699e1226-1b61-4b72-891b-924e4c1d5230" ], + "x-ms-correlation-request-id": [ "699e1226-1b61-4b72-891b-924e4c1d5230" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160759Z:699e1226-1b61-4b72-891b-924e4c1d5230" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:07:59 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1044" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d\",\"name\":\"c82c0df3-53fe-4bd4-8ac7-b47f3b7a1d1d\",\"etag\":\"\\\"0100d593-0000-0100-0000-62e427b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkPSTest\",\"created\":\"2022-07-29T18:32:18.0693425+00:00\",\"updated\":\"2022-07-29T18:32:18+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:17.8931904+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 
1\",\"queryStartTime\":\"2022-07-28T18:32:17.892933+00:00\",\"queryEndTime\":\"2022-07-29T18:32:17.8930837+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/fa86b82d-4392-4288-846a-5d886fb4edce\",\"name\":\"fa86b82d-4392-4288-846a-5d886fb4edce\",\"etag\":\"\\\"3c00b18c-0000-0100-0000-62fbc0df0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Newbookmarkq1l5sv\",\"created\":\"2022-08-16T16:07:59.9624975+00:00\",\"updated\":\"2022-08-16T16:07:59+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:07:59.7884184+00:00\",\"labels\":[],\"query\":\"SecurityEvent | take 1\",\"queryStartTime\":\"2022-08-15T16:07:59.7881515+00:00\",\"queryEndTime\":\"2022-08-16T16:07:59.788312+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 index 7d130f6bb69d..a431d5bdff97 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelBookmark.Tests.ps1 
@@ -17,8 +17,8 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmark')) Describe 'New-AzSentinelBookmark' { It 'CreateExpanded' { $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` - -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkPSTest" -Query "SecurityEvent | take 1" ` + -Id $env.NewBookmarkId -WorkspaceName $env.workspaceName -DisplayName $env.NewBookmarkName -Query "SecurityEvent | take 1" ` -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime() - $bookmark.DisplayName | Should -Be "NewBookmarkPSTest" + $bookmark.DisplayName | Should -Be $env.NewBookmarkName } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json index 186dfb09fc52..2d92d9a182a0 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Recording.json 
@@ -1,15 +1,15 @@ { - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2?api-version=2021-09-01-preview+1": { + "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewBookmarkRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:32:18.7020279Z\",\n \"queryStartTime\": \"2022-07-28T18:32:18.7017934Z\",\n \"queryEndTime\": \"2022-07-29T18:32:18.7019239Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewbookmarkRelationBookmarkNameo9bngs\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:08:00.5011008Z\",\n \"queryStartTime\": \"2022-08-15T16:08:00.5008418Z\",\n \"queryEndTime\": \"2022-08-16T16:08:00.5009934Z\"\n 
}\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "268" ] + "Content-Length": [ "280" ] } }, "Response": { 
@@ -19,33 +19,33 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1196" ], - "x-ms-request-id": [ "a873c55d-260a-47f9-b260-bf7d852b6f03" ], - "x-ms-correlation-request-id": [ "a873c55d-260a-47f9-b260-bf7d852b6f03" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183218Z:a873c55d-260a-47f9-b260-bf7d852b6f03" ], + "x-ms-request-id": [ "381df517-5538-4a9f-983d-de8fcc21b3c5" ], + "x-ms-correlation-request-id": [ "381df517-5538-4a9f-983d-de8fcc21b3c5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160800Z:381df517-5538-4a9f-983d-de8fcc21b3c5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1055" ], + "Content-Length": [ "1067" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2\",\"name\":\"24122f4f-0774-4453-bd32-f036e3c86ad2\",\"etag\":\"\\\"0100d693-0000-0100-0000-62e427b20000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewBookmarkRelationPSTest\",\"created\":\"2022-07-29T18:32:18.8385163+00:00\",\"updated\":\"2022-07-29T18:32:18+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:18.7020279+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2022-07-28T18:32:18.7017934+00:00\",\"queryEndTime\":\"2022-07-29T18:32:18.7019239+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/d264025f-7598-40f3-8b21-a78f07d46056\",\"name\":\"d264025f-7598-40f3-8b21-a78f07d46056\",\"etag\":\"\\\"3c00b28c-0000-0100-0000-62fbc0e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewbookmarkRelationBookmarkNameo9bngs\",\"created\":\"2022-08-16T16:08:00.6638743+00:00\",\"updated\":\"2022-08-16T16:08:00+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:00.5011008+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-15T16:08:00.5008418+00:00\",\"queryEndTime\":\"2022-08-16T16:08:00.5009934+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewBookmarkRelationPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentName49uk0b\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "120" ] + "Content-Length": [ "132" ] } }, "Response": { 
@@ -55,27 +55,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], - "x-ms-correlation-request-id": [ "16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183219Z:16dc5e8a-031d-4e2e-a904-cab37bbedfb4" ], + "x-ms-request-id": [ "c4e19eb5-4e05-4132-8041-390377e2f46c" ], + "x-ms-correlation-request-id": [ "c4e19eb5-4e05-4132-8041-390377e2f46c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160800Z:c4e19eb5-4e05-4132-8041-390377e2f46c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:18 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1219" ], + "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"name\":\"23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"etag\":\"\\\"1200b30b-0000-0100-0000-62e427b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:19.183455Z\",\"createdTimeUtc\":\"2022-07-29T18:32:19.183455Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"name\":\"b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"etag\":\"\\\"4a00a452-0000-0100-0000-62fbc0e00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentName49uk0b\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:00.9081792Z\",\"createdTimeUtc\":\"2022-08-16T16:08:00.9081792Z\",\"incidentNumber\":22,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"22\"}}", "isContentBase64": false } }, - "New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb?api-version=2021-09-01-preview+3": { + 
"New-AzSentinelBookmarkRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -91,19 +91,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1195" ], - "x-ms-request-id": [ "09dbf693-010b-48cc-a1d1-989eaa712346" ], - "x-ms-correlation-request-id": [ "09dbf693-010b-48cc-a1d1-989eaa712346" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183219Z:09dbf693-010b-48cc-a1d1-989eaa712346" ], + "x-ms-request-id": [ "6b499681-301d-43d4-b4b7-2b6e301ce95f" ], + "x-ms-correlation-request-id": [ "6b499681-301d-43d4-b4b7-2b6e301ce95f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160801Z:6b499681-301d-43d4-b4b7-2b6e301ce95f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:18 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/24122f4f-0774-4453-bd32-f036e3c86ad2/relations/5e7e189d-d2b3-421e-9552-a224176962bb\",\"name\":\"5e7e189d-d2b3-421e-9552-a224176962bb\",\"etag\":\"\\\"0100d793-0000-0100-0000-62e427b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"relatedResourceName\":\"23a88e7f-7b54-4f34-87f6-7e28d9ffb8e6\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/d264025f-7598-40f3-8b21-a78f07d46056/relations/f26c73a8-917d-4364-842e-8de0d3e9153b\",\"name\":\"f26c73a8-917d-4364-842e-8de0d3e9153b\",\"etag\":\"\\\"3c00b38c-0000-0100-0000-62fbc0e10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"relatedResourceName\":\"b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 index b9cb1b5bed27..ce3778f36a85 100644 --- a/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelBookmarkRelation.Tests.ps1 
@@ -17,12 +17,12 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelBookmarkRelatio
 Describe 'New-AzSentinelBookmarkRelation' {
 It 'CreateExpanded' {
 $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName `
- -WorkspaceName $env.workspaceName -DisplayName "NewBookmarkRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -WorkspaceName $env.workspaceName -Id $env.NewbookmarkRelationBookmarkId -DisplayName $env.NewbookmarkRelationBookmarkName -Query "SecurityEvent\n| take 1" `
 -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Severity Informational -Status New -Title "NewBookmarkRelationPSTest"
- $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name `
+ -Id $env.NewBookmarkRelationIncidentId -Severity Informational -Status New -Title $env.NewbookmarkRelationIncidentName
+ $bookmarkRelation = New-AzSentinelBookmarkRelation -BookmarkId $bookmark.Name -RelationName $env.NewBookmarkRelationId `
 -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RelatedResourceId $incident.Id
 $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id
 }
-}
+}
diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
index 6ace0d7c98cc..51b352008abf 100644
--- a/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Recording.json
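Review bot: The added `-Query "SecurityEvent\n| take 1"` is a PowerShell double-quoted string, where `\n` is not an escape, so the bookmark query is stored with a literal backslash-n (the recorded request body earlier in this diff shows `SecurityEvent\\n| take 1`); the test still passes only because the service does not execute a bookmark query on creation. If a real line break is intended use the backtick escape, `-Query "SecurityEvent`n| take 1"`, or a here-string. The block also asserts only `RelatedResourceId`, while the change now pins the relation name; add `$bookmarkRelation.Name | Should -Be $env.NewBookmarkRelationId` so playback verifies the fixed identifier is honoured. The `$env` keys mix `NewbookmarkRelation…` and `NewBookmarkRelation…` casing, which is harmless for property lookup but worth unifying. Note that the recorded bookmark response captures the recording user's `createdBy` email and display name; if the recorder's sanitizer does not scrub those, they presumably should be scrubbed before the recording is committed.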
@@ -1,8 +1,8 @@ { - "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef?api-version=2021-09-01-preview+1": { + "New-AzSentinelDataConnector+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f?api-version=2021-09-01-preview", "Content": "{\n \"kind\": \"MicrosoftThreatIntelligence\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"bingSafetyPhishingURL\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n },\n \"microsoftEmergingThreatFeed\": {\n \"state\": \"Enabled\",\n \"lookbackPeriod\": \"1970-01-01T00:00:00.000Z\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "d37a4f4f-63dd-41a1-b877-3731ea712f62" ], - "x-ms-correlation-request-id": [ "d37a4f4f-63dd-41a1-b877-3731ea712f62" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183220Z:d37a4f4f-63dd-41a1-b877-3731ea712f62" ], + "x-ms-request-id": [ "e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], + "x-ms-correlation-request-id": [ "e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160802Z:e69cbb16-8b5c-48cd-a25c-bd7b864943d3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:01 GMT" ] }, "ContentHeaders": { "Content-Length": [ "675" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/3b07915c-32d6-4bcc-a6f3-525cc869a8ef\",\"name\":\"3b07915c-32d6-4bcc-a6f3-525cc869a8ef\",\"etag\":\"943180a1-92f2-4907-a28f-a66966a4505c\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/5fcca10d-4c38-42a7-b811-a33d367ef23f\",\"name\":\"5fcca10d-4c38-42a7-b811-a33d367ef23f\",\"etag\":\"9a259b91-05b8-4378-a10c-38ece73d38f1\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftThreatIntelligence\",\"properties\":{\"dataTypes\":{\"bingSafetyPhishingURL\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"},\"microsoftEmergingThreatFeed\":{\"state\":\"enabled\",\"lookbackPeriod\":\"01/01/1970 00:00:00\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 index 4a3db9a436ea..a39098cec8da 100644 --- a/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelDataConnector.Tests.ps1 @@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelDataConnector') Describe 'New-AzSentinelDataConnector' { It 'CreateExpanded' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All ` + -Id $env.NewDataConnectorId -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All ` -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All $dataConnector | Should -Not -Be $null } diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json index 44917c205df0..409a8dd1f08d 100644 
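Review bot: `$dataConnector | Should -Not -Be $null` is the only assertion in the New-AzSentinelDataConnector test, so the `-Id $env.NewDataConnectorId` added on the changed line is never checked against the created resource; assert the identifying fields instead, e.g. `$dataConnector.Name | Should -Be $env.NewDataConnectorId` and `$dataConnector.Kind | Should -Be 'MicrosoftThreatIntelligence'`. The recorded request for this test shows the connector is created with a concrete `tenantId` that the test itself does not pass, so it presumably comes from the signed-in context; a one-line comment such as `# tenantId is taken from the current Az context` would make playback failures after a context change easier to diagnose. The enclosing `Describe` block closes outside the hunk.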
--- a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Recording.json 
@@ -1,8 +1,8 @@ { - "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816?api-version=2021-09-01-preview+1": { + "New-AzSentinelEntityQuery+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33?api-version=2021-09-01-preview", "Content": "{\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = 
tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\\u0027{{Account_Name}}\\u0027, \\u0027{{Account_UPNSuffix}}\\u0027, \\u0027{{Account_AadUserId}}\\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"\n },\n \"title\": \"The user consented to OAuth application\",\n \"content\": \"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\n \"description\": \"This activity lists user\\u0027s consents to an OAuth applications.\",\n \"inputEntityType\": \"Account\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1194" ], - "x-ms-request-id": [ "44b3ffba-7387-47dc-959f-e5e1eff70287" ], - "x-ms-correlation-request-id": [ "44b3ffba-7387-47dc-959f-e5e1eff70287" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183222Z:44b3ffba-7387-47dc-959f-e5e1eff70287" ], + "x-ms-request-id": [ "4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], + "x-ms-correlation-request-id": [ "4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160804Z:4edc69b0-fe10-48dd-a514-dcaa8d620bc0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:21 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:03 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2032" ], + "Content-Length": [ "2034" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/97a72f13-f00c-4a70-9d9e-c06259cb1816\",\"name\":\"97a72f13-f00c-4a70-9d9e-c06259cb1816\",\"etag\":\"\\\"890061d5-0000-0100-0000-62e427b60000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != \\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n 
AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:32:22.163164Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:32:22.163164Z\",\"inputEntityType\":\"Account\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/0e70df5c-6ced-4480-b336-bc8491f9cd33\",\"name\":\"0e70df5c-6ced-4480-b336-bc8491f9cd33\",\"etag\":\"\\\"0c007c13-0000-0100-0000-62fbc0e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"The user consented to OAuth application\",\"content\":\"The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)\",\"description\":\"This activity lists user\u0027s consents to an OAuth applications.\",\"queryDefinitions\":{\"query\":\"let UserConsentToApplication = (Account_Name:string, Account_UPNSuffix:string, Account_AadUserId:string){\\r\\n let account_upn = iff(Account_Name != 
\\\"\\\" and Account_UPNSuffix != \\\"\\\", strcat(Account_Name,\\\"@\\\",Account_UPNSuffix),\\\"\\\" );\\r\\n AuditLogs\\r\\n | where OperationName == \\\"Consent to application\\\"\\r\\n | extend Source_Account_UPNSuffix = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"userPrincipalName\\\"]), Source_Account_AadUserId = tostring(todynamic(InitiatedBy) [\\\"user\\\"][\\\"id\\\"])\\r\\n | where (account_upn != \\\"\\\" and account_upn =~ Source_Account_UPNSuffix) \\r\\n or (Account_AadUserId != \\\"\\\" and Account_AadUserId =~ Source_Account_AadUserId)\\r\\n | extend Target_CloudApplication_Name = tostring(todynamic(TargetResources)[0][\\\"displayName\\\"]), Target_CloudApplication_AppId = tostring(todynamic(TargetResources)[0][\\\"id\\\"])\\r\\n };\\r\\n UserConsentToApplication(\u0027{{Account_Name}}\u0027, \u0027{{Account_UPNSuffix}}\u0027, \u0027{{Account_AadUserId}}\u0027) \\r\\n | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated\"},\"requiredInputFieldsSets\":[],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T16:08:04.5255986Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:08:04.5255986Z\",\"inputEntityType\":\"Account\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 index 93e231090527..773d17eacee1 100644 --- a/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelEntityQuery.Tests.ps1 
@@ -28,7 +28,7 @@ Describe 'New-AzSentinelEntityQuery' {
 UserConsentToApplication(''{{Account_Name}}'', ''{{Account_UPNSuffix}}'', ''{{Account_AadUserId}}'')
 | project Target_CloudApplication_AppId, Target_CloudApplication_Name, TimeGenerated'
 $entityQuery = New-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Kind Activity -Title "The user consented to OAuth application" `
+ -Id $env.NewentityQueryActivityId -Kind Activity -Title "The user consented to OAuth application" `
 -InputEntityType "Account" -Content "The user consented to the OAuth application named {{Target_CloudApplication_Name}} {{Count}} time(s)" `
 -Description "This activity lists user's consents to an OAuth applications." `
 -QueryDefinitionQuery $query
diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
index b6498e367b67..2d4522f7e44a 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncident.Recording.json
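Review bot: The assertions for this `It` block lie outside the hunk, so it is not visible whether the identifier now passed as `-Id $env.NewentityQueryActivityId` is verified on the result; if it is not, add `$entityQuery.Name | Should -Be $env.NewentityQueryActivityId` alongside the existing checks so the fixed id that makes the recording replayable is actually exercised. The `$query` string and the start of the `It` block also precede the hunk.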
@@ -1,9 +1,9 @@ { - "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncident+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3eb00428-aed8-405a-a24b-b665c65173a1?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3eb00428-aed8-405a-a24b-b665c65173a1?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"Newincidentx3os45\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "65a14e82-fb19-46ef-8ef7-1c75229af55f" ], - "x-ms-correlation-request-id": [ "65a14e82-fb19-46ef-8ef7-1c75229af55f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183223Z:65a14e82-fb19-46ef-8ef7-1c75229af55f" ], + "x-ms-request-id": [ "936998bd-2bda-40c1-a2fc-621b0d49091d" ], + "x-ms-correlation-request-id": [ "936998bd-2bda-40c1-a2fc-621b0d49091d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160805Z:936998bd-2bda-40c1-a2fc-621b0d49091d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1213" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"name\":\"d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"etag\":\"\\\"1200b50b-0000-0100-0000-62e427b70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:23.0283919Z\",\"createdTimeUtc\":\"2022-07-29T18:32:23.0283919Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471
f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/d6b3eed6-9e82-498d-9a8f-7da330698be6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3eb00428-aed8-405a-a24b-b665c65173a1\",\"name\":\"3eb00428-aed8-405a-a24b-b665c65173a1\",\"etag\":\"\\\"4a00a752-0000-0100-0000-62fbc0e50000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"Newincidentx3os45\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:05.3571622Z\",\"createdTimeUtc\":\"2022-08-16T16:08:05.3571622Z\",\"incidentNumber\":23,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/3eb00428-aed8-405a-a24b-b665c65173a1\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"23\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 index ad82bfe68a6c..a0f74fd060f9 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelIncident.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncident'))
 Describe 'New-AzSentinelIncident' {
 It 'CreateExpanded' {
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Severity Informational -Status New -Title "NewIncidentPSTest"
- $incident.Title | Should -Be "NewIncidentPSTest"
+ -Id $env.NewincidentId -Severity Informational -Status New -Title $env.NewincidentName
+ $incident.Title | Should -Be $env.NewincidentName
 }
 }
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
index 37df8028ad63..2877b03f293d 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Recording.json
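Review bot: The `-Id $env.NewincidentId` added on the changed line is never checked; the block only asserts `$incident.Title | Should -Be $env.NewincidentName`, so a regression in how `-Id` is honoured would go unnoticed while the recording would still replay. Add `$incident.Name | Should -Be $env.NewincidentId` next to the title assertion. The recorded response also echoes `severity` and `status`, so `$incident.Severity | Should -Be 'Informational'` would catch a silent default; both the `It` and `Describe` blocks close within the hunk.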
@@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentCommentPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentCommentIncident0xng1h\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "119" ] + "Content-Length": [ "127" ] } }, "Response": { 
@@ -19,27 +19,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "a4084f2f-eb3d-4623-8c04-a769eac16f62" ], - "x-ms-correlation-request-id": [ "a4084f2f-eb3d-4623-8c04-a769eac16f62" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183224Z:a4084f2f-eb3d-4623-8c04-a769eac16f62" ], + "x-ms-request-id": [ "f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], + "x-ms-correlation-request-id": [ "f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160806Z:f1608e98-bb8f-4335-b80c-81ec8028f4c5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:23 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:05 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1218" ], + "Content-Length": [ "1228" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"name\":\"9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"etag\":\"\\\"1200b60b-0000-0100-0000-62e427b80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentCommentPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:24.073146Z\",\"createdTimeUtc\":\"2022-07-29T18:32:24.073146Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042\",\"name\":\"8633863a-bc7c-40b0-9ad1-59f72db97042\",\"etag\":\"\\\"4a00a852-0000-0100-0000-62fbc0e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentCommentIncident0xng1h\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:06.1404374Z\",\"createdTimeUtc\":\"2022-08-16T16:08:06.1404374Z\",\"incidentNumber\":24,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"24\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/comments/eef705df-6d30-4c10-8727-98bae3da3b93?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentComment+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/comments/eef705df-6d30-4c10-8727-98bae3da3b93?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"message\": \"NewIncidentCommentPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"message\": \"NewincidentCommentyo7r3v\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -55,19 +55,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], - "x-ms-correlation-request-id": [ "dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183224Z:dfffd8d8-0377-4134-998a-f4fb1ecb0e6a" ], + "x-ms-request-id": [ "72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], + "x-ms-correlation-request-id": [ "72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160806Z:72cfcaf2-f191-4260-9e31-e0871f2ad84f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:23 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "759" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/9edc5c11-747d-4c8c-af05-299ab9499f5d/Comments/eef705df-6d30-4c10-8727-98bae3da3b93\",\"name\":\"eef705df-6d30-4c10-8727-98bae3da3b93\",\"etag\":\"\\\"1200b70b-0000-0100-0000-62e427b80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:32:24.6441099Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:32:24.6441099Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/8633863a-bc7c-40b0-9ad1-59f72db97042/Comments/e0d62b0f-55ba-423c-bd1c-13d72489e2c6\",\"name\":\"e0d62b0f-55ba-423c-bd1c-13d72489e2c6\",\"etag\":\"\\\"4a00a952-0000-0100-0000-62fbc0e60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"NewincidentCommentyo7r3v\",\"createdTimeUtc\":\"2022-08-16T16:08:06.4231604Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:08:06.4231604Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 index 2c2a85cdcd09..e6308ec25fb9 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelIncidentComment.Tests.ps1 
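Review bot: The re-recorded comment response on the new `Content` line embeds a real principal in its `author` block — `email`, `name`, `userPrincipalName` and the AAD `objectId` — alongside the live subscription id in every URI, and this fixture is committed to the repository. None of these values are what the test asserts on, so replacing the `author` fields and the subscription GUID with constructed placeholder values before commit would keep the replay working without publishing the tester's identity. The same `author`-style data appears in the `createdBy`/`updatedBy` blocks of the bookmark response in the New-AzSentinelIncidentRelation recording in this commit.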
@@ -17,9 +17,9 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentComment
 Describe 'New-AzSentinelIncidentComment' {
 It 'CreateExpanded' {
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Severity Informational -Status New -Title "NewIncidentCommentPSTest"
+ -Id $env.NewincidentCommentIncidentId -Severity Informational -Status New -Title $env.NewincidentCommentIncidentName
 $incidentComment = New-AzSentinelIncidentComment -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -IncidentId $incident.Name -Message "NewIncidentCommentPSTest"
- $incidentComment.Message | Should -Be "NewIncidentCommentPSTest"
+ -Id $env.NewincidentCommentId -IncidentId $incident.Name -Message $env.NewincidentCommentName
+ $incidentComment.Message | Should -Be $env.NewincidentCommentName
 }
 }
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
index b35468d72dba..ff7d9ff5bbe5 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Recording.json
@@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"NewIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:32:25.9295103Z\",\n \"queryStartTime\": \"2022-07-28T18:32:25.9292171Z\",\n \"queryEndTime\": \"2022-07-29T18:32:25.9293781Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNamefjwc8p\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:08:07.0287586Z\",\n \"queryStartTime\": \"2022-08-15T16:08:07.0283861Z\",\n \"queryEndTime\": \"2022-08-16T16:08:07.0286258Z\"\n 
}\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "268" ] + "Content-Length": [ "280" ] } }, "Response": { 
@@ -19,33 +19,33 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1193" ], - "x-ms-request-id": [ "37deffd3-9f01-486b-9c07-a77b3a13211b" ], - "x-ms-correlation-request-id": [ "37deffd3-9f01-486b-9c07-a77b3a13211b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183226Z:37deffd3-9f01-486b-9c07-a77b3a13211b" ], + "x-ms-request-id": [ "2672e821-018f-4b47-b0ea-59790aaf839b" ], + "x-ms-correlation-request-id": [ "2672e821-018f-4b47-b0ea-59790aaf839b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:2672e821-018f-4b47-b0ea-59790aaf839b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:26 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1055" ], + "Content-Length": [ "1067" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"name\":\"b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"etag\":\"\\\"0100d893-0000-0100-0000-62e427ba0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewIncidentRelationPSTest\",\"created\":\"2022-07-29T18:32:26.1500016+00:00\",\"updated\":\"2022-07-29T18:32:26+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:32:25.9295103+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2022-07-28T18:32:25.9292171+00:00\",\"queryEndTime\":\"2022-07-29T18:32:25.9293781+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\",\"name\":\"bba93c64-4a68-46b3-8015-f129ad1597cf\",\"etag\":\"\\\"3c00b48c-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNamefjwc8p\",\"created\":\"2022-08-16T16:08:07.2011051+00:00\",\"updated\":\"2022-08-16T16:08:07+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:07.0287586+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-15T16:08:07.0283861+00:00\",\"queryEndTime\":\"2022-08-16T16:08:07.0286258+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewIncidentRelationPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentRelationIncidentName9m3qew\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "120" ] + "Content-Length": [ "132" ] } }, "Response": { 
@@ -55,27 +55,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], - "x-ms-correlation-request-id": [ "1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183227Z:1ca228d1-cd5f-4b00-9c6e-0413abfd7d4f" ], + "x-ms-request-id": [ "1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], + "x-ms-correlation-request-id": [ "1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:1bf67a74-8d0f-4d43-a32b-32a3e77b8a69" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:27 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1221" ], + "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"name\":\"6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"etag\":\"\\\"1200b90b-0000-0100-0000-62e427bb0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewIncidentRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:27.0748517Z\",\"createdTimeUtc\":\"2022-07-29T18:32:27.0748517Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"name\":\"a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"etag\":\"\\\"4a00ac52-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentRelationIncidentName9m3qew\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:07.4337561Z\",\"createdTimeUtc\":\"2022-08-16T16:08:07.4337561Z\",\"incidentNumber\":25,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"25\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b?api-version=2021-09-01-preview+3": { + 
"New-AzSentinelIncidentRelation+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -91,19 +91,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], - "x-ms-correlation-request-id": [ "ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183228Z:ac8f7ea2-badb-4fec-acce-89254f0aef8d" ], + "x-ms-request-id": [ "83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], + "x-ms-correlation-request-id": [ "83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160807Z:83602b22-e2a5-4e6c-8717-6cc34c2b151f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:28 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/6f3032ce-aec7-4bc2-9d19-0693f40ccd73/relations/0d41c976-cb1d-4723-bb04-7aabb2fc688b\",\"name\":\"0d41c976-cb1d-4723-bb04-7aabb2fc688b\",\"etag\":\"\\\"1200ba0b-0000-0100-0000-62e427bc0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"relatedResourceName\":\"b3ba187e-b3fb-40de-b20f-d04b03937f21\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/a56f41af-0d66-44c8-90bc-c8b8e8116984/relations/f4dd61ae-4c28-40ed-9e41-2285e59ec616\",\"name\":\"f4dd61ae-4c28-40ed-9e41-2285e59ec616\",\"etag\":\"\\\"4a00ad52-0000-0100-0000-62fbc0e70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/bba93c64-4a68-46b3-8015-f129ad1597cf\",\"relatedResourceName\":\"bba93c64-4a68-46b3-8015-f129ad1597cf\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 index 8c9d1a17559f..fe5fae4a0e54 100644 --- a/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 +++ b/src/SecurityInsights/test/New-AzSentinelIncidentRelation.Tests.ps1 
@@ -17,12 +17,12 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentRelatio
 Describe 'New-AzSentinelIncidentRelation' {
 It 'CreateExpanded' {
 $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -DisplayName "NewIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" `
+ -Id $env.NewincidentRelationBookmarkId -DisplayName $env.NewincidentRelationBookmarkName -Query "SecurityEvent\n| take 1" `
 -QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime() -EventTime (get-date).ToUniversalTime()
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Severity Informational -Status New -Title "NewIncidentRelationPSTest"
+ -Id $env.NewincidentRelationIncidentId -Severity Informational -Status New -Title $env.NewincidentRelationIncidentName
 $incidentRelation = New-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -IncidentId $incident.Name -RelatedResourceId $bookmark.Id
+ -RelationName $env.NewincidentRelationId -IncidentId $incident.Name -RelatedResourceId $bookmark.Id
 $incidentRelation.RelatedResourceId | Should -Be $bookmark.Id
 }
 }
diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
index 037fc6ca7346..d36517e3fe8e 100644
--- a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Recording.json
@@ -1,15 +1,15 @@ { - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e?api-version=2021-09-01-preview+1": { + "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NITPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewincidentTeamIncidentName1pg5hu\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "104" ] + "Content-Length": [ "128" ] } }, "Response": { 
@@ -19,26 +19,26 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "0e8ba032-fc94-4c22-8627-fa9c231acba0" ], - "x-ms-correlation-request-id": [ "0e8ba032-fc94-4c22-8627-fa9c231acba0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183230Z:0e8ba032-fc94-4c22-8627-fa9c231acba0" ], + "x-ms-request-id": [ "adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], + "x-ms-correlation-request-id": [ "adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160808Z:adbc6a77-6a49-4ce8-89da-aac2644f42e1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:30 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:07 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1205" ], + "Content-Length": [ "1229" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"name\":\"c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"etag\":\"\\\"1200bc0b-0000-0100-0000-62e427be0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NITPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:32:30.2459595Z\",\"createdTimeUtc\":\"2022-07-29T18:32:30.2459595Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/4354e208-22e9-4185-b549-2f958633bed6\",\"name\":\"4354e208-22e9-4185-b549-2f958633bed6\",\"etag\":\"\\\"4a00ae52-0000-0100-0000-62fbc0e80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewincidentTeamIncidentName1pg5hu\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:08.4803973Z\",\"createdTimeUtc\":\"2022-08-16T16:08:08.4803973Z\",\"incidentNumber\":26,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/4354e208-22e9-4185-b549-2f958633bed6\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"26\"}}", "isContentBase64": false } }, - "New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e/createTeam?api-version=2021-09-01-preview+2": { + 
"New-AzSentinelIncidentTeam+[NoContext]+CreateExpanded+$POST+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6/createTeam?api-version=2021-09-01-preview+2": { "Request": { "Method": "POST", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c49d13fe-bc00-46b4-9bcb-c750b9512d7e/createTeam?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/4354e208-22e9-4185-b549-2f958633bed6/createTeam?api-version=2021-09-01-preview", "Content": "{\n \"teamName\": \"NITPSTest\"\n}", "isContentBase64": false, "Headers": { 
@@ -55,19 +55,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1199" ], - "x-ms-request-id": [ "6f903f0c-41f4-482b-9454-dbceb731e2ac" ], - "x-ms-correlation-request-id": [ "6f903f0c-41f4-482b-9454-dbceb731e2ac" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183234Z:6f903f0c-41f4-482b-9454-dbceb731e2ac" ], + "x-ms-request-id": [ "ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], + "x-ms-correlation-request-id": [ "ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160814Z:ac4eebbb-1d24-44ec-9b41-a302e0e1e793" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:34 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:13 GMT" ] }, "ContentHeaders": { "Content-Length": [ "353" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"teamId\":\"e8abde8e-20bf-4d28-a0cf-a25b8ef731e5\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19%3awAxTFtJrxhqz0Tl15zSTytL-_r6BsNe_mDZssyUE85Q1%40thread.tacv2/conversations?groupId=e8abde8e-20bf-4d28-a0cf-a25b8ef731e5\u0026tenantId=d6eebbdd-d77c-465e-b008-4339027b4006\",\"teamCreationTimeUtc\":\"2022-07-29T18:32:34.8930575+00:00\",\"name\":\"NITPSTest\"}", + "Content": "{\"teamId\":\"eb3db1ba-a3a3-4d76-90fe-606deb37edcf\",\"primaryChannelUrl\":\"https://teams.microsoft.com/l/team/19%3azDlBuh8NgSjPNVW91N7sSavKtEXjAVX69fhyWjLdBpY1%40thread.tacv2/conversations?groupId=eb3db1ba-a3a3-4d76-90fe-606deb37edcf\u0026tenantId=d6eebbdd-d77c-465e-b008-4339027b4006\",\"teamCreationTimeUtc\":\"2022-08-16T16:08:14.1063041+00:00\",\"name\":\"NITPSTest\"}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1 index 8464f81abfbd..66f8f1f5cd3b 100644 
--- a/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1
+++ b/src/SecurityInsights/test/New-AzSentinelIncidentTeam.Tests.ps1
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'New-AzSentinelIncidentTeam'))
 Describe 'New-AzSentinelIncidentTeam' {
 It 'CreateExpanded' {
 $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
- -Severity Informational -Status New -Title "NITPSTest"
+ -Id $env.NewincidentTeamIncidentId -Severity Informational -Status New -Title $env.NewincidentTeamIncidentName
 $team = New-AzSentinelIncidentTeam -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
 -TeamName "NITPSTest" -IncidentId $incident.Name
 $team.Name | Should -Be "NITPSTest"
diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
index d83ce8cd2e4a..baa204dc2b5d 100644
--- a/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
+++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRule.Recording.json
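Review bot: The incident id and title now come from `$env`, but `-TeamName "NITPSTest"` and the matching `$team.Name | Should -Be "NITPSTest"` on the following context lines stay hardcoded, so the test is only half-moved to env-driven naming and any other run creating a team with that fixed name in the same tenant will collide with it. Keep the approach consistent by adding one more env key (e.g. a constructed name such as `$env.NewincidentTeamName`, to be added to the environment setup) and using it on both lines: `-TeamName $env.NewincidentTeamName -IncidentId $incident.Name` and `$team.Name | Should -Be $env.NewincidentTeamName`. Nothing in the hunk removes the incident or the created team afterwards; the recording for this test in the same patch shows the createTeam POST succeeding, so unless teardown lives outside the hunk each record-mode run leaves a real Teams team behind. The It and Describe blocks opened here close outside the hunk.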
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90872ee6-8ed3-48b8-8e93-2bcb1aa6825d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "253" ], - "x-ms-client-request-id": [ "5551094d-fd43-455d-9df5-88df2e321c1f" ], + "x-ms-unique-id": [ "254" ], + "x-ms-client-request-id": [ "e7cc6364-bd07-4d6d-860d-7b5797f1def1" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14999" ], - "x-ms-request-id": [ "645c97a6-773f-4c19-9241-89d0c21aefbe" ], - "x-ms-correlation-request-id": [ "645c97a6-773f-4c19-9241-89d0c21aefbe" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183237Z:645c97a6-773f-4c19-9241-89d0c21aefbe" ], + "x-ms-request-id": [ "0319fa21-03dd-4c15-a00c-0b1f4809629a" ], + "x-ms-correlation-request-id": [ "0319fa21-03dd-4c15-a00c-0b1f4809629a" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160815Z:0319fa21-03dd-4c15-a00c-0b1f4809629a" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:37 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "254" ], - "x-ms-client-request-id": [ "bde45a7f-c081-431d-8a8d-a67793d159d9" ], + "x-ms-unique-id": [ "255" ], + "x-ms-client-request-id": [ "693056ba-b7b7-416f-b94f-ef04ead55a34" ], "CommandName": [ "Get-AzSentinelAlertRule" ], "FullCommandName": [ "Get-AzSentinelAlertRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11945" ], - "x-ms-request-id": [ "0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], - "x-ms-correlation-request-id": [ "0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183238Z:0d8fb610-91c8-4b8e-ac71-564d1eff8379" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], + "x-ms-request-id": [ "8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], + "x-ms-correlation-request-id": [ "8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160816Z:8e2eec14-b59c-4bb3-8658-186cd39a5e96" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:37 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1180" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"name\":\"c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"etag\":\"\\\"2e00e832-0000-0100-0000-62e420250000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRuleg7sd5h\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRuleg7sd5h c1a9cd5e-f882-4d57-b94f-742b0e2ae177\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:00:04.2817896Z\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"name\":\"b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"etag\":\"\\\"0600ed40-0000-0100-0000-62fbba540000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":true,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"RemoveViaIdAlertRule81exqs\",\"enabled\":true,\"description\":\"RemoveViaIdAlertRule81exqs b5daebea-1da1-45a1-abb5-94ad8c8da5cb\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T15:40:04.5582676Z\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview+2": { + 
"Remove-AzSentinelAlertRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c1a9cd5e-f882-4d57-b94f-742b0e2ae177?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/b5daebea-1da1-45a1-abb5-94ad8c8da5cb?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "255" ], - "x-ms-client-request-id": [ "897599c6-3e8c-4ee0-b903-a432291a884d" ], + "x-ms-unique-id": [ "256" ], + "x-ms-client-request-id": [ "e4371b0a-cd89-4a1f-956c-4ca63105bf2c" ], "CommandName": [ "Remove-AzSentinelAlertRule" ], "FullCommandName": [ "Remove-AzSentinelAlertRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14998" ], - "x-ms-request-id": [ "b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], - "x-ms-correlation-request-id": [ "b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183238Z:b80a54bf-fdc5-44ce-90ff-c7181be1c005" ], + "x-ms-request-id": [ "776a6a11-80d5-400e-9589-7716676f0fed" ], + "x-ms-correlation-request-id": [ "776a6a11-80d5-400e-9589-7716676f0fed" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160816Z:776a6a11-80d5-400e-9589-7716676f0fed" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:38 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:15 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json index 1ce9408269e7..ef56e9f01c9d 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelAlertRuleAction.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a/actions/f6e536dc-b77c-422c-b349-a58813fc9f17?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560/actions/91ce8ce7-c028-4a76-8271-ae20f477ed35?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/5259fc88-ad43-4c0f-8712-e276f794f08a/actions/f6e536dc-b77c-422c-b349-a58813fc9f17?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/7ebb90bb-a57a-42f6-8a23-a0393c176560/actions/91ce8ce7-c028-4a76-8271-ae20f477ed35?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "256" ], - "x-ms-client-request-id": [ "62da2c80-c345-415b-8088-d4b7aa782a43" ], + "x-ms-unique-id": [ "257" ], + "x-ms-client-request-id": [ "fa2b858c-7b51-41ae-be81-1a8942a45231" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_Delete" ], "ParameterSetName": [ "__AllParameterSets" 
], @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14997" ], - "x-ms-request-id": [ "b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], - "x-ms-correlation-request-id": [ "b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183239Z:b3eaf42e-2b96-4c9a-ad65-3408f0218814" ], + "x-ms-request-id": [ "7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], + "x-ms-correlation-request-id": [ "7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160817Z:7fccd190-1a4a-4a6f-9de4-32a485ddba40" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:39 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:16 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], 
@@ -39,15 +39,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "257" ], - "x-ms-client-request-id": [ "dc233be7-aedc-45a5-b4f2-552658e5a2b1" ], + "x-ms-unique-id": [ "258" ], + "x-ms-client-request-id": [ "739ab722-946a-45f3-a5c6-ee1edbd63d88" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], 
@@ -63,32 +63,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11944" ], - "x-ms-request-id": [ "a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], - "x-ms-correlation-request-id": [ "a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183240Z:a4ab316e-db63-4796-8d4c-9ad8ebecaf52" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], + "x-ms-request-id": [ "272ba220-690c-4666-a376-e70125ba6cf8" ], + "x-ms-correlation-request-id": [ "272ba220-690c-4666-a376-e70125ba6cf8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160818Z:272ba220-690c-4666-a376-e70125ba6cf8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:40 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:17 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae\",\"name\":\"19e41336-dba7-4df1-94f6-075f34d10aae\",\"etag\":\"\\\"8a00a9c9-0000-0300-0000-62e420c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2\",\"name\":\"5945e422-0352-4aba-9fe7-fbf7567e44c2\",\"etag\":\"\\\"be01481c-0000-0300-0000-62fbbb010000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAlertRuleAction+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/61843a21-8ee0-4c56-bb89-a4a9b306b43d/actions/19e41336-dba7-4df1-94f6-075f34d10aae?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e5a90aef-2e88-486c-a745-66f415230a61/actions/5945e422-0352-4aba-9fe7-fbf7567e44c2?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "258" ], - "x-ms-client-request-id": [ "d38f5b83-fbec-48a0-bb84-fb4b59a4caa0" ], + "x-ms-unique-id": [ "259" ], + "x-ms-client-request-id": [ "a07309f1-c3d3-42fd-a660-d1ac8f40ec3a" ], "CommandName": [ "Remove-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Remove-AzSentinelAlertRuleAction_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], @@ -105,12 +105,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14996" ], - "x-ms-request-id": [ "0f5b6140-502f-4ad6-b551-ec719d6c6157" ], - "x-ms-correlation-request-id": [ "0f5b6140-502f-4ad6-b551-ec719d6c6157" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183241Z:0f5b6140-502f-4ad6-b551-ec719d6c6157" ], + "x-ms-request-id": [ "2d3a0b9d-415d-4def-a495-8fc049c379da" ], + "x-ms-correlation-request-id": [ "2d3a0b9d-415d-4def-a495-8fc049c379da" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160819Z:2d3a0b9d-415d-4def-a495-8fc049c379da" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:40 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:18 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json index ac09f482a3ec..9edfaff39ef8 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json 
+++ b/src/SecurityInsights/test/Remove-AzSentinelAutomationRule.Recording.json @@ -1,13 +1,13 @@ { - "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/632f22f0-6b77-433b-bc93-6e56ae21a844?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/6e8b42ff-dab7-481f-b764-f853700cc536?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/632f22f0-6b77-433b-bc93-6e56ae21a844?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/6e8b42ff-dab7-481f-b764-f853700cc536?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "259" ], - "x-ms-client-request-id": [ "407c9d0f-7f05-4c07-b119-aeac71ded485" ], + "x-ms-unique-id": [ "260" ], + "x-ms-client-request-id": [ "e5f0974b-165c-4a72-85e7-a3147c35a459" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14995" ], - "x-ms-request-id": [ "9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], - "x-ms-correlation-request-id": [ "9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183242Z:9aae58c7-2c3f-4688-b737-7f70429ba3f6" ], + "x-ms-request-id": [ "50114272-feab-4e00-aa98-1010c8004bdb" ], + "x-ms-correlation-request-id": [ "50114272-feab-4e00-aa98-1010c8004bdb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160819Z:50114272-feab-4e00-aa98-1010c8004bdb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:41 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "260" ], - "x-ms-client-request-id": [ "9b1cd28c-de40-4d50-80a5-f22beac2a491" ], + "x-ms-unique-id": [ "261" ], + "x-ms-client-request-id": [ "17cb2288-a7e9-493e-acf4-40e6212cd88b" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], - "x-ms-correlation-request-id": [ "82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183242Z:82b66b0d-28aa-4862-9343-3ba68cc4e9be" ], + "x-ms-request-id": [ "6f4b4a10-70a4-4e92-9776-b956e7379d20" ], + "x-ms-correlation-request-id": [ "6f4b4a10-70a4-4e92-9776-b956e7379d20" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160820Z:6f4b4a10-70a4-4e92-9776-b956e7379d20" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:42 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1294" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"name\":\"c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00\",\"etag\":\"\\\"030056b1-0000-0100-0000-62e422200000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRuledlcn6a\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:08:32Z\",\"createdTimeUtc\":\"2022-07-29T18:08:32Z\",\"lastModifiedBy\":
{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"name\":\"ab65a956-23b7-44a0-8a32-cb8d62d389d8\",\"etag\":\"\\\"250021e5-0000-0100-0000-62fbbbfe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"RemoveViaIdAutomationRule7s6m8t\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:10Z\",\"createdTimeUtc\":\"2022-08-16T15:47:10Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelAutomationRule+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/ab65a956-23b7-44a0-8a32-cb8d62d389d8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "261" ], - "x-ms-client-request-id": [ "d282f043-429c-462f-8a7e-ba9d97883e53" ], + "x-ms-unique-id": [ "262" ], + "x-ms-client-request-id": [ "773c7cc0-b075-4ac2-bf11-4f5d31b4fb17" ], "CommandName": [ "Remove-AzSentinelAutomationRule" ], "FullCommandName": [ "Remove-AzSentinelAutomationRule_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14994" ], - "x-ms-request-id": [ "aaea563c-9b90-4d40-844a-119464b85fdd" ], - "x-ms-correlation-request-id": [ "aaea563c-9b90-4d40-844a-119464b85fdd" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183243Z:aaea563c-9b90-4d40-844a-119464b85fdd" ], + "x-ms-request-id": [ "ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], + "x-ms-correlation-request-id": [ "ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160820Z:ca5505ae-7d96-4ebf-ab07-86ac3e66831d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:42 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:19 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json index 0ce5286a6ced..89bcf03c2bbe 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmark.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a8dfd8ae-256a-44fb-a72c-0fb43307c128?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/08b39573-4a73-4ac3-a733-8cd78a538c72?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "262" ], - "x-ms-client-request-id": [ "76b93b88-2909-4552-8c2f-4511a4bedb0b" ], + "x-ms-unique-id": [ "263" ], + "x-ms-client-request-id": [ "b6675fae-b0a7-4535-8404-e7fc767ba948" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14993" ], - "x-ms-request-id": [ "5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], - "x-ms-correlation-request-id": [ "5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183244Z:5e9eb770-0e69-4b72-b9bb-e509e25a273b" ], + "x-ms-request-id": [ "3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], + "x-ms-correlation-request-id": [ "3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:3a1dbe1c-8b94-4f46-92cf-634dc18c6675" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:43 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "263" ], - "x-ms-client-request-id": [ "b7f6514f-5e4e-4264-b807-b6dc0e9a2902" ], + "x-ms-unique-id": [ "264" ], + "x-ms-client-request-id": [ "b768533c-72b5-49fb-959a-156e7fae2f9c" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11943" ], - "x-ms-request-id": [ "23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], - "x-ms-correlation-request-id": [ "23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183244Z:23c1cb0f-2335-4eeb-a469-46bc6f487a4e" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], + "x-ms-request-id": [ "b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], + "x-ms-correlation-request-id": [ "b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:b9d75d8d-abd0-41eb-828c-2282f9ee2c94" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:44 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "5296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5\",\"name\":\"1064e218-7849-4caf-993c-93373d0c6ce5\",\"etag\":\"\\\"01007193-0000-0100-0000-62e422c30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmarkdr69tz\",\"created\":\"2022-07-29T18:11:15.4410362+00:00\",\"updated\":\"2022-07-29T18:11:15.4410362+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"name\":\"373872c1-6eda-475c-a5ec-f0bfbd39fdf6\",\"etag\":\"\\\"3c004e8a-0000-0100-0000-62fbbca70000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"RemoveViaIdbookmark1daqtg\",\"created\":\"2022-08-16T15:49:58.9862689+00:00\",\"updated\":\"2022-08-16T15:49:58.9862689+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmark+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/1064e218-7849-4caf-993c-93373d0c6ce5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/373872c1-6eda-475c-a5ec-f0bfbd39fdf6?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "264" ], - "x-ms-client-request-id": [ "17c4aae1-389f-4fb9-808d-5ec4bac3f8c4" ], + "x-ms-unique-id": [ "265" ], + "x-ms-client-request-id": [ "438eceed-4cc8-4f2c-b9ea-9faac3a22465" ], "CommandName": [ "Remove-AzSentinelBookmark" ], "FullCommandName": [ "Remove-AzSentinelBookmark_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], @@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14992" ], - "x-ms-request-id": [ "6231fd02-a0e7-4bf0-80ac-1057ad618385" ], - "x-ms-correlation-request-id": [ "6231fd02-a0e7-4bf0-80ac-1057ad618385" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183245Z:6231fd02-a0e7-4bf0-80ac-1057ad618385" ], + "x-ms-request-id": [ "30ea2a99-c20b-495e-a085-a64ddf7e3354" ], + "x-ms-correlation-request-id": [ "30ea2a99-c20b-495e-a085-a64ddf7e3354" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160821Z:30ea2a99-c20b-495e-a085-a64ddf7e3354" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:45 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:20 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
diff --git a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json index 2d50babe2ac5..f5b5264c854e 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelBookmarkRelation.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4/relations/edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/b3693620-4305-45cb-97f3-a6894f82288e/relations/ef983c5e-fe25-44b2-ad14-f37a30558d24?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/3e29d94a-e491-42d0-97d4-7a7f3e4725b4/relations/edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/b3693620-4305-45cb-97f3-a6894f82288e/relations/ef983c5e-fe25-44b2-ad14-f37a30558d24?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "265" ], - "x-ms-client-request-id": [ "4bd63219-9027-4f82-84e4-60c1cc4ca1e3" ], + "x-ms-unique-id": [ "266" ], + "x-ms-client-request-id": [ "74bca262-252b-4f5f-a778-14df7c968c9c" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_Delete" ], "ParameterSetName": [ 
"__AllParameterSets" ], @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14991" ], - "x-ms-request-id": [ "e9c76e46-e657-44da-beb1-07967a20d11f" ], - "x-ms-correlation-request-id": [ "e9c76e46-e657-44da-beb1-07967a20d11f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183247Z:e9c76e46-e657-44da-beb1-07967a20d11f" ], + "x-ms-request-id": [ "1b310174-2bc4-45b6-b028-f86f835e7ed5" ], + "x-ms-correlation-request-id": [ "1b310174-2bc4-45b6-b028-f86f835e7ed5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:1b310174-2bc4-45b6-b028-f86f835e7ed5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:47 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "266" ], - "x-ms-client-request-id": [ "c07d07ac-0a95-48b8-ab6c-9ae1ce376148" ], + "x-ms-unique-id": [ "267" ], + "x-ms-client-request-id": [ "88ba86fd-ee08-47ef-b123-efa73d1629a2" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11942" ], - "x-ms-request-id": [ "effd5894-5b8e-4687-9258-f23cdd008986" ], - "x-ms-correlation-request-id": [ "effd5894-5b8e-4687-9258-f23cdd008986" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183247Z:effd5894-5b8e-4687-9258-f23cdd008986" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11939" ], + "x-ms-request-id": [ "173cb668-ed47-41e4-9157-de6759f7e3f8" ], + "x-ms-correlation-request-id": [ "173cb668-ed47-41e4-9157-de6759f7e3f8" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:173cb668-ed47-41e4-9157-de6759f7e3f8" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:47 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8\",\"name\":\"3416cbe9-ea30-4e98-aead-419270c45bf8\",\"etag\":\"\\\"01008593-0000-0100-0000-62e423810000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/68159ff1-4122-4fc3-9152-8bf489a4304d\",\"relatedResourceName\":\"68159ff1-4122-4fc3-9152-8bf489a4304d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"name\":\"c77c1bd8-ffc8-4467-a549-e9114f8913d8\",\"etag\":\"\\\"3c00f68a-0000-0100-0000-62fbbd690000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/62ce8785-21b2-4262-be4d-5208b35d255a\",\"relatedResourceName\":\"62ce8785-21b2-4262-be4d-5208b35d255a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelBookmarkRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/a34d217c-2b9d-4b72-b7d9-5a3850f0f17c/relations/3416cbe9-ea30-4e98-aead-419270c45bf8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/72eeef12-d9c9-43e4-9f0c-8b117465ccb9/relations/c77c1bd8-ffc8-4467-a549-e9114f8913d8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "267" ], - "x-ms-client-request-id": [ "e0224a2b-a910-4060-a02f-a1374c9fc3d6" ], + "x-ms-unique-id": [ "268" ], + "x-ms-client-request-id": [ "bf077025-8203-40e9-a31c-659d4c399ce0" ], "CommandName": [ "Remove-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Remove-AzSentinelBookmarkRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14990" ], - "x-ms-request-id": [ "ba4e9caa-6886-4f62-a5c9-912be8555175" ], - "x-ms-correlation-request-id": [ "ba4e9caa-6886-4f62-a5c9-912be8555175" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183248Z:ba4e9caa-6886-4f62-a5c9-912be8555175" ], + "x-ms-request-id": [ "401ff7d9-c978-4938-88e8-4227c3c428e0" ], + "x-ms-correlation-request-id": [ "401ff7d9-c978-4938-88e8-4227c3c428e0" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160822Z:401ff7d9-c978-4938-88e8-4227c3c428e0" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:48 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:21 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json index c5cdecc007a8..2502e98df47c 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Recording.json 
@@ -1,8 +1,8 @@ { - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview", "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,31 +19,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], - "x-ms-correlation-request-id": [ "1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183250Z:1795fef3-ca8c-4f02-8e1e-b666bcb44109" ], + "x-ms-request-id": [ "1224e725-0421-41c5-a77f-09c63e860977" ], + "x-ms-correlation-request-id": [ "1224e725-0421-41c5-a77f-09c63e860977" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160825Z:1224e725-0421-41c5-a77f-09c63e860977" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:50 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:24 GMT" ] }, "ContentHeaders": { "Content-Length": [ "567" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5\",\"name\":\"b828ce66-b908-49fc-86a0-f881249cd9c5\",\"etag\":\"69db6e74-3bf1-4d9b-b726-391481846c74\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533\",\"name\":\"fee9b467-294d-476a-a02c-93f178b75533\",\"etag\":\"1df1f1f1-841a-4908-8656-d57520725fe0\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/b828ce66-b908-49fc-86a0-f881249cd9c5?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/fee9b467-294d-476a-a02c-93f178b75533?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "269" ], - "x-ms-client-request-id": [ "11556ec0-a03a-4b99-8855-325a6e6b785c" ], + "x-ms-unique-id": [ "270" ], + "x-ms-client-request-id": [ "ca33115f-9e1e-4ab1-972b-29ad10bd9055" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], @@ -60,12 +60,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "2dfcd972-b58b-4016-9070-0eac96278560" ], - "x-ms-correlation-request-id": [ "2dfcd972-b58b-4016-9070-0eac96278560" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183251Z:2dfcd972-b58b-4016-9070-0eac96278560" ], + "x-ms-request-id": [ "a6704650-82a3-42a0-9a6c-da598caa2f25" ], + "x-ms-correlation-request-id": [ "a6704650-82a3-42a0-9a6c-da598caa2f25" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160826Z:a6704650-82a3-42a0-9a6c-da598caa2f25" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:51 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:25 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -76,10 +76,10 @@ "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview", "Content": "{\n \"kind\": \"MicrosoftCloudAppSecurity\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"alerts\": {\n \"state\": \"Enabled\"\n },\n \"discoveryLogs\": {\n \"state\": \"Disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { 
@@ -96,31 +96,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "59f2e6be-36a9-41fa-a56f-3be19d291a65" ], - "x-ms-correlation-request-id": [ "59f2e6be-36a9-41fa-a56f-3be19d291a65" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183254Z:59f2e6be-36a9-41fa-a56f-3be19d291a65" ], + "x-ms-request-id": [ "b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], + "x-ms-correlation-request-id": [ "b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160827Z:b770a4f5-6ea5-4988-ad3e-54ff165ba3f3" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:54 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:26 GMT" ] }, "ContentHeaders": { "Content-Length": [ "567" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d\",\"name\":\"c83037e5-4501-44fb-b200-d63f1502c07d\",\"etag\":\"4a3a0aeb-4aa3-444a-9849-720261d65539\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df\",\"name\":\"e5723525-11fc-45ee-901a-09bef4dcf3df\",\"etag\":\"526dfb41-1d23-426e-b711-7ccc39ba1b85\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"MicrosoftCloudAppSecurity\",\"properties\":{\"dataTypes\":{\"discoveryLogs\":{\"state\":\"disabled\"},\"alerts\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelDataConnector+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/c83037e5-4501-44fb-b200-d63f1502c07d?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/e5723525-11fc-45ee-901a-09bef4dcf3df?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "271" ], - "x-ms-client-request-id": [ "beb45709-0a6e-4bcf-a643-320028dd37ed" ], + "x-ms-unique-id": [ "272" ], + "x-ms-client-request-id": [ "e69209c0-e488-4cc2-8e2b-cbb15ec8a257" ], "CommandName": [ "Remove-AzSentinelDataConnector" ], "FullCommandName": [ "Remove-AzSentinelDataConnector_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], @@ -137,12 +137,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "930f199f-38f1-426e-b3f1-055a81348fa2" ], - "x-ms-correlation-request-id": [ "930f199f-38f1-426e-b3f1-055a81348fa2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183255Z:930f199f-38f1-426e-b3f1-055a81348fa2" ], + "x-ms-request-id": [ "74e34d89-e823-451e-bee7-4514f735fe6f" ], + "x-ms-correlation-request-id": [ "74e34d89-e823-451e-bee7-4514f735fe6f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160828Z:74e34d89-e823-451e-bee7-4514f735fe6f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:55 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:27 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 index 16c1c6f08b2b..649445702a87 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 +++ b/src/SecurityInsights/test/Remove-AzSentinelDataConnector.Tests.ps1 
@@ -17,13 +17,13 @@ if(($null -eq $TestName) -or ($TestName -contains 'Remove-AzSentinelDataConnecto Describe 'Remove-AzSentinelDataConnector' { It 'Delete' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" + -Id $env.RemoveDataConnectorId -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" { Remove-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -Id $dataConnector.Name } | Should -Not -Throw } It 'DeleteViaIdentity' { $dataConnector = New-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" + -Id $env.RemoveDataConnectorIdInputObject -Kind 'MicrosoftCloudAppSecurity' -Alerts "Enabled" -DiscoveryLog "Disabled" { Remove-AzSentinelDataConnector -InputObject $dataConnector } | Should -Not -Throw } } diff --git a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json index 4347b4ee0a05..20ee31576fe6 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelEntityQuery.Recording.json 
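Review bot: Both `It` blocks now key their recorded URIs off `$env.RemoveDataConnectorId` and `$env.RemoveDataConnectorIdInputObject`, but nothing in the hunk checks that those keys were seeded by the env setup that builds `$env` (outside this file section). If a key is absent, `-Id` is passed `$null` and the cmdlet presumably generates its own identifier, so in playback mode the request URI will not match the recorded `dataConnectors/fee9b467-…` / `e5723525-…` entries and the test fails with an opaque recording mismatch instead of a clear message. A one-line precondition at the top of each test makes the dependency explicit: `$env.RemoveDataConnectorId | Should -Not -BeNullOrEmpty` and `$env.RemoveDataConnectorIdInputObject | Should -Not -BeNullOrEmpty`. The enclosing `if(($null -eq $TestName) …)` guard opens before this hunk.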
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27d20f12-f14e-48ae-a17a-51e823a08d54?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/803b23e8-9f87-4597-bc9c-d537930dea57?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27d20f12-f14e-48ae-a17a-51e823a08d54?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/803b23e8-9f87-4597-bc9c-d537930dea57?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "272" ], - "x-ms-client-request-id": [ "50041e2d-9145-4ef6-b45c-b5ec682bf298" ], + "x-ms-unique-id": [ "273" ], + "x-ms-client-request-id": [ "84538b5e-dcdc-4d11-8621-824fb6d2bb3d" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14989" ], - "x-ms-request-id": [ "541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], - "x-ms-correlation-request-id": [ "541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183256Z:541e3d21-e895-4aac-8f4e-7fc948da9e8d" ], + "x-ms-request-id": [ "608194ce-dca2-480b-afe8-595738431e12" ], + "x-ms-correlation-request-id": [ "608194ce-dca2-480b-afe8-595738431e12" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:608194ce-dca2-480b-afe8-595738431e12" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:56 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "273" ], - "x-ms-client-request-id": [ "ef69209a-251f-422e-b1cb-0a95ef7c7a5a" ], + "x-ms-unique-id": [ "274" ], + "x-ms-client-request-id": [ "4b71d915-a123-4cac-8ea9-e69e7da161e6" ], "CommandName": [ "Get-AzSentinelEntityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11941" ], - "x-ms-request-id": [ "dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], - "x-ms-correlation-request-id": [ "dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183257Z:dc7d73fd-a836-4e5c-adb9-e13a144aec50" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], + "x-ms-request-id": [ "d25ccda5-863e-48ab-a949-233057279cea" ], + "x-ms-correlation-request-id": [ "d25ccda5-863e-48ab-a949-233057279cea" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:d25ccda5-863e-48ab-a949-233057279cea" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:56 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6\",\"name\":\"56d115fc-3330-4d1a-82ce-c92ec67f38d6\",\"etag\":\"\\\"89000fa8-0000-0100-0000-62e424840000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety 
of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:18:44.2828335Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:18:44.2828335Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248\",\"name\":\"a165eb76-24f9-47f4-92b2-1238aa5e4248\",\"etag\":\"\\\"0c00640f-0000-0100-0000-62fbbe270000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:56:23.6022565Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:56:23.6022565Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelEntityQuery+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/56d115fc-3330-4d1a-82ce-c92ec67f38d6?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/a165eb76-24f9-47f4-92b2-1238aa5e4248?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "274" ], - "x-ms-client-request-id": [ "560fd2db-7d9d-4eda-93c1-be74d321dc59" ], + "x-ms-unique-id": [ "275" ], + "x-ms-client-request-id": [ "47f8178e-419a-4cfe-85bc-eac0b06e0a9e" ], "CommandName": [ "Remove-AzSentinelEntityQuery" ], "FullCommandName": [ "Remove-AzSentinelEntityQuery_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], @@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14988" ], - "x-ms-request-id": [ "095a75de-d167-4650-9dd4-18bf32c9600a" ], - "x-ms-correlation-request-id": [ "095a75de-d167-4650-9dd4-18bf32c9600a" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183257Z:095a75de-d167-4650-9dd4-18bf32c9600a" ], + "x-ms-request-id": [ "eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], + "x-ms-correlation-request-id": [ "eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160829Z:eeeb884d-6ba2-47ef-abd2-19e7a81fedb5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:57 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:28 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json index c567f75de903..ccb9b6291ce2 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncident.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/6bc1d179-d8b5-45ee-82d8-dc7f59b9168a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/3c0d63a6-5274-4c2c-82fa-d209415ca9bf?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "275" ], - "x-ms-client-request-id": [ "5faa3426-61b7-4f33-a3a3-ba779899c4b9" ], + "x-ms-unique-id": [ "276" ], + "x-ms-client-request-id": [ "5805b251-d51c-4a1d-8a4f-a126f0823fca" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14987" ], - "x-ms-request-id": [ "d0d0918d-3fc7-40cc-9953-ac687592240d" ], - "x-ms-correlation-request-id": [ "d0d0918d-3fc7-40cc-9953-ac687592240d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183258Z:d0d0918d-3fc7-40cc-9953-ac687592240d" ], + "x-ms-request-id": [ "0e1a72a8-4510-4de5-b74c-20b86e0185de" ], + "x-ms-correlation-request-id": [ "0e1a72a8-4510-4de5-b74c-20b86e0185de" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:0e1a72a8-4510-4de5-b74c-20b86e0185de" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "276" ], - "x-ms-client-request-id": [ "fbf2dd90-0807-43df-aef6-a43ace2fc3da" ], + "x-ms-unique-id": [ "277" ], + "x-ms-client-request-id": [ "cfbd7a57-7f1d-4b9d-ab11-0671b738e88b" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11940" ], - "x-ms-request-id": [ "04918f89-f715-4353-b7ac-52ec2bd0e388" ], - "x-ms-correlation-request-id": [ "04918f89-f715-4353-b7ac-52ec2bd0e388" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183258Z:04918f89-f715-4353-b7ac-52ec2bd0e388" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], + "x-ms-request-id": [ "ccc84795-bf95-42fb-96ff-869603c376d1" ], + "x-ms-correlation-request-id": [ "ccc84795-bf95-42fb-96ff-869603c376d1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:ccc84795-bf95-42fb-96ff-869603c376d1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"name\":\"4adb65b9-7def-47bb-9594-c1e1ca284952\",\"etag\":\"\\\"1200310b-0000-0100-0000-62e425930000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"createdTimeUtc\":\"2022-07-29T18:23:15.5881312Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/4adb65b9-7def-47bb-9594-c1e1ca284952\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"name\":\"fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"etag\":\"\\\"4a004d51-0000-0100-0000-62fbbec10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"createdTimeUtc\":\"2022-08-16T15:58:57.2230955Z\",\"incidentNumber\":9,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"9\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview+2": { + 
"Remove-AzSentinelIncident+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/4adb65b9-7def-47bb-9594-c1e1ca284952?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/fdc66a29-9153-4079-894f-9d92f19fb0d9?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "277" ], - "x-ms-client-request-id": [ "c88cd316-bf39-4214-b491-28d37ac17d3c" ], + "x-ms-unique-id": [ "278" ], + "x-ms-client-request-id": [ "e3d21c4c-45b9-4765-a505-2fac6bc08f63" ], "CommandName": [ "Remove-AzSentinelIncident" ], "FullCommandName": [ "Remove-AzSentinelIncident_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14986" ], - "x-ms-request-id": [ "b3079a31-5c8b-47a9-9650-17d3a6886105" ], - "x-ms-correlation-request-id": [ "b3079a31-5c8b-47a9-9650-17d3a6886105" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183259Z:b3079a31-5c8b-47a9-9650-17d3a6886105" ], + "x-ms-request-id": [ "85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], + "x-ms-correlation-request-id": [ "85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160830Z:85f5f223-0383-4d4d-b6f5-16dc81f1435f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:32:58 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:29 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json index 928babd58445..240041c981be 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentComment.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/comments/f81c3566-1019-43de-8cee-9ba0d8f53028?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/comments/6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/comments/f81c3566-1019-43de-8cee-9ba0d8f53028?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/comments/6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "278" ], - "x-ms-client-request-id": [ "442e5ad3-20e8-4e08-8970-25983a09f9ff" ], + "x-ms-unique-id": [ "279" ], + "x-ms-client-request-id": [ "a4ee3027-00a0-42f3-b35c-ac1bfd5b67eb" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_Delete" ], "ParameterSetName": [ "__AllParameterSets" 
], @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "1bd370ad-5c4b-4dac-81dd-469df29536ef" ], - "x-ms-correlation-request-id": [ "1bd370ad-5c4b-4dac-81dd-469df29536ef" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183300Z:1bd370ad-5c4b-4dac-81dd-469df29536ef" ], + "x-ms-request-id": [ "5cab8b81-7614-491c-b17b-ace2dc26affb" ], + "x-ms-correlation-request-id": [ "5cab8b81-7614-491c-b17b-ace2dc26affb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160831Z:5cab8b81-7614-491c-b17b-ace2dc26affb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:30 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], 
@@ -40,15 +40,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "279" ], - "x-ms-client-request-id": [ "8d114737-7f09-4827-af72-25f583cefcc8" ], + "x-ms-unique-id": [ "280" ], + "x-ms-client-request-id": [ "dec457bb-17df-465f-bcdb-e52d957f617a" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], 
@@ -65,31 +65,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "a38c85fd-92e2-45e3-a970-41af88250005" ], - "x-ms-correlation-request-id": [ "a38c85fd-92e2-45e3-a970-41af88250005" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183300Z:a38c85fd-92e2-45e3-a970-41af88250005" ], + "x-ms-request-id": [ "9fa69391-082f-43d3-a51a-5fd85345e896" ], + "x-ms-correlation-request-id": [ "9fa69391-082f-43d3-a51a-5fd85345e896" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160831Z:9fa69391-082f-43d3-a51a-5fd85345e896" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:31 GMT" ] }, "ContentHeaders": { "Content-Length": [ "767" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/Comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a\",\"name\":\"1130726d-fadf-4bc2-a3c4-b4b78c20c22a\",\"etag\":\"\\\"12004c0b-0000-0100-0000-62e426320000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentCommentximhku\",\"createdTimeUtc\":\"2022-07-29T18:25:54.9956015Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:25:54.9956015Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/Comments/e0931ced-55b8-4158-b9d7-16ba88c4936b\",\"name\":\"e0931ced-55b8-4158-b9d7-16ba88c4936b\",\"etag\":\"\\\"4a00c151-0000-0100-0000-62fbbf610000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"RemoveViaIdincidentCommentjd165a\",\"createdTimeUtc\":\"2022-08-16T16:01:37.5938694Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:01:37.5938694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentComment+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/39c25766-18b0-4620-9a63-3dfb2144ddd9/comments/1130726d-fadf-4bc2-a3c4-b4b78c20c22a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/ac97c565-75c1-40ab-a8e1-334c04dda7d0/comments/e0931ced-55b8-4158-b9d7-16ba88c4936b?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "280" ], - "x-ms-client-request-id": [ "6f020725-93c8-4ddf-99bf-c66bff143acd" ], + "x-ms-unique-id": [ "281" ], + "x-ms-client-request-id": [ "71c231bf-ee58-462d-9523-c49819397164" ], "CommandName": [ "Remove-AzSentinelIncidentComment" ], "FullCommandName": [ "Remove-AzSentinelIncidentComment_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
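Review bot: The recorded GET response body in this hunk (the `"Content"` line of the `Get-AzSentinelIncidentComment_Get` call) still carries a real identity in the comment's `author` object — `objectId`, `email`, `name` and `userPrincipalName` — and the re-recording reproduced it verbatim on the new side rather than sanitizing it. Committing a live Azure AD object ID and UPN into a public test fixture is a PII/OPSEC leak, and it is unrelated to what the test asserts, so it should be scrubbed before commit, e.g. `\"objectId\":\"00000000-0000-0000-0000-000000000000\",\"email\":\"user@example.com\",\"name\":\"Test User\",\"userPrincipalName\":\"user@example.com\"`. The same applies to the real subscription ID embedded in every `RequestUri`, `id` and `incidentUrl` unless the recording harness already treats that value as a placeholder — worth confirming and, if not, adding a sanitization pass to the recording pipeline so future re-recordings do not reintroduce this.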
@@ -106,12 +106,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], - "x-ms-correlation-request-id": [ "fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183301Z:fe701558-b5ce-4c81-97b5-d0899f3ac59f" ], + "x-ms-request-id": [ "d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], + "x-ms-correlation-request-id": [ "d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160832Z:d1c2f870-9e3b-4fb6-9531-274e49d121d4" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:00 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:31 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json index d301795f9e13..2da486ee5cdd 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelIncidentRelation.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/relations/33ce22e5-46d5-4249-9e1a-06495ad77a1a?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/relations/f05d7fb2-c166-4ecb-aa6b-b97479976971?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/08556638-7485-4a5e-afda-02c5f77474d7/relations/33ce22e5-46d5-4249-9e1a-06495ad77a1a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/1f6bbf1d-7f2d-4435-84f7-2be61d9e090d/relations/f05d7fb2-c166-4ecb-aa6b-b97479976971?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "281" ], - "x-ms-client-request-id": [ "42c386fb-1791-46a8-a827-bcdeb0400fff" ], + "x-ms-unique-id": [ "282" ], + "x-ms-client-request-id": [ "5e6c9ead-f7a3-421f-b737-0894faac0ef3" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_Delete" ], "ParameterSetName": [ 
"__AllParameterSets" ], @@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "499" ], - "x-ms-request-id": [ "8b4bea26-42f9-453b-88aa-fc41daba4bad" ], - "x-ms-correlation-request-id": [ "8b4bea26-42f9-453b-88aa-fc41daba4bad" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183302Z:8b4bea26-42f9-453b-88aa-fc41daba4bad" ], + "x-ms-request-id": [ "aee949a4-3ce0-4345-bd08-f074656c570b" ], + "x-ms-correlation-request-id": [ "aee949a4-3ce0-4345-bd08-f074656c570b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:aee949a4-3ce0-4345-bd08-f074656c570b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:01 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] }, "ContentHeaders": { "Expires": [ "-1" ] 
@@ -38,15 +38,15 @@ "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "282" ], - "x-ms-client-request-id": [ "6cbee9ca-7842-41d1-8df4-193146677f9c" ], + "x-ms-unique-id": [ "283" ], + "x-ms-client-request-id": [ "262ab63b-54d0-4140-b220-a8c88d25e9a9" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], 
"ParameterSetName": [ "__AllParameterSets" ], 
@@ -63,31 +63,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "124cb56e-40b0-41ee-a251-e55a3c8b2549" ], - "x-ms-correlation-request-id": [ "124cb56e-40b0-41ee-a251-e55a3c8b2549" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183302Z:124cb56e-40b0-41ee-a251-e55a3c8b2549" ], + "x-ms-request-id": [ "eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], + "x-ms-correlation-request-id": [ "eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:eafa5ac2-d831-4c17-84cb-84bf1c3e2012" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:02 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"name\":\"fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790\",\"etag\":\"\\\"12008a0b-0000-0100-0000-62e426d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"relatedResourceName\":\"e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"name\":\"95c1d6e0-5c11-4329-b715-f24c959f7b04\",\"etag\":\"\\\"4a004252-0000-0100-0000-62fbc0060000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"relatedResourceName\":\"8b4c7333-a754-463f-abd4-0b5b023fb24c\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview+2": { + "Remove-AzSentinelIncidentRelation+[NoContext]+DeleteViaIdentity+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview+2": { "Request": { "Method": "DELETE", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/095d8360-b30b-4f75-804d-8837b78db3ed/relations/fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/b2ae0920-7287-4d85-a609-bf6c7e651630/relations/95c1d6e0-5c11-4329-b715-f24c959f7b04?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "283" ], - "x-ms-client-request-id": [ "fcbf495c-628d-40d0-8789-62b66a087abe" ], + "x-ms-unique-id": [ "284" ], + "x-ms-client-request-id": [ "99439908-37bf-4bdf-9efb-2ce4d4ba7bc6" ], "CommandName": [ "Remove-AzSentinelIncidentRelation" ], "FullCommandName": [ "Remove-AzSentinelIncidentRelation_DeleteViaIdentity" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -104,12 +104,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "5639a299-84a1-4fed-b011-3d039cdfc18b" ], - "x-ms-correlation-request-id": [ "5639a299-84a1-4fed-b011-3d039cdfc18b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183303Z:5639a299-84a1-4fed-b011-3d039cdfc18b" ], + "x-ms-request-id": [ "2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], + "x-ms-correlation-request-id": [ "2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160833Z:2c37bd2b-189b-4e7a-8e09-c5c07e6c9719" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:02 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:32 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json index 75ca4a7fd025..b56fd9552159 100644 --- a/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json +++ b/src/SecurityInsights/test/Remove-AzSentinelOnboardingState.Recording.json 
@@ -1,13 +1,13 @@ { - "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptesty1avre/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { + "Remove-AzSentinelOnboardingState+[NoContext]+Delete+$DELETE+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptesthqat05/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview+1": { "Request": { "Method": "DELETE", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptesty1avre/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptesthqat05/providers/Microsoft.SecurityInsights/onboardingStates/default?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "284" ], - "x-ms-client-request-id": [ "2ec47508-a16d-4923-8aef-8c9c14406f48" ], + "x-ms-unique-id": [ "285" ], + "x-ms-client-request-id": [ "57921f9e-0e51-45b1-a4cc-459a46f2a6dc" ], "CommandName": [ "Remove-AzSentinelOnboardingState" ], "FullCommandName": [ "Remove-AzSentinelOnboardingState_Delete" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,12 +24,12 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-deletes": [ "14985" ], - "x-ms-request-id": [ "539bc935-743b-4c6a-bf20-13f0eeef63eb" ], - "x-ms-correlation-request-id": [ "539bc935-743b-4c6a-bf20-13f0eeef63eb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183310Z:539bc935-743b-4c6a-bf20-13f0eeef63eb" ], + "x-ms-request-id": [ "1285dd3d-b5bb-4b31-8117-5405c53e981e" ], + "x-ms-correlation-request-id": [ "1285dd3d-b5bb-4b31-8117-5405c53e981e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160839Z:1285dd3d-b5bb-4b31-8117-5405c53e981e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:09 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:38 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2" ], diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json index 41830f6a79e4..e686f6baa8be 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Recording.json 
@@ -1,9 +1,9 @@ { - "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"2e000233-0000-0100-0000-62e420440000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulet0r6jh a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulet0r6jh\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", 
+ "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"0600ef40-0000-0100-0000-62fbba750000\\\"\",\n \"kind\": \"Scheduled\",\n \"properties\": {\n \"eventGroupingSettings\": {\n \"aggregationKind\": \"SingleAlert\"\n },\n \"queryFrequency\": \"P1D\",\n \"queryPeriod\": \"P1D\",\n \"triggerOperator\": \"GreaterThan\",\n \"triggerThreshold\": 0,\n \"incidentConfiguration\": {\n \"groupingConfiguration\": {\n \"enabled\": false,\n \"reopenClosedIncident\": false,\n \"lookbackDuration\": \"PT5H\",\n \"matchingMethod\": \"AllEntities\",\n \"groupByEntities\": [ ]\n },\n \"createIncident\": false\n },\n \"description\": \"UpdateAlertRulejkg1z9 e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\n \"query\": \"SecurityEvent\\n| take 1\",\n \"displayName\": \"UpdateAlertRulejkg1z9\",\n \"enabled\": false,\n \"suppressionDuration\": \"PT5H\",\n \"suppressionEnabled\": false,\n \"severity\": \"Informational\",\n \"tactics\": [ \"Execution\" ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,19 +19,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1192" ], - "x-ms-request-id": [ "fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], - "x-ms-correlation-request-id": [ "fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183312Z:fccc44bb-4dbd-48db-b0aa-262b13557ddf" ], + "x-ms-request-id": [ "ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], + "x-ms-correlation-request-id": [ "ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160841Z:ec8f0280-2d0f-4357-9fe0-336f7a3a71a6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:11 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:40 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1171" ], + "Content-Length": [ "1172" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"name\":\"a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"etag\":\"\\\"2e00ac3f-0000-0100-0000-62e427e80000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 
1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulet0r6jh\",\"enabled\":false,\"description\":\"UpdateAlertRulet0r6jh a47d38eb-4d52-4b54-afaf-3f5ac2f847f9\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-07-29T18:33:12.122441Z\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"name\":\"e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"etag\":\"\\\"06008441-0000-0100-0000-62fbc1090000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules\",\"kind\":\"Scheduled\",\"properties\":{\"incidentConfiguration\":{\"createIncident\":false,\"groupingConfiguration\":{\"enabled\":false,\"reopenClosedIncident\":false,\"lookbackDuration\":\"PT5H\",\"matchingMethod\":\"AllEntities\",\"groupByEntities\":[],\"groupByAlertDetails\":null,\"groupByCustomDetails\":null}},\"queryFrequency\":\"P1D\",\"queryPeriod\":\"P1D\",\"triggerOperator\":\"GreaterThan\",\"triggerThreshold\":0,\"eventGroupingSettings\":{\"aggregationKind\":\"SingleAlert\"},\"severity\":\"Informational\",\"query\":\"SecurityEvent\\n| take 1\",\"suppressionDuration\":\"PT5H\",\"suppressionEnabled\":false,\"tactics\":[\"Execution\"],\"displayName\":\"UpdateAlertRulejkg1z9\",\"enabled\":false,\"description\":\"UpdateAlertRulejkg1z9 e96e7960-a8a9-47a9-91f1-4207f5f82d88\",\"alertRuleTemplateName\":null,\"lastModifiedUtc\":\"2022-08-16T16:08:41.1863083Z\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json index d0aa1954ade7..b72ccc1ea10a 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json 
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRuleAction.Recording.json 
@@ -1,9 +1,9 @@ { - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs\"\n }\n}", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw\"\n }\n}", "isContentBase64": false, "Headers": { }, 
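Review bot: The added request body in this hunk commits a Logic App callback URL whose `sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw` query value is, by its `sp`/`sv`/`sig` shape, the SAS signature that authorizes invoking the `When_a_response_to_an_Azure_Sentinel_alert_is_triggered` trigger; anyone with the recording can presumably fire that workflow without any Azure RBAC. The recording only needs the request to be replayable, so the secret should be scrubbed before check-in, e.g. `\u0026sig=Sanitized` in the `triggerUri` of this PUT body, and the same value is repeated in the later UpdateViaIdentityExpanded PUT hunk of this file. Because the previous revision already carried an equivalent `sig=` for the `prod-24` workflow, both signatures should be treated as exposed and the trigger's access key regenerated, not just redacted. Note that the service response on the new side does not echo the signature (only `workflowId` and `logicAppResourceId`), so sanitizing the request side is sufficient for replay.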
@@ -19,31 +19,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], - "x-ms-correlation-request-id": [ "d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183313Z:d2c0d15f-052f-48ae-a7bc-051f7d6d080c" ], + "x-ms-request-id": [ "a3957690-155d-4d06-be70-eb2849e01b08" ], + "x-ms-correlation-request-id": [ "a3957690-155d-4d06-be70-eb2849e01b08" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160843Z:a3957690-155d-4d06-be70-eb2849e01b08" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:13 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/c3f83b09-6bfc-4365-813e-56f9b186baac/actions/542659a3-3a74-4d87-8e04-a0e4fcbd5537\",\"name\":\"542659a3-3a74-4d87-8e04-a0e4fcbd5537\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"ab40a6a85a1740e6afde7c424b958360\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/f04b319e-dc64-427b-8640-eef21b6fb5cd/actions/39fd7829-116a-4fa3-8ec5-71501bc5ae11\",\"name\":\"39fd7829-116a-4fa3-8ec5-71501bc5ae11\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"86d6ec0418794b35bb3b014e5448e0b6\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "288" ], - "x-ms-client-request-id": [ "e9f700e4-9822-49dc-88b3-45425bad8457" ], + "x-ms-unique-id": [ "289" ], + "x-ms-client-request-id": [ "8e9be508-977d-4ba7-818f-1112c6040278" ], "CommandName": [ "Get-AzSentinelAlertRuleAction" ], "FullCommandName": [ "Get-AzSentinelAlertRuleAction_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -59,28 +59,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11938" ], - "x-ms-request-id": [ "63229b65-dab6-4455-832c-409ee3810c1f" ], - "x-ms-correlation-request-id": [ "63229b65-dab6-4455-832c-409ee3810c1f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183314Z:63229b65-dab6-4455-832c-409ee3810c1f" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], + "x-ms-request-id": [ "564bf585-ebe3-4e42-b764-72e6f393be44" ], + "x-ms-correlation-request-id": [ "564bf585-ebe3-4e42-b764-72e6f393be44" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160843Z:564bf585-ebe3-4e42-b764-72e6f393be44" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:13 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:42 GMT" ] }, "ContentHeaders": { "Content-Length": [ "660" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"name\":\"b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"etag\":\"\\\"8a009dec-0000-0300-0000-62e421010000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"e25a9538589f4273ac4b33c4251b7af4\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"name\":\"8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"etag\":\"\\\"be017323-0000-0300-0000-62fbbb420000\\\"\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"eb03b1bc818942e0a642c05aeef2614b\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert\"}}", "isContentBase64": false } }, - "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAlertRuleAction+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n 
\"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\",\n \"triggerUri\": \"https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01\\u0026sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun\\u0026sv=1.0\\u0026sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -96,19 +96,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], - "x-ms-correlation-request-id": [ "0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183315Z:0272d0fd-0e1d-4fa9-a792-fe3deb5ff9d3" ], + "x-ms-request-id": [ "3517170e-d239-467b-851c-54af87a66720" ], + "x-ms-correlation-request-id": [ "3517170e-d239-467b-851c-54af87a66720" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160844Z:3517170e-d239-467b-851c-54af87a66720" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:14 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:44 GMT" ] }, "ContentHeaders": { "Content-Length": [ "617" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/alertRules/1190f2a9-3661-474d-8c8a-cc808bce7b2e/actions/b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"name\":\"b3c6275b-ed98-4d51-a0f1-17c00cdbefd8\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"ab40a6a85a1740e6afde7c424b958360\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/alertRules/90b62f2e-9b96-4bfb-a82a-5ceed7cd487e/actions/8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"name\":\"8f59d838-afdc-4ade-be00-58abc1f3a27f\",\"type\":\"Microsoft.SecurityInsights/alertRules/actions\",\"properties\":{\"workflowId\":\"86d6ec0418794b35bb3b014e5448e0b6\",\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json index 6cb11c5a4145..55fa1c1ffbaf 100644 --- a/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelAutomationRule.Recording.json 
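Review bot: The re-recorded PUT request body for this action (the `"Content"` line just above this hunk, in the same file) still carries the full Logic App trigger URL including its `sig=` query parameter, a shared-access signature that lets anyone holding it invoke the `Confirm-AADRiskyUser-Alert` trigger endpoint without any Azure RBAC; the previous recording committed a different `sig` value for the old workflow, so both have been exposed in history. The response body in this hunk does not echo `triggerUri`, so only the request side needs scrubbing. I would replace the value before merging, e.g. `"triggerUri": "https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=...&sv=1.0&sig=REDACTED"`, and regenerate the access key on both Logic Apps so the leaked signatures stop working. Since these recordings are generated by the test run, a sanitizer step that strips `sig=` from recorded request bodies would prevent this on the next re-record rather than relying on manual review.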
@@ -1,13 +1,13 @@ { - "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "290" ], - "x-ms-client-request-id": [ "49708c05-95bc-4abb-87c8-09bb7bda0d3f" ], + "x-ms-unique-id": [ "291" ], + "x-ms-client-request-id": [ "ce7cd84a-5210-4cce-a74e-d87d95b10679" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -24,27 +24,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "9d088bdc-cd26-4727-9619-1115c038028b" ], - "x-ms-correlation-request-id": [ "9d088bdc-cd26-4727-9619-1115c038028b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183316Z:9d088bdc-cd26-4727-9619-1115c038028b" ], + "x-ms-request-id": [ "cf58baf6-cefb-4b18-8055-c227e0eaed18" ], + "x-ms-correlation-request-id": [ "cf58baf6-cefb-4b18-8055-c227e0eaed18" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160845Z:cf58baf6-cefb-4b18-8055-c227e0eaed18" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:15 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:45 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1289" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"030058b1-0000-0100-0000-62e422460000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:09:10Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\":{\"ob
jectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"25003fe8-0000-0100-0000-62fbbc1e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T15:47:42Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulek1wb4p\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", + "Content": "{\n 
\"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulefrz5oc\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
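Review bot: The recorded GET response in this hunk embeds a real identity in `createdBy`/`lastModifiedBy` (`"objectId":"9419133c-...","email":"nicholas@zeronetworks.com","name":"Nicholas DiCola","userPrincipalName":...`) together with the `tenantId` `d6eebbdd-...` and subscription ID, and the same values repeat in every AutomationRule response below. None of these are needed for playback, which only matches on the request key, so they could be replaced with placeholders (e.g. `"email":"user@example.com"`, a fixed dummy object ID and tenant ID) without affecting the test. Committing a personal UPN and tenant/subscription identifiers into a public module's test fixtures gives an attacker a ready-made target for phishing and tenant-specific enumeration; I would scrub them here and add the same scrubbing to whatever re-records these files so the next refresh does not reintroduce them.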
@@ -60,31 +60,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "c5352c66-12ec-4a9b-ad77-3d7928010e26" ], - "x-ms-correlation-request-id": [ "c5352c66-12ec-4a9b-ad77-3d7928010e26" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183316Z:c5352c66-12ec-4a9b-ad77-3d7928010e26" ], + "x-ms-request-id": [ "b489a9c3-da19-4687-b80f-be2068a32efe" ], + "x-ms-correlation-request-id": [ "b489a9c3-da19-4687-b80f-be2068a32efe" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:b489a9c3-da19-4687-b80f-be2068a32efe" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:16 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009eb1-0000-0100-0000-62e427ec0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:16Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedBy\
":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"26003f5e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+1": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "292" ], - "x-ms-client-request-id": [ "2db919c6-63ec-4a4b-a01e-6c2520806224" ], + "x-ms-unique-id": [ "293" ], + "x-ms-client-request-id": [ "95483300-317e-4655-9ac8-4951d21e2ee3" ], "CommandName": [ "Get-AzSentinelAutomationRule" ], "FullCommandName": [ "Get-AzSentinelAutomationRule_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -101,27 +101,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], - "x-ms-request-id": [ "da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], - "x-ms-correlation-request-id": [ "da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183317Z:da1c553a-0bd6-4637-b755-c766ff8a9ee0" ], + "x-ms-request-id": [ "5a5d858b-0f57-4873-a80a-987672dfb04e" ], + "x-ms-correlation-request-id": [ "5a5d858b-0f57-4873-a80a-987672dfb04e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:5a5d858b-0f57-4873-a80a-987672dfb04e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:16 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009eb1-0000-0100-0000-62e427ec0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:16Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedB
y\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"26003f5e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - 
"Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview+2": { + "Update-AzSentinelAutomationRule+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/automationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulek1wb4p\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/automationRules/904a62c7-a082-4674-a749-8dfae3498a35?api-version=2021-09-01-preview", + 
"Content": "{\n \"properties\": {\n \"triggeringLogic\": {\n \"isEnabled\": true,\n \"triggersOn\": \"Incidents\",\n \"triggersWhen\": \"Created\"\n },\n \"displayName\": \"UpdateAutomationRulefrz5oc\",\n \"order\": 1,\n \"actions\": [\n {\n \"order\": 1,\n \"actionType\": \"RunPlaybook\",\n \"actionConfiguration\": {\n \"logicAppResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\"\n }\n }\n ]\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -137,19 +137,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "3d44ad19-314f-4eee-99a6-22d1b9edc167" ], - "x-ms-correlation-request-id": [ "3d44ad19-314f-4eee-99a6-22d1b9edc167" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183317Z:3d44ad19-314f-4eee-99a6-22d1b9edc167" ], + "x-ms-request-id": [ "b16a3850-ef39-4bce-894a-aa8db051cf20" ], + "x-ms-correlation-request-id": [ "b16a3850-ef39-4bce-894a-aa8db051cf20" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160846Z:b16a3850-ef39-4bce-894a-aa8db051cf20" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:17 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:46 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1296" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/AutomationRules/5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"name\":\"5d9b905b-1fc5-459f-b9fd-5836c565dc34\",\"etag\":\"\\\"03009fb1-0000-0100-0000-62e427ed0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulek1wb4p\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:17Z\",\"createdTimeUtc\":\"2022-07-29T18:09:10Z\",\"lastModifiedB
y\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/AutomationRules/904a62c7-a082-4674-a749-8dfae3498a35\",\"name\":\"904a62c7-a082-4674-a749-8dfae3498a35\",\"etag\":\"\\\"2600465e-0000-0100-0000-62fbc10e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/AutomationRules\",\"properties\":{\"displayName\":\"UpdateAutomationRulefrz5oc\",\"order\":1,\"triggeringLogic\":{\"isEnabled\":true,\"triggersOn\":\"Incidents\",\"triggersWhen\":\"Created\",\"conditions\":[]},\"actions\":[{\"order\":1,\"actionType\":\"RunPlaybook\",\"actionConfiguration\":{\"logicAppResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident\",\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:46Z\",\"createdTimeUtc\":\"2022-08-16T15:47:42Z\",\"lastModifiedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"},\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json index 8722b1cde6e8..fb36ffb542a3 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelBookmark.Recording.json 
@@ -1,13 +1,13 @@ { - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "294" ], - "x-ms-client-request-id": [ "9cdf260f-b962-4d87-b13e-ead28ce0110e" ], + "x-ms-unique-id": [ "295" ], + "x-ms-client-request-id": [ "165b612f-242b-49ea-827b-b12b2dfeda1a" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,27 +23,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11937" ], - "x-ms-request-id": [ "43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], - "x-ms-correlation-request-id": [ "43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183318Z:43c5d2c4-c71d-4b3a-a28b-413bffed95e9" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11934" ], + "x-ms-request-id": [ "29d8829b-da75-405d-8b42-d6cf036d8e3f" ], + "x-ms-correlation-request-id": [ "29d8829b-da75-405d-8b42-d6cf036d8e3f" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:29d8829b-da75-405d-8b42-d6cf036d8e3f" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:18 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "5289" ], + "Content-Length": [ "5291" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"01007393-0000-0100-0000-62e422e40000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkdytufp\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:11:48.096609+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T06:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-07-28T06:00:00+00:00\",\"queryEndTime\":\"2022-07-29T06:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c005b8a-0000-0100-0000-62fbbcc60000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"Updatebookmarkd4t6g3\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T15:50:30.6003748+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T03:00:00+00:00\",\"notes\":\"Notes go 
here\",\"labels\":[\"asptest\"],\"query\":\"SigninLogs_CL\",\"queryResult\":\"{\\\"TenantId\\\":\\\"6ad64079-1c3e-4672-bc2d-08df98ad5751\\\",\\\"SourceSystem\\\":\\\"RestAPI\\\",\\\"MG\\\":\\\"\\\",\\\"ManagementGroupName\\\":\\\"\\\",\\\"TimeGenerated\\\":\\\"2021-12-08T03:59:19.262Z\\\",\\\"Computer\\\":\\\"\\\",\\\"RawData\\\":\\\"\\\",\\\"ResourceId\\\":\\\"/tenants/2ad3fc79-1859-42fa-9011-6f8df2251b22/providers/Microsoft.aadiam\\\",\\\"OperationName\\\":\\\"Sign-in activity\\\",\\\"OperationVersion\\\":\\\"1\\\",\\\"Category\\\":\\\"SignInLogs\\\",\\\"ResultType\\\":\\\"0\\\",\\\"ResultSignature\\\":\\\"None\\\",\\\"ResultDescription\\\":\\\"\\\",\\\"DurationMs\\\":0,\\\"CorrelationId\\\":\\\"f9ff9ee8-d565-478b-bc95-8b4f0d468fe1\\\",\\\"Resource\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceGroup\\\":\\\"Microsoft.aadiam\\\",\\\"ResourceProvider\\\":\\\"\\\",\\\"Identity_s\\\":\\\"Adele Vance\\\",\\\"Level\\\":\\\"4\\\",\\\"Location_s\\\":\\\"IL\\\",\\\"AlternateSignInName_s\\\":\\\"\\\",\\\"AppDisplayName_s\\\":\\\"Azure Portal\\\",\\\"AppId_g\\\":\\\"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\\\",\\\"AuthenticationDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"authenticationStepDateTime\\\\\\\": \\\\\\\"2021-04-28T14:08:45.2213421+00:00\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationMethod\\\\\\\": \\\\\\\"Previously satisfied\\\\\\\",\\\\r\\\\n \\\\\\\"succeeded\\\\\\\": true,\\\\r\\\\n \\\\\\\"authenticationStepResultDetail\\\\\\\": \\\\\\\"First factor requirement satisfied by claim in the token\\\\\\\",\\\\r\\\\n \\\\\\\"authenticationStepRequirement\\\\\\\": \\\\\\\"Primary authentication\\\\\\\",\\\\r\\\\n \\\\\\\"StatusSequence\\\\\\\": 0,\\\\r\\\\n \\\\\\\"RequestSequence\\\\\\\": 0\\\\r\\\\n }\\\\r\\\\n]\\\",\\\"AuthenticationMethodsUsed_s\\\":\\\"\\\",\\\"AuthenticationProcessingDetails_s\\\":\\\"[\\\\r\\\\n {\\\\r\\\\n \\\\\\\"key\\\\\\\": \\\\\\\"IsCAEToken\\\\\\\",\\\\r\\\\n \\\\\\\"value\\\\\\\": \\\\\\\"False\\\\\\\"\\\\r\\\\n 
}\\\\r\\\\n]\\\",\\\"AuthenticationRequirement_s\\\":\\\"singleFactorAuthentication\\\",\\\"AuthenticationRequirementPolicies_s\\\":\\\"[]\\\",\\\"ClientAppUsed_s\\\":\\\"Browser\\\",\\\"ConditionalAccessPolicies_dynamic_s\\\":\\\"[{\\\\\\\"enforcedSessionControls\\\\\\\":[],\\\\\\\"conditionsNotSatisfied\\\\\\\":0,\\\\\\\"enforcedGrantControls\\\\\\\":[],\\\\\\\"conditionsSatisfied\\\\\\\":0,\\\\\\\"displayName\\\\\\\":\\\\\\\"Exchange Online Requires Compliant Device\\\\\\\",\\\\\\\"result\\\\\\\":\\\\\\\"notEnabled\\\\\\\",\\\\\\\"id\\\\\\\":\\\\\\\"defb835a-eb9f-4346-a2ca-7a9184867bf1\\\\\\\"}]\\\",\\\"ConditionalAccessPolicies_string_s\\\":\\\"\\\",\\\"ConditionalAccessStatus_s\\\":\\\"notApplied\\\",\\\"CreatedDateTime_UTC__s\\\":\\\"4/28/2021, 2:08:45.221 PM\\\",\\\"DeviceDetail_dynamic_s\\\":\\\"{\\\\\\\"operatingSystem\\\\\\\":\\\\\\\"Windows 10\\\\\\\",\\\\\\\"deviceId\\\\\\\":\\\\\\\"\\\\\\\",\\\\\\\"browser\\\\\\\":\\\\\\\"Edge 90.0.818\\\\\\\"}\\\",\\\"DeviceDetail_string_s\\\":\\\"\\\",\\\"IsInteractive_s\\\":\\\"TRUE\\\",\\\"Id_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"IPAddress\\\":\\\"175.45.176.99\\\",\\\"IsRisky_s\\\":\\\"\\\",\\\"LocationDetails_dynamic_s\\\":\\\"{\\\\\\\"countryOrRegion\\\\\\\":\\\\\\\"IL\\\\\\\",\\\\\\\"geoCoordinates\\\\\\\":{\\\\\\\"longitude\\\\\\\":34.79964828491211,\\\\\\\"latitude\\\\\\\":32.02956008911133},\\\\\\\"state\\\\\\\":\\\\\\\"Tel 
Aviv\\\\\\\",\\\\\\\"city\\\\\\\":\\\\\\\"Azor\\\\\\\"}\\\",\\\"LocationDetails_string_s\\\":\\\"\\\",\\\"MfaDetail_dynamic_s\\\":\\\"{}\\\",\\\"MfaDetail_string_s\\\":\\\"\\\",\\\"NetworkLocationDetails_s\\\":\\\"[]\\\",\\\"OriginalRequestId_g\\\":\\\"cfb68155-70f5-4e28-b046-0a3a7086c401\\\",\\\"ProcessingTimeInMilliseconds_s\\\":\\\"3535\\\",\\\"RiskDetail_s\\\":\\\"none\\\",\\\"RiskEventTypes_s\\\":\\\"[]\\\",\\\"RiskEventTypes_V2_s\\\":\\\"[]\\\",\\\"RiskLevelAggregated_s\\\":\\\"none\\\",\\\"RiskLevelDuringSignIn_s\\\":\\\"none\\\",\\\"RiskState_s\\\":\\\"none\\\",\\\"ResourceDisplayName_s\\\":\\\"Windows Azure Service Management API\\\",\\\"ResourceIdentity_g\\\":\\\"797f4846-ba00-4fd7-ba43-dac1f8f63013\\\",\\\"ServicePrincipalId_s\\\":\\\"\\\",\\\"ServicePrincipalName_s\\\":\\\"\\\",\\\"Status_dynamic_s\\\":\\\"{\\\\\\\"errorCode\\\\\\\":0}\\\",\\\"Status_string_s\\\":\\\"\\\",\\\"TokenIssuerName_s\\\":\\\"\\\",\\\"TokenIssuerType_s\\\":\\\"AzureAD\\\",\\\"UserAgent_s\\\":\\\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49\\\",\\\"UserDisplayName_s\\\":\\\"Adele 
Vance\\\",\\\"UserId_g\\\":\\\"9b117c67-170e-4aed-9702-658b3fddc889\\\",\\\"UserPrincipalName_s\\\":\\\"adelev@m365x816222.onmicrosoft.com\\\",\\\"AADTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"UserType_s\\\":\\\"Member\\\",\\\"FlaggedForReview_s\\\":\\\"\\\",\\\"SignInIdentifier_s\\\":\\\"\\\",\\\"SignInIdentifierType_s\\\":\\\"\\\",\\\"ResourceTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"HomeTenantId_g\\\":\\\"2ad3fc79-1859-42fa-9011-6f8df2251b22\\\",\\\"Type_s\\\":\\\"SigninLogs\\\",\\\"AdditionalDetails_s\\\":\\\"\\\",\\\"InitiatedBy_s\\\":\\\"\\\",\\\"ResourceIdentity_s\\\":\\\"\\\",\\\"HomeTenantId_s\\\":\\\"\\\",\\\"Type\\\":\\\"SigninLogs_CL\\\",\\\"_ResourceId\\\":\\\"\\\"}\",\"queryStartTime\":\"2022-08-15T03:00:00+00:00\",\"queryEndTime\":\"2022-08-16T03:00:00+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
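Review bot: The re-recorded GET response body in this hunk still carries live identity data from the recording session — the `createdBy`/`updatedBy` objectId, email and display name, and inside `queryResult` a tenant id, a user principal name, a user objectId and a client `IPAddress` — and the same fields recur in the PUT/GET hunks that follow in this file. Committed recordings are read by anyone with repository access, so these values should be replaced by the test recorder's sanitizer or by constructed placeholders before the fixture is refreshed rather than rotated into each new recording. If the playback only matches on method and `RequestUri`, scrubbing the response bodies should not affect the test; that assumption is inferred from the recording keys and should be confirmed against the test harness. The subscription id in the request and key lines is visible too, though it appears unchanged between the old and new recordings.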
@@ -60,31 +60,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1191" ], - "x-ms-request-id": [ "124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], - "x-ms-correlation-request-id": [ "124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183319Z:124b1f0e-9ed2-4e2e-82a3-88df491dbf46" ], + "x-ms-request-id": [ "2183b76b-1d63-47c8-9403-02c677093447" ], + "x-ms-correlation-request-id": [ "2183b76b-1d63-47c8-9403-02c677093447" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:2183b76b-1d63-47c8-9403-02c677093447" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:18 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "910" ], + "Content-Length": [ "911" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e393-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.1654707+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00bf8c-0000-0100-0000-62fbc10f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:47+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:47.6051639+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "296" ], - "x-ms-client-request-id": [ "16c9cdce-9ba1-460f-8eaa-29c8411917f6" ], + "x-ms-unique-id": [ "297" ], + "x-ms-client-request-id": [ "8eb31be2-b64e-4c46-a569-8f0038a4a6ad" ], "CommandName": [ "Get-AzSentinelBookmark" ], "FullCommandName": [ "Get-AzSentinelBookmark_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -100,27 +100,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11936" ], - "x-ms-request-id": [ "44359b2e-ceed-4449-beae-316c1fd47f11" ], - "x-ms-correlation-request-id": [ "44359b2e-ceed-4449-beae-316c1fd47f11" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183319Z:44359b2e-ceed-4449-beae-316c1fd47f11" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], + "x-ms-request-id": [ "276c7dc4-1a62-49cc-b155-f0ab065800c9" ], + "x-ms-correlation-request-id": [ "276c7dc4-1a62-49cc-b155-f0ab065800c9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160847Z:276c7dc4-1a62-49cc-b155-f0ab065800c9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:47 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "918" ], + "Content-Length": [ "919" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e393-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19.1657829+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas 
DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.1654707+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00bf8c-0000-0100-0000-62fbc10f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:47.6053435+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:47.6051639+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview+2": { + "Update-AzSentinelBookmark+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateBookmarkPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -137,19 +137,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1190" ], - "x-ms-request-id": [ "4e806084-e99b-4e92-9699-451f17bcb85d" ], - "x-ms-correlation-request-id": [ "4e806084-e99b-4e92-9699-451f17bcb85d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183320Z:4e806084-e99b-4e92-9699-451f17bcb85d" ], + "x-ms-request-id": [ "09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], + "x-ms-correlation-request-id": [ "09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:09b10842-f1a5-4598-aef7-4fa3a54d0c6c" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:19 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "910" ], + "Content-Length": [ "911" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/8a947749-f012-465f-b5fd-cb60e5eae27d\",\"name\":\"8a947749-f012-465f-b5fd-cb60e5eae27d\",\"etag\":\"\\\"0100e493-0000-0100-0000-62e427ef0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-07-29T18:11:48.096609+00:00\",\"updated\":\"2022-07-29T18:33:19+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:19.9639215+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"name\":\"4a1c3550-81e9-42ae-8302-a2234a8d3168\",\"etag\":\"\\\"3c00c08c-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateBookmarkPSTest\",\"created\":\"2022-08-16T15:50:30.6003748+00:00\",\"updated\":\"2022-08-16T16:08:48+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:08:48.0260156+00:00\",\"labels\":[],\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json index 060d9c8769ac..ef36518f4ef4 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Recording.json 
@@ -1,15 +1,15 @@ { - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateBookmarkRelationPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentNamekefcy9\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "123" ] + "Content-Length": [ "132" ] } }, "Response": { 
@@ -19,27 +19,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "efa81e6f-c33c-4279-ad5c-0fede556476c" ], - "x-ms-correlation-request-id": [ "efa81e6f-c33c-4279-ad5c-0fede556476c" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183320Z:efa81e6f-c33c-4279-ad5c-0fede556476c" ], + "x-ms-request-id": [ "d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], + "x-ms-correlation-request-id": [ "d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:d5f8b3f5-97a3-4e9f-bbde-33533f7b7257" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:20 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1222" ], + "Content-Length": [ "1233" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"name\":\"7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"etag\":\"\\\"1200e30b-0000-0100-0000-62e427f00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:20.871293Z\",\"createdTimeUtc\":\"2022-07-29T18:33:20.871293Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"name\":\"260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"etag\":\"\\\"4a00c452-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentNamekefcy9\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:48.6722673Z\",\"createdTimeUtc\":\"2022-08-16T16:08:48.6722673Z\",\"incidentNumber\":27,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"27\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelBookmarkRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -55,33 +55,33 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1189" ], - "x-ms-request-id": [ "c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], - "x-ms-correlation-request-id": [ "c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183321Z:c16e93ad-f753-4ffe-ab11-f8b6df3aef4f" ], + "x-ms-request-id": [ "0cb984aa-ec08-4525-a665-cda64087a2e9" ], + "x-ms-correlation-request-id": [ "0cb984aa-ec08-4525-a665-cda64087a2e9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160848Z:0cb984aa-ec08-4525-a665-cda64087a2e9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:20 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:48 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/9b38dab1-2c2e-4c71-809d-95301194aa91/relations/382966e8-f4b2-444c-b4e8-514194ff8544\",\"name\":\"382966e8-f4b2-444c-b4e8-514194ff8544\",\"etag\":\"\\\"0100e593-0000-0100-0000-62e427f10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"relatedResourceName\":\"7681373f-76bc-43b2-8e7e-57eaef2f0e81\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/a6be05a8-9ad5-44c4-89c5-a9df845dca7e/relations/17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"name\":\"17cbbab8-7829-4e80-8775-f71ebcd2ceea\",\"etag\":\"\\\"3c00c38c-0000-0100-0000-62fbc1100000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"relatedResourceName\":\"260305a7-5d75-4eb9-bd1d-56d5bc54f96e\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82?api-version=2021-09-01-preview+1": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/219862bd-299b-4e98-8dd1-149a26b76dfe?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82?api-version=2021-09-01-preview", - "Content": 
"{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"UpdateViaIdBookmarkRelationPSTest\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/219862bd-299b-4e98-8dd1-149a26b76dfe?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"New\",\n \"title\": \"NewbookmarkRelationIncidentName7zq8cv\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "128" ] + "Content-Length": [ "132" ] } }, "Response": { 
@@ -91,31 +91,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "493" ], - "x-ms-request-id": [ "e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], - "x-ms-correlation-request-id": [ "e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183321Z:e25b894a-6ab7-40b3-bc20-7121ab8a672d" ], + "x-ms-request-id": [ "c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], + "x-ms-correlation-request-id": [ "c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:c5fc1be9-1bf5-495d-bf9b-10831cc1ddfa" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:21 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1229" ], + "Content-Length": [ "1231" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"name\":\"5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"etag\":\"\\\"1200e50b-0000-0100-0000-62e427f10000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"UpdateViaIdBookmarkRelationPSTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:21.6047137Z\",\"createdTimeUtc\":\"2022-07-29T18:33:21.6047137Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"name\":\"219862bd-299b-4e98-8dd1-149a26b76dfe\",\"etag\":\"\\\"4a00c752-0000-0100-0000-62fbc1110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"NewbookmarkRelationIncidentName7zq8cv\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:08:49.214241Z\",\"createdTimeUtc\":\"2022-08-16T16:08:49.214241Z\",\"incidentNumber\":28,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"28\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "301" ], - "x-ms-client-request-id": [ "f72bd6aa-1366-4752-b2c3-dcefc8d4d314" ], + "x-ms-unique-id": [ "302" ], + "x-ms-client-request-id": [ "2f54d4b1-d64d-4d23-a9ca-76d5bfc28058" ], "CommandName": [ "Get-AzSentinelBookmarkRelation" ], "FullCommandName": [ "Get-AzSentinelBookmarkRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -131,28 +131,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11935" ], - "x-ms-request-id": [ "2af6e528-a4e7-4391-b21d-df1197d83c52" ], - "x-ms-correlation-request-id": [ "2af6e528-a4e7-4391-b21d-df1197d83c52" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183322Z:2af6e528-a4e7-4391-b21d-df1197d83c52" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11932" ], + "x-ms-request-id": [ "297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], + "x-ms-correlation-request-id": [ "297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:297c4d6c-3705-4c95-a46d-9d5e6cccc9da" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"name\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"etag\":\"\\\"01008993-0000-0100-0000-62e423bf0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"relatedResourceName\":\"75bd63a7-0ac6-4f43-8a15-18ff73172bb5\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"name\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"etag\":\"\\\"3c003a8b-0000-0100-0000-62fbbda80000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"relatedResourceName\":\"68e94645-a3b4-4595-9bfe-0d5370f5c8dd\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } }, - "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview+3": { + "Update-AzSentinelBookmarkRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -168,19 +168,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1188" ], - "x-ms-request-id": [ "ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], - "x-ms-correlation-request-id": [ "ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183323Z:ea0e6164-1eeb-4712-82fb-e7679bac4bf9" ], + "x-ms-request-id": [ "5c411a39-95b1-4779-ba2b-148f02b85434" ], + "x-ms-correlation-request-id": [ "5c411a39-95b1-4779-ba2b-148f02b85434" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160849Z:5c411a39-95b1-4779-ba2b-148f02b85434" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:22 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:49 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/04b58a5a-2a5e-47e2-9c22-3cd6229599ec/relations/c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"name\":\"c36ddb20-11ec-4179-a995-51e6fcfd1e58\",\"etag\":\"\\\"0100e693-0000-0100-0000-62e427f30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"relatedResourceName\":\"5ded4516-22d5-4a69-9e6f-d0ec7c2fcd82\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/327d3f42-a5d6-4bc8-99bc-93cf7b2942c7/relations/5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"name\":\"5c7863c4-3fba-4c60-87f0-88e5c33a5df8\",\"etag\":\"\\\"3c00c68c-0000-0100-0000-62fbc1110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/219862bd-299b-4e98-8dd1-149a26b76dfe\",\"relatedResourceName\":\"219862bd-299b-4e98-8dd1-149a26b76dfe\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Incidents\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 index 6a093883f443..95e1f6bddabd 100644 --- a/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelBookmarkRelation.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelBookmarkRela Describe 'Update-AzSentinelBookmarkRelation' { It 'UpdateExpanded' { $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Severity Informational -Status New -Title "UpdateBookmarkRelationPSTest" + -Id $env.UpdateBookmarkRelationIncidentId2 -Severity Informational -Status New -Title $env.UpdatebookmarkRelationIncidentName2 $bookmarkRelation = Update-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -BookmarkId $env.UpdatebookmarkRelationBookmarkId -RelationName $env.UpdateBookmarkRelationId -RelatedResourceId $incident.Id $bookmarkRelation.RelatedResourceId | Should -Be $incident.Id @@ -25,7 +25,7 @@ Describe 'Update-AzSentinelBookmarkRelation' { It 'UpdateViaIdentityExpanded' { $incident = New-AzSentinelIncident -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` - -Severity Informational -Status New -Title "UpdateViaIdBookmarkRelationPSTest" + -Id $env.UpdateViaIdBookmarkRelationIncidentId2 -Severity Informational -Status New -Title $env.UpdateViaIdbookmarkRelationIncidentName2 $bookmarkRelation = Get-AzSentinelBookmarkRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -BookmarkId $env.UpdateViaIdbookmarkRelationBookmarkId -RelationName $env.UpdateViaIdBookmarkRelationId $bookmarkRelationUpdate = Update-AzSentinelBookmarkRelation -InputObject $bookmarkRelation -RelatedResourceId $incident.Id diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json index ee323db3da3f..25d69e966897 100644 --- a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Recording.json 
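Review bot: In both `It` blocks, `$incident.Id` is fed straight into `Update-AzSentinelBookmarkRelation -RelatedResourceId` without confirming that `New-AzSentinelIncident` returned an object; if the create fails non-terminatingly, the update would likely run with an empty resource id and the failure surfaces as a confusing binding/API error rather than at the create. I would add `$incident.Id | Should -Not -BeNullOrEmpty` (or `-ErrorAction Stop` on the create) before each update call. Separately, the env keys mix casing (`UpdateBookmarkRelationIncidentId2` vs `UpdatebookmarkRelationIncidentName2`), and the recorded request titles for these tests are `NewbookmarkRelationIncidentNamekefcy9`/`…7zq8cv`, i.e. values named for the New-* test, which suggests the `Update*IncidentName2` env entries were copied from the New-* ones — worth confirming in the env setup, which is outside this hunk. Neither block removes the incident it creates; if there is no AfterAll cleanup (the `Describe` body continues past both hunks), every re-record leaves orphaned incidents in the shared test workspace.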
@@ -1,9 +1,9 @@ { - "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+1": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"e6fe5716-cd55-4449-8cfc-8949597baddd\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"7e7b29f8-4921-4f6a-ac9f-288d54eb8cd9\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n 
},\n \"sharePoint\": {\n \"state\": \"Enabled\"\n },\n \"teams\": {\n \"state\": \"disabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,31 +19,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], - "x-ms-correlation-request-id": [ "ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183325Z:ad9520ae-76b5-4d8a-8b9c-6f86e405d79f" ], + "x-ms-request-id": [ "73ec966a-6d50-49a3-a84a-628a212109eb" ], + "x-ms-correlation-request-id": [ "73ec966a-6d50-49a3-a84a-628a212109eb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160853Z:73ec966a-6d50-49a3-a84a-628a212109eb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:24 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:53 GMT" ] }, "ContentHeaders": { "Content-Length": [ "578" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+1": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "305" ], - "x-ms-client-request-id": [ "abadd129-2601-4db3-8d8f-a6b9a7af145a" ], + "x-ms-unique-id": [ "306" ], + "x-ms-client-request-id": [ "6368faf2-761f-4833-8eb3-4410ed2583da" ], "CommandName": [ "Get-AzSentinelDataConnector" ], "FullCommandName": [ "Get-AzSentinelDataConnector_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -60,27 +60,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "68627483-0b82-4213-8023-25e8e810dd9b" ], - "x-ms-correlation-request-id": [ "68627483-0b82-4213-8023-25e8e810dd9b" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183325Z:68627483-0b82-4213-8023-25e8e810dd9b" ], + "x-ms-request-id": [ "00d47fec-80f2-40a3-a54f-149cf314433d" ], + "x-ms-correlation-request-id": [ "00d47fec-80f2-40a3-a54f-149cf314433d" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160853Z:00d47fec-80f2-40a3-a54f-149cf314433d" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:25 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:53 GMT" ] }, "ContentHeaders": { "Content-Length": [ "578" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"disabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } }, - "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview+2": { + "Update-AzSentinelDataConnector+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"4460b801-38f2-4432-80bb-4aa9bb3fb7f3\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n 
},\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"1d40953b-36aa-4fcb-8258-e3a0d8ea6268\",\n \"kind\": \"Office365\",\n \"properties\": {\n \"tenantId\": \"d6eebbdd-d77c-465e-b008-4339027b4006\",\n \"dataTypes\": {\n \"exchange\": {\n \"state\": \"enabled\"\n },\n \"sharePoint\": {\n \"state\": \"enabled\"\n },\n \"teams\": {\n \"state\": \"Enabled\"\n }\n }\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -96,19 +96,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "495" ], - "x-ms-request-id": [ "567b922e-55b4-43fa-bef3-a12751d04f70" ], - "x-ms-correlation-request-id": [ "567b922e-55b4-43fa-bef3-a12751d04f70" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183327Z:567b922e-55b4-43fa-bef3-a12751d04f70" ], + "x-ms-request-id": [ "bc7709c7-50eb-45be-a607-9c1dc492943e" ], + "x-ms-correlation-request-id": [ "bc7709c7-50eb-45be-a607-9c1dc492943e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160856Z:bc7709c7-50eb-45be-a607-9c1dc492943e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:27 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:08:56 GMT" ] }, "ContentHeaders": { "Content-Length": [ "577" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/dataConnectors/0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"name\":\"0c45acce-4689-4024-8bfa-4ff3b300e29a\",\"etag\":\"46522b22-41b7-49db-aa42-9e7b270b9f98\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/dataConnectors/6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"name\":\"6d021fce-8f39-437c-9fb4-fc0a3794402d\",\"etag\":\"cecb2be5-2866-4148-950d-3a35265b195f\",\"type\":\"Microsoft.SecurityInsights/dataConnectors\",\"kind\":\"Office365\",\"properties\":{\"dataTypes\":{\"sharePoint\":{\"state\":\"enabled\"},\"exchange\":{\"state\":\"enabled\"},\"teams\":{\"state\":\"enabled\"}},\"tenantId\":\"d6eebbdd-d77c-465e-b008-4339027b4006\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json index 312eb94d40c1..bb994da53c1b 100644 --- a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Recording.json 
@@ -1,9 +1,9 @@ { - "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a?api-version=2021-09-01-preview+1": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"890006ae-0000-0100-0000-62e425150000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has 
\\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"0c006a0f-0000-0100-0000-62fbbe440000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, 
v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n 
}\n}", "isContentBase64": false, "Headers": { }, 
@@ -19,31 +19,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1187" ], - "x-ms-request-id": [ "0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], - "x-ms-correlation-request-id": [ "0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183330Z:0a7fd701-72ba-401e-97c2-e8c4b2ab7550" ], + "x-ms-request-id": [ "30d8182a-90f6-4622-8f9a-665e3825b8b9" ], + "x-ms-correlation-request-id": [ "30d8182a-90f6-4622-8f9a-665e3825b8b9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160900Z:30d8182a-90f6-4622-8f9a-665e3825b8b9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:30 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2287" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/27b638f3-fbfb-4387-bb6a-353001b9794a\",\"name\":\"27b638f3-fbfb-4387-bb6a-353001b9794a\",\"etag\":\"\\\"890067d9-0000-0100-0000-62e427fa0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, 
tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:09.2143131Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:30.5362686Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/105c6ccb-e733-4602-ad28-20c44e2cf4ae\",\"name\":\"105c6ccb-e733-4602-ad28-20c44e2cf4ae\",\"etag\":\"\\\"0c00d913-0000-0100-0000-62fbc11c0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:56:52.6157717Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:00.3224499Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview+1": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "310" ], - "x-ms-client-request-id": [ "0688d249-c2c3-4ca8-a289-8273d58aeb79" ], + "x-ms-unique-id": [ "311" ], + "x-ms-client-request-id": [ "93fd97ca-6b9b-4e41-9898-f234be1f46e9" ], "CommandName": [ "Get-AzSentinelEntityQuery" ], "FullCommandName": [ "Get-AzSentinelEntityQuery_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -59,28 +59,28 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11933" ], - "x-ms-request-id": [ "af431aa5-2462-48a5-9f7d-a6ac7682504e" ], - "x-ms-correlation-request-id": [ "af431aa5-2462-48a5-9f7d-a6ac7682504e" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183331Z:af431aa5-2462-48a5-9f7d-a6ac7682504e" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], + "x-ms-request-id": [ "6fc14431-ca00-406a-853a-d24777fd1429" ], + "x-ms-correlation-request-id": [ "6fc14431-ca00-406a-853a-d24777fd1429" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160900Z:6fc14431-ca00-406a-853a-d24777fd1429" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:30 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:00 GMT" ] }, "ContentHeaders": { "Content-Length": [ "2326" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"name\":\"9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"etag\":\"\\\"8900f2ae-0000-0100-0000-62e425340000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety 
of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894\",\"name\":\"023cc70e-538f-416e-af6e-ec0833b69894\",\"etag\":\"\\\"0c008f0f-0000-0100-0000-62fbbe630000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"An account was deleted on this host\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, 
Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{\"Host_OsFamily\":[\"Windows\"]},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"lastModifiedTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } }, - "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview+2": { + "Update-AzSentinelEntityQuery+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1?api-version=2021-09-01-preview", - "Content": "{\n \"etag\": \"\\\"8900f2ae-0000-0100-0000-62e425340000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = 
(v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", 
\"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894?api-version=2021-09-01-preview", + "Content": "{\n \"etag\": \"\\\"0c008f0f-0000-0100-0000-62fbbe630000\\\"\",\n \"kind\": \"Activity\",\n \"properties\": {\n \"queryDefinitions\": {\n \"query\": \"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \\u0027@\\u0027, tostring(split(Computer, \\u0027@\\u0027)[0]),\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[1]),\\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, tostring(split(Computer, \\u0027.\\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \\u0027\\\\\\\\\\u0027, tostring(split(Computer, \\u0027\\\\\\\\\\u0027)[0]), \\nComputer has \\u0027.\\u0027, strcat_array(array_slice(split(Computer,\\u0027.\\u0027),-2,-1),\\u0027.\\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, 
TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\\u0027{{Host_HostName}}\\u0027, \\u0027{{Host_NTDomain}}\\u0027, \\u0027{{Host_DnsDomain}}\\u0027, \\u0027{{Host_AzureID}}\\u0027, \\u0027{{Host_OMSAgentID}}\\u0027)\\n \\n| where EventID == 4726 \"\n },\n \"title\": \"UpdateEntityQueryPSTest\",\n \"content\": \"On \\u0027{{Computer}}\\u0027 the account \\u0027{{TargetAccount}}\\u0027 was deleted by \",\n \"description\": \"Account deleted on host\",\n \"inputEntityType\": \"Host\",\n \"requiredInputFieldsSets\": [\n [ \"Host_HostName\", \"Host_NTDomain\" ],\n [ \"Host_HostName\", \"Host_DnsDomain\" ],\n [ \"Host_AzureID\" ],\n [ \"Host_OMSAgentID\" ]\n ],\n \"enabled\": true\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -96,19 +96,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1186" ], - "x-ms-request-id": [ "751805b8-b26d-46bd-b438-75f77734d700" ], - "x-ms-correlation-request-id": [ "751805b8-b26d-46bd-b438-75f77734d700" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183333Z:751805b8-b26d-46bd-b438-75f77734d700" ], + "x-ms-request-id": [ "012499d2-6a05-4f48-ad75-54b6a68dd803" ], + "x-ms-correlation-request-id": [ "012499d2-6a05-4f48-ad75-54b6a68dd803" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:012499d2-6a05-4f48-ad75-54b6a68dd803" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:32 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:01 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "2287" ], + "Content-Length": [ "2286" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/entityQueries/9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"name\":\"9934ce9e-b735-43ca-885c-729dc54cb4d1\",\"etag\":\"\\\"890093d9-0000-0100-0000-62e427fd0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer 
has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-07-29T18:21:40.2793364Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:33.3131081Z\",\"inputEntityType\":\"Host\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/entityQueries/023cc70e-538f-416e-af6e-ec0833b69894\",\"name\":\"023cc70e-538f-416e-af6e-ec0833b69894\",\"etag\":\"\\\"0c00db13-0000-0100-0000-62fbc11e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/entityQueries\",\"kind\":\"Activity\",\"properties\":{\"title\":\"UpdateEntityQueryPSTest\",\"content\":\"On \u0027{{Computer}}\u0027 the account \u0027{{TargetAccount}}\u0027 was deleted by \",\"description\":\"Account deleted on host\",\"queryDefinitions\":{\"query\":\"let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\\nSecurityEvent\\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\\n// parsing for Host to handle variety of conventions coming from data\\n| extend Host_HostName = case(\\nComputer has \u0027@\u0027, tostring(split(Computer, \u0027@\u0027)[0]),\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[1]),\\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[0]),\\nComputer\\n)\\n| extend Host_NTDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, tostring(split(Computer, \u0027.\u0027)[-2]), \\nComputer\\n)\\n| extend Host_DnsDomain = case(\\nComputer has \u0027\\\\\\\\\u0027, tostring(split(Computer, \u0027\\\\\\\\\u0027)[0]), \\nComputer has \u0027.\u0027, strcat_array(array_slice(split(Computer,\u0027.\u0027),-2,-1),\u0027.\u0027), \\nComputer\\n)\\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \\nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \\nor v_Host_AzureID =~ _ResourceId \\nor v_Host_OMSAgentID == SourceComputerId\\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid};\\nGetAccountActions(\u0027{{Host_HostName}}\u0027, \u0027{{Host_NTDomain}}\u0027, \u0027{{Host_DnsDomain}}\u0027, \u0027{{Host_AzureID}}\u0027, \u0027{{Host_OMSAgentID}}\u0027)\\n \\n| where EventID == 4726 \"},\"requiredInputFieldsSets\":[[\"Host_HostName\",\"Host_NTDomain\"],[\"Host_HostName\",\"Host_DnsDomain\"],[\"Host_AzureID\"],[\"Host_OMSAgentID\"]],\"entitiesFilter\":{},\"enabled\":true,\"createdTimeUtc\":\"2022-08-16T15:57:23.7657228Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:02.033204Z\",\"inputEntityType\":\"Host\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json index 3cf775559a1a..9a8177b2f55f 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncident.Recording.json 
@@ -1,13 +1,13 @@ { - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "313" ], - "x-ms-client-request-id": [ "6ba00cb2-f6c3-4045-88ed-0df432245c93" ], + "x-ms-unique-id": [ "314" ], + "x-ms-client-request-id": [ "f0c5dc37-8cb6-4f5e-bc0b-30b90442f3dd" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,27 +23,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11931" ], - "x-ms-request-id": [ "37e310e4-695c-4569-aca9-03e3000b8dcf" ], - "x-ms-correlation-request-id": [ "37e310e4-695c-4569-aca9-03e3000b8dcf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183334Z:37e310e4-695c-4569-aca9-03e3000b8dcf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], + "x-ms-request-id": [ "edad1ccd-5052-46e5-933d-1831da0c9b6e" ], + "x-ms-correlation-request-id": [ "edad1ccd-5052-46e5-933d-1831da0c9b6e" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:edad1ccd-5052-46e5-933d-1831da0c9b6e" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:33 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1208" ], + "Content-Length": [ "1206" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200360b-0000-0100-0000-62e425b30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a005e51-0000-0100-0000-62fbbee00000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/905e7dec-fd14-42df-9ed5-c4df09445158?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -60,31 +60,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "492" ], - "x-ms-request-id": [ "d90bc611-1d83-4b82-ad33-b78a872de298" ], - "x-ms-correlation-request-id": [ "d90bc611-1d83-4b82-ad33-b78a872de298" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183334Z:d90bc611-1d83-4b82-ad33-b78a872de298" ], + "x-ms-request-id": [ "4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], + "x-ms-correlation-request-id": [ "4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160902Z:4aad4a00-f361-49e5-b5e9-e0d2766f246b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:34 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1211" ], + "Content-Length": [ "1210" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"name\":\"c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"etag\":\"\\\"1200e80b-0000-0100-0000-62e427fe0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:34.7072753Z\",\"createdTimeUtc\":\"2022-07-29T18:23:47.4434597Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/c98e79b2-3851-4fe2-be7b-d02281b03ea8\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"name\":\"905e7dec-fd14-42df-9ed5-c4df09445158\",\"etag\":\"\\\"4a00cb52-0000-0100-0000-62fbc11e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:09:02.9008773Z\",\"createdTimeUtc\":\"2022-08-16T15:59:28.733771Z\",\"incidentNumber\":10,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/905e7dec-fd14-42df-9ed5-c4df09445158\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"10\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview+1": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "315" ], - "x-ms-client-request-id": [ "a2b3a508-8cd5-4383-b7cc-d3314d50fc1a" ], + "x-ms-unique-id": [ "316" ], + "x-ms-client-request-id": [ "3d11769c-3ade-488b-8584-a64fbaea1912" ], "CommandName": [ "Get-AzSentinelIncident" ], "FullCommandName": [ "Get-AzSentinelIncident_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -100,27 +100,27 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11930" ], - "x-ms-request-id": [ "2027722e-3c68-4802-a04f-59d219757d68" ], - "x-ms-correlation-request-id": [ "2027722e-3c68-4802-a04f-59d219757d68" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183335Z:2027722e-3c68-4802-a04f-59d219757d68" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11927" ], + "x-ms-request-id": [ "b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], + "x-ms-correlation-request-id": [ "b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160903Z:b9e86a33-7c0b-464e-9d5c-c07aacdf7a27" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:34 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:02 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1208" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200370b-0000-0100-0000-62e425d30000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a007051-0000-0100-0000-62fbbf000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"New\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncident+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"severity\": \"Informational\",\n \"status\": \"Active\",\n \"title\": \"IncidentTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -137,19 +137,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "491" ], - "x-ms-request-id": [ "e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], - "x-ms-correlation-request-id": [ "e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183335Z:e457cf1e-0ac2-43aa-8fde-35858db68a3f" ], + "x-ms-request-id": [ "b9b1ff32-ee81-4645-ac03-25f058841ab9" ], + "x-ms-correlation-request-id": [ "b9b1ff32-ee81-4645-ac03-25f058841ab9" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160903Z:b9b1ff32-ee81-4645-ac03-25f058841ab9" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:35 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:03 GMT" ] }, "ContentHeaders": { "Content-Length": [ "1211" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"name\":\"25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"etag\":\"\\\"1200e90b-0000-0100-0000-62e427ff0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-07-29T18:33:35.5908141Z\",\"createdTimeUtc\":\"2022-07-29T18:24:19.3733002Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471
f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"name\":\"c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"etag\":\"\\\"4a00ce52-0000-0100-0000-62fbc11f0000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents\",\"properties\":{\"title\":\"IncidentTest\",\"severity\":\"Informational\",\"status\":\"Active\",\"owner\":{\"objectId\":null,\"email\":null,\"assignedTo\":null,\"userPrincipalName\":null,\"ownerType\":null},\"labels\":[],\"lastModifiedTimeUtc\":\"2022-08-16T16:09:03.3227334Z\",\"createdTimeUtc\":\"2022-08-16T16:00:00.5994057Z\",\"incidentNumber\":11,\"additionalData\":{\"alertsCount\":0,\"bookmarksCount\":0,\"commentsCount\":0,\"alertProductNames\":[],\"tactics\":[]},\"relatedAnalyticRuleIds\":[],\"incidentUrl\":\"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/c259dc23-cd2e-4b7f-bd9d-286e7cae6366\",\"providerName\":\"Azure Sentinel\",\"providerIncidentId\":\"11\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json index 2040eea7b838..4c3916bbba17 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentComment.Recording.json 
@@ -1,8 +1,8 @@ { - "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -19,31 +19,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "5bb7fbc7-f221-4767-b919-7068c51aac09" ], - "x-ms-correlation-request-id": [ "5bb7fbc7-f221-4767-b919-7068c51aac09" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183336Z:5bb7fbc7-f221-4767-b919-7068c51aac09" ], + "x-ms-request-id": [ "5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], + "x-ms-correlation-request-id": [ "5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160904Z:5a3e2c46-83b4-4873-9c41-2adf1bd8200b" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ea0b-0000-0100-0000-62e428000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:36.6408694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00cf52-0000-0100-0000-62fbc1200000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:04.6584476Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "318" ], - "x-ms-client-request-id": [ "d7ba1f36-786a-45ef-9a57-3f61204a5b40" ], + "x-ms-unique-id": [ "319" ], + "x-ms-client-request-id": [ "03c94171-f512-4113-bc5d-0e7963c3ef42" ], "CommandName": [ "Get-AzSentinelIncidentComment" ], "FullCommandName": [ "Get-AzSentinelIncidentComment_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -60,26 +60,26 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "496" ], - "x-ms-request-id": [ "c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], - "x-ms-correlation-request-id": [ "c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183336Z:c02c524d-a2f7-4b0d-905b-91ddf3679bd5" ], + "x-ms-request-id": [ "12b64c63-a857-4546-9af5-97cb7a33acfc" ], + "x-ms-correlation-request-id": [ "12b64c63-a857-4546-9af5-97cb7a33acfc" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160904Z:12b64c63-a857-4546-9af5-97cb7a33acfc" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ea0b-0000-0100-0000-62e428000000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:36.6408694Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00cf52-0000-0100-0000-62fbc1200000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:04.6584476Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview+2": { + "Update-AzSentinelIncidentComment+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/comments/8b70f251-25ad-4599-b45c-72c283b93732?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/71e8df01-919c-45c1-b526-bc145e411eee/comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434?api-version=2021-09-01-preview", "Content": "{\n \"properties\": {\n \"message\": \"UpdateIncidentCommentPSTest\"\n }\n}", "isContentBase64": false, "Headers": { 
@@ -96,19 +96,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "14dde734-0074-45ed-b10c-d31739690936" ], - "x-ms-correlation-request-id": [ "14dde734-0074-45ed-b10c-d31739690936" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183337Z:14dde734-0074-45ed-b10c-d31739690936" ], + "x-ms-request-id": [ "51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], + "x-ms-correlation-request-id": [ "51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160905Z:51a1fb01-a5e9-4b54-8d06-5f13b90570e1" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:36 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:04 GMT" ] }, "ContentHeaders": { "Content-Length": [ "762" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/a0b8657f-5c36-4cb2-8952-f90affa7e0da/Comments/8b70f251-25ad-4599-b45c-72c283b93732\",\"name\":\"8b70f251-25ad-4599-b45c-72c283b93732\",\"etag\":\"\\\"1200ec0b-0000-0100-0000-62e428010000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-07-29T18:26:28.7906687Z\",\"lastModifiedTimeUtc\":\"2022-07-29T18:33:37.2234532Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/71e8df01-919c-45c1-b526-bc145e411eee/Comments/7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"name\":\"7d4f4a64-ca42-4ab7-8385-f9c2b4d63434\",\"etag\":\"\\\"4a00d152-0000-0100-0000-62fbc1210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/Comments\",\"properties\":{\"message\":\"UpdateIncidentCommentPSTest\",\"createdTimeUtc\":\"2022-08-16T16:02:15.7412299Z\",\"lastModifiedTimeUtc\":\"2022-08-16T16:09:05.0898616Z\",\"author\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\",\"userPrincipalName\":\"nicholas@zeronetworks.com\"}}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json index 640ad1deba43..649bc3f4d93c 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Recording.json 
@@ -1,15 +1,15 @@ { - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:33:38.0510972Z\",\n \"queryStartTime\": \"2022-07-29T18:33:38.0508576Z\",\n \"queryEndTime\": \"2022-07-28T18:33:38.0509851Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNames06o1l\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:09:05.6524552Z\",\n \"queryStartTime\": \"2022-08-16T16:09:05.6522030Z\",\n \"queryEndTime\": 
\"2022-08-15T16:09:05.6523413Z\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "271" ] + "Content-Length": [ "280" ] } }, "Response": { 
@@ -19,27 +19,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1185" ], - "x-ms-request-id": [ "c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], - "x-ms-correlation-request-id": [ "c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183338Z:c1bcb13e-85ca-4ac0-bb10-bb50334dec43" ], + "x-ms-request-id": [ "054f7859-c0f1-4b37-85b1-db0fb165afc6" ], + "x-ms-correlation-request-id": [ "054f7859-c0f1-4b37-85b1-db0fb165afc6" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160905Z:054f7859-c0f1-4b37-85b1-db0fb165afc6" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:37 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:05 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1058" ], + "Content-Length": [ "1066" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\",\"name\":\"2b33e875-e817-46eb-8e55-c965e2be515d\",\"etag\":\"\\\"0100e793-0000-0100-0000-62e428020000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2022-07-29T18:33:38.2379258+00:00\",\"updated\":\"2022-07-29T18:33:38+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:38.0510972+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2022-07-29T18:33:38.0508576+00:00\",\"queryEndTime\":\"2022-07-28T18:33:38.0509851+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"name\":\"7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"etag\":\"\\\"3c00cc8c-0000-0100-0000-62fbc1210000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNames06o1l\",\"created\":\"2022-08-16T16:09:05.8209288+00:00\",\"updated\":\"2022-08-16T16:09:05+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:09:05.6524552+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-16T16:09:05.652203+00:00\",\"queryEndTime\":\"2022-08-15T16:09:05.6523413+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncidentRelation+[NoContext]+UpdateExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2?api-version=2021-09-01-preview+2": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -55,33 +55,33 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "498" ], - "x-ms-request-id": [ "90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], - "x-ms-correlation-request-id": [ "90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183338Z:90a590bb-a5d7-4b55-b836-f25b8aec3cd2" ], + "x-ms-request-id": [ "10075444-109a-460b-b89d-7c5eb6c75174" ], + "x-ms-correlation-request-id": [ "10075444-109a-460b-b89d-7c5eb6c75174" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:10075444-109a-460b-b89d-7c5eb6c75174" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:05 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/bf284b9a-a101-4094-9387-503fd6afb8db/relations/986b271a-b0de-4c02-bb6a-f7df9e484025\",\"name\":\"986b271a-b0de-4c02-bb6a-f7df9e484025\",\"etag\":\"\\\"1200ee0b-0000-0100-0000-62e428020000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/2b33e875-e817-46eb-8e55-c965e2be515d\",\"relatedResourceName\":\"2b33e875-e817-46eb-8e55-c965e2be515d\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/20c587be-2ccb-4fd4-aea6-cce3754722dd/relations/f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"name\":\"f56dcb87-d5c9-4996-9916-6502828a3ae2\",\"etag\":\"\\\"4a00d352-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"relatedResourceName\":\"7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2?api-version=2021-09-01-preview+1": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821?api-version=2021-09-01-preview+1": { "Request": { "Method": "PUT", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2?api-version=2021-09-01-preview", - "Content": 
"{\n \"properties\": {\n \"displayName\": \"UpdateIncidentRelationPSTest\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-07-29T18:33:38.9917405Z\",\n \"queryStartTime\": \"2022-07-29T18:33:38.9913533Z\",\n \"queryEndTime\": \"2022-07-28T18:33:38.9915748Z\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"displayName\": \"NewincidentRelationBookmarkNameszf359\",\n \"query\": \"SecurityEvent\\\\n| take 1\",\n \"eventTime\": \"2022-08-16T16:09:06.1743564Z\",\n \"queryStartTime\": \"2022-08-16T16:09:06.1737787Z\",\n \"queryEndTime\": \"2022-08-15T16:09:06.1741808Z\"\n }\n}", "isContentBase64": false, "Headers": { }, "ContentHeaders": { "Content-Type": [ "application/json" ], - "Content-Length": [ "271" ] + "Content-Length": [ "280" ] } }, "Response": { 
@@ -91,31 +91,31 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-writes": [ "1184" ], - "x-ms-request-id": [ "f0330b95-6a69-4854-aa36-54eb2bf196ee" ], - "x-ms-correlation-request-id": [ "f0330b95-6a69-4854-aa36-54eb2bf196ee" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183339Z:f0330b95-6a69-4854-aa36-54eb2bf196ee" ], + "x-ms-request-id": [ "79033b04-a0b5-4039-8ac5-35516ccd31ee" ], + "x-ms-correlation-request-id": [ "79033b04-a0b5-4039-8ac5-35516ccd31ee" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:79033b04-a0b5-4039-8ac5-35516ccd31ee" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] }, "ContentHeaders": { - "Content-Length": [ "1058" ], + "Content-Length": [ "1067" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\",\"name\":\"958cde12-71d3-4587-b971-d45a8aad36e2\",\"etag\":\"\\\"0100e993-0000-0100-0000-62e428030000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"UpdateIncidentRelationPSTest\",\"created\":\"2022-07-29T18:33:39.1230505+00:00\",\"updated\":\"2022-07-29T18:33:39+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-07-29T18:33:38.9917405+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 
1\",\"queryStartTime\":\"2022-07-29T18:33:38.9913533+00:00\",\"queryEndTime\":\"2022-07-28T18:33:38.9915748+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"name\":\"71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"etag\":\"\\\"3c00ce8c-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Bookmarks\",\"properties\":{\"displayName\":\"NewincidentRelationBookmarkNameszf359\",\"created\":\"2022-08-16T16:09:06.3276662+00:00\",\"updated\":\"2022-08-16T16:09:06+00:00\",\"createdBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"updatedBy\":{\"objectId\":\"9419133c-aaf2-4fe6-b8d9-dd32829396b9\",\"email\":\"nicholas@zeronetworks.com\",\"name\":\"Nicholas DiCola\"},\"eventTime\":\"2022-08-16T16:09:06.1743564+00:00\",\"labels\":[],\"query\":\"SecurityEvent\\\\n| take 1\",\"queryStartTime\":\"2022-08-16T16:09:06.1737787+00:00\",\"queryEndTime\":\"2022-08-15T16:09:06.1741808+00:00\",\"incidentInfo\":{\"incidentId\":null,\"title\":null,\"relationName\":null,\"severity\":null}}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview+2": { + 
"Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "323" ], - "x-ms-client-request-id": [ "a25d4a92-9bbf-455a-96d3-66c455f4e6bc" ], + "x-ms-unique-id": [ "324" ], + "x-ms-client-request-id": [ "48672146-5308-4b13-8cbc-22125c1697ef" ], "CommandName": [ "Get-AzSentinelIncidentRelation" ], "FullCommandName": [ "Get-AzSentinelIncidentRelation_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -132,27 +132,27 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "494" ], - "x-ms-request-id": [ "a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], - "x-ms-correlation-request-id": [ "a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183339Z:a547f32e-c4ca-4a1b-94a5-2b76657b21eb" ], + "x-ms-request-id": [ "f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], + "x-ms-correlation-request-id": [ "f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:f77cc0e8-f5c9-4670-a240-d83bc75519c5" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:38 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a\",\"name\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"etag\":\"\\\"12009b0b-0000-0100-0000-62e427110000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"relatedResourceName\":\"90ad9f1f-1d2d-4360-b617-cf345b5c4f58\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"name\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"etag\":\"\\\"4a005452-0000-0100-0000-62fbc0450000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/00406d21-02f5-485c-a859-19a592ab3f1b\",\"relatedResourceName\":\"00406d21-02f5-485c-a859-19a592ab3f1b\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } }, - "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview+3": { + "Update-AzSentinelIncidentRelation+[NoContext]+UpdateViaIdentityExpanded+$PUT+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview+3": { "Request": { "Method": "PUT", - "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a?api-version=2021-09-01-preview", - "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\"\n }\n}", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4?api-version=2021-09-01-preview", + "Content": "{\n \"properties\": {\n \"relatedResourceId\": \"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\"\n }\n}", "isContentBase64": false, "Headers": { }, 
@@ -168,19 +168,19 @@ "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], "x-ms-ratelimit-remaining-subscription-resource-requests": [ "497" ], - "x-ms-request-id": [ "0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], - "x-ms-correlation-request-id": [ "0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183340Z:0f225807-900e-4a3c-9720-b6ab5ae5ccf4" ], + "x-ms-request-id": [ "11467e20-3139-46d4-9df4-b71b723b0506" ], + "x-ms-correlation-request-id": [ "11467e20-3139-46d4-9df4-b71b723b0506" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160906Z:11467e20-3139-46d4-9df4-b71b723b0506" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:39 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:06 GMT" ] }, "ContentHeaders": { "Content-Length": [ "828" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Incidents/854d68b0-7cef-4c43-a0f3-03df09f60906/relations/da90eff1-20a8-49a2-8392-57e18de4707a\",\"name\":\"da90eff1-20a8-49a2-8392-57e18de4707a\",\"etag\":\"\\\"1200ef0b-0000-0100-0000-62e428040000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/Bookmarks/958cde12-71d3-4587-b971-d45a8aad36e2\",\"relatedResourceName\":\"958cde12-71d3-4587-b971-d45a8aad36e2\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", + "Content": 
"{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Incidents/e6be0e56-c636-4b4b-9793-6f3c0f345a46/relations/903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"name\":\"903fe51d-b375-49c3-bf17-02b25fab1aa4\",\"etag\":\"\\\"4a00d452-0000-0100-0000-62fbc1220000\\\"\",\"type\":\"Microsoft.SecurityInsights/Incidents/relations\",\"properties\":{\"relatedResourceId\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/Bookmarks/71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"relatedResourceName\":\"71b34ee4-7c1a-4508-82a4-1d59250f7821\",\"relatedResourceType\":\"Microsoft.SecurityInsights/Bookmarks\"}}", "isContentBase64": false } } diff --git a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 index c07f502822e3..c082af27030e 100644 --- a/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelIncidentRelation.Tests.ps1 
@@ -17,7 +17,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelIncidentRela Describe 'Update-AzSentinelIncidentRelation' { It 'UpdateExpanded' { $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` - -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` + -Id $env.UpdateincidentRelationBookmarkId2 -WorkspaceName $env.workspaceName -DisplayName $env.UpdateincidentRelationBookmarkName2 -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incidentRelation = Update-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -IncidentId $env.UpdateincidentRelationIncidentId -RelationName $env.UpdateincidentRelationId -RelatedResourceId $bookmark.Id @@ -26,7 +26,7 @@ Describe 'Update-AzSentinelIncidentRelation' { It 'UpdateViaIdentityExpanded' { $bookmark = New-AzSentinelBookmark -ResourceGroupName $env.resourceGroupName ` - -WorkspaceName $env.workspaceName -DisplayName "UpdateIncidentRelationPSTest" -Query "SecurityEvent\n| take 1" ` + -Id $env.UpdateViaIdincidentRelationBookmarkId2 -WorkspaceName $env.workspaceName -DisplayName $env.UpdateViaIdincidentRelationBookmarkName2 -Query "SecurityEvent\n| take 1" ` -QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime() -EventTime (get-date).ToUniversalTime() $incidentRelation = Get-AzSentinelIncidentRelation -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName ` -IncidentId $env.UpdateViaIdincidentRelationIncidentId -RelationName $env.UpdateViaIdincidentRelationId diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json index b7a6cb1ed7c0..ad56b2b6f514 100644 
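Review bot: The bookmark created on the `$bookmark = New-AzSentinelBookmark` line of both `It` blocks is given a query window whose end precedes its start — `-QueryStartTime (get-date).ToUniversalTime() -QueryEndTime (get-date).AddDays(-1).ToUniversalTime()` puts QueryEndTime one day before QueryStartTime. Those arguments are context lines the commit does not touch, but since the commit already reworks the bookmark arguments (env-supplied `-Id` and `-DisplayName` so the recording replays deterministically), this is the moment to swap them: `-QueryStartTime (get-date).AddDays(-1).ToUniversalTime() -QueryEndTime (get-date).ToUniversalTime()`. The recording above shows the relation PUT succeeding against the `UpdateViaIdincidentRelationBookmarkId2` bookmark, so the service appears to accept the inverted window and this is a fixture-correctness point rather than a failing test. Both `It` blocks continue past the hunk, so what is asserted on `$incidentRelation` is not visible here.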
--- a/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json +++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Recording.json @@ -1,13 +1,13 @@ { - "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { + "Update-AzSentinelSetting+[NoContext]+UpdateExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "327" ], - "x-ms-client-request-id": [ "1ece0edd-f135-4f0f-aa0f-dc3693e69543" ], + "x-ms-unique-id": [ "328" ], + "x-ms-client-request-id": [ "f875d77a-232d-4fec-8900-6a26242465fd" ], "CommandName": [ "get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -23,32 +23,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11928" ], - "x-ms-request-id": [ "bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], - "x-ms-correlation-request-id": [ "bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183342Z:bc546fa4-894c-4437-aab4-dfb7c037bbaf" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11925" ], + "x-ms-request-id": [ "79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], + "x-ms-correlation-request-id": [ "79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160908Z:79f1b651-bb33-460b-ad6b-d3a5769e56bb" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:42 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "785" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": 
"{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}},{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } }, - "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview+1": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", + "RequestUri": 
"https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "328" ], - "x-ms-client-request-id": [ "e3f536b7-01e8-4f0c-8044-922d995ea1ac" ], + "x-ms-unique-id": [ "329" ], + "x-ms-client-request-id": [ "631eac2c-0fc8-4f88-ba70-fea89ff43d08" ], "CommandName": [ "Get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_Get" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -64,32 +64,32 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11927" ], - "x-ms-request-id": [ "01d5e178-8826-4968-bef3-81ee57d98191" ], - "x-ms-correlation-request-id": [ "01d5e178-8826-4968-bef3-81ee57d98191" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183343Z:01d5e178-8826-4968-bef3-81ee57d98191" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11924" ], + "x-ms-request-id": [ "3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], + "x-ms-correlation-request-id": [ "3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160909Z:3e8fd1c9-37d6-4873-8640-b53d0acf0c47" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:42 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:08 GMT" ] }, "ContentHeaders": { "Content-Length": [ "383" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"10001a5a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", + "Content": "{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/EyesOn\",\"name\":\"EyesOn\",\"etag\":\"\\\"300268ed-0000-0300-0000-62fbb75e0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"EyesOn\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}", "isContentBase64": false } }, - 
"Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { + "Update-AzSentinelSetting+[NoContext]+UpdateViaIdentityExpanded+$GET+https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview+2": { "Request": { "Method": "GET", - "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", + "RequestUri": "https://management.azure.com/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings?api-version=2021-09-01-preview", "Content": null, "isContentBase64": false, "Headers": { - "x-ms-unique-id": [ "331" ], - "x-ms-client-request-id": [ "2dbc230b-8823-4010-8f7d-5809fcf0e952" ], + "x-ms-unique-id": [ "332" ], + "x-ms-client-request-id": [ "668d2abd-0bca-4827-8389-393e0d21fbae" ], "CommandName": [ "get-AzSentinelSetting" ], "FullCommandName": [ "Get-AzSentinelSetting_List" ], "ParameterSetName": [ "__AllParameterSets" ], 
@@ -105,20 +105,20 @@ "Cache-Control": [ "no-cache" ], "Pragma": [ "no-cache" ], "Server": [ "Kestrel" ], - "x-ms-ratelimit-remaining-subscription-reads": [ "11925" ], - "x-ms-request-id": [ "adb5a825-d88c-4d43-bfd2-8dba814ac337" ], - "x-ms-correlation-request-id": [ "adb5a825-d88c-4d43-bfd2-8dba814ac337" ], - "x-ms-routing-request-id": [ "EASTUS2:20220729T183344Z:adb5a825-d88c-4d43-bfd2-8dba814ac337" ], + "x-ms-ratelimit-remaining-subscription-reads": [ "11922" ], + "x-ms-request-id": [ "74ad974d-81ed-46c3-a154-b989adda32ba" ], + "x-ms-correlation-request-id": [ "74ad974d-81ed-46c3-a154-b989adda32ba" ], + "x-ms-routing-request-id": [ "EASTUS2:20220816T160910Z:74ad974d-81ed-46c3-a154-b989adda32ba" ], "Strict-Transport-Security": [ "max-age=31536000; includeSubDomains" ], "X-Content-Type-Options": [ "nosniff" ], - "Date": [ "Fri, 29 Jul 2022 18:33:43 GMT" ] + "Date": [ "Tue, 16 Aug 2022 16:09:10 GMT" ] }, "ContentHeaders": { "Content-Length": [ "401" ], "Content-Type": [ "application/json; charset=utf-8" ], "Expires": [ "-1" ] }, - "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"1000155a-0000-0300-0000-62e41cb50000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", + "Content": "{\"value\":[{\"id\":\"/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui/providers/Microsoft.SecurityInsights/settings/IPSyncer\",\"name\":\"IPSyncer\",\"etag\":\"\\\"300210ec-0000-0300-0000-62fbb75b0000\\\"\",\"type\":\"Microsoft.SecurityInsights/settings\",\"kind\":\"IPSyncer\",\"systemData\":{},\"properties\":{\"isEnabled\":true}}]}", "isContentBase64": false } } 
diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 index 43d3de433d63..7252b2afa025 100644 --- a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 +++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 @@ -16,14 +16,14 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelSetting')) Describe 'Update-AzSentinelSetting' { It 'UpdateExpanded' { - Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Disabled + Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Enabled $false $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName $sttings.Name | Should -Not -Contain "Anomalies" } It 'UpdateViaIdentityExpanded' { $setting = Get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName EyesOn - Update-AzSentinelSetting -InputObject $setting -Disabled + Update-AzSentinelSetting -InputObject $setting -Enabled $false $settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName $sttings.Name | Should -Not -Contain "EyesOn" } diff --git a/src/SecurityInsights/test/common.ps1 b/src/SecurityInsights/test/common.ps1 index edffa16c4fbd..04d816bd4d07 100644 --- a/src/SecurityInsights/test/common.ps1 +++ b/src/SecurityInsights/test/common.ps1 @@ -349,7 +349,7 @@ Function Create-BookmarkRelation{ $null = $env.Add(($PSVerb+'bookmarkRelationIncidentName'), $bookmarkRelationIncidentName) } } - + Function Create-EntityQuery{ [cmdletbinding()] Param( diff --git a/src/SecurityInsights/test/env.json b/src/SecurityInsights/test/env.json index e1a37f6f766e..efa1be3ca5b5 100644 --- a/src/SecurityInsights/test/env.json +++ b/src/SecurityInsights/test/env.json 
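Review bot: Both assertions in the Update-AzSentinelSetting.Tests.ps1 hunk read `$sttings.Name` while the variable assigned on the preceding line is `$settings`, so in Pester's default non-strict mode `$sttings` is `$null` and `$null | Should -Not -Contain "Anomalies"` passes vacuously — neither test actually verifies the setting was disabled. Change them to `$settings.Name | Should -Not -Contain "Anomalies"` and `$settings.Name | Should -Not -Contain "EyesOn"`; the recording above shows the settings list after the EyesOn update returns only IPSyncer, so the corrected assertion should hold on playback. The new `-Enabled $false` argument is only correct if `-Enabled` is declared `[bool]` in custom/Update-AzSentinelSetting.ps1 (outside this view); if it is a `[switch]`, `-Enabled $false` sets the switch and passes `$false` positionally, i.e. the test would enable rather than disable, and `-Enabled:$false` is the safe spelling. The `Describe` block starts and ends outside the hunk.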
@@ -1,182 +1,226 @@ { - "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRules3o6wd", - "GetAutomationRuleId": "2f630cbc-756d-4cfc-a1e8-95ccdaf5253e", - "RemovethreatIntelligenceIndicatorId": "aba922f2-cd9e-75df-4232-a8d47c94bc03", - "RemoveBookmarkRelationIncidentId": "d30f1432-3e76-4b4b-bb30-f62eb4ee3611", - "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamern5xam", - "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRuledlcn6a", - "GetincidentCommentId": "15f33241-6289-4a35-a84a-ae4d9f5f0d31", - "GetBookmarkRelationName": "GetbookmarkRelationkygt9n", - "RemoveViaIdincidentRelationBookmarkId": "e4d28edd-4f20-45f9-9c8c-6b7e97f4fa8a", - "UpdateBookmarkName": "Updatebookmarkdytufp", - "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRules7my5u", - "UpdateincidentRelationBookmarkId": "f2f5a5bb-f894-4441-b6c7-b7c9d95193d1", - "RemoveViaIdincidentId": "4adb65b9-7def-47bb-9594-c1e1ca284952", - "RemovebookmarkRelationBookmarkId": "3e29d94a-e491-42d0-97d4-7a7f3e4725b4", - "bookmarkExpansionId": "5ce54bfd-c953-41af-9ce6-04fe8382569b", - "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator2fbu57", - "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatorftrdne", - "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivitylr70cb", - "Tenant": "d6eebbdd-d77c-465e-b008-4339027b4006", - "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamey5sjd6", - "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkName0eyhda", - "GetincidentName": "Getincidental5x9z", - "UpdateViaIdAlertRuleActionId": "b3c6275b-ed98-4d51-a0f1-17c00cdbefd8", - "UpdateAlertRuleId": "a47d38eb-4d52-4b54-afaf-3f5ac2f847f9", - "UpdateViaIdthreatIntelligenceIndicatorId": "4b4270c1-7b75-b9ba-58c7-b8420b7e6291", - "RemoveincidentCommentName": "RemoveincidentComment35ly2k", - "workspaceName": "asptest1qlb2s", - "RemoveViaIdincidentRelationIncidentId": "095d8360-b30b-4f75-804d-8837b78db3ed", - 
"UpdateincidentCommentName": "UpdateincidentCommentzfpjdm", - "UpdateBookmarkRelationName": "UpdatebookmarkRelationfcns4a", - "RemoveincidentCommentIncidentId": "08556638-7485-4a5e-afda-02c5f77474d7", - "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentName01bqho", - "UpdatebookmarkRelationBookmarkId": "9b38dab1-2c2e-4c71-809d-95301194aa91", - "UpdateViaIdBookmarkId": "f73c7f57-f526-4119-9dc6-07c693c5309b", - "UpdateViaIdincidentId": "25b19fe9-0ff9-4267-8faa-ac26e7c7c6ae", - "RemoveViaIdalertRuleActionRuleId": "61843a21-8ee0-4c56-bb89-a4a9b306b43d", - "ExpandBookmarkName": "Expandbookmarko9kf32", - "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelation7ncqz2", - "RemoveAlertRuleActionId": "f6e536dc-b77c-422c-b349-a58813fc9f17", - "GetbookmarkRelationBookmarkId": "72c19fb6-dca6-4381-9175-229d52e8908a", - "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorlzk6wg", - "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleName9zg8ih", - "GetincidentId": "1db90f1b-ef78-4f10-afb8-7dc242e09ba1", - "RemoveentityQueryActivityId": "27d20f12-f14e-48ae-a17a-51e823a08d54", - "GetincidentRelationBookmarkId": "e809aa96-66b0-4c25-83cc-f6a969445995", - "RemoveAutomationRuleId": "632f22f0-6b77-433b-bc93-6e56ae21a844", - "RemoveincidentRelationId": "33ce22e5-46d5-4249-9e1a-06495ad77a1a", - "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamelv8k2z", - "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNametyup2k", - "UpdateincidentId": "c98e79b2-3851-4fe2-be7b-d02281b03ea8", - "Playbook4LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", - "RemoveincidentName": "Removeincidenti4dljg", - "Playbook3TriggerUrl": 
"https://prod-24.centralus.logic.azure.com:443/workflows/ab40a6a85a1740e6afde7c424b958360/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=kr0Vgz_1AOwo76EyJZOQH02w-49rIjGhEWCffgZeJKs", - "GetthreatIntelligenceIndicatorIP": "8.8.8.1", - "location": "Central US", - "RemoveAlertRuleName": "RemoveAlertRulex6lvwk", - "UpdateViaIdbookmarkRelationBookmarkId": "04b58a5a-2a5e-47e2-9c22-3cd6229599ec", - "UpdateViaIdincidentRelationId": "da90eff1-20a8-49a2-8392-57e18de4707a", - "GetalertRuleActionRuleId": "28d676f4-c9d3-465b-a7bf-b359b492f49d", - "GetincidentRelationName": "GetincidentRelationName86qok5", - "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", - "UpdateViaIdincidentRelationBookmarkId": "90ad9f1f-1d2d-4360-b617-cf345b5c4f58", - "UpdateincidentRelationId": "986b271a-b0de-4c02-bb6a-f7df9e484025", - "GetincidentCommentName": "GetincidentComment7wxaop", - "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicator3o7nfw", - "GetAlertRuleName": "GetAlertRuler93k8j", - "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamekax1li", - "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkName32qtdl", - "workspaceResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.OperationalInsights/workspaces/asptest1qlb2s", - "GetBookmarkRelationIncidentId": "e31f4f52-858c-4a29-bacc-b0b91ca86f43", - "UpdateincidentRelationIncidentId": "bf284b9a-a101-4094-9387-503fd6afb8db", - "UpdateBookmarkRelationId": "382966e8-f4b2-444c-b4e8-514194ff8544", - "RemoveViaIdincidentCommentIncidentId": "39c25766-18b0-4620-9a63-3dfb2144ddd9", - "UpdateincidentName": "Updateincidentjspby6", - "UpdateViaIdBookmarkRelationIncidentId": "75bd63a7-0ac6-4f43-8a15-18ff73172bb5", - "UpdateViaIdincidentCommentId": "c6f306f8-0304-4f4d-8176-59df16a692fa", - 
"RemoveBookmarkRelationId": "edcd0fb3-81ce-42e0-b54f-e753ea3c6fdb", - "GetAutomationRule": "GetAutomationRulemisk67", - "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentNameqm47li", - "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentximhku", - "RemoveAutomationRule": "RemoveAutomationRuletdnlpa", - "newOnboardingStateWS": "asptest5jhi0p", - "workspaceId": "24e84d4f-281e-4a2d-8963-f554a6812d57", - "RemoveincidentRelationBookmarkId": "5c0c39f4-96c8-4054-8b78-69edbf33a92f", - "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName0rvjph", - "UpdateBookmarkId": "8a947749-f012-465f-b5fd-cb60e5eae27d", - "GetalertRuleActionRuleName": "GetalertRuleActionRuleNamelboi79", - "GetthreatIntelligenceIndicatorId": "bd45b979-3f35-b698-a82a-23f3058f60bc", - "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkName0wac48", - "RemoveViaIdAutomationRuleId": "c3503a3a-93d6-4aa8-b557-d2f4ac6cfa00", + "GetBookmarkRelationId": "01c3e510-2a6e-4d12-8289-7e039cd8af1e", + "UpdateAlertRuleId": "e96e7960-a8a9-47a9-91f1-4207f5f82d88", + "GetAutomationRuleId": "83662309-d398-4ec5-b6e7-d70c75bb78ac", "SubscriptionId": "51a36d38-3b14-471f-8dde-a5867f5e51eb", - "UpdatethreatIntelligenceIndicatorId": "a40d90cd-3425-dcc7-87c9-8c9298f3641d", - "UpdateAutomationRule": "UpdateAutomationRulek1wb4p", - "GetincidentRelationIncidentName": "GetincidentRelationIncidentNamentimyo", - "RemoveViaIdBookmarkRelationId": "3416cbe9-ea30-4e98-aead-419270c45bf8", - "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentName5jgmqo", + "RemoveViaIdalertRuleActionRuleId": "e5a90aef-2e88-486c-a745-66f415230a61", + "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkName635lxu", + "UpdateBookmarkRelationName": "UpdatebookmarkRelationkd4b3g", + "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentNames9xv50", + "UpdatealertRuleActionRuleId": 
"f04b319e-dc64-427b-8640-eef21b6fb5cd", + "RemoveViaIdincidentId": "fdc66a29-9153-4079-894f-9d92f19fb0d9", + "UpdateViaIdBookmarkRelationId": "5c7863c4-3fba-4c60-87f0-88e5c33a5df8", + "NewBookmarkRelationId": "f26c73a8-917d-4364-842e-8de0d3e9153b", + "NewDataConnectorId": "5fcca10d-4c38-42a7-b811-a33d367ef23f", + "NewincidentRelationName": "NewincidentRelationNamedwfay2", + "UpdateViaIdincidentRelationBookmarkName2": "NewincidentRelationBookmarkNameszf359", + "Playbook2LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", + "RemoveentityQueryActivityName": "RemoveentityQueryActivitye79b50", + "GetBookmarkRelationIncidentId": "7feca4d4-3414-403b-96ad-4cb1d105fec2", + "RemoveincidentId": "3c0d63a6-5274-4c2c-82fa-d209415ca9bf", + "UpdateAlertRuleName": "UpdateAlertRulejkg1z9", + "UpdateincidentRelationIncidentId": "20c587be-2ccb-4fd4-aea6-cce3754722dd", + "NewalertRuleActionRuleId": "257e1543-c5bf-47a0-a346-35a29c8a0d71", + "NewincidentCommentIncidentName": "NewincidentCommentIncident0xng1h", + "location": "Central US", + "RemoveincidentCommentName": "RemoveincidentCommenteny0g2", + "solarigateRuleGuid": "05cd1abd-2426-4d7e-be8a-cda489ed9cce", + "RemoveViaIdBookmarkRelationId": "c77c1bd8-ffc8-4467-a549-e9114f8913d8", + "RemoveViaIdBookmarkRelationIncidentId": "62ce8785-21b2-4262-be4d-5208b35d255a", + "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNamea597s0", + "NewincidentCommentId": "e0d62b0f-55ba-423c-bd1c-13d72489e2c6", + "RemoveAlertRuleActionId": "91ce8ce7-c028-4a76-8271-ae20f477ed35", + "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRuler0cz6k", + "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName9ayfhe", + "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNametq71f5", + "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentName5g6qnd", + "RemoveBookmarkRelationId": 
"ef983c5e-fe25-44b2-ad14-f37a30558d24", + "UpdateViaIdAlertRuleId": "658a3691-0950-4176-bc12-e3e4d4b52335", "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", - "ExpandBookmarkId": "2aadadc6-6e10-4a92-99df-4ac9c6ebdb6c", - "RemoveBookmarkRelationName": "RemovebookmarkRelationx31quz", - "UpdateincidentRelationName": "UpdateincidentRelationNamer9x8f6", - "GetincidentRelationId": "38ffa7b2-a413-4ab4-979f-8ec4ca096552", - "RemoveincidentId": "6bc1d179-d8b5-45ee-82d8-dc7f59b9168a", - "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", - "RemoveincidentRelationIncidentId": "da728eb4-6e7e-4be8-8397-cb2b45877bf9", - "UpdateViaIdalertRuleActionRuleId": "1190f2a9-3661-474d-8c8a-cc808bce7b2e", - "UpdateentityQueryActivityName": "UpdateentityQueryActivityuzypgr", - "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNamejdsg8m", - "RemoveViaIdincidentCommentId": "1130726d-fadf-4bc2-a3c4-b4b78c20c22a", - "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNameu6v1fs", - "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNamea5qvsi", - "UpdateAlertRuleName": "UpdateAlertRulet0r6jh", - "RemoveincidentRelationName": "RemoveincidentRelationNamewj4fdx", - "RemoveViaIdBookmarkRelationIncidentId": "68159ff1-4122-4fc3-9152-8bf489a4304d", - "RemoveViaIdBookmarkId": "1064e218-7849-4caf-993c-93373d0c6ce5", - "RemoveViaIdincidentRelationId": "fa2cc2d8-13f8-4ea6-b2ce-6fdea28a0790", - "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamegnwkmx", - "UpdateViaIdBookmarkRelationId": "c36ddb20-11ec-4179-a995-51e6fcfd1e58", - "RemoveViaIdincidentName": "RemoveViaIdincidentomsla7", - "RemoveBookmarkId": "a8dfd8ae-256a-44fb-a72c-0fb43307c128", - "disabledRuleGuid": "5c8dc0ac-8808-40f3-a6b4-1401369a9e1e", - "UpdateAlertRuleActionId": "542659a3-3a74-4d87-8e04-a0e4fcbd5537", - "RemoveentityQueryActivityName": "RemoveentityQueryActivity0xhu5l", - "GetAlertRuleId": "a7f0377a-a2ab-4a1c-9103-f59066cc6c61", - 
"RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicator8hwpzl", - "UpdateincidentCommentId": "8b70f251-25ad-4599-b45c-72c283b93732", - "UpdateAutomationRuleId": "5d9b905b-1fc5-459f-b9fd-5836c565dc34", - "RemoveViaIdentityQueryActivityId": "56d115fc-3330-4d1a-82ce-c92ec67f38d6", - "updateDataConnectorId": "0c45acce-4689-4024-8bfa-4ff3b300e29a", - "RemoveBookmarkName": "Removebookmarkbu2rns", - "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", - "Playbook1LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", - "GetincidentRelationIncidentId": "ccca6513-b2b1-46be-925b-40f25e28a448", - "UpdateentityQueryActivityId": "27b638f3-fbfb-4387-bb6a-353001b9794a", - "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamej8c2iu", - "Playbook2LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", - "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNamem6df2w", - "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamebokia1", - "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkdr69tz", - "Playbook3LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstestt6jdws/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", + "UpdateincidentRelationBookmarkId": "16d92023-404a-4ccb-8e88-9c0522e53419", + "RemoveViaIdincidentRelationId": "95c1d6e0-5c11-4329-b715-f24c959f7b04", + "RemoveDataConnectorIdInputObject": "e5723525-11fc-45ee-901a-09bef4dcf3df", + "GetthreatIntelligenceIndicatorIP": "8.8.8.1", + "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRule81exqs", + "GetAlertRuleId": "cab7d557-3de0-4043-8dd4-b83629755ab8", + "GetincidentRelationIncidentId": "524da4fb-3888-4446-9e92-12183ac2eaab", + "RemoveincidentName": "Removeincidentaf1btc", + 
"RemoveBookmarkId": "08b39573-4a73-4ac3-a733-8cd78a538c72", + "GetincidentId": "3342699a-d07d-4c2d-964a-49e90b5c1e9f", + "UpdateViaIdalertRuleActionRuleId": "90b62f2e-9b96-4bfb-a82a-5ceed7cd487e", + "RemoveViaIdBookmarkName": "RemoveViaIdbookmark1daqtg", + "ASIServicePrinicpal": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84", + "Playbook4TriggerUrl": "https://prod-17.centralus.logic.azure.com:443/workflows/08a9eff4677d4ab08cdbd40f68db2e52/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=ZmEH11IXcDNFDzEynC2-Z9EtxQNMUefDV00M52nJChk", "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", - "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName17euac", - "UpdateViaIdAlertRuleId": "819c1dad-0658-4633-b80c-74cae574c0f7", - "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivitypltenj", - "UpdateViaIdAutomationRuleId": "21451d32-deaf-4698-9f46-8fc02bc5e632", - "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNameuxbzmh", - "RemoveincidentCommentId": "f81c3566-1019-43de-8cee-9ba0d8f53028", - "resourceGroupName": "aspstestt6jdws", - "RemoveViaIdAlertRuleActionId": "19e41336-dba7-4df1-94f6-075f34d10aae", - "mlRuleGuid": "75c9560c-ce08-4332-aa4a-0e675fc0b17c", + "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNamedz07r4", + "NewentityQueryActivityName": "NewentityQueryActivitydnieqc", + "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamewtphg4", + "GetalertRuleActionRuleName": "GetalertRuleActionRuleName2iy1g6", + "GetbookmarkRelationBookmarkId": "a1dded2a-ff31-44d4-b554-c43992597473", + "NewbookmarkRelationBookmarkName": "NewbookmarkRelationBookmarkNameo9bngs", + "UpdateViaIdBookmarkRelationIncidentId2": "219862bd-299b-4e98-8dd1-149a26b76dfe", + "GetAutomationRule": "GetAutomationRulewp8nv3", + "GetBookmarkId": 
"52f3c78c-cfbe-42f8-bc38-b87fc8a1d9af", + "workspaceResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.OperationalInsights/workspaces/asptest4wysui", + "UpdateBookmarkRelationId": "17cbbab8-7829-4e80-8775-f71ebcd2ceea", + "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNameconrl0", + "RemoveBookmarkRelationName": "RemovebookmarkRelationm7dx6k", + "NewincidentCommentIncidentId": "8633863a-bc7c-40b0-9ad1-59f72db97042", + "NewincidentTeamIncidentId": "4354e208-22e9-4185-b549-2f958633bed6", + "NewincidentRelationId": "f4dd61ae-4c28-40ed-9e41-2285e59ec616", + "RemoveViaIdentityQueryActivityName": "RemoveViaIdentityQueryActivity6ox1fr", + "NewincidentTeamIncidentName": "NewincidentTeamIncidentName1pg5hu", + "RemoveViaIdbookmarkRelationBookmarkId": "72eeef12-d9c9-43e4-9f0c-8b117465ccb9", + "ExpandBookmarkId": "378719c3-1c49-43c4-b5c6-21b943f2139e", + "UpdateViaIdincidentId": "c259dc23-cd2e-4b7f-bd9d-286e7cae6366", + "RemoveViaIdincidentName": "RemoveViaIdincidentye6ar7", + "mlRuleGuid": "e1b7c244-83f3-4fbd-b2c9-d08eaa704a85", + "RemoveincidentRelationBookmarkId": "47097af5-9e05-4584-9e64-99622ff06010", + "UpdateincidentName": "Updateincidentmxdhrz", + "RemovebookmarkRelationBookmarkId": "b3693620-4305-45cb-97f3-a6894f82288e", + "GetalertRuleActionRuleId": "3f8b701e-a084-40d7-8f4b-a6b1482e8cc2", + "workspaceId": "97475cd1-3a32-4e3c-89c4-6087e71316ed", + "GetincidentRelationId": "d8e7ac2f-7b68-4110-a408-6dda491cd5d0", + "GetincidentName": "Getincidenth95l60", + "UpdatebookmarkRelationBookmarkId": "a6be05a8-9ad5-44c4-89c5-a9df845dca7e", + "RemoveAutomationRule": "RemoveAutomationRule57nxry", + "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamebfrwvc", + "NewBookmarkName": "Newbookmarkq1l5sv", + "NewincidentRelationBookmarkName": "NewincidentRelationBookmarkNamefjwc8p", + "UpdateViaIdincidentRelationBookmarkId2": "71b34ee4-7c1a-4508-82a4-1d59250f7821", + 
"NewAlertRuleActionId": "9c045509-e461-450d-bf07-d550536d3d95", + "GetincidentCommentName": "GetincidentCommentcpthi1", + "RemovealertRuleActionRuleId": "7ebb90bb-a57a-42f6-8a23-a0393c176560", + "GetincidentCommentId": "fbb0c47c-a502-43d0-8a55-ee55a799bb1b", + "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamehp3sur", + "UpdateViaIdBookmarkId": "f568e39a-6323-41ca-ac8e-d240ea7d80f6", + "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationName4jcumi", + "GetentityQueryActivityName": "GetentityQueryActivitylu3sir", + "RemoveAutomationRuleId": "6e8b42ff-dab7-481f-b764-f853700cc536", + "NewAlertRuleName": "NewAlertRulel98w03", + "RemoveViaIdincidentCommentId": "e0931ced-55b8-4158-b9d7-16ba88c4936b", + "UpdateViaIdincidentCommentIncidentId": "b5e65719-0b65-4dd0-a4b0-da2bbad915a5", + "workspaceName": "asptest4wysui", + "NewincidentCommentName": "NewincidentCommentyo7r3v", + "NewalertRuleActionRuleName": "NewalertRuleActionRuleNamexmy37l", + "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationruvd20", + "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicatoro4mh0q", + "UpdateincidentId": "905e7dec-fd14-42df-9ed5-c4df09445158", + "disabledRuleGuid": "53274afe-2640-4c50-bd36-78c1c79f102c", + "RemoveDataConnectorId": "fee9b467-294d-476a-a02c-93f178b75533", + "GetincidentRelationName": "GetincidentRelationName8nzh36", + "UpdateViaIdbookmarkRelationIncidentName2": "NewbookmarkRelationIncidentName7zq8cv", + "UpdateBookmarkRelationIncidentId2": "260305a7-5d75-4eb9-bd1d-56d5bc54f96e", + "NewAutomationRule": "NewAutomationRuleaf2x1t", + "GetincidentRelationIncidentName": "GetincidentRelationIncidentName8sjnvu", + "NewbookmarkRelationBookmarkId": "d264025f-7598-40f3-8b21-a78f07d46056", + "GetincidentCommentIncidentId": "8b193352-f109-474f-84ce-3b3908d0e288", + "bookmarkExpansionId": "108e85be-884c-4957-9422-a91b04b9ae67", + "UpdateBookmarkName": "Updatebookmarkd4t6g3", + "UpdateentityQueryActivityId": 
"105c6ccb-e733-4602-ad28-20c44e2cf4ae", + "GetentityQueryActivityId": "5f4b614d-f1e7-46f5-a0f4-41e428c2237e", + "GetAlertRuleName": "GetAlertRulem37adr", + "UpdateAutomationRuleId": "904a62c7-a082-4674-a749-8dfae3498a35", + "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatorty5w74", + "NewBookmarkRelationIncidentId": "b9e4ef3a-221a-49dc-98d8-9bdf1faf8a4f", + "Playbook3LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", + "UpdateincidentCommentName": "UpdateincidentCommentgi1a7c", + "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentjd165a", + "updateDataConnectorId": "6d021fce-8f39-437c-9fb4-fc0a3794402d", + "UpdateincidentCommentIncidentId": "71e8df01-919c-45c1-b526-bc145e411eee", + "UpdatebookmarkRelationIncidentName2": "NewbookmarkRelationIncidentNamekefcy9", + "NewincidentId": "3eb00428-aed8-405a-a24b-b665c65173a1", + "RemoveBookmarkRelationIncidentId": "fba327a0-b301-4d1c-918c-23aec8e03323", + "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulef8mk3y", + "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", + "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationNamevahgl8", + "RemoveViaIdentityQueryActivityId": "a165eb76-24f9-47f4-92b2-1238aa5e4248", + "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", + "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkNamedven41", "RemoveViaIdthreatIntelligenceIndicatorId": "8bc7c1a2-ceb7-dea2-025b-a90dc873bf63", - "RemovealertRuleActionRuleId": "5259fc88-ad43-4c0f-8712-e276f794f08a", - "GetBookmarkRelationId": "eacf9694-518d-404c-85a0-6703db574c22", - "UpdateViaIdBookmarkName": "UpdateViaIdbookmarkpulz5j", - "UpdateViaIdincidentName": "UpdateViaIdincident68knyo", - "UpdateViaIdincidentRelationIncidentId": "854d68b0-7cef-4c43-a0f3-03df09f60906", - "dataConnectorId": "8fee2c52-7010-4d95-a6ce-eb73f2921e20", - 
"RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNameljqs90", - "UpdateViaIdincidentCommentIncidentId": "7141874b-1f5d-4bf7-9e25-bb748ff70946", - "Playbook1TriggerUrl": "https://prod-26.centralus.logic.azure.com:443/workflows/e25a9538589f4273ac4b33c4251b7af4/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=Hj0XFCgxJZSvdepbdqqkhAyUOVNJNiGHf8Sbpdvny6k", - "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentvuackw", - "GetBookmarkId": "cf23ef92-aa60-4e4a-9598-c30417b601db", - "Playbook2TriggerUrl": "https://prod-00.centralus.logic.azure.com:443/workflows/ed17f475ab554ad9ac3e67e6aee5a2d5/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=DLC4cfruVLDvzNIWR8pPUZlaSgMGuaPYXY42aYNj85w", - "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationkyfai8", - "UpdatealertRuleActionRuleId": "c3f83b09-6bfc-4365-813e-56f9b186baac", - "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNameqen0ym", - "RemoveAlertRuleId": "c1c55dcf-8a31-4c94-93d7-bbb13c8da4c6", - "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentName3tykhx", - "RemoveViaIdbookmarkRelationBookmarkId": "a34d217c-2b9d-4b72-b7d9-5a3850f0f17c", - "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRuleg7sd5h", - "removeOnboardingStateWS": "asptesty1avre", - "UpdateincidentCommentIncidentId": "a0b8657f-5c36-4cb2-8952-f90affa7e0da", - "ASIServicePrinicpal": "24594c91-ddc1-4a89-8ef7-4ab3e6ffad84", - "GetincidentCommentIncidentId": "36740e38-b328-4f70-a514-867d90c8361d", - "solarigateRuleGuid": "6692b8a1-d2bc-4cd6-b724-5dd2e4293ab3", - "GetAlertRuleActionId": "fbc77ebc-03d2-4653-a435-f072687e1b97", - "GetBookmarkName": "Getbookmarks1c0pz", - "UpdateBookmarkRelationIncidentId": 
"0f49b19c-24d3-4775-92ae-dc0ecd5e1ace", - "RemoveViaIdAlertRuleId": "c1a9cd5e-f882-4d57-b94f-742b0e2ae177", - "UpdateViaIdentityQueryActivityId": "9934ce9e-b735-43ca-885c-729dc54cb4d1", - "Playbook4TriggerUrl": "https://prod-17.centralus.logic.azure.com:443/workflows/04d2704a1afb4570bdf87b0b4d785630/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=cH1hGx080cqs2EiK4l4O5W0XsLE3_q7Pr6j0FX_AcM8" + "UpdateAlertRuleActionId": "39fd7829-116a-4fa3-8ec5-71501bc5ae11", + "NewAlertRuleId": "12d8cb29-d001-4576-a336-77050c60a1f3", + "UpdateentityQueryActivityName": "UpdateentityQueryActivityasx17y", + "RemoveViaIdBookmarkId": "373872c1-6eda-475c-a5ec-f0bfbd39fdf6", + "UpdateincidentRelationName": "UpdateincidentRelationNamed809fp", + "NewincidentRelationBookmarkId": "bba93c64-4a68-46b3-8015-f129ad1597cf", + "UpdateViaIdAlertRuleActionId": "8f59d838-afdc-4ade-be00-58abc1f3a27f", + "NewincidentRelationIncidentName": "NewincidentRelationIncidentName9m3qew", + "NewbookmarkRelationIncidentName": "NewbookmarkRelationIncidentName49uk0b", + "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicatorzeqho5", + "GetAlertRuleActionId": "0ad3cc1a-0d2e-44cc-854a-f5fa08f86098", + "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamex1qm5r", + "RemoveViaIdAlertRuleId": "b5daebea-1da1-45a1-abb5-94ad8c8da5cb", + "RemoveAlertRuleId": "90872ee6-8ed3-48b8-8e93-2bcb1aa6825d", + "GetBookmarkName": "Getbookmarkzl3she", + "UpdateViaIdincidentName": "UpdateViaIdincidentt6c37h", + "Playbook2TriggerUrl": "https://prod-24.centralus.logic.azure.com:443/workflows/cfea3db4d45a4962b87a8b9c3a8421e9/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=QdzCxjenPF3s0HhC-EV6p-qpjLj_o0orZrj22vnCquc", + 
"UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamegz4803", + "RemoveentityQueryActivityId": "803b23e8-9f87-4597-bc9c-d537930dea57", + "UpdateincidentRelationBookmarkName2": "NewincidentRelationBookmarkNames06o1l", + "RemoveincidentRelationIncidentId": "bd3104a8-2b2d-4934-bef4-5fc4c04ef055", + "UpdateViaIdbookmarkRelationBookmarkId": "327d3f42-a5d6-4bc8-99bc-93cf7b2942c7", + "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicatortefl3d", + "Tenant": "d6eebbdd-d77c-465e-b008-4339027b4006", + "RemoveAlertRuleName": "RemoveAlertRule1qafoy", + "removeOnboardingStateWS": "asptesthqat05", + "GetBookmarkRelationName": "GetbookmarkRelation7859zd", + "newOnboardingStateWS": "asptest15inly", + "UpdateincidentCommentId": "7d4f4a64-ca42-4ab7-8385-f9c2b4d63434", + "GetthreatIntelligenceIndicatorId": "bd45b979-3f35-b698-a82a-23f3058f60bc", + "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleName1ui932", + "GetincidentRelationBookmarkId": "40c54fdc-490c-4164-901e-b95ca08e0a88", + "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkNamewn153e", + "RemoveViaIdincidentRelationBookmarkId": "8b4c7333-a754-463f-abd4-0b5b023fb24c", + "UpdateViaIdentityQueryActivityId": "023cc70e-538f-416e-af6e-ec0833b69894", + "RemoveincidentCommentIncidentId": "1f6bbf1d-7f2d-4435-84f7-2be61d9e090d", + "NewBookmarkRelationName": "NewbookmarkRelation03ptng", + "UpdateViaIdAutomationRuleId": "409ddeff-88f2-48de-8459-d9170cd1530b", + "UpdateBookmarkId": "4a1c3550-81e9-42ae-8302-a2234a8d3168", + "UpdateViaIdincidentRelationBookmarkId": "00406d21-02f5-485c-a859-19a592ab3f1b", + "UpdateViaIdthreatIntelligenceIndicatorId": "4b4270c1-7b75-b9ba-58c7-b8420b7e6291", + "Playbook4LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", + "Playbook3TriggerUrl": 
"https://prod-22.centralus.logic.azure.com:443/workflows/86d6ec0418794b35bb3b014e5448e0b6/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=fuFAHW0RWBesCKbfQlyAgswWDldw5fwJuUpzpVLjUQw", + "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", + "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentjf7t0g", + "NewincidentRelationIncidentId": "a56f41af-0d66-44c8-90bc-c8b8e8116984", + "NewincidentName": "Newincidentx3os45", + "RemoveincidentCommentId": "6a5e3b8c-f0f5-4bb7-8685-87961a8a21fe", + "NewAutomationRuleId": "a46bcfa9-0dd0-4856-8b10-10ec6bb12920", + "NewBookmarkId": "fa86b82d-4392-4288-846a-5d886fb4edce", + "RemoveViaIdincidentCommentIncidentId": "ac97c565-75c1-40ab-a8e1-334c04dda7d0", + "UpdateViaIdBookmarkName": "UpdateViaIdbookmarkepkaci", + "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamedejagn", + "RemoveincidentRelationId": "f05d7fb2-c166-4ecb-aa6b-b97479976971", + "UpdateViaIdbookmarkRelationIncidentName": "UpdateViaIdbookmarkRelationIncidentNamel2rnui", + "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRule7s6m8t", + "NewentityQueryActivityId": "0e70df5c-6ced-4480-b336-bc8491f9cd33", + "UpdateincidentRelationId": "f56dcb87-d5c9-4996-9916-6502828a3ae2", + "RemovethreatIntelligenceIndicatorId": "aba922f2-cd9e-75df-4232-a8d47c94bc03", + "RemoveincidentRelationName": "RemoveincidentRelationNamebvk5qy", + "resourceGroupName": "aspstest7ptmcr", + "RemoveBookmarkName": "Removebookmark2tw3fg", + "UpdateViaIdincidentRelationIncidentId": "e6be0e56-c636-4b4b-9793-6f3c0f345a46", + "UpdateViaIdincidentRelationId": "903fe51d-b375-49c3-bf17-02b25fab1aa4", + "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelation9wj152", + "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameu4dakt", + "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentName75xtbo", + 
"RemoveViaIdincidentRelationIncidentId": "b2ae0920-7287-4d85-a609-bf6c7e651630", + "ExpandBookmarkName": "Expandbookmarkvclw27", + "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicator6zjacg", + "Playbook1LogicAppResourceId": "/subscriptions/51a36d38-3b14-471f-8dde-a5867f5e51eb/resourceGroups/aspstest7ptmcr/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", + "UpdateViaIdincidentCommentId": "9be40f82-9aea-4748-93e9-3899fd858d5c", + "UpdateBookmarkRelationIncidentId": "6f90c814-29fb-4d2d-8188-360a8df4a559", + "RemoveViaIdAlertRuleActionId": "5945e422-0352-4aba-9fe7-fbf7567e44c2", + "dataConnectorId": "ef0ed2f1-dd75-4d02-afef-5fc84ded8e03", + "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNameyb5ilx", + "UpdatethreatIntelligenceIndicatorId": "a40d90cd-3425-dcc7-87c9-8c9298f3641d", + "UpdateViaIdBookmarkRelationIncidentId": "68e94645-a3b4-4595-9bfe-0d5370f5c8dd", + "Playbook1TriggerUrl": "https://prod-05.centralus.logic.azure.com:443/workflows/eb03b1bc818942e0a642c05aeef2614b/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=BiTp33mQqq5owtlDqGQFUmo-TdKtHaQskA16bOn1p8g", + "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentNameg1b6wx", + "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNamecz4ioj", + "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityt5dm62", + "UpdateAutomationRule": "UpdateAutomationRulefrz5oc", + "UpdateincidentRelationBookmarkId2": "7b6ab18b-3ae4-406a-ade2-d9b2b9cfb774", + "RemoveViaIdAutomationRuleId": "ab65a956-23b7-44a0-8a32-cb8d62d389d8" } diff --git a/src/SecurityInsights/test/localEnv.json b/src/SecurityInsights/test/localEnv.json index e962799eccb0..9e26dfeeb6e6 100644 --- a/src/SecurityInsights/test/localEnv.json +++ b/src/SecurityInsights/test/localEnv.json 
@@ -1,184 +1 @@ -{ - "RemoveincidentName": "Removeincidentqlkgre", - "RemoveViaIdAutomationRuleId": "28b2a84c-15cb-4489-9653-060065dbb994", - "location": "Central US", - "ExpandBookmarkName": "Expandbookmarkt9lrd1", - "UpdateViaIdBookmarkRelationId": "e178d52f-0000-42ae-85a9-b4097cfa102f", - "UpdateBookmarkRelationIncidentId": "7333ddd9-da05-4e39-9e33-cb6891c08c0e", - "RemoveBookmarkName": "Removebookmarkcnu6jz", - "disabledRuleGuid": "7b87d568-20ef-40f8-b4f6-7b7815d1ae1c", - "UpdateincidentCommentIncidentId": "31707c99-9240-4185-9a17-f045c1d97e5d", - "GetincidentRelationBookmarkId": "8fdf4085-d70b-4f42-bc52-3247c106ec22", - "RemoveViaIdBookmarkId": "f2b22ba6-000a-4cf0-9d11-07bfd7105b2d", - "UpdateViaIdAutomationRuleId": "98d8b78a-ca81-4ced-bd2d-41f061158847", - "GetBookmarkRelationIncidentId": "c50576c1-8ae5-4d69-9c84-51b915442aee", - "Tenant": "5f1060f2-d9a4-4f59-bf9c-1dd8f3604a4b", - "UpdateViaIdBookmarkRelationName": "UpdateViaIdbookmarkRelationjkmlgd", - "GetBookmarkRelationId": "8982fd8b-83e6-45e0-9799-5868e0cb905f", - "GetincidentRelationId": "5eaf5909-4185-448d-bad3-ceb48bac3a74", - "GetbookmarkRelationBookmarkId": "23fd78f1-f483-4745-8108-a825fc54c668", - "GetthreatIntelligenceIndicatorId": "d1b1f160-d4aa-355f-8b9e-597adc93450a", - "UpdateViaIdAutomationRule": "UpdateViaIdAutomationRulezkfopl", - "workspaceResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.OperationalInsights/workspaces/asptesttb8qd4", - "UpdateBookmarkRelationName": "UpdatebookmarkRelation6vhqpe", - "RemovethreatIntelligenceIndicatorId": "1b395a61-f885-1ab0-0a09-95821fa26aa7", - "GetBookmarkRelationName": "GetbookmarkRelationlfse2c", - "UpdatebookmarkRelationIncidentName": "UpdatebookmarkRelationIncidentNamelmuts7", - "UpdateViaIdincidentRelationBookmarkId": "4b202976-d8f7-494a-a224-39d45b7d0cff", - "RemoveViaIdbookmarkRelationBookmarkId": "594263e9-423e-4092-8ae8-0583423e4c8d", - "GetincidentCommentName": 
"GetincidentCommentgxebuw", - "RemoveAlertRuleActionId": "633b140d-ca59-4a48-8f9f-cd43f9b73261", - "GetalertRuleActionRuleId": "f101d542-c309-4567-a2e9-1cc325569b5d", - "UpdateViaIdthreatIntelligenceIndicatorId": "f030be42-7bcf-82fe-9fff-c79d02081c70", - "Playbook2TriggerUrl": "https://prod-31.centralus.logic.azure.com:443/workflows/fb7bc41bf47343e4b8f00f55feb90295/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=ZKfu53ftc6aVUBP7k9OzIY94f_-0lHaxyi8eXboRHLQ", - "GetAutomationRule": "GetAutomationRuleuym980", - "resourceGroupName": "aspstestsxeqa6", - "solarigateRuleGuid": "2cb844f2-371c-4d04-aa0f-da7d8c1da714", - "UpdateincidentCommentId": "3cdc19ee-8fa9-4af7-9007-1d26a715c4c6", - "UpdateBookmarkId": "db7538eb-c83f-4329-86cf-52fc5c72aa6a", - "UpdateBookmarkRelationId": "848acdc1-cbf2-4cb5-841a-9c4e5cd18316", - "RemoveincidentRelationIncidentId": "c3d6462a-4906-4fdf-b6cd-f2bceb154012", - "Playbook4LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Incident", - "UpdateViaIdincidentRelationIncidentId": "787c7546-c409-4fc6-8557-970600748338", - "UpdateincidentRelationId": "30d3137c-ca38-42fb-b1d1-dd26231c3464", - "ExpandBookmarkId": "89b10d75-fe89-44f5-aed9-bc10efe6885e", - "UpdateentityQueryActivityId": "5b4f4f50-5f46-4e63-8a36-d8dc4174f6cd", - "UpdatethreatIntelligenceIndicatorIP": "8.8.8.4", - "RemoveViaIdBookmarkRelationName": "RemoveViaIdbookmarkRelationogjnp8", - "GetBookmarkId": "85eabd01-5f4a-4c18-b19f-f56c4dce112e", - "GetincidentCommentIncidentId": "aba444f2-6a0b-4259-b0ab-1980b691b823", - "Playbook2LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Incident", - "RemoveincidentId": 
"80072504-9637-4da1-92ee-f7bd513cb295", - "RemoveViaIdincidentRelationName": "RemoveViaIdincidentRelationNamenvqgmf", - "RemoveBookmarkRelationIncidentId": "a1c3e870-d61c-4937-b209-99f8d995e556", - "UpdateViaIdentityQueryActivityId": "8b85577f-e233-4b0d-aef6-9344ecc571aa", - "RemoveViaIdincidentRelationIncidentId": "5ca2173d-19be-41f5-a77b-a863fccd26ad", - "GetAlertRuleName": "GetAlertRuleyrgq5k", - "RemoveViaIdentityQueryActivityId": "a0cc7385-57ea-4037-ad6c-c9bb037eea5f", - "removeOnboardingStateWS": "asptestocpbvt", - "RemoveentityQueryActivityName": "RemoveentityQueryActivitypr8m91", - "GetincidentRelationIncidentId": "0a92e0ee-c2ec-46ba-972f-477097330ac0", - "mlRuleGuid": "3f4b8ca9-def5-4f66-afd5-2074a5bf0082", - "UpdateincidentName": "Updateincidentz5xmas", - "RemoveViaIdincidentRelationBookmarkName": "RemoveViaIdincidentRelationBookmarkNamem0uzno", - "UpdateViaIdalertRuleActionRuleId": "f3992c63-7d9d-4e0b-8721-b9be19a79eec", - "RemoveincidentRelationBookmarkId": "d0aa7348-155b-44c5-a248-3758caa8622b", - "UpdateViaIdAlertRuleActionId": "cdb065bf-5d8c-430d-bdd9-1b19fecaef78", - "UpdateViaIdincidentRelationId": "efe4cdcc-e040-4dba-a14d-f9b79cd060b7", - "RemoveViaIdthreatIntelligenceIndicatorIP": "8.8.8.3", - "Playbook4TriggerUrl": "https://prod-26.centralus.logic.azure.com:443/workflows/d11ac7194c4a439cbaab4fff7e1c2ad7/triggers/When_Azure_Sentinel_incident_creation_rule_was_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_Azure_Sentinel_incident_creation_rule_was_triggered%2Frun&sv=1.0&sig=OR8RFdoiKx_lO0u8Z71Yb-qUgOeDh1feyin0ZppXb3k", - "UpdateAutomationRuleId": "0b3b4818-7e4a-47ea-b1be-3dd02503ce7b", - "GetbookmarkRelationBookmarkName": "GetbookmarkRelationBookmarkNamep5q8gb", - "UpdateViaIdBookmarkName": "UpdateViaIdbookmarko0bj1a", - "UpdateViaIdbookmarkRelationBookmarkName": "UpdateViaIdbookmarkRelationBookmarkNamega43se", - "RemovealertRuleActionRuleId": "2e249e48-e8a7-4e47-b69b-c9d41f751b50", - "RemoveViaIdentityQueryActivityName": 
"RemoveViaIdentityQueryActivitycsp8zk", - "RemovethreatIntelligenceIndicatorName": "RemovethreatIntelligenceIndicator7odgnj", - "RemoveincidentCommentIncidentId": "ebcc4150-0a62-4c60-8c79-412d61397a0f", - "UpdateAlertRuleId": "bbbec7e8-5e76-4092-b183-9bdf001cc9e7", - "RemoveentityQueryActivityId": "6ed85318-1c68-4b9c-aed6-e721e3bbde9a", - "RemoveViaIdthreatIntelligenceIndicatorId": "712311c9-2f77-f167-7c61-62935fa5d49d", - "RemoveViaIdbookmarkRelationBookmarkName": "RemoveViaIdbookmarkRelationBookmarkName8tclhr", - "RemovebookmarkRelationBookmarkName": "RemovebookmarkRelationBookmarkNameg4jvqn", - "RemoveincidentCommentName": "RemoveincidentCommentchevml", - "RemoveincidentRelationName": "RemoveincidentRelationName81itvb", - "UpdateViaIdalertRuleActionRuleName": "UpdateViaIdalertRuleActionRuleNamebak41c", - "UpdateAlertRuleActionId": "020f10bb-9108-40b2-82b8-6c3d96150c24", - "RemoveBookmarkRelationId": "40999731-ca81-45ed-8323-7bdf8c8e0592", - "UpdateViaIdAlertRuleId": "0f2c489b-891e-47fe-a876-28a4dcae7129", - "UpdateViaIdincidentRelationName": "UpdateViaIdincidentRelationName1xd3of", - "UpdateincidentRelationBookmarkId": "702d8e66-6c4f-4285-8c54-3064c6713ee7", - "RemoveViaIdAutomationRule": "RemoveViaIdAutomationRulepb9037", - "UpdateViaIdincidentCommentName": "UpdateViaIdincidentCommentu07v8a", - "RemoveViaIdincidentId": "b96b299e-8a07-428c-90e8-a9925726ed45", - "UpdatethreatIntelligenceIndicatorName": "UpdatethreatIntelligenceIndicatoret45oy", - "metadataName": "azuresentinel.azure-sentinel-solution-zerotrust", - "ASIServicePrinicpal": "ffe300b4-cb65-4eb4-9d60-477cee66dd5e", - "GetincidentCommentId": "6754ad39-2e25-4b61-a931-8797fa4742cf", - "GetthreatIntelligenceIndicatorIP": "8.8.8.1", - "UpdateViaIdincidentCommentId": "7336a21d-525b-43f0-91cc-d58af6ebddcb", - "UpdatebookmarkRelationBookmarkId": "29a94766-52e8-46d4-90aa-3ece020b836a", - "GetincidentRelationIncidentName": "GetincidentRelationIncidentNameh8ixuv", - "UpdateViaIdbookmarkRelationIncidentName": 
"UpdateViaIdbookmarkRelationIncidentNamev7bxe6", - "RemoveViaIdincidentRelationBookmarkId": "8aa5fa2e-321e-4663-b1bc-1f73d73aedc7", - "RemoveAutomationRuleId": "94ca78d2-0bcf-4f44-aa36-136d40ec8a3a", - "RemoveincidentRelationBookmarkName": "RemoveincidentRelationBookmarkNameiux6cn", - "RemoveAlertRuleName": "RemoveAlertRuleiamp95", - "RemoveViaIdincidentRelationId": "fa4ec427-fc28-4926-a0ef-9300313c48e6", - "UpdateViaIdincidentId": "a4fff7db-5896-435a-91b8-4efa9f287eed", - "RemoveViaIdincidentCommentId": "afe1f474-cc63-4c1c-9198-952438781715", - "Playbook3LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Confirm-AADRiskyUser-Alert", - "GetincidentRelationName": "GetincidentRelationNameclg6xw", - "GetbookmarkRelationIncidentName": "GetbookmarkRelationIncidentNamehks4oz", - "Playbook3TriggerUrl": "https://prod-02.centralus.logic.azure.com:443/workflows/0ccd0d021db94a059cff9733217f26dd/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=TOg5dFUmA5ar1zjTL85yE9WzxYlQBcxLOUiUe1LC06w", - "UpdatebookmarkRelationBookmarkName": "UpdatebookmarkRelationBookmarkName2xuftl", - "UpdateincidentCommentName": "UpdateincidentCommentlcjsfe", - "GetAutomationRuleId": "967770b5-4642-4d5f-865d-c9cd372c746e", - "UpdateViaIdthreatIntelligenceIndicatorIP": "8.8.8.5", - "UpdateViaIdincidentCommentIncidentId": "27a64d51-9f07-4451-ae16-976d68857423", - "RemoveBookmarkRelationName": "RemovebookmarkRelation7tspcu", - "Playbook1LogicAppResourceId": "/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/aspstestsxeqa6/providers/Microsoft.Logic/workflows/Block-AADUser-Alert", - "UpdateViaIdthreatIntelligenceIndicatorName": "UpdateViaIdthreatIntelligenceIndicator0ge1km", - "GetAlertRuleId": "4be22fd3-5d4f-4a29-a527-57f9a2dae2f0", - "GetincidentName": 
"Getincidentvmrcqe", - "RemovealertRuleActionRuleName": "RemovealertRuleActionRuleNamewukm9n", - "UpdateViaIdincidentRelationIncidentName": "UpdateViaIdincidentRelationIncidentName31yd8e", - "SubscriptionId": "1c61ccbf-70b3-45a3-a1fb-848ce46d70a6", - "UpdateViaIdincidentName": "UpdateViaIdincidentx791sq", - "newOnboardingStateWS": "asptestk42pgv", - "UpdateViaIdAlertRuleName": "UpdateViaIdAlertRule8whjl7", - "UpdateentityQueryActivityName": "UpdateentityQueryActivityj2x9oy", - "RemoveViaIdincidentName": "RemoveViaIdincidentqrg6vs", - "UpdateincidentRelationName": "UpdateincidentRelationName2xeun0", - "RemoveViaIdAlertRuleName": "RemoveViaIdAlertRulezk9y4v", - "UpdateViaIdBookmarkRelationIncidentId": "99d13007-8893-437d-b7d7-0c213ae7b3db", - "UpdateincidentRelationIncidentId": "ed0cfad2-f9e9-446c-a1ec-659194145750", - "RemoveBookmarkId": "3871571d-3110-4105-8104-e727f3b4d371", - "GetAlertRuleActionId": "3dd36704-ec12-4d83-87d1-f7e05bb46e26", - "UpdateViaIdentityQueryActivityName": "UpdateViaIdentityQueryActivityvwk3a6", - "UpdateViaIdBookmarkId": "18bd8f59-8475-412f-8ac6-5bda97dce895", - "RemovebookmarkRelationIncidentName": "RemovebookmarkRelationIncidentNamepo9tax", - "GetentityQueryActivityId": "9c01fde5-a458-4564-a710-3ec6afedc6ac", - "GetentityQueryActivityName": "GetentityQueryActivityaw7qsx", - "RemoveViaIdalertRuleActionRuleId": "9bed28fb-87c7-4530-b655-c3dcf14e637e", - "dataConnectorId": "f731f4fd-0336-445f-8672-8196f49236c6", - "RemoveAutomationRule": "RemoveAutomationRule7zhtoe", - "RemoveViaIdAlertRuleActionId": "865181a1-0f22-4a3c-a49f-c5e1af8b42ee", - "UpdateincidentRelationBookmarkName": "UpdateincidentRelationBookmarkName1pliw8", - "RemoveViaIdBookmarkName": "RemoveViaIdbookmarkf8byrj", - "RemoveViaIdAlertRuleId": "8b62bd9b-fdaf-4b8e-b141-9a102f054770", - "Playbook1TriggerUrl": 
"https://prod-08.centralus.logic.azure.com:443/workflows/062a9e68aa874175b8f47d291cb891fc/triggers/When_a_response_to_an_Azure_Sentinel_alert_is_triggered/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2FWhen_a_response_to_an_Azure_Sentinel_alert_is_triggered%2Frun&sv=1.0&sig=48ORoEBUQ8w7epFI-VcmaNJNq7wu1kfdbI7A-jl267o", - "RemoveincidentRelationId": "09fd1812-cd51-4a0e-b6c8-2c68f4a489d3", - "RemoveViaIdalertRuleActionRuleName": "RemoveViaIdalertRuleActionRuleNamex28bvi", - "RemoveViaIdthreatIntelligenceIndicatorName": "RemoveViaIdthreatIntelligenceIndicatortmcixj", - "UpdateincidentRelationIncidentName": "UpdateincidentRelationIncidentNamep4hb2t", - "RemoveincidentCommentId": "927c5e0d-139f-4446-8ee5-27b139498267", - "RemoveViaIdincidentCommentName": "RemoveViaIdincidentCommentksd6cw", - "UpdateincidentId": "4f96f5d6-22c7-4ec1-bde0-da5502846eee", - "GetthreatIntelligenceIndicatorName": "GetthreatIntelligenceIndicatorcmxphj", - "UpdateViaIdbookmarkRelationBookmarkId": "ccb53d45-5a9c-4b72-a88e-fe90158d9642", - "RemoveViaIdincidentCommentIncidentId": "c8c2adc7-50aa-4ee7-9c90-972f547b0a19", - "UpdateBookmarkName": "Updatebookmarkt1wq40", - "UpdateAutomationRule": "UpdateAutomationRulen6cw3k", - "UpdatethreatIntelligenceIndicatorId": "aeb7c6c3-fb45-61a6-9453-d69f7e98ffa6", - "bookmarkExpansionId": "b6c6ba8e-3173-4784-b4d7-50d9c5dad904", - "GetBookmarkName": "Getbookmark2ywan5", - "UpdatealertRuleActionRuleId": "a4d250d6-460c-417a-952d-4c50f444165b", - "RemovethreatIntelligenceIndicatorIP": "8.8.8.2", - "RemovebookmarkRelationBookmarkId": "0fa74f90-4c76-4ba4-8ced-42557229bb0e", - "UpdateViaIdincidentRelationBookmarkName": "UpdateViaIdincidentRelationBookmarkNameyduxnr", - "workspaceName": "asptesttb8qd4", - "GetincidentId": "8701f6ec-cf8f-4c11-84dd-bc6c82d87a6e", - "RemoveViaIdBookmarkRelationId": "4d7b81af-e639-4a95-b5a4-21fc4418c656", - "GetalertRuleActionRuleName": "GetalertRuleActionRuleName94evnz", - "workspaceId": "e6526ca0-d207-42ee-b3ad-2f9bac77f370", - 
"updateDataConnectorId": "ceed24f3-9d49-446f-905f-be0edd531832", - "RemoveAlertRuleId": "524a0399-9e2c-4e79-9a72-c870910c6330", - "RemoveViaIdbookmarkRelationIncidentName": "RemoveViaIdbookmarkRelationIncidentNamelf0hcd", - "UpdatealertRuleActionRuleName": "UpdatealertRuleActionRuleNamexc0get", - "UpdateAlertRuleName": "UpdateAlertRulegi5cnk", - "RemoveincidentRelationIncidentName": "RemoveincidentRelationIncidentNameb4xl1t", - "GetincidentRelationBookmarkName": "GetincidentRelationBookmarkNameedqyn4", - "RemoveViaIdincidentRelationIncidentName": "RemoveViaIdincidentRelationIncidentName27k90i", - "RemoveViaIdBookmarkRelationIncidentId": "2c25ce36-be91-424b-9681-ae377e825b16" -} +{} \ No newline at end of file diff --git a/src/SecurityInsights/test/utils.ps1 b/src/SecurityInsights/test/utils.ps1 index 124f3c377516..bb441cf3c347 100644 --- a/src/SecurityInsights/test/utils.ps1 +++ b/src/SecurityInsights/test/utils.ps1 @@ -98,7 +98,7 @@ function setupEnv() { $null = $env.Add(("solarigateRuleGuid"), $solarigateRuleGuid) $null = $env.Add(("disabledRuleGuid"), $disabledRuleGuid) $null = $env.Add(("mlRuleGuid"), $mlRuleGuid) - } + } #Deploy Playbooks Write-Host "Start to create test playbooks" @@ -121,6 +121,8 @@ function setupEnv() { #Create Alert Rules Write-Host "Start to create test alert rules" + $null = $env.Add('NewAlertRuleName', ("NewAlertRule" + (RandomString -allChars $false -len 6))) + $null = $env.Add('NewAlertRuleId', ((New-Guid).Guid)) Create-AlertRule -PSVerb Get -WorkspaceName $env.workspaceName Create-AlertRule -PSVerb Remove -WorkspaceName $env.workspaceName Create-AlertRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName 
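Review bot: Emptying localEnv.json removes, but does not revoke, the Logic App trigger URLs on the removed side (Playbook1TriggerUrl through Playbook4TriggerUrl) whose query strings carry `sig=` SAS signatures, together with the subscription and tenant ids; they stay in git history, so the four playbook trigger signatures should be regenerated in the Logic Apps rather than treated as retired. The same commit writes fresh signed trigger URLs into test/env.json (the added-side `Playbook*TriggerUrl` entries in the preceding hunk), so the pattern recurs. JSON has nowhere for a comment, so the test README is the place to state that env.json is a recorded fixture that must not hold live trigger signatures, and a `.gitignore` rule for localEnv.json would keep local runs from re-adding them. The tests consume these values as `$env.Playbook1TriggerUrl`; if playback does not need the live token, a committed placeholder of the form `https://<logic-app-host>/...&sig=<REDACTED>` (constructed example) is enough.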
@@ -129,6 +131,9 @@ function setupEnv() {
#Create AlertRuleAction
Write-Host "Start to create test alert rule actions"
+ $null = $env.Add('NewalertRuleActionRuleId', (New-Guid).Guid)
+ $null = $env.Add('NewalertRuleActionRuleName', ("NewalertRuleActionRuleName" + (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewAlertRuleActionId', (New-Guid).Guid)
Create-AlertRuleAction -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
Create-AlertRuleAction -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
Create-AlertRuleAction -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook1LogicAppResourceId -triggerUrl $env.Playbook1TriggerUrl
@@ -187,6 +192,8 @@ function setupEnv() {
#Create Automation Rule
Write-Host "Start to create test automation rule"
+ $null = $env.Add('NewAutomationRuleId', (New-Guid).Guid)
+ $null = $env.Add('NewAutomationRule', ("NewAutomationRule" + (RandomString -allChars $false -len 6)))
Create-AutomationRule -PSVerb Get -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
Create-AutomationRule -PSVerb Remove -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
Create-AutomationRule -PSVerb RemoveViaId -WorkspaceName $env.workspaceName -logicAppResourceId $env.Playbook2LogicAppResourceId
@@ -195,6 +202,8 @@ function setupEnv() {
#Create Bookmark
Write-Host "Start to create test bookmark"
+ $null = $env.Add(('NewBookmarkName'), ("Newbookmark"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add(('NewBookmarkId'), ((New-Guid).Guid))
Create-Bookmark -PSVerb Get -WorkspaceName $env.workspaceName
Create-Bookmark -PSVerb Remove -WorkspaceName $env.workspaceName
Create-Bookmark -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
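Review bot: The `-triggerUrl $env.Playbook1TriggerUrl` argument on the three `Create-AlertRuleAction` lines is a Logic App callback URL, and the env.json hunk earlier in this same patch shows such a URL carrying a `sig=` SAS signature, i.e. a bearer-style secret that lets anyone holding it fire the playbook. Since `$env` appears to be the table the test harness persists to env.json, the value should be handled as a credential: redact the trigger URL before serialising, or keep env.json out of commits, and because a signature was already committed in an earlier revision, regenerate the Logic App's access key so the leaked one stops working. A reminder next to these calls, `# Playbook1TriggerUrl embeds a SAS signature; never commit env.json with a real value`, would help the next maintainer. setupEnv begins and ends outside this hunk.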
@@ -208,14 +217,26 @@ function setupEnv() {
#Create Bookmark Realtion
Write-Host "Start to create test bookmark Relation"
+ $null = $env.Add('NewBookmarkRelationName', ("NewbookmarkRelation"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewBookmarkRelationId', ((New-Guid).Guid))
+ $null = $env.Add('NewbookmarkRelationBookmarkId', ((New-Guid).Guid))
+ $null = $env.Add('NewbookmarkRelationBookmarkName', ("NewbookmarkRelationBookmarkName"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewBookmarkRelationIncidentId', ((New-Guid).Guid))
+ $null = $env.Add('NewbookmarkRelationIncidentName', ("NewbookmarkRelationIncidentName"+ (RandomString -allChars $false -len 6)))
Create-BookmarkRelation -PSVerb Get -WorkspaceName $env.workspaceName
Create-BookmarkRelation -PSVerb Remove -WorkspaceName $env.workspaceName
Create-BookmarkRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
Create-BookmarkRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ $null = $env.Add('UpdateBookmarkRelationIncidentId2', ((New-Guid).Guid))
+ $null = $env.Add('UpdatebookmarkRelationIncidentName2', ("NewbookmarkRelationIncidentName"+ (RandomString -allChars $false -len 6)))
Create-BookmarkRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+ $null = $env.Add('UpdateViaIdBookmarkRelationIncidentId2', ((New-Guid).Guid))
+ $null = $env.Add('UpdateViaIdbookmarkRelationIncidentName2', ("NewbookmarkRelationIncidentName"+ (RandomString -allChars $false -len 6)))
+
#Create DataConnector
Write-Host "Start to create test dataConnector"
+ $env.Add('NewDataConnectorId', ((New-Guid).Guid))
$dataConnectorId = (New-Guid).Guid
$updateDataConnectorId = (New-Guid).Guid
$dataConnectorParams = Get-Content .\test\deployment-templates\dataConnector\template.parameters.json | ConvertFrom-Json
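Review bot: The added `$env.Add('NewDataConnectorId', ((New-Guid).Guid))` under `#Create DataConnector` drops the `$null =` prefix that every other `$env.Add` call in this function carries; if `$env` is a hashtable the call returns void and nothing leaks today, but any collection whose `Add` returns a value would emit that value into setupEnv's output. Change it to `$null = $env.Add('NewDataConnectorId', ((New-Guid).Guid))` for consistency. The `Update*2` and `UpdateViaId*2` IDs added after the `Update`/`UpdateViaId` creates are fresh GUIDs with no matching resource creation visible in this hunk, so if the update tests target them they presumably work only against a recording; a one-line comment stating that intent would save the next reader a search. setupEnv begins and ends outside this hunk.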
@@ -230,11 +251,17 @@ function setupEnv() {
$null = $env.Add('dataConnectorId', $dataConnectorId)
$null = $env.Add('updateDataConnectorId', $updateDataConnectorId)
}
+ $null = $env.Add('RemoveDataConnectorId', ((New-Guid).Guid))
+ $null = $env.Add('RemoveDataConnectorIdInputObject', ((New-Guid).Guid))
+
+
#Entity
#imported fake data so nothing needed to create in arm.
#Create Entity Queriers
Write-Host "Start to create test entityQuery"
+ $null = $env.Add('NewentityQueryActivityName', ("NewentityQueryActivity"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewentityQueryActivityId', ((New-Guid).Guid))
Create-EntityQuery -PSVerb Get -WorkspaceName $env.workspaceName
Create-EntityQuery -PSVerb Remove -WorkspaceName $env.workspaceName
Create-EntityQuery -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
@@ -248,7 +275,9 @@ function setupEnv() {
#System built, can't test without data. Find way to import data?
#Create Incident
- Write-Host "Start to create test incident"
+ Write-Host "Start to create test incident"
+ $null = $env.Add('NewincidentName', ("Newincident"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewincidentId', ((New-Guid).Guid))
Create-Incident -PSVerb Get -WorkspaceName $env.workspaceName
Create-Incident -PSVerb Remove -WorkspaceName $env.workspaceName
Create-Incident -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
@@ -263,6 +292,10 @@ function setupEnv() {
#IncidentComment
Write-Host "Start to create test incident comment"
+ $null = $env.Add('NewincidentCommentName', ("NewincidentComment"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewincidentCommentId', ((New-Guid).Guid))
+ $null = $env.Add('NewincidentCommentIncidentName', ("NewincidentCommentIncident"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewincidentCommentIncidentId', ((New-Guid).Guid))
Create-IncidentComment -PSVerb Get -WorkspaceName $env.workspaceName
Create-IncidentComment -PSVerb Remove -WorkspaceName $env.workspaceName
Create-IncidentComment -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
@@ -274,12 +307,27 @@ function setupEnv() {
#IncidentRelation
Write-Host "Start to create test incident relation"
+ $null = $env.Add('NewincidentRelationName', ("NewincidentRelationName"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewincidentRelationId', ((New-Guid).Guid))
+ $null = $env.Add('NewincidentRelationIncidentId', ((New-Guid).Guid))
+ $null = $env.Add('NewincidentRelationIncidentName', ("NewincidentRelationIncidentName"+ (RandomString -allChars $false -len 6)))
+ $null = $env.Add('NewincidentRelationBookmarkId', ((New-Guid).Guid))
+ $null = $env.Add('NewincidentRelationBookmarkName', ("NewincidentRelationBookmarkName"+ (RandomString -allChars $false -len 6)))
Create-IncidentRelation -PSVerb Get -WorkspaceName $env.workspaceName
Create-IncidentRelation -PSVerb Remove -WorkspaceName $env.workspaceName
Create-IncidentRelation -PSVerb RemoveViaId -WorkspaceName $env.workspaceName
Create-IncidentRelation -PSVerb Update -WorkspaceName $env.workspaceName
+ $null = $env.Add('UpdateincidentRelationBookmarkId2', ((New-Guid).Guid))
+ $null = $env.Add('UpdateincidentRelationBookmarkName2', ("NewincidentRelationBookmarkName"+ (RandomString -allChars $false -len 6)))
Create-IncidentRelation -PSVerb UpdateViaId -WorkspaceName $env.workspaceName
+ $null = $env.Add('UpdateViaIdincidentRelationBookmarkId2', ((New-Guid).Guid))
+ $null = $env.Add('UpdateViaIdincidentRelationBookmarkName2', ("NewincidentRelationBookmarkName"+ (RandomString -allChars $false -len 6)))
+
+ #IncidentTeam
+ $null = $env.Add('NewincidentTeamIncidentId', ((New-Guid).Guid))
+ $null = $env.Add('NewincidentTeamIncidentName', ("NewincidentTeamIncidentName"+ (RandomString -allChars $false -len 6)))
+
#Metadata
#"sourceId": "azuresentinel.azure-sentinel-solution-zerotrust
Write-Host "Start to create test MetaData"
@@ -327,5 +375,15 @@ function setupEnv() {
function cleanupEnv() {
# Clean resources you create for testing
# Remove-AzResourceGroup -Name $env.resourceGroupName
+
+ #clean template parameter files.
+ #$files = Get-ChildItem -Path (Join-Path $PSScriptRoot "deployment-templates") -recurse *.parameters.json
+ #foreach($file in $files){
+ # $content = Get-Content $file.FullName | ConvertFrom-Json
+ # foreach($param in $content.parameters.PSObject.Properties){
+ # $param.Value = "null"
+ # }
+ # $content | convertto-json -depth 5 | set-content ($file.FullName)
+ #}
}
From d7213b5dda7a5092a97cf95c5d1e4e9a22c1623e Mon Sep 17 00:00:00 2001 From: Yabo Hu Date: Wed, 17 Aug 2022 14:37:03 +0800 Subject: [PATCH 14/24] Delete readme.md --- src/SecurityInsights/docs/readme.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 src/SecurityInsights/docs/readme.md
diff --git a/src/SecurityInsights/docs/readme.md b/src/SecurityInsights/docs/readme.md
deleted file mode 100644
index f18a8fa38198..000000000000
--- a/src/SecurityInsights/docs/readme.md
+++ /dev/null
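Review bot: `cleanupEnv` still performs no cleanup: `Remove-AzResourceGroup` remains commented out and the new parameter-file scrub is added entirely as commented-out code, so a live run leaves the Sentinel workspace, the playbooks (whose trigger URLs embed SAS signatures, as the env.json hunk in this patch shows) and the template parameter files with their recorded values behind. If the scrub is meant to be switched on later, note that `$param.Value = "null"` overwrites each ARM parameter's whole `{ "value": ... }` object with the string `"null"`, which breaks the parameter-file schema; something like `$param.Value.value = $null` is closer to the intent. Either enable the cleanup or add a comment such as `# resource group is intentionally kept between runs; scrub parameter files before committing` so the reason is recorded. The whole of cleanupEnv is inside this hunk.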
@@ -1,11 +0,0 @@
-# Docs
-This directory contains the documentation of the cmdlets for the `Az.SecurityInsights` module. To run documentation generation, use the `generate-help.ps1` script at the root module folder. Files in this folder will *always be overriden on regeneration*. To update documentation examples, please use the `../examples` folder.
-
-## Info
-- Modifiable: no
-- Generated: all
-- Committed: yes
-- Packaged: yes
-
-## Details
-The process of documentation generation loads `Az.SecurityInsights` and analyzes the exported cmdlets from the module. It recognizes the [help comments](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comment_based_help) that are generated into the scripts in the `../exports` folder. Additionally, when writing custom cmdlets in the `../custom` folder, you can use the help comments syntax, which decorate the exported scripts at build-time. The documentation examples are taken from the `../examples` folder.
\ No newline at end of file
From bff9f7fcc727e9a46f6f5da2f476b5293117ae5c Mon Sep 17 00:00:00 2001 From: VeryEarly Date: Wed, 17 Aug 2022 19:09:49 +0800 Subject: [PATCH 15/24] mark update tests as liveonly --- src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 | 2 +- .../test/Update-AzSentinelDataConnector.Tests.ps1 | 2 +- .../test/Update-AzSentinelEntityQuery.Tests.ps1 | 2 +- src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
index d9116207d6d7..98548db6ba27 100644
--- a/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
+++ b/src/SecurityInsights/test/Update-AzSentinelAlertRule.Tests.ps1
@@ -14,7 +14,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelAlertRule'))
. ($mockingPath | Select-Object -First 1).FullName
}
-Describe 'Update-AzSentinelAlertRule' {
+Describe 'Update-AzSentinelAlertRule' -Tag 'LiveOnly' {
It 'UpdateExpanded' {
$alertRule = Update-AzSentinelAlertRule -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -RuleId $env.UpdateAlertRuleId -Scheduled -Disabled
$alertRule.Enabled | Should -Be $false
diff --git a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1
index e2129fb32c8e..94d786875204 100644
--- a/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1
+++ b/src/SecurityInsights/test/Update-AzSentinelDataConnector.Tests.ps1
@@ -14,7 +14,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelDataConnecto
. ($mockingPath | Select-Object -First 1).FullName
}
-Describe 'Update-AzSentinelDataConnector' {
+Describe 'Update-AzSentinelDataConnector' -Tag 'LiveOnly' {
It 'UpdateExpanded' {
$dataConnector = Update-AzSentinelDataConnector -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
-Id $env.updateDataConnectorId -Office365 -SharePoint "Enabled"
diff --git a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1
index fa2df6f530c7..d5a0e01e8e71 100644
--- a/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1
+++ b/src/SecurityInsights/test/Update-AzSentinelEntityQuery.Tests.ps1
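Review bot: Tagging the Describe block `-Tag 'LiveOnly'` removes `Update-AzSentinelAlertRule` from playback CI entirely, so a regression in the update path would only surface in a manual live run, and neither the hunk nor the commit message says why the recording could not be repaired instead. A comment on the Describe line recording the reason, e.g. `# LiveOnly: update responses are not replayable from the current recording; drop the tag once re-recorded`, would tell a later maintainer when the tag can go. The `It` block continues past the end of the hunk.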
@@ -14,7 +14,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelEntityQuery'
. ($mockingPath | Select-Object -First 1).FullName
}
-Describe 'Update-AzSentinelEntityQuery' {
+Describe 'Update-AzSentinelEntityQuery' -Tag 'LiveOnly' {
It 'UpdateExpanded' {
$entityQuery = Update-AzSentinelEntityQuery -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName `
-EntityQueryId $env.UpdateentityQueryActivityId -Title "UpdateEntityQueryPSTest"
diff --git a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1 b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1
index 7252b2afa025..b9f464e3c0e1 100644
--- a/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1
+++ b/src/SecurityInsights/test/Update-AzSentinelSetting.Tests.ps1
@@ -14,7 +14,7 @@ if(($null -eq $TestName) -or ($TestName -contains 'Update-AzSentinelSetting'))
. ($mockingPath | Select-Object -First 1).FullName
}
-Describe 'Update-AzSentinelSetting' {
+Describe 'Update-AzSentinelSetting' -Tag 'LiveOnly' {
It 'UpdateExpanded' {
Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Enabled $false
$settings = get-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName
From 358e8bb766cbcc6d7a08fe207c64af1d9da1f6b4 Mon Sep 17 00:00:00 2001
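Review bot: The `Update-AzSentinelSetting ... -SettingsName Anomalies -Enabled $false` line disables anomaly detection on the workspace, and now that the Describe block is tagged `LiveOnly` this only ever runs against a real workspace; nothing in the hunk turns the setting back on, so each live run leaves the shared test workspace with anomalies off unless the rest of the `It` block (outside this hunk) restores it. Add a restore after the assertion, `Update-AzSentinelSetting -ResourceGroupName $env.resourceGroupName -WorkspaceName $env.workspaceName -SettingsName Anomalies -Enabled $true`, or put it in an `AfterAll` so it runs even when the assertion fails. The `It` block continues past the end of the hunk.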
From: VeryEarly Date: Wed, 17 Aug 2022 19:27:04 +0800 Subject: [PATCH 16/24] fix examples --- .../docs/Get-AzSentinelAlertRule.md | 2 +- .../docs/Get-AzSentinelAlertRuleAction.md | 2 +- .../docs/Get-AzSentinelAlertRuleTemplate.md | 2 +- .../docs/Get-AzSentinelAutomationRule.md | 2 +- .../docs/Get-AzSentinelBookmark.md | 2 +- .../docs/Get-AzSentinelBookmarkRelation.md | 2 +- .../docs/Get-AzSentinelDataConnector.md | 2 +- .../docs/Get-AzSentinelEnrichment.md | 2 +- .../docs/Get-AzSentinelEntity.md | 2 +- .../docs/Get-AzSentinelEntityQuery.md | 2 +- .../docs/Get-AzSentinelEntityQueryTemplate.md | 2 +- .../docs/Get-AzSentinelEntityRelation.md | 2 +- .../docs/Get-AzSentinelIncident.md | 2 +- .../docs/Get-AzSentinelIncidentComment.md | 2 +- .../docs/Get-AzSentinelIncidentRelation.md | 2 +- .../docs/Get-AzSentinelMetadata.md | 2 +- .../docs/Get-AzSentinelOnboardingState.md | 2 +- .../docs/Get-AzSentinelSetting.md | 2 +- ...t-AzSentinelThreatIntelligenceIndicator.md | 2 +- ...entinelThreatIntelligenceIndicatorQuery.md | 2 +- .../docs/New-AzSentinelAlertRule.md | 2 +- .../docs/New-AzSentinelAlertRuleAction.md | 19 ++----------- .../docs/New-AzSentinelAutomationRule.md | 27 ++++-------------- .../docs/New-AzSentinelBookmark.md | 28 ++++--------------- .../docs/New-AzSentinelBookmarkRelation.md | 25 ++++------------- .../docs/New-AzSentinelDataConnector.md | 14 +++++----- .../docs/New-AzSentinelEntityQuery.md | 7 ++--- .../docs/New-AzSentinelIncident.md | 26 ++++------------- .../docs/New-AzSentinelIncidentComment.md | 27 ++++-------------- .../docs/New-AzSentinelIncidentRelation.md | 25 ++++------------- .../docs/New-AzSentinelIncidentTeam.md | 2 +- .../docs/New-AzSentinelOnboardingState.md | 2 +- .../docs/Remove-AzSentinelAlertRule.md | 2 +- .../docs/Remove-AzSentinelAlertRuleAction.md | 4 +-- .../docs/Remove-AzSentinelAutomationRule.md | 2 +- .../docs/Remove-AzSentinelBookmark.md | 2 +- .../docs/Remove-AzSentinelBookmarkRelation.md | 2 +- 
.../docs/Remove-AzSentinelDataConnector.md | 2 +- .../docs/Remove-AzSentinelEntityQuery.md | 2 +- .../docs/Remove-AzSentinelIncident.md | 2 +- .../docs/Remove-AzSentinelIncidentComment.md | 2 +- .../docs/Remove-AzSentinelIncidentRelation.md | 4 +-- .../docs/Remove-AzSentinelOnboardingState.md | 2 +- .../docs/Update-AzSentinelAlertRule.md | 4 +-- .../docs/Update-AzSentinelAlertRuleAction.md | 2 +- .../docs/Update-AzSentinelAutomationRule.md | 4 +-- .../docs/Update-AzSentinelBookmark.md | 2 +- .../docs/Update-AzSentinelBookmarkRelation.md | 2 +- .../docs/Update-AzSentinelDataConnector.md | 16 +++++------ .../docs/Update-AzSentinelEntityQuery.md | 4 +-- .../docs/Update-AzSentinelIncident.md | 4 +-- .../docs/Update-AzSentinelIncidentComment.md | 2 +- .../docs/Update-AzSentinelIncidentRelation.md | 2 +- .../docs/Update-AzSentinelSetting.md | 2 +- .../examples/New-AzSentinelBookmark.md | 4 +-- .../examples/New-AzSentinelEntityQuery.md | 8 ++---- .../examples/New-AzSentinelIncidentComment.md | 2 +- .../Remove-AzSentinelAlertRuleAction.md | 2 +- .../Remove-AzSentinelIncidentRelation.md | 2 +- 59 files changed, 111 insertions(+), 221 deletions(-) diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md index cfc6b8728c36..90779dae796f 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md @@ -207,7 +207,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md index f6482fc95095..0cf1d83aeb61 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md index 86b15193b94d..8f535b50f9d5 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md @@ -193,7 +193,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md index 43921221c76f..f4b76814a7f9 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md 
@@ -184,7 +184,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md index 51e41574b2b4..01fe1836136e 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md @@ -182,7 +182,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md index 29e9a3f98e06..6f22d30642c1 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md @@ -270,7 +270,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md index bdd246d7622c..45b3e1d4a717 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md @@ -181,7 +181,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md index 7797cbb23c00..5c84d74fb965 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md @@ -200,7 +200,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntity.md b/src/SecurityInsights/docs/Get-AzSentinelEntity.md index dd8e8b6380bf..4f18c8f67ceb 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntity.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntity.md @@ -206,7 +206,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md index beef38e95c2b..e4b38711604b 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQuery.md @@ -226,7 +226,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md index defea674fb03..852d67205d98 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityQueryTemplate.md @@ -214,7 +214,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md index 47df57a8d066..c7454f551b52 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md 
@@ -252,7 +252,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncident.md b/src/SecurityInsights/docs/Get-AzSentinelIncident.md index d03fb27d831b..fb959efeeafd 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncident.md @@ -249,7 +249,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md index 17617fe272f0..988434c7439d 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentComment.md @@ -263,7 +263,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md index f88685604aa5..1eeca20f5536 100644 
--- a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md @@ -278,7 +278,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md index 58447408cd4a..52ffb4547ae0 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelMetadata.md +++ b/src/SecurityInsights/docs/Get-AzSentinelMetadata.md @@ -227,7 +227,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md index 77cbe4072e81..e9dba1a4da1e 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/Get-AzSentinelOnboardingState.md @@ -174,7 +174,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Get-AzSentinelSetting.md b/src/SecurityInsights/docs/Get-AzSentinelSetting.md index a5c9f05dcc2f..9ea5481a88d4 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Get-AzSentinelSetting.md @@ -205,7 +205,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md index 5fcf4043581b..0a3014bd751a 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md +++ b/src/SecurityInsights/docs/Get-AzSentinelThreatIntelligenceIndicator.md @@ -260,7 +260,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md index 3bf8cb69b0d5..d66fe5aa3422 100644 --- a/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md +++ b/src/SecurityInsights/docs/Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md 
@@ -347,7 +347,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`SORTBY `: Columns to sort by and sorting order +SORTBY : Columns to sort by and sorting order - `[ItemKey ]`: Column name - `[SortOrder ]`: Sorting order (ascending/descending/unsorted). diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md index 22d572a9d818..5bef18b69398 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md @@ -764,7 +764,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md index beefa37c1cc1..f11300427304 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRuleAction.md 
@@ -14,8 +14,8 @@ Creates or updates the action of alert rule. ``` New-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName - [-Id ] [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-LogicAppResourceId ] [-TriggerUri ] [-DefaultProfile ] + [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -49,21 +49,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Id -Action ID - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: ActionId - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -LogicAppResourceId Logic App Resource Id, /subscriptions/{my-subscription}/resourceGroups/{my-resource-group}/providers/Microsoft.Logic/workflows/{my-workflow-id}. diff --git a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md index 02e04a2439a3..a0a1ba63a37e 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAutomationRule.md @@ -14,8 +14,8 @@ Creates or updates the automation rule. ### CreateExpanded (Default) ``` -New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-Id ] - [-SubscriptionId ] [-Action ] [-DisplayName ] [-Order ] +New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Action ] [-DisplayName ] [-Order ] [-TriggeringLogicCondition ] [-TriggeringLogicExpirationTimeUtc ] [-TriggeringLogicIsEnabled] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` @@ -23,8 +23,8 @@ New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName ### Create ``` New-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName - -AutomationRule [-Id ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + -AutomationRule [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] ``` ## DESCRIPTION 
@@ -120,21 +120,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Id -Automation rule ID - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: AutomationRuleId - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -Order The order of execution of the automation rule @@ -292,11 +277,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ACTION `: The actions to execute when the automation rule is triggered +ACTION : The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -`AUTOMATIONRULE `: Represents an automation rule. +AUTOMATIONRULE : Represents an automation rule. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmark.md b/src/SecurityInsights/docs/New-AzSentinelBookmark.md index 1b08de77a6fb..d1cc7cb23f72 100644 --- a/src/SecurityInsights/docs/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmark.md @@ -14,8 +14,8 @@ Creates or updates the bookmark. ### CreateExpanded (Default) ``` -New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id ] - [-SubscriptionId ] [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] +New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-DisplayName ] [-EventTime ] [-IncidentInfoIncidentId ] [-IncidentInfoRelationName ] [-IncidentInfoSeverity ] [-IncidentInfoTitle ] [-Label ] [-Note ] [-Query ] [-QueryEndTime ] [-QueryResult ] [-QueryStartTime ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] 
@@ -24,8 +24,7 @@ New-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-Id ### Create ``` New-AzSentinelBookmark -ResourceGroupName -WorkspaceName -Bookmark - [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -35,8 +34,8 @@ Creates or updates the bookmark. ### Example 1: Create a Bookmark ```powershell - $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $queryStartTime = (Get-Date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $queryEndTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime ``` @@ -113,21 +112,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Id -Bookmark ID - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: BookmarkId - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -IncidentInfoIncidentId Incident Id @@ -375,7 +359,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`BOOKMARK `: Represents a bookmark in Azure Security Insights. +BOOKMARK : Represents a bookmark in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. 
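Review bot: Example 1 formats the UTC timestamps with `hh` (12-hour clock with no AM/PM designator), so any run after noon produces a query window and `-EventTime` that are twelve hours off, and can even make `$queryStartTime` sort after `$queryEndTime`; both format strings should be `"yyyy-MM-ddTHH:00:00.000Z"`. The same example still passes `-Id ((New-Guid).Guid)` even though this hunk removes `-Id` from both parameter sets of `New-AzSentinelBookmark`, so as written it presumably fails parameter binding; drop that argument from the example or document where the bookmark ID now comes from. Bookmarks are investigation evidence, so a silently shifted time window is a correctness defect rather than a cosmetic one.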
diff --git a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md index f8237ffb8f39..aefcac037817 100644 --- a/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelBookmarkRelation.md @@ -15,15 +15,15 @@ Creates the bookmark relation. ### CreateExpanded (Default) ``` New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName - [-RelationName ] [-SubscriptionId ] [-RelatedResourceId ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ### Create ``` New-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName - -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -102,21 +102,6 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` -### -RelationName -Relation Name - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -ResourceGroupName The name of the resource group. The name is case insensitive. @@ -214,7 +199,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`RELATION `: Represents a relation between two resources +RELATION : Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. 
diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md index e3464d5119ca..f61fba1d6145 100644 --- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md @@ -927,11 +927,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`PERMISSIONCUSTOM `: [Parameter(ParameterSetName = 'APIPolling')] +PERMISSIONCUSTOM : [Parameter(ParameterSetName = 'APIPolling')] - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -`PERMISSIONRESOURCEPROVIDER `: [Parameter(ParameterSetName = 'APIPolling')] +PERMISSIONRESOURCEPROVIDER : [Parameter(ParameterSetName = 'APIPolling')] - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -941,27 +941,27 @@ To create the parameters described below, construct a hash table containing the - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -`UICONFIGCONNECTIVITYCRITERION `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGCONNECTIVITYCRITERION : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -`UICONFIGDATATYPE `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGDATATYPE : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -`UICONFIGGRAPHQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGGRAPHQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -`UICONFIGINSTRUCTIONSTEP `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGINSTRUCTIONSTEP : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -`UICONFIGSAMPLEQUERY `: [Parameter(ParameterSetName = 'APIPolling', Mandatory)] +UICONFIGSAMPLEQUERY : [Parameter(ParameterSetName = 'APIPolling', Mandatory)] - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md index 9e1607760b6f..d84bdef3252b 100644 --- a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md 
@@ -41,14 +41,13 @@ Enabled : True Kind : Activity CreatedTimeUtc : 12/22/2021 11:44:34 AM LastModifiedTimeUtc : 12/22/2021 11:47:13 AM - ``` This command creates an Entity Query by using a Template. -### Example 2: Create Entity Query +### Example 2: Create Entity Query from cmdlet inputs ```powershell - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// 
Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} ``` This command creates an Entity Query. @@ -346,7 +345,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITIESFILTER `: +ENTITIESFILTER : - `[(Any) ]`: This indicates any property can be added to this object. ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncident.md b/src/SecurityInsights/docs/New-AzSentinelIncident.md index bc9622c222e9..be182c72c718 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncident.md @@ -14,8 +14,8 @@ Creates or updates the incident. ### CreateExpanded (Default) ``` -New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Id ] - [-SubscriptionId ] [-Classification ] [-ClassificationComment ] +New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-SubscriptionId ] + [-Classification ] [-ClassificationComment ] [-ClassificationReason ] [-Description ] [-FirstActivityTimeUtc ] [-Label ] [-LastActivityTimeUtc ] [-OwnerAssignedTo ] [-OwnerEmail ] [-OwnerObjectId ] 
@@ -27,8 +27,7 @@ New-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Id ### Create ``` New-AzSentinelIncident -ResourceGroupName -WorkspaceName -Incident - [-Id ] [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] - [] + [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] [] ``` ## DESCRIPTION @@ -146,21 +145,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Id -Incident ID - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: IncidentId - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -Incident Represents an incident in Azure Security Insights. To construct, see NOTES section for INCIDENT properties and create a hash table. @@ -440,7 +424,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INCIDENT `: Represents an incident in Azure Security Insights. +INCIDENT : Represents an incident in Azure Security Insights. - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. @@ -466,7 +450,7 @@ To create the parameters described below, construct a hash table containing the - `[Status ]`: The status of the incident - `[Title ]`: The title of the incident -`LABEL `: List of labels relevant to this incident +LABEL : List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md index 814dc162f4f5..b840522096c1 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md 
@@ -15,15 +15,15 @@ Creates or updates the incident comment. ### CreateExpanded (Default) ``` New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName - [-Id ] [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] - [-WhatIf] [] + [-SubscriptionId ] [-Message ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ### Create ``` New-AzSentinelIncidentComment -IncidentId -ResourceGroupName -WorkspaceName - -IncidentComment [-Id ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + -IncidentComment [-SubscriptionId ] [-DefaultProfile ] [-Confirm] + [-WhatIf] [] ``` ## DESCRIPTION @@ -33,7 +33,7 @@ Creates or updates the incident comment. ### Example 1: Create an Incident Comment ```powershell - New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere" + New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" ``` This command creates an Incident Comment. @@ -55,21 +55,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -Id -Incident comment ID - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: IncidentCommentId - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -IncidentComment Represents an incident comment To construct, see NOTES section for INCIDENTCOMMENT properties and create a hash table. 
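Review bot: Example 1 on the New-AzSentinelIncidentComment page invokes `New-AzSentinelIncident` rather than `New-AzSentinelIncidentComment`, and this hunk only drops `-Id` from the line without fixing the cmdlet name. Depending on how the unrecognised parameters bind, a reader who copies it gets either a binding error or a new incident instead of a comment on the existing one. The line should read `New-AzSentinelIncidentComment -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere"`.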
@@ -213,7 +198,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INCIDENTCOMMENT `: Represents an incident comment +INCIDENTCOMMENT : Represents an incident comment - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md index 200dab9cfbfc..2147fdc50602 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentRelation.md @@ -15,15 +15,15 @@ Creates or updates the incident relation. ### CreateExpanded (Default) ``` New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName - [-RelationName ] [-SubscriptionId ] [-RelatedResourceId ] - [-DefaultProfile ] [-Confirm] [-WhatIf] [] + [-SubscriptionId ] [-RelatedResourceId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ### Create ``` New-AzSentinelIncidentRelation -IncidentId -ResourceGroupName -WorkspaceName - -Relation [-RelationName ] [-SubscriptionId ] [-DefaultProfile ] - [-Confirm] [-WhatIf] [] + -Relation [-SubscriptionId ] [-DefaultProfile ] [-Confirm] [-WhatIf] + [] ``` ## DESCRIPTION @@ -109,21 +109,6 @@ Accept pipeline input: True (ByValue) Accept wildcard characters: False ``` -### -RelationName -Relation Name - -```yaml -Type: System.String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: (New-Guid).Guid -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -ResourceGroupName The name of the resource group. The name is case insensitive. 
@@ -221,7 +206,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`RELATION `: Represents a relation between two resources +RELATION : Represents a relation between two resources - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md index 69355576dcce..10cdbcacddeb 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentTeam.md @@ -253,7 +253,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`TEAMPROPERTY `: Describes team properties +TEAMPROPERTY : Describes team properties - `TeamName `: The name of the team - `[GroupId ]`: List of group IDs to add their members to the team - `[MemberId ]`: List of member IDs to add to the team diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md index f88917a5c857..648a211c7449 100644 --- a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md 
@@ -199,7 +199,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`SENTINELONBOARDINGSTATEPARAMETER `: Sentinel onboarding state +SENTINELONBOARDINGSTATEPARAMETER : Sentinel onboarding state - `[Etag ]`: Etag of the azure resource - `[SystemDataCreatedAt ]`: The timestamp of resource creation (UTC). - `[SystemDataCreatedBy ]`: The identity that created the resource. diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md index ce4fd9a86de7..ad497279d3ed 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRule.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md index 5fb49cc4016c..328e5f4b4c93 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md 
@@ -32,7 +32,7 @@ Delete the action of alert rule. ### Example 1: Removes an alert rule action ```powershell -Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86 +Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86" ``` This command removes an alert rule action. @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md index 4922397961f7..c45b896ded12 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelAutomationRule.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md index 17bd7e967358..5f7d69f2e884 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmark.md 
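Review bot: The example under "Removes an alert rule action" calls `Remove-AzSentinelAlertRule`, not `Remove-AzSentinelAlertRuleAction`, and this hunk only quotes the GUIDs without correcting the cmdlet name. Copied verbatim it either fails on the unrecognised `-RuleId` parameter or, if the remaining parameters happen to bind, deletes the whole analytics rule rather than a single action, which is a destructive outcome for an example on a Remove- page. The line should be `Remove-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86"`.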
@@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md index 3deb9a5537d2..b4e730b88644 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelBookmarkRelation.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md index 95bbec95565b..8fdb2b22f520 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelDataConnector.md @@ -196,7 +196,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md index 89ce6c20501a..7f54196cc2af 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelEntityQuery.md @@ -204,7 +204,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md index 07ae5c6e957d..8d669823974e 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncident.md @@ -203,7 +203,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md index 256bcc7b2f20..a820724e2316 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentComment.md 
@@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index e815c0640f32..4df196219756 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md @@ -39,7 +39,7 @@ Delete the incident relation. ### Example 1: Delete an Incident relation ```powershell -Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 +Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelatedResourceId "7cc984fe-61a2-43c2-a1a4-3583c8a89db4" ``` This command removes the incident relation @@ -219,7 +219,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md index ef99ec749e63..a7621e87efd9 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md 
+++ b/src/SecurityInsights/docs/Remove-AzSentinelOnboardingState.md @@ -197,7 +197,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md index 0a40bc09c36b..a00ea8122723 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRule.md @@ -828,13 +828,13 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITYMAPPING `: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' +ENTITYMAPPING : 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail' - `[EntityType ]`: The V3 type of the mapped entity - `[FieldMapping ]`: array of field mappings for the given entity mapping - `[ColumnName ]`: the column name to be mapped to the identifier - `[Identifier ]`: the V3 identifier of the entity -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md index ca398883be6e..3d0a0db3c294 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAlertRuleAction.md @@ -229,7 +229,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md index 2711e5f5c00f..33f83c805f22 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md +++ b/src/SecurityInsights/docs/Update-AzSentinelAutomationRule.md @@ -282,11 +282,11 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ACTION `: The actions to execute when the automation rule is triggered +ACTION : The actions to execute when the automation rule is triggered - `ActionType `: The type of the automation rule action - `Order `: The order of execution of the automation rule action -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md index 88b71157ced8..2e81fc3913f0 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md 
@@ -369,7 +369,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md index e9a3b4f57a98..c25c247adf6c 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md +++ b/src/SecurityInsights/docs/Update-AzSentinelBookmarkRelation.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md index 8faa21daa939..7aecc29c3297 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md +++ b/src/SecurityInsights/docs/Update-AzSentinelDataConnector.md 
@@ -1250,7 +1250,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter +INPUTOBJECT : [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)] Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -1274,11 +1274,11 @@ To create the parameters described below, construct a hash table containing the - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -`PERMISSIONCUSTOM `: +PERMISSIONCUSTOM : - `[Description ]`: Customs permissions description - `[Name ]`: Customs permissions name -`PERMISSIONRESOURCEPROVIDER `: +PERMISSIONRESOURCEPROVIDER : - `[PermissionsDisplayText ]`: Permission description text - `[Provider ]`: Provider name - `[ProviderDisplayName ]`: Permission provider display name 
@@ -1288,27 +1288,27 @@ To create the parameters described below, construct a hash table containing the - `[RequiredPermissionWrite ]`: write permission - `[Scope ]`: Permission provider scope -`UICONFIGCONNECTIVITYCRITERION `: +UICONFIGCONNECTIVITYCRITERION : - `[Type ]`: type of connectivity - `[Value ]`: Queries for checking connectivity -`UICONFIGDATATYPE `: +UICONFIGDATATYPE : - `[LastDataReceivedQuery ]`: Query for indicate last data received - `[Name ]`: Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder -`UICONFIGGRAPHQUERY `: +UICONFIGGRAPHQUERY : - `[BaseQuery ]`: The base query for the graph - `[Legend ]`: The legend for the graph - `[MetricName ]`: the metric that the query is checking -`UICONFIGINSTRUCTIONSTEP `: +UICONFIGINSTRUCTIONSTEP : - `[Description ]`: Instruction step description - `[Instruction ]`: Instruction step details - `Type `: The kind of the setting - `[Parameter ]`: The parameters for the setting - `[Title ]`: Instruction step title -`UICONFIGSAMPLEQUERY `: +UICONFIGSAMPLEQUERY : - `[Description ]`: The sample query description - `[Query ]`: the sample query diff --git a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md index 6a008930da44..cdbf65fc62fc 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/docs/Update-AzSentinelEntityQuery.md @@ -368,10 +368,10 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`ENTITIESFILTER `: +ENTITIESFILTER : - `[(Any) ]`: This indicates any property can be added to this object. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID 
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md index 14025d559f22..111281eb86ec 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncident.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md @@ -433,7 +433,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID @@ -457,7 +457,7 @@ To create the parameters described below, construct a hash table containing the - `[SubscriptionId ]`: The ID of the target subscription. - `[WorkspaceName ]`: The name of the workspace. -`LABEL `: List of labels relevant to this incident +LABEL : List of labels relevant to this incident - `LabelName `: The name of the label ## RELATED LINKS diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md index 114fa7c871cb..bf351701ca04 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentComment.md @@ -212,7 +212,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md index 8c3476bb9360..d05e67632af1 100644 
--- a/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Update-AzSentinelIncidentRelation.md @@ -213,7 +213,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md index fbf9d7bb2010..d7c711d746c3 100644 --- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md +++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md @@ -257,7 +257,7 @@ COMPLEX PARAMETER PROPERTIES To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables. -`INPUTOBJECT `: Identity Parameter +INPUTOBJECT : Identity Parameter - `[ActionId ]`: Action ID - `[AlertRuleTemplateId ]`: Alert rule template ID - `[AutomationRuleId ]`: Automation rule ID diff --git a/src/SecurityInsights/examples/New-AzSentinelBookmark.md b/src/SecurityInsights/examples/New-AzSentinelBookmark.md index af53a80e922d..a1b72aab53aa 100644 --- a/src/SecurityInsights/examples/New-AzSentinelBookmark.md +++ b/src/SecurityInsights/examples/New-AzSentinelBookmark.md 
@@ -1,7 +1,7 @@ ### Example 1: Create a Bookmark ```powershell - $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $queryStartTime = (Get-Date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $queryEndTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" New-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime ``` ```output diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md index 0a74b9fc86b5..30e2086f2302 100644 --- a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md +++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md 
@@ -12,15 +12,13 @@ Enabled : True Kind : Activity CreatedTimeUtc : 12/22/2021 11:44:34 AM LastModifiedTimeUtc : 12/22/2021 11:47:13 AM - ``` This command creates an Entity Query by using a Template. -### Example 2: Create Entity Query +### Example 2: Create Entity Query from cmdlet inputs ```powershell - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityQueryId ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// 
Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, 
Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} ``` -This command creates an Entity Query. - +This command creates an Entity Query. \ No newline at end of file diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md index fb9e53bab2a5..37f3fd5a3f27 100644 --- a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md @@ -1,6 +1,6 @@ ### Example 1: Create an Incident Comment ```powershell - New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id ((New-Guid).Guid) -Message "IncidentCommentGoesHere" + New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" ``` This command creates an Incident Comment. diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md index 20b8359a8a5a..92e2f7c66c72 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md 
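Review bot: The example body in New-AzSentinelIncidentComment.md still invokes `New-AzSentinelIncident`, not the cmdlet the file documents, so a reader who copies it would create an incident rather than a comment; the new line should start `New-AzSentinelIncidentComment -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere"`. The same mismatch is in the next hunk, Remove-AzSentinelAlertRuleAction.md, whose example calls `Remove-AzSentinelAlertRule` with a `-RuleId`/`-Id` pair and should read `Remove-AzSentinelAlertRuleAction ...`. Since this commit is already editing exactly these lines (dropping `-Id`, quoting the GUIDs), fixing the cmdlet name at the same time would avoid shipping examples that run a different, and in the second case destructive, operation than the heading promises.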
@@ -1,6 +1,6 @@ ### Example 1: Removes an alert rule action ```powershell -Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId 29d2523f-84ce-42d3-b5f1-9e63c85aaed1 -Id 1a33301b-fb83-416a-8d58-3873c7c2dc86 +Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86" ``` This command removes an alert rule action. diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md index 021221d24452..8dc036aa0e21 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md @@ -4,7 +4,7 @@ ### Example 1: Delete an Incident relation >>>>>>> 16ff7bb8ad... Fixes per feedback ```powershell -Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId 7cc984fe-61a2-43c2-a1a4-3583c8a89da2 -RelatedResourceId 7cc984fe-61a2-43c2-a1a4-3583c8a89db4 +Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelatedResourceId "7cc984fe-61a2-43c2-a1a4-3583c8a89db4" ``` This command removes the incident relation From 78a57ff83351d2ced5f0f493d6263e1ea9700001 Mon Sep 17 00:00:00 2001 From: VeryEarly Date: Wed, 17 Aug 2022 19:38:46 +0800 Subject: [PATCH 17/24] suppress breakingchange and signature issues --- .../BreakingChangeIssues.csv | 10 +---- .../Az.SecurityInsights/SignatureIssues.csv | 44 ++++++++++++++++++- 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv index 74be92541586..17d04bfb4eac 100644 
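Review bot: The context line `>>>>>>> 16ff7bb8ad... Fixes per feedback` in examples/Remove-AzSentinelIncidentRelation.md is a leftover merge-conflict marker that survives on the new side of this hunk, and it will be rendered into the published example. It should be removed, together with any matching `<<<<<<<`/`=======` lines that may sit above the hunk's start, which is outside this view. The quoting change to the `-IncidentId`/`-RelatedResourceId` arguments is fine on its own.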
--- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/BreakingChangeIssues.csv
@@ -91,7 +91,6 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules","New-AzSentinelAlertRule","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelAlertRule' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelAlertRule'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","1020","The cmdlet 'New-AzSentinelAlertRuleAction' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'.","Make cmdlet 'New-AzSentinelAlertRuleAction' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Actions.PSSentinelActionResponse'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2000","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the parameter 'AlertRuleId' and no alias was found for the original parameter name.","Add the parameter 'AlertRuleId' back to the cmdlet 'New-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2000","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the parameter 'ActionId' and no alias was found for the original parameter name.","Add the parameter 'ActionId' back to the cmdlet 'New-AzSentinelAlertRuleAction', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2020","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2010","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","2010","The cmdlet 'New-AzSentinelAlertRuleAction' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'." 
@@ -99,8 +98,6 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Actions.NewAlertRuleActions","New-AzSentinelAlertRuleAction","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelAlertRuleAction' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelAlertRuleAction'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1020","The cmdlet 'New-AzSentinelBookmark' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'.","Make cmdlet 'New-AzSentinelBookmark' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Bookmarks.PSSentinelBookmark'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1060","The parameter set 'BookmarkId.' for cmdlet 'New-AzSentinelBookmark' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelBookmark' back to 'BookmarkId.'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","1060","The parameter set 'BookmarkId.' for cmdlet 'New-AzSentinelBookmark' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelBookmark' back to 'BookmarkId.'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2000","The cmdlet 'New-AzSentinelBookmark' no longer supports the parameter 'BookmarkId' and no alias was found for the original parameter name.","Add the parameter 'BookmarkId' back to the cmdlet 'New-AzSentinelBookmark', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2000","The cmdlet 'New-AzSentinelBookmark' no longer supports the parameter 'IncidentInfo' and no alias was found for the original parameter name.","Add the parameter 'IncidentInfo' back to the cmdlet 'New-AzSentinelBookmark', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2020","The cmdlet 'New-AzSentinelBookmark' no longer supports the type 'System.Collections.Generic.IList`1[System.String]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[System.String]'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Bookmarks.NewBookmarks","New-AzSentinelBookmark","0","2020","The cmdlet 'New-AzSentinelBookmark' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
@@ -121,6 +118,7 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'Office365' and no alias was found for the original parameter name.","Add the parameter 'Office365' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'ThreatIntelligence' and no alias was found for the original parameter name.","Add the parameter 'ThreatIntelligence' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'AwsRoleArn' and no alias was found for the original parameter name.","Add the parameter 'AwsRoleArn' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'Logs' and no alias was found for the original parameter name.","Add the parameter 'Logs' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'DiscoveryLogs' and no alias was found for the original parameter name.","Add the parameter 'DiscoveryLogs' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2000","The cmdlet 'New-AzSentinelDataConnector' no longer supports the parameter 'Indicators' and no alias was found for the original parameter name.","Add the parameter 'Indicators' back to the cmdlet 'New-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.NewDataConnectors","New-AzSentinelDataConnector","0","2020","The cmdlet 'New-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'." 
@@ -138,8 +136,6 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1020","The cmdlet 'New-AzSentinelIncident' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'.","Make cmdlet 'New-AzSentinelIncident' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncident'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1060","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncident' back to 'IncidentId'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2000","The cmdlet 'New-AzSentinelIncident' no longer supports the parameter 'IncidentId' and no alias was found for the original parameter name.","Add the parameter 'IncidentId' back to the cmdlet 'New-AzSentinelIncident', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2000","The cmdlet 'New-AzSentinelIncident' no longer supports the parameter 'Classificaton' and no alias was found for the original parameter name.","Add the parameter 'Classificaton' back to the cmdlet 'New-AzSentinelIncident', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.String' for parameter 'ClassificationReason'.","Change the type for parameter 'ClassificationReason' back to 'System.String'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","2020","The cmdlet 'New-AzSentinelIncident' no longer supports the type 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]' for parameter 'Label'.","Change the type for parameter 'Label' back to 'System.Collections.Generic.IList`1[Microsoft.Azure.Commands.SecurityInsights.Models.Incidents.PSSentinelIncidentLabel]'."
@@ -152,12 +148,9 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1050","The parameter set 'IncidentId' for cmdlet 'New-AzSentinelIncident' has been removed.","Add parameter set 'IncidentId' back to cmdlet 'New-AzSentinelIncident'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidents","New-AzSentinelIncident","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelIncident' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelIncident'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1020","The cmdlet 'New-AzSentinelIncidentComment' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'.","Make cmdlet 'New-AzSentinelIncidentComment' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.IncidentComments.PSSentinelIncidentComment'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1060","The parameter set 'IncidentCommentId' for cmdlet 'New-AzSentinelIncidentComment' is no longer the default parameter set.","Change the default parameter for cmdlet 'New-AzSentinelIncidentComment' back to 'IncidentCommentId'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2000","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the parameter 'IncidentCommentId' and no alias was found for the original parameter name.","Add the parameter 'IncidentCommentId' back to the cmdlet 'New-AzSentinelIncidentComment', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2020","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2010","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the alias 'AzContext' for parameter 'DefaultProfile'.","Add the alias 'AzContext' back to parameter 'DefaultProfile'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","2010","The cmdlet 'New-AzSentinelIncidentComment' no longer supports the alias 'AzureRmContext' for parameter 'DefaultProfile'.","Add the alias 'AzureRmContext' back to parameter 'DefaultProfile'."
-"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1050","The parameter set 'IncidentCommentId' for cmdlet 'New-AzSentinelIncidentComment' has been removed.","Add parameter set 'IncidentCommentId' back to cmdlet 'New-AzSentinelIncidentComment'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.IncidentsComments.NewBookmarks","New-AzSentinelIncidentComment","0","1050","The parameter set '__AllParameterSets' for cmdlet 'New-AzSentinelIncidentComment' has been removed.","Add parameter set '__AllParameterSets' back to cmdlet 'New-AzSentinelIncidentComment'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents.NewIncidentsOwner","New-AzSentinelIncidentOwner","0","1000","The cmdlet 'New-AzSentinelIncidentOwner' has been removed and no alias was found for the original cmdlet name.","Add the cmdlet 'New-AzSentinelIncidentOwner' back to the module, or add an alias to the original cmdlet name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.RemoveAlertRules","Remove-AzSentinelAlertRule","0","1020","The cmdlet 'Remove-AzSentinelAlertRule' no longer has output type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'.","Make cmdlet 'Remove-AzSentinelAlertRule' return type 'Microsoft.Azure.Commands.SecurityInsights.Models.AlertRules.PSSentinelAlertRule'."
@@ -257,6 +250,7 @@
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2020","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector' for parameter 'InputObject'.","Change the type for parameter 'InputObject' back to 'Microsoft.Azure.Commands.SecurityInsights.Models.DataConnectors.PSSentinelDataConnector'."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'ResourceId' and no alias was found for the original parameter name.","Add the parameter 'ResourceId' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'AwsRoleArn' and no alias was found for the original parameter name.","Add the parameter 'AwsRoleArn' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name."
+"Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'Logs' and no alias was found for the original parameter name.","Add the parameter 'Logs' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'DiscoveryLogs' and no alias was found for the original parameter name.","Add the parameter 'DiscoveryLogs' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2000","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the parameter 'Indicators' and no alias was found for the original parameter name.","Add the parameter 'Indicators' back to the cmdlet 'Update-AzSentinelDataConnector', or add an alias to the original parameter name."
 "Az.SecurityInsights","Microsoft.Azure.Commands.SecurityInsights.Cmdlets.DataConnectors.UpdateDataConnectors","Update-AzSentinelDataConnector","0","2020","The cmdlet 'Update-AzSentinelDataConnector' no longer supports the type 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer' for parameter 'DefaultProfile'.","Change the type for parameter 'DefaultProfile' back to 'Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer'."
diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv
index 1147fe460335..c6676bbd7010 100644
--- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/SignatureIssues.csv
@@ -1,3 +1,45 @@
 "AssemblyFileName","ClassName","Target","Severity","ProblemId","Description","Remediation"
+"Az.SecurityInsights","Get-AzSentinelAlertRule","Get-AzSentinelAlertRule","2","8010","Get-AzSentinelAlertRule Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelAlertRule","Get-AzSentinelAlertRule","2","8200","Get-AzSentinelAlertRule changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelAlertRuleAction","Get-AzSentinelAlertRuleAction","2","8010","Get-AzSentinelAlertRuleAction Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelAlertRuleAction","Get-AzSentinelAlertRuleAction","2","8200","Get-AzSentinelAlertRuleAction changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","2","8010","Get-AzSentinelAlertRuleTemplate Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelAlertRuleTemplate","Get-AzSentinelAlertRuleTemplate","2","8200","Get-AzSentinelAlertRuleTemplate changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelAutomationRule","Get-AzSentinelAutomationRule","2","8010","Get-AzSentinelAutomationRule Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelAutomationRule","Get-AzSentinelAutomationRule","2","8200","Get-AzSentinelAutomationRule changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelBookmark","Get-AzSentinelBookmark","2","8010","Get-AzSentinelBookmark Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelBookmark","Get-AzSentinelBookmark","2","8200","Get-AzSentinelBookmark changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelBookmarkRelation","Get-AzSentinelBookmarkRelation","2","8010","Get-AzSentinelBookmarkRelation Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelBookmarkRelation","Get-AzSentinelBookmarkRelation","2","8200","Get-AzSentinelBookmarkRelation changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelDataConnector","Get-AzSentinelDataConnector","2","8010","Get-AzSentinelDataConnector Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelDataConnector","Get-AzSentinelDataConnector","2","8200","Get-AzSentinelDataConnector changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEnrichment","Get-AzSentinelEnrichment","2","8010","Get-AzSentinelEnrichment Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEnrichment","Get-AzSentinelEnrichment","2","8200","Get-AzSentinelEnrichment changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEntity","Get-AzSentinelEntity","2","8010","Get-AzSentinelEntity Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEntity","Get-AzSentinelEntity","2","8200","Get-AzSentinelEntity changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEntityActivity","Get-AzSentinelEntityActivity","2","8010","Get-AzSentinelEntityActivity Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEntityActivity","Get-AzSentinelEntityActivity","2","8200","Get-AzSentinelEntityActivity changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEntityQuery","Get-AzSentinelEntityQuery","2","8010","Get-AzSentinelEntityQuery Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEntityQuery","Get-AzSentinelEntityQuery","2","8200","Get-AzSentinelEntityQuery changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEntityQueryTemplate","Get-AzSentinelEntityQueryTemplate","2","8010","Get-AzSentinelEntityQueryTemplate Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEntityQueryTemplate","Get-AzSentinelEntityQueryTemplate","2","8200","Get-AzSentinelEntityQueryTemplate changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelEntityRelation","Get-AzSentinelEntityRelation","2","8010","Get-AzSentinelEntityRelation Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelEntityRelation","Get-AzSentinelEntityRelation","2","8200","Get-AzSentinelEntityRelation changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelIncident","Get-AzSentinelIncident","2","8010","Get-AzSentinelIncident Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelIncident","Get-AzSentinelIncident","2","8200","Get-AzSentinelIncident changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelIncidentComment","Get-AzSentinelIncidentComment","2","8010","Get-AzSentinelIncidentComment Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelIncidentComment","Get-AzSentinelIncidentComment","2","8200","Get-AzSentinelIncidentComment changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelIncidentRelation","Get-AzSentinelIncidentRelation","2","8010","Get-AzSentinelIncidentRelation Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelIncidentRelation","Get-AzSentinelIncidentRelation","2","8200","Get-AzSentinelIncidentRelation changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelMetadata","Get-AzSentinelMetadata","2","8010","Get-AzSentinelMetadata Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelMetadata","Get-AzSentinelMetadata","2","8200","Get-AzSentinelMetadata changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelOnboardingState","Get-AzSentinelOnboardingState","2","8010","Get-AzSentinelOnboardingState Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelOnboardingState","Get-AzSentinelOnboardingState","2","8200","Get-AzSentinelOnboardingState changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelSetting","Get-AzSentinelSetting","2","8010","Get-AzSentinelSetting Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelSetting","Get-AzSentinelSetting","2","8200","Get-AzSentinelSetting changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelThreatIntelligenceIndicator","Get-AzSentinelThreatIntelligenceIndicator","2","8010","Get-AzSentinelThreatIntelligenceIndicator Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue"
+"Az.SecurityInsights","Get-AzSentinelThreatIntelligenceIndicator","Get-AzSentinelThreatIntelligenceIndicator","2","8200","Get-AzSentinelThreatIntelligenceIndicator changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact."
+"Az.SecurityInsights","Get-AzSentinelThreatIntelligenceIndicatorMetric","Get-AzSentinelThreatIntelligenceIndicatorMetric","2","8010","Get-AzSentinelThreatIntelligenceIndicatorMetric Changes the ConfirmImpact but does not set the SupportsShouldProcess property to true in the cmdlet attribute.","Determine if the cmdlet should implement ShouldProcess and if so determine if it should implement Force / ShouldContinue" +"Az.SecurityInsights","Get-AzSentinelThreatIntelligenceIndicatorMetric","Get-AzSentinelThreatIntelligenceIndicatorMetric","2","8200","Get-AzSentinelThreatIntelligenceIndicatorMetric changes the confirm impact. Please ensure that the change in ConfirmImpact is justified","Verify that ConfirmImpact is changed appropriately by the cmdlet. It is very rare for a cmdlet to change the ConfirmImpact." "Az.SecurityInsights","New-AzSentinelDataConnector","New-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet New-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." -"Az.SecurityInsights","Update-AzSentinelDataConnector","Update-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." \ No newline at end of file +"Az.SecurityInsights","Update-AzSentinelDataConnector","Update-AzSentinelDataConnector","1","8410","Parameter Teams of cmdlet Update-AzSentinelDataConnector does not follow the enforced naming convention of using a singular noun for a parameter name.","Consider using a singular noun for the parameter name." From 55e5e1e571dc1db6b7b05f9dd337180c2a6e9e19 Mon Sep 17 00:00:00 2001 
From: VeryEarly Date: Wed, 17 Aug 2022 20:40:07 +0800 Subject: [PATCH 18/24] suppress example issues cannot be resolved --- .../Remove-AzSentinelIncidentRelation.md | 1 - .../Az.SecurityInsights/ExampleIssues.csv | 25 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md index 8dc036aa0e21..69e4cbb3a2dd 100644 --- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md @@ -1,4 +1,3 @@ -<<<<<<< HEAD ### Example 1: Removes the incident relation ======= ### Example 1: Delete an Incident relation diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv new file mode 100644 index 000000000000..5e61de287f4d --- /dev/null +++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv 
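Review bot: The new side of the Remove-AzSentinelIncidentRelation.md hunk still carries merge-conflict residue: only the `<<<<<<< HEAD` line is removed, while `=======` and both competing headings (`### Example 1: Removes the incident relation` and `### Example 1: Delete an Incident relation`) are kept as context, so the example file now opens with two "Example 1" headings separated by a bare conflict separator. The matching `>>>>>>>` line, if it is still present, lies outside this hunk and cannot be checked from here. Resolve the conflict rather than trimming one marker: keep a single heading, e.g. `### Example 1: Delete an Incident relation`, and delete the `=======` line and the duplicate heading. These example files feed the generated cmdlet help and the example static analysis, so the residue would presumably show up as literal text in the published documentation and may be part of why this commit suppresses example issues instead of fixing them.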
@@ -0,0 +1,25 @@
+"Module","Cmdlet","Example","RuleName","ProblemID","Severity","Description","Extent","Remediation"
+"SecurityInsights","New-AzSentinelEntityQuery","1","MissingExampleOutput","5045","1","Output of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add output for the example. Remove any placeholders."
+"SecurityInsights","New-AzSentinelEntityQuery","2","MissingExampleCode","5044","1","Code of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add code for the example. Remove any placeholders."
+"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) is not an expected parameter value type.","-LogicAppResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowVersion.(Command)."
+"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -TriggerUri ($LogicAppTriggerUri.Value) is not an expected parameter value type.","-TriggerUri","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowTriggerCallbackUrl.(Command)."
+"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelAutomationRule","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelAutomationRule","2","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelBookmark","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmark -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelBookmarkRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmarkRelation -RelationName ((New-Guid).Guid) is not an expected parameter value type.","-RelationName","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelBookmarkRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmarkRelation -RelatedResourceId ($incident.Id) is not an expected parameter value type.","-RelatedResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident.(Command)."
+"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -Title ($template.title) is not an expected parameter value type.","-Title","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
+"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -InputEntityType ($template.inputEntityType) is not an expected parameter value type.","-InputEntityType","Use correct parameter value type. 
Expected Type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
+"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -TemplateName ($template.Name) is not an expected parameter value type.","-TemplateName","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
+"SecurityInsights","New-AzSentinelEntityQuery","2","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelIncident","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncident -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelIncidentComment","1","Invalid_Parameter_Name","5011","1","New-AzSentinelIncident -Message is not a valid parameter name.","-Message","Check validity of the parameter -Message."
+"SecurityInsights","New-AzSentinelIncidentRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncidentRelation -RelationName ((New-Guid).Guid) is not an expected parameter value type.","-RelationName","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","New-AzSentinelIncidentRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncidentRelation -RelatedResourceId ($bookmark.Id) is not an expected parameter value type.","-RelatedResourceId","Use correct parameter value type. 
Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark.(Command)."
+"SecurityInsights","Remove-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelAlertRule -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
+"SecurityInsights","Remove-AzSentinelIncidentRelation","2","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
+"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) is not an expected parameter value type.","-LogicAppResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowVersion.(Command)."
+"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -TriggerUri ($LogicAppTriggerUri.Value) is not an expected parameter value type.","-TriggerUri","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowTriggerCallbackUrl.(Command)."
+"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","Update-AzSentinelAutomationRule","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
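Review bot: Several of the rows added to this exceptions file record examples that name a parameter or cmdlet that does not exist, not analyzer false positives — the New-AzSentinelIncidentComment row reports `New-AzSentinelIncident -Message is not a valid parameter name.` and the Remove-AzSentinelAlertRuleAction row reports `Remove-AzSentinelAlertRule -Id is not a valid parameter name.`, both at severity 1. Those are defects in example text that users copy, so the fix belongs in the help markdown rather than in a suppression that also silences the rule for any later edit of the same example; the 5111 Mismatched_Parameter_Value_Type rows for `((New-Guid).Guid)` and `$template.title` look like genuine static-typing false positives and are reasonable to keep. The same pattern continues in the later ExampleIssues.csv hunks of this series (the commits titled "suppress one more example issue", "exmaple issues" and "example issue"), which carry these Invalid_Parameter_Name rows forward and add Invalid_Cmdlet (5000) rows stating that New-AzSentinelAutomationRule "is not a valid command name"; an Invalid_Cmdlet suppression is worth confirming against the module manifest's exported cmdlets before it is whitelisted, since it may indicate the cmdlet is not exported rather than a mis-spelled example.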
From 991740daf5d2421c0a62d5f8a8a3d5c733110820 Mon Sep 17 00:00:00 2001 From: VeryEarly Date: Wed, 17 Aug 2022 20:43:59 +0800 Subject: [PATCH 19/24] fix doc --- .../docs/Remove-AzSentinelIncidentRelation.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md index 4df196219756..13994890acc2 100644 --- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md @@ -32,13 +32,6 @@ Delete the incident relation. ### Example 1: Removes the incident relation ```powershell - -``` - -======= - -### Example 1: Delete an Incident relation -```powershell Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelatedResourceId "7cc984fe-61a2-43c2-a1a4-3583c8a89db4" ``` From 9a2d4ca7095ed60e5ce87fa79e4c481dd5332989 Mon Sep 17 00:00:00 2001 From: VeryEarly Date: Thu, 18 Aug 2022 09:15:02 +0800 Subject: [PATCH 20/24] suppress one more example issue --- .../Az.SecurityInsights/ExampleIssues.csv | 22 +------------------ 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv index 5e61de287f4d..3a838155b1fa 100644 --- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv +++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv 
@@ -1,25 +1,5 @@
 "Module","Cmdlet","Example","RuleName","ProblemID","Severity","Description","Extent","Remediation"
 "SecurityInsights","New-AzSentinelEntityQuery","1","MissingExampleOutput","5045","1","Output of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add output for the example. Remove any placeholders."
 "SecurityInsights","New-AzSentinelEntityQuery","2","MissingExampleCode","5044","1","Code of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add code for the example. Remove any placeholders."
-"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) is not an expected parameter value type.","-LogicAppResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowVersion.(Command)."
-"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -TriggerUri ($LogicAppTriggerUri.Value) is not an expected parameter value type.","-TriggerUri","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowTriggerCallbackUrl.(Command)."
-"SecurityInsights","New-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelAutomationRule","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelAutomationRule","2","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelBookmark","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmark -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelBookmarkRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmarkRelation -RelationName ((New-Guid).Guid) is not an expected parameter value type.","-RelationName","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelBookmarkRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelBookmarkRelation -RelatedResourceId ($incident.Id) is not an expected parameter value type.","-RelatedResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IIncident.(Command)."
-"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -Title ($template.title) is not an expected parameter value type.","-Title","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
-"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -InputEntityType ($template.inputEntityType) is not an expected parameter value type.","-InputEntityType","Use correct parameter value type. 
Expected Type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
-"SecurityInsights","New-AzSentinelEntityQuery","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -TemplateName ($template.Name) is not an expected parameter value type.","-TemplateName","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IEntityQueryTemplate.(Command)."
-"SecurityInsights","New-AzSentinelEntityQuery","2","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelEntityQuery -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelIncident","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncident -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelIncidentComment","1","Invalid_Parameter_Name","5011","1","New-AzSentinelIncident -Message is not a valid parameter name.","-Message","Check validity of the parameter -Message."
-"SecurityInsights","New-AzSentinelIncidentRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncidentRelation -RelationName ((New-Guid).Guid) is not an expected parameter value type.","-RelationName","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","New-AzSentinelIncidentRelation","1","Mismatched_Parameter_Value_Type","5111","2","New-AzSentinelIncidentRelation -RelatedResourceId ($bookmark.Id) is not an expected parameter value type.","-RelatedResourceId","Use correct parameter value type. 
Expected Type is string. Now the type is Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark.(Command)."
 "SecurityInsights","Remove-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelAlertRule -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
-"SecurityInsights","Remove-AzSentinelIncidentRelation","2","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
-"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -LogicAppResourceId ($LogicAppResourceId.Id) is not an expected parameter value type.","-LogicAppResourceId","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowVersion.(Command)."
-"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -TriggerUri ($LogicAppTriggerUri.Value) is not an expected parameter value type.","-TriggerUri","Use correct parameter value type. Expected Type is string. Now the type is Microsoft.Azure.Management.Logic.Models.WorkflowTriggerCallbackUrl.(Command)."
-"SecurityInsights","Update-AzSentinelAlertRuleAction","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAlertRuleAction -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
-"SecurityInsights","Update-AzSentinelAutomationRule","1","Mismatched_Parameter_Value_Type","5111","2","Update-AzSentinelAutomationRule -Id ((New-Guid).Guid) is not an expected parameter value type.","-Id","Use correct parameter value type. Expected Type is string. Now the type is guid.(Command)."
+"SecurityInsights","Remove-AzSentinelIncidentRelation","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
\ No newline at end of file
From dfe0de455cb25038d4bbca477fd96b125fc79844 Mon Sep 17 00:00:00 2001
From: VeryEarly
Date: Thu, 18 Aug 2022 10:08:43 +0800
Subject: [PATCH 21/24] exmaple issues
---
 .../Exceptions/Az.SecurityInsights/ExampleIssues.csv | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
index 3a838155b1fa..0c93e4b5b4b6 100644
--- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
@@ -2,4 +2,8 @@
 "SecurityInsights","New-AzSentinelEntityQuery","1","MissingExampleOutput","5045","1","Output of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add output for the example. Remove any placeholders."
 "SecurityInsights","New-AzSentinelEntityQuery","2","MissingExampleCode","5044","1","Code of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add code for the example. Remove any placeholders."
 "SecurityInsights","Remove-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelAlertRule -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
-"SecurityInsights","Remove-AzSentinelIncidentRelation","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
\ No newline at end of file
+"SecurityInsights","Remove-AzSentinelIncidentRelation","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
+"SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -RuleId is not a valid parameter name.","-RuleId","Check validity of the parameter -RuleId."
+"SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
+"SecurityInsights","New-AzSentinelAutomationRule","2","Invalid_Cmdlet","5000","1","New-AzSentinelAutomationRule is not a valid command name.","New-AzSentinelAutomationRule -ResourceGroupName 'myResourceGroup' -WorkspaceName 'myWorkspaceName' -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName 'Change severity to Low' -Order 3 -TriggeringLogicIsEnabled","Check the spell of New-AzSentinelAutomationRule."
+"SecurityInsights","New-AzSentinelIncidentComment","1","Invalid_Parameter_Name","5011","1","New-AzSentinelIncident -Message is not a valid parameter name.","-Message","Check validity of the parameter -Message."
\ No newline at end of file
From e60e9b4f2f6e9b1279b5d8249ed678f240021e85 Mon Sep 17 00:00:00 2001
From: VeryEarly
Date: Thu, 18 Aug 2022 11:05:35 +0800
Subject: [PATCH 22/24] example issue
---
 .../Exceptions/Az.SecurityInsights/ExampleIssues.csv | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
index 0c93e4b5b4b6..f403d996eff5 100644
--- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
+++ b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
@@ -6,4 +6,5 @@
 "SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -RuleId is not a valid parameter name.","-RuleId","Check validity of the parameter -RuleId."
 "SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
 "SecurityInsights","New-AzSentinelAutomationRule","2","Invalid_Cmdlet","5000","1","New-AzSentinelAutomationRule is not a valid command name.","New-AzSentinelAutomationRule -ResourceGroupName 'myResourceGroup' -WorkspaceName 'myWorkspaceName' -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName 'Change severity to Low' -Order 3 -TriggeringLogicIsEnabled","Check the spell of New-AzSentinelAutomationRule."
+"SecurityInsights","New-AzSentinelAutomationRule","1","Invalid_Cmdlet","5000","1","New-AzSentinelAutomationRule is not a valid command name.","New-AzSentinelAutomationRule -ResourceGroupName 'myResourceGroup' -WorkspaceName 'myWorkspaceName' -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName 'Run Playbook to reset AAD password' -Order 2 -TriggeringLogicIsEnabled","Check the spell of New-AzSentinelAutomationRule."
 "SecurityInsights","New-AzSentinelIncidentComment","1","Invalid_Parameter_Name","5011","1","New-AzSentinelIncident -Message is not a valid parameter name.","-Message","Check validity of the parameter -Message."
\ No newline at end of file
From ed2bb133398987727d6e531f9a388fd46d6a0435 Mon Sep 17 00:00:00 2001
From: VeryEarly
Date: Thu, 8 Sep 2022 12:40:30 +0800
Subject: [PATCH 23/24] fix examples
---
 .../docs/Get-AzSentinelEnrichment.md | 4 ++--
 .../docs/Get-AzSentinelEntityActivity.md | 2 +-
 .../docs/Get-AzSentinelEntityInsight.md | 8 ++++----
 .../docs/Get-AzSentinelEntityRelation.md | 2 +-
 .../docs/Get-AzSentinelEntityTimeline.md | 6 +++---
 .../docs/Get-AzSentinelIncidentRelation.md | 2 +-
 .../docs/New-AzSentinelAlertRule.md | 14 +++++++-------
 .../docs/New-AzSentinelDataConnector.md | 9 +--------
 .../docs/New-AzSentinelEntityQuery.md | 4 ++--
 .../docs/New-AzSentinelIncidentComment.md | 2 +-
 .../docs/New-AzSentinelOnboardingState.md | 2 +-
 .../docs/Remove-AzSentinelAlertRuleAction.md | 2 +-
 .../docs/Remove-AzSentinelIncidentRelation.md | 2 +-
 .../docs/Update-AzSentinelBookmark.md | 4 ++--
 .../docs/Update-AzSentinelIncident.md | 2 +-
 .../docs/Update-AzSentinelSetting.md | 5 ++---
 .../examples/Get-AzSentinelEnrichment.md | 4 ++--
 .../examples/Get-AzSentinelEntityActivity.md | 2 +-
 .../examples/Get-AzSentinelEntityInsight.md | 8 ++++----
 .../examples/Get-AzSentinelEntityRelation.md | 2 +-
 .../examples/Get-AzSentinelEntityTimeline.md | 6 +++---
 .../examples/Get-AzSentinelIncidentRelation.md | 2 +-
 .../examples/New-AzSentinelAlertRule.md | 14 +++++++-------
 .../examples/New-AzSentinelDataConnector.md | 6 +-----
 .../examples/New-AzSentinelEntityQuery.md | 5 +++--
 .../examples/New-AzSentinelIncidentComment.md | 2 +-
 .../examples/New-AzSentinelOnboardingState.md | 2 +-
 .../examples/Remove-AzSentinelAlertRuleAction.md | 2 +-
 .../examples/Remove-AzSentinelIncidentRelation.md | 5 +----
 .../examples/Update-AzSentinelBookmark.md | 4 ++--
 .../examples/Update-AzSentinelIncident.md | 2 +-
 .../examples/Update-AzSentinelSetting.md | 5 ++---
 32 files changed, 63 insertions(+), 78 deletions(-)
diff --git a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md
index 5c84d74fb965..baef8d2c9ebb 100644
--- a/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEnrichment.md @@ -43,7 +43,7 @@ Get geodata for a single IP address ### Example 1: Get a Domain Enrichment ```powershell - Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com + Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com" ``` ```output @@ -58,7 +58,7 @@ This command gets an enrichment for a domain. ### Example 2: Get a IP Enrichment ```powershell - Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1" + Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -IPAddress "1.1.1.1" ``` ```output diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md index adbf250a4333..5884d3c56648 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityActivity.md @@ -24,7 +24,7 @@ Get Insights and Activities for an entity. ### Example 1: Get Insights and Activities for an Entity ```powershell - Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" + Get-AzSentinelEntityActivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" ``` ```output diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md index a11223aa02bf..2c2895d37880 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityInsight.md 
@@ -25,8 +25,8 @@ Execute Insights for an entity. ### Example 1: Get Insights for an Entity for a given time range ```powershell - $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime ``` @@ -42,8 +42,8 @@ This command gets insights for an Entity for a given time range. ### Example 2: Get Insights for an Entity by entity Id for a given time range ```powershell - $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79" $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime ``` diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md index c7454f551b52..9a0e3a9901fb 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityRelation.md 
@@ -45,7 +45,7 @@ This command lists all Entity Relations for a given Entity. ### Example 2: Get an Entity Relation ```powershell - Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId" + Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -RelationName "myEntityRelationId" ``` This command gets an Entity Relation for a given Entity. diff --git a/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md index 2d1047f32ff0..50eb215b6459 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md +++ b/src/SecurityInsights/docs/Get-AzSentinelEntityTimeline.md @@ -25,9 +25,9 @@ Timeline for an entity. ### Example 1: Get Timeline for an Entity for a given time range ```powershell - $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" - Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime + $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z" + Get-AzSentinelEntityTimeline -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime ``` ```output diff --git a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md index 1eeca20f5536..51d3a290bcbf 100644 --- a/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md +++ b/src/SecurityInsights/docs/Get-AzSentinelIncidentRelation.md 
@@ -57,7 +57,7 @@ This command lists all Incident Relations for a given Incident. ### Example 2: Get a Incident Relation ```powershell - Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId" + Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName "myIncidentRelationId" ``` ```output diff --git a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md index 5bef18b69398..f789739783da 100644 --- a/src/SecurityInsights/docs/New-AzSentinelAlertRule.md +++ b/src/SecurityInsights/docs/New-AzSentinelAlertRule.md @@ -77,7 +77,7 @@ This command creates an Alert Rule of the Fusion kind based on the template "Adv This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection" -### Example 2: Create the Threat Intelligence Alert Rule +### Example 3: Create the Threat Intelligence Alert Rule ```powershell $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6" New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName 
@@ -85,25 +85,25 @@ This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the
 This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics"
-### Example 3: Create a Microsoft Security Incident Creation Alert Rule
+### Example 4: Create a Microsoft Security Incident Creation Alert Rule
 ```powershell
 $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
- New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -ProductFilter "Azure Security Center for IoT"
 ```
 This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts.
-### Example 4: Create a Scheduled Alert Rule
+### Example 5: Create a Scheduled Alert Rule
 ```powershell
-PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
 ```
 This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
-### Example 5: Create a Near Realtime Alert Rule
+### Example 6: Create a Near Realtime Alert Rule
 ```powershell
-PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
+New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
 ```
 This command creates an Alert Rule of the NRT kind.
diff --git a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
index f61fba1d6145..00b481708730 100644
--- a/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
+++ b/src/SecurityInsights/docs/New-AzSentinelDataConnector.md
@@ -134,16 +134,9 @@ Creates or updates the data connector.
 ## EXAMPLES
-### Example 1: Enables the Threat Intelligence data connector
-```powershell
-
-```
-
-=======
-
 ### Example 1: Enable a data connector.
 ```powershell
-New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
 ```
 This command enables the Threat Intelligence data connector
diff --git a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md
index d84bdef3252b..9a4622e929ae 100644
--- a/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md
+++ b/src/SecurityInsights/docs/New-AzSentinelEntityQuery.md
@@ -35,7 +35,7 @@ Creates or updates the entity query.
 ```output
 Title : The user has created an account
 Name : 6d37a904-d199-43ff-892b-53653b784122
-Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)
+Content : The user InitiatedByAccount has created the account TargetAccount Count time(s)
 Description : This activity displays account creation events performed by the user
 Enabled : True
 Kind : Activity
@@ -47,7 +47,7 @@ This command creates an Entity Query by using a Template. ### Example 2: Create Entity Query from cmdlet inputs ```powershell - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On 'SomeCompute' the account 'SomeAccount' was deleted by 'SomeUser'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, 
SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''someHost'', ''SomeNTDomain'', ''SomeDNSDomain'', ''SomeID'', ''SomeOMSAgentID'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} ``` This command creates an Entity Query. diff --git a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md index b840522096c1..7a40b8d30b98 100644 --- a/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/docs/New-AzSentinelIncidentComment.md @@ -33,7 +33,7 @@ Creates or updates the incident comment. ### Example 1: Create an Incident Comment ```powershell - New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" + New-AzSentinelIncidentComment -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" ``` This command creates an Incident Comment. diff --git a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md index 648a211c7449..37f076f45958 100644 --- a/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/docs/New-AzSentinelOnboardingState.md 
@@ -33,7 +33,7 @@ Create Sentinel onboarding state
 ### Example 1: Add Sentinel onboarding state
 ```powershell
-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+New-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
 ```
 This command configures the onboarding state of Sentinel
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
index 328e5f4b4c93..db808db6a84d 100644
--- a/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
+++ b/src/SecurityInsights/docs/Remove-AzSentinelAlertRuleAction.md
@@ -32,7 +32,7 @@ Delete the action of alert rule.
 ### Example 1: Removes an alert rule action
 ```powershell
-Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86"
+Remove-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86"
 ```
 This command removes an alert rule action.
diff --git a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md
index 13994890acc2..4734ca2e1bcd 100644
--- a/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md
+++ b/src/SecurityInsights/docs/Remove-AzSentinelIncidentRelation.md
@@ -32,7 +32,7 @@ Delete the incident relation.
 ### Example 1: Removes the incident relation
 ```powershell
-Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelatedResourceId "7cc984fe-61a2-43c2-a1a4-3583c8a89db4"
+Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelationName "7cc984fe-61a2-43c2-a1a4-3583c8a89db4"
 ```
 This command removes the incident relation
diff --git a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md
index 2e81fc3913f0..09531a69a96d 100644
--- a/src/SecurityInsights/docs/Update-AzSentinelBookmark.md
+++ b/src/SecurityInsights/docs/Update-AzSentinelBookmark.md
@@ -37,8 +37,8 @@ Creates or updates the bookmark.
 ### Example 1: Update Sentinel Bookmark
 ```powershell
- $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryStartTime = (Get-Date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryEndTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
 Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
 ```
diff --git a/src/SecurityInsights/docs/Update-AzSentinelIncident.md b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
index 111281eb86ec..16edc96c10a5 100644
--- a/src/SecurityInsights/docs/Update-AzSentinelIncident.md
+++ b/src/SecurityInsights/docs/Update-AzSentinelIncident.md
@@ -42,7 +42,7 @@ Creates or updates the incident.
 ### Example 1: Update an Incident
 ```powershell
-Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local"
+Update-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local"
 ```
 This command updates an incident by assigning an owner.
diff --git a/src/SecurityInsights/docs/Update-AzSentinelSetting.md b/src/SecurityInsights/docs/Update-AzSentinelSetting.md
index d7c711d746c3..2e2185d4ad2e 100644
--- a/src/SecurityInsights/docs/Update-AzSentinelSetting.md
+++ b/src/SecurityInsights/docs/Update-AzSentinelSetting.md
@@ -45,11 +45,10 @@ Updates setting.
 ### Example 1: Update the Anomalies setting
 ```powershell
- Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled $true
+ Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -SettingsName "Anomalies" -Enabled $true
 ```
-This command updates the Anomalies setting, other settings are:
-EyesOn, EntityAnalytics and Ueba
+This command updates the Anomalies setting, other settings are: EyesOn, EntityAnalytics and Ueba
 ## PARAMETERS
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md
index 06a31e9f90ed..e57d435ff77f 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelEnrichment.md
@@ -1,6 +1,6 @@
 ### Example 1: Get a Domain Enrichment
 ```powershell
- Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com
+ Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -Domain "microsoft.com"
 ```
 ```output
 Created : 5/2/1991 12:00:00 AM
@@ -14,7 +14,7 @@ This command gets an enrichment for a domain.
 ### Example 2: Get a IP Enrichment
 ```powershell
- Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" IPAddress "1.1.1.1"
+ Get-AzSentinelEnrichment -ResourceGroupName "myResourceGroupName" -IPAddress "1.1.1.1"
 ```
 ```output
 Asn : 13335
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md
index 57026a3977cf..ec4944808d24 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelEntityActivity.md
@@ -1,6 +1,6 @@
 ### Example 1: Get Insights and Activities for an Entity
 ```powershell
- Get-AzSentinelEntityAcivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId"
+ Get-AzSentinelEntityActivity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId"
 ```
 ```output
 FriendlyName : WIN2019
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md
index e24deacf3f08..2644a1248a4d 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelEntityInsight.md
@@ -1,7 +1,7 @@
 ### Example 1: Get Insights for an Entity for a given time range
 ```powershell
- $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
 Get-AzSentinelEntityInsight -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime
 ```
 ```output
@@ -16,8 +16,8 @@ This command gets insights for an Entity for a given time range.
 ### Example 2: Get Insights for an Entity by entity Id for a given time range
 ```powershell
- $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
 $Entity = Get-AzSentinelEntity -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "8d036a2d-f37d-e936-6cca-4e172687cb79"
 $Entity | Get-AzSentinelEntityInsight -EndTime $endTime -StartTime $startTime
 ```
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md
index 91cc9efac8fb..b8cf261a8458 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelEntityRelation.md
@@ -7,7 +7,7 @@ This command lists all Entity Relations for a given Entity.
 ### Example 2: Get an Entity Relation
 ```powershell
- Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -Id "myEntityRelationId"
+ Get-AzSentinelEntityRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -RelationName "myEntityRelationId"
 ```
 This command gets an Entity Relation for a given Entity.
diff --git a/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md
index 2b9cee700bb0..866475cca8d0 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelEntityTimeline.md
@@ -1,8 +1,8 @@
 ### Example 1: Get Timeline for an Entity for a given time range
 ```powershell
- $startTime = (get-date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $endTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- Get-AzSentinelEntityTime -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime
+ $startTime = (Get-Date).AddDays(-7).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $endTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ Get-AzSentinelEntityTimeline -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -EntityId "myEntityId" -EndTime $endTime -StartTime $startTime
 ```
 ```output
 DisplayName : Suspicious process executed
diff --git a/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md
index 1b6008296e02..a86c9fa0db81 100644
--- a/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md
+++ b/src/SecurityInsights/examples/Get-AzSentinelIncidentRelation.md
@@ -18,7 +18,7 @@ This command lists all Incident Relations for a given Incident.
 ### Example 2: Get a Incident Relation
 ```powershell
- Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Id "myIncidentRelationId"
+ Get-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "myIncidentId" -RelationName "myIncidentRelationId"
 ```
 ```output
 Name : 076bda5c-7d94-b6d8-8ef4-b0b2a0830dac_df9493a7-4f2e-84da-1f41-4914e8c029ba
diff --git a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
index 388eb1bf3a81..9f96df72e7fc 100644
--- a/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
+++ b/src/SecurityInsights/examples/New-AzSentinelAlertRule.md
@@ -14,7 +14,7 @@ This command creates an Alert Rule of the Fusion kind based on the template "Adv
 This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection"
-### Example 2: Create the Threat Intelligence Alert Rule
+### Example 3: Create the Threat Intelligence Alert Rule
 ```powershell
 $AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
 New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
@@ -22,24 +22,24 @@ This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the
 This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics"
-### Example 3: Create a Microsoft Security Incident Creation Alert Rule
+### Example 4: Create a Microsoft Security Incident Creation Alert Rule
 ```powershell
 $AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
- New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -DisplayName "Create incidents based on Microsoft Defender for IoT" -ProductFilter "Azure Security Center for IoT"
+ New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -ProductFilter "Azure Security Center for IoT"
 ```
 This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts.
-### Example 4: Create a Scheduled Alert Rule
+### Example 5: Create a Scheduled Alert Rule
 ```powershell
-PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
+New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
 ```
 This command creates an Alert Rule of the Scheduled kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
-### Example 5: Create a Near Realtime Alert Rule
+### Example 6: Create a Near Realtime Alert Rule
 ```powershell
-PS C:> New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
+New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
 ```
 This command creates an Alert Rule of the NRT kind. Please note that that query (parameter -Query) needs to be on a single line as as string.
diff --git a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
index d135c3ea082a..52f27ef28661 100644
--- a/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
+++ b/src/SecurityInsights/examples/New-AzSentinelDataConnector.md
@@ -1,10 +1,6 @@
-<<<<<<< HEAD
-### Example 1: Enables the Threat Intelligence data connector
-=======
 ### Example 1: Enable a data connector.
->>>>>>> 16ff7bb8ad... Fixes per feedback
 ```powershell
-New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
+New-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind 'MicrosoftThreatIntelligence' -BingSafetyPhishingURL Enabled -BingSafetyPhishingUrlLookbackPeriod All -MicrosoftEmergingThreatFeed Enabled -MicrosoftEmergingThreatFeedLookbackPeriod All
 ```
 This command enables the Threat Intelligence data connector
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
index 30e2086f2302..f7c908d7fa11 100644
--- a/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
+++ b/src/SecurityInsights/examples/New-AzSentinelEntityQuery.md
@@ -3,10 +3,11 @@
 $template = Get-AzSentinelEntityQueryTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myEntityQueryTemplateId"
 New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Kind Activity -Title ($template.title) -InputEntityType ($template.inputEntityType) -TemplateName ($template.Name)
 ```
+
 ```output
 Title : The user has created an account
 Name : 6d37a904-d199-43ff-892b-53653b784122
-Content : The user {{InitiatedByAccount}} has created the account {{TargetAccount}} {{Count}} time(s)
+Content : The user InitiatedByAccount has created the account TargetAccount Count time(s)
 Description : This activity displays account creation events performed by the user
 Enabled : True
 Kind : Activity
@@ -18,7 +19,7 @@ This command creates an Entity Query by using a Template. ### Example 2: Create Entity Query from cmdlet inputs ```powershell - New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On '{{Computer}}' the account '{{TargetAccount}}' was deleted by '{{AddedBy}}'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = 
TargetAccount\n};\nGetAccountActions(''{{Host_HostName}}'', ''{{Host_NTDomain}}'', ''{{Host_DnsDomain}}'', ''{{Host_AzureID}}'', ''{{Host_OMSAgentID}}'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} + New-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Kind Activity -Title 'An account was deleted on this host' -InputEntityType 'Host' -Content "On 'SomeCompute' the account 'SomeAccount' was deleted by 'SomeUser'" -Description "Account deleted on host" -QueryDefinitionQuery 'let GetAccountActions = (v_Host_Name:string, v_Host_NTDomain:string, v_Host_DnsDomain:string, v_Host_AzureID:string, v_Host_OMSAgentID:string){\nSecurityEvent\n| where EventID in (4725, 4726, 4767, 4720, 4722, 4723, 4724)\n// parsing for Host to handle variety of conventions coming from data\n| extend Host_HostName = case(\nComputer has ''@'', tostring(split(Computer, ''@'')[0]),\nComputer has ''\\'', tostring(split(Computer, ''\\'')[1]),\nComputer has ''.'', tostring(split(Computer, ''.'')[0]),\nComputer\n)\n| extend Host_NTDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', tostring(split(Computer, ''.'')[-2]), \nComputer\n)\n| extend Host_DnsDomain = case(\nComputer has ''\\'', tostring(split(Computer, ''\\'')[0]), \nComputer has ''.'', strcat_array(array_slice(split(Computer,''.''),-2,-1),''.''), \nComputer\n)\n| where (Host_HostName =~ v_Host_Name and Host_NTDomain =~ v_Host_NTDomain) \nor (Host_HostName =~ v_Host_Name and Host_DnsDomain =~ v_Host_DnsDomain) \nor v_Host_AzureID =~ _ResourceId \nor v_Host_OMSAgentID == SourceComputerId\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetUserName, TargetDomainName, TargetSid, SubjectUserName, SubjectUserSid, _ResourceId, 
SourceComputerId\n| extend AddedBy = SubjectUserName\n// Future support for Activities\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = TargetAccount\n};\nGetAccountActions(''someHost'', ''SomeNTDomain'', ''SomeDNSDomain'', ''SomeID'', ''SomeOMSAgentID'')\n \n| where EventID == 4726' -RequiredInputFieldsSet @(@("Host_HostName","Host_NTDomain"),@("Host_HostName","Host_DnsDomain"),@("Host_AzureID"),@("Host_OMSAgentID")) -EntitiesFilter @{"Host_OsFamily" = @("Windows")} ``` This command creates an Entity Query. \ No newline at end of file diff --git a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md index 37f3fd5a3f27..26e22ce7d58c 100644 --- a/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md +++ b/src/SecurityInsights/examples/New-AzSentinelIncidentComment.md @@ -1,6 +1,6 @@ ### Example 1: Create an Incident Comment ```powershell - New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" + New-AzSentinelIncidentComment -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -IncidentId "myIncidentId" -Message "IncidentCommentGoesHere" ``` This command creates an Incident Comment. diff --git a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md index 5e622f5a6de8..712e0f5c3138 100644 --- a/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md +++ b/src/SecurityInsights/examples/New-AzSentinelOnboardingState.md 
@@ -1,6 +1,6 @@
 ### Example 1: Add Sentinel onboarding state
 ```powershell
-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
+New-AzSentinelOnboardingState -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Name "default"
 ```
 
 This command configures the onboarding state of Sentinel
\ No newline at end of file
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
index 92e2f7c66c72..8f42f6d364c9 100644
--- a/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
+++ b/src/SecurityInsights/examples/Remove-AzSentinelAlertRuleAction.md
@@ -1,6 +1,6 @@
 ### Example 1: Removes an alert rule action
 ```powershell
-Remove-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86"
+Remove-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "29d2523f-84ce-42d3-b5f1-9e63c85aaed1" -Id "1a33301b-fb83-416a-8d58-3873c7c2dc86"
 ```
 
 This command removes an alert rule action.
diff --git a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
index 69e4cbb3a2dd..835381447960 100644
--- a/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
+++ b/src/SecurityInsights/examples/Remove-AzSentinelIncidentRelation.md
@@ -1,9 +1,6 @@
 ### Example 1: Removes the incident relation
-=======
-### Example 1: Delete an Incident relation
->>>>>>> 16ff7bb8ad... Fixes per feedback
 ```powershell
-Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelatedResourceId "7cc984fe-61a2-43c2-a1a4-3583c8a89db4"
+Remove-AzSentinelIncidentRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -IncidentId "7cc984fe-61a2-43c2-a1a4-3583c8a89da2" -RelationName "7cc984fe-61a2-43c2-a1a4-3583c8a89db4"
 ```
 
 This command removes the incident relation
diff --git a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
index 1572c679176e..9d19f6aa49a3 100644
--- a/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
+++ b/src/SecurityInsights/examples/Update-AzSentinelBookmark.md
@@ -1,7 +1,7 @@
 ### Example 1: Update Sentinel Bookmark
 ```powershell
- $queryStartTime = (get-date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
- $queryEndTime = (get-date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryStartTime = (Get-Date).AddDays(-1).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
+ $queryEndTime = (Get-Date).ToUniversalTime() | Get-Date -Format "yyyy-MM-ddThh:00:00.000Z"
 Update-AzSentinelBookmark -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -DisplayName "Incident Evidence" -Query "SecurityEvent | take 1" -QueryStartTime $queryStartTime -QueryEndTime $queryEndTime -EventTime $queryEndTime
 ```
 
diff --git a/src/SecurityInsights/examples/Update-AzSentinelIncident.md b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
index 28e32d27f0aa..b36833ada047 100644
--- a/src/SecurityInsights/examples/Update-AzSentinelIncident.md
+++ b/src/SecurityInsights/examples/Update-AzSentinelIncident.md
@@ -1,6 +1,6 @@
 ### Example 1: Update an Incident
 ```powershell
-Update-AzSentinelEntityQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local"
+Update-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -OwnerAssignedTo "user@mydomain.local"
 ```
 
 This command updates an incident by assigning an owner.
diff --git a/src/SecurityInsights/examples/Update-AzSentinelSetting.md b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
index 06549800d356..13bb506f59a4 100644
--- a/src/SecurityInsights/examples/Update-AzSentinelSetting.md
+++ b/src/SecurityInsights/examples/Update-AzSentinelSetting.md
@@ -1,8 +1,7 @@
 ### Example 1: Update the Anomalies setting
 ```powershell
- Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -SettingsName 'Anomalies' -Enabled $true
+ Update-AzSentinelSetting -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -SettingsName "Anomalies" -Enabled $true
 ```
 
-This command updates the Anomalies setting, other settings are:
-EyesOn, EntityAnalytics and Ueba
+This command updates the Anomalies setting, other settings are: EyesOn, EntityAnalytics and Ueba

From 010d75acdf7aef778528fc3738578e874d93411a Mon Sep 17 00:00:00 2001
From: VeryEarly
Date: Thu, 8 Sep 2022 13:12:37 +0800
Subject: [PATCH 24/24] remove exampleissues.csv

---
 .../Exceptions/Az.SecurityInsights/ExampleIssues.csv | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv

diff --git a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv b/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
deleted file mode 100644
index f403d996eff5..000000000000
--- a/tools/StaticAnalysis/Exceptions/Az.SecurityInsights/ExampleIssues.csv
+++ /dev/null
@@ -1,10 +0,0 @@
-"Module","Cmdlet","Example","RuleName","ProblemID","Severity","Description","Extent","Remediation"
-"SecurityInsights","New-AzSentinelEntityQuery","1","MissingExampleOutput","5045","1","Output of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add output for the example. Remove any placeholders."
-"SecurityInsights","New-AzSentinelEntityQuery","2","MissingExampleCode","5044","1","Code of the example is missing.","SecurityInsights\help\New-AzSentinelEntityQuery.md","Add code for the example. Remove any placeholders."
-"SecurityInsights","Remove-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelAlertRule -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
-"SecurityInsights","Remove-AzSentinelIncidentRelation","1","Invalid_Parameter_Name","5011","1","Remove-AzSentinelIncidentRelation -RelatedResourceId is not a valid parameter name.","-RelatedResourceId","Check validity of the parameter -RelatedResourceId."
-"SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -RuleId is not a valid parameter name.","-RuleId","Check validity of the parameter -RuleId."
-"SecurityInsights","New-AzSentinelAlertRuleAction","1","Invalid_Parameter_Name","5011","1","New-AzSentinelAlertRuleAction -Id is not a valid parameter name.","-Id","Check validity of the parameter -Id."
-"SecurityInsights","New-AzSentinelAutomationRule","2","Invalid_Cmdlet","5000","1","New-AzSentinelAutomationRule is not a valid command name.","New-AzSentinelAutomationRule -ResourceGroupName 'myResourceGroup' -WorkspaceName 'myWorkspaceName' -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName 'Change severity to Low' -Order 3 -TriggeringLogicIsEnabled","Check the spell of New-AzSentinelAutomationRule."
-"SecurityInsights","New-AzSentinelAutomationRule","1","Invalid_Cmdlet","5000","1","New-AzSentinelAutomationRule is not a valid command name.","New-AzSentinelAutomationRule -ResourceGroupName 'myResourceGroup' -WorkspaceName 'myWorkspaceName' -Id ((New-Guid).Guid) -Action $automationRuleAction -DisplayName 'Run Playbook to reset AAD password' -Order 2 -TriggeringLogicIsEnabled","Check the spell of New-AzSentinelAutomationRule."
-"SecurityInsights","New-AzSentinelIncidentComment","1","Invalid_Parameter_Name","5011","1","New-AzSentinelIncident -Message is not a valid parameter name.","-Message","Check validity of the parameter -Message."
\ No newline at end of file